Where should allowed-endpoints be stored? #84
Replies: 3 comments 5 replies
-
@varunsh-coder i think in the workflow file or in the backend API is fine. Im looking at saving them in environment variables, so i can declare them easier for the entire organisation. |
Beta Was this translation helpful? Give feedback.
-
@varunsh-coder another alternative over storing the config in the workflow is to store it in a separate file. For example, a file called allowed-endpoints: >
aa
bb
cc Two existing Actions that take this approach are actions/labeler (with The advantage of this over having the configuration in the workflow file is that you don't need to change the workflow file to change the configuration. Additionally, a separate configuration file will be cleaner when there are more configuration fields available - it would even be a necessity if more complex configuration (with nested objects) are required (since The advantage of this over storing it on the BE is that it is still version controlled by the developers. One disadvantage, I guess, is how to deal with different jobs having different allow lists. One solution could be to separate configurations by their job key, e.g.: # .github/workflows/example.yml
jobs:
example:
name: Example
runs-on: ubuntu-latest
steps:
- name: Harden runner
uses: step-security/[email protected]
with:
egress-policy: block
# .github/harder-runner.yml
example: # <-- matches the key of the job in the workflow.
allowed-endpoints: >
aa
bb
cc |
Beta Was this translation helpful? Give feedback.
-
As a first step, how about extracting the list to an external file? It should be relatively easy to implement while allowing to share allowed endpoints between workflows or not. Example: jobs:
unit-test:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
with:
egress-policy: block
allowed-endpoints-file: .github/allowed-ci-endpoints.txt |
Beta Was this translation helpful? Give feedback.
-
If you have used
harden-runner
, you know that you first start inaudit
mode.You then get a link to the insights and recommended policy. As of now, you can take the list of
allowed-endpoints
and add them to the GitHub Actions workflow file.Some developers have expressed desire to not store the endpoints in the workflow file. This is to not have to update the workflow periodically in case the endpoints change. Although the endpoints should not change often, I would like to understand if
allowed-endpoints
should be stored in the backend.Backend is the API and data store that stores the correlated outbound traffic.
e.g. when you visit https://app.stepsecurity.io/github/jauderho/dockerfiles/actions/runs/1742888941, it fetches the data for that workflow run and shows it from the backend API.
Now, the idea is that instead of adding the
allowed-endpoints
in the workflow YAML file, you can simply check the endpoints that should be allowed, and save the policy using the insights page using asave policy
button. Then the policy will get saved along with the insights in the backend. Next time the same workflow runs, harden-runner will fetch the policy from the backend and then block traffic based on that policy. This way, if there is a new endpoint, one does not need to change the workflow YAML file (so no need to do pull request and update the YAML file). Just go to the insights page, and approve the new endpoint.The downside is that the
allowed-endpoints
are not visible in the YAML file.What are your thoughts? Should the option to store
allowed-endpoints
in the backend be enabled?Beta Was this translation helpful? Give feedback.
All reactions