An open platform to update your CI/CD pipelines to comply with security requirements.
If you use GitHub Actions, use can use SecureWorkflows to:
- Automatically set minimum GITHUB_TOKEN permissions
- Pin Actions to a full length commit SHA
- Add Harden-Runner GitHub Action to each job
Support for GitLab, CircleCI, and more CI/CD providers will be added in the future. Check the Roadmap for details.
- SecureWorkflows is being used to secure critical open source projects
- StepSecurity was rewarded a Secure Open Source (SOS) reward for this work
- SecureWorkflows was demoed at
SupplyChainSecurityCon
at Open Source Summit North America 2022
To secure your GitHub Actions workflow:
- Copy and paste your GitHub Actions workflow YAML file at https://app.stepsecurity.io
- Click
Secure Workflows
button - Paste the fixed workflow back in your codebase
GitHub App to create pull requests will be released soon. Check the Roadmap for details.
- Add OpenSSF Scorecards starter workflow
- View the Scorecard results in GitHub Code Scanning UI
- Follow remediation tip that points to https://app.stepsecurity.io
SecureWorkflows API
- Takes in a GitHub Actions workflow YAML file as an input
- Returns a transformed workflow file with fixes applied
- You can select which of these changes you want to make
- The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API
- If the token is compromised, it can be misused (e.g. to overwrite releases or source code)
- To limit the damage, GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.
Before the fix, your workflow may look like this (no permissions set)
jobs:
closeissue:
runs-on: ubuntu-latest
steps:
- name: Close Issue
uses: peter-evans/close-issue@v1
with:
issue-number: 1
comment: Auto-closing issue
After the fix, the workflow will have minimum permissions added for the GITHUB token.
permissions:
contents: read
jobs:
closeissue:
permissions:
issues: write # for peter-evans/close-issue to close issues
runs-on: ubuntu-latest
steps:
- name: Close Issue
uses: peter-evans/close-issue@v1
with:
issue-number: 1
comment: Auto-closing issue
- SecureWorkflows stores the permissions needed by different GitHub Actions in a knowledge base
- It looks up the permissions needed by each Action in your workflow, and sums the permissions up to come up with a final recommendation
- If you are the owner of a GitHub Action, please contribute to the knowledge base
- GitHub Action tags and Docker tags are mutatble. This poses a security risk
- If the tag changes you will not have a chance to review the change before it gets used
- GitHub's Security Hardening for GitHub Actions guide recommends pinning actions to full length commit for third party actions.
Before the fix, your workflow may look like this (use of v1
and latest
tags)
jobs:
integration-test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v1
- name: Integration test
uses: docker://ghcr.io/step-security/integration-test/int:latest
After the fix, each Action and docker image will be pinned to an immutable checksum.
jobs:
integration-test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9
- name: Integration test
uses: docker://ghcr.io/step-security/integration-test/int@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0
- SecureWorkflows automates the process of getting the commit SHA for each mutable Action version or Docker image tag
- It does this by using GitHub and Docker registry APIs
Harden-Runner GitHub Action installs a security agent on the Github-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies.
Before the fix, your workflow may look like this
jobs:
closeissue:
runs-on: ubuntu-latest
steps:
- name: Close Issue
uses: peter-evans/close-issue@v1
with:
issue-number: 1
comment: Auto-closing issue
After the fix, each workflow has the harden-runner Action added as the first step.
jobs:
closeissue:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@v1
with:
egress-policy: audit
- name: Close Issue
uses: peter-evans/close-issue@v1
with:
issue-number: 1
comment: Auto-closing issue
SecureWorkflows updates the YAML file and adds Harden-Runner GitHub Action as the first step to each job.