diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
index 476412b7..a9cb0065 100644
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -33,7 +33,12 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f127ec32..6cd38e4b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -126,7 +126,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
 - name: Checkout
 uses: actions/checkout@v6
@@ -184,7 +190,12 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ registry.npmjs.org:443
 - name: Checkout
 uses: actions/checkout@v6
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a76e52a2..624b9912 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
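Review bot: In the actionlint.yml hunk the allowlist admits `proxy.golang.org:443` but not the Go checksum database, so a step that fetches modules through the proxy (for example a `go install`) would, with the toolchain's default settings, also try to reach `sum.golang.org` and fail once the policy is `block`. The steps after Checkout are outside the hunk, so this is inferred from the endpoint list alone. If Go modules really are fetched in this job, add `sum.golang.org:443` on its own line; if not, drop `proxy.golang.org:443` so the list stays minimal. The scorecard.yml allowlist has the same entry and the same gap.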
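Review bot: In the first ci.yml hunk (@@ -126) the job whose egress is being locked down still runs `actions/checkout@v6` by mutable tag, while actionlint.yml, codeql.yml, dependency-review.yml and docker-image.yml pin the same action to a commit. The action's code runs inside the allowlist, so pinning it is the matching half of this hardening: `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`. The same applies to the second ci.yml hunk and to the `actions/checkout@v6`, `actions/setup-python@v6` and `oven-sh/setup-bun@v2` lines visible in contract-gates.yml, cve-monitor.yml and e2e-smokes.yml. The commit SHAs for the latter two actions are not on this page and would need to be looked up.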
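Review bot: docs/ci-egress-allowlist.md, added by this same commit, lists a ci.yml "Security Job" needing `api.openai.com:443`, `generativelanguage.googleapis.com:443` and the Docker Hub endpoints, yet the second ci.yml hunk (@@ -184) is the last one for this file and neither hunk carries those hosts. If that job was deliberately left on `egress-policy: audit`, the document should say so; if it was meant to be switched, the change is missing here. The document also gives only `api.github.com:443` for dependency-review.yml and calls `proxy.golang.org:443` common to almost all workflows, neither of which matches the lists in this diff. A comment above each list such as `# Keep in sync with docs/ci-egress-allowlist.md` would help the two stay aligned.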
@@ -26,7 +26,12 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ uploads.github.com:443
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
diff --git a/.github/workflows/contract-gates.yml b/.github/workflows/contract-gates.yml
index 8e97adcc..9ac8fa4d 100644
--- a/.github/workflows/contract-gates.yml
+++ b/.github/workflows/contract-gates.yml
@@ -18,7 +18,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
 - uses: actions/checkout@v6
 - uses: actions/setup-python@v6
@@ -46,7 +52,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
 - uses: actions/checkout@v6
 - uses: actions/setup-python@v6
@@ -65,7 +77,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
 - uses: actions/checkout@v6
 - uses: actions/setup-python@v6
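Review bot: The codeql.yml allowlist covers release downloads only through `objects.githubusercontent.com:443`, and GitHub can serve release assets from `release-assets.githubusercontent.com` instead, which would be blocked. That matters here if the CodeQL action has to download a bundle that is not already in the runner's tool cache. The init and analyze steps are outside the hunk, so confirm this from the audit-mode insights. If the host appears there, add `release-assets.githubusercontent.com:443`. Every other allowlist in this commit relies on the same single download host, so jobs that install tools from GitHub releases would be affected the same way.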
@@ -100,7 +118,12 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ registry.npmjs.org:443
 - uses: actions/checkout@v6
 - uses: oven-sh/setup-bun@v2
@@ -121,7 +144,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
 - uses: actions/checkout@v6
 - uses: actions/setup-python@v6
@@ -148,7 +177,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
 - uses: actions/checkout@v6
 - uses: actions/setup-python@v6
diff --git a/.github/workflows/cve-monitor.yml b/.github/workflows/cve-monitor.yml
index 02b436d9..647711e8 100644
--- a/.github/workflows/cve-monitor.yml
+++ b/.github/workflows/cve-monitor.yml
@@ -48,7 +48,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
 - name: Checkout
 uses: actions/checkout@v6
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index fd74b027..6ec8670b 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
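Review bot: The cve-monitor.yml allowlist contains only GitHub and PyPI hosts, so any vulnerability feed the monitor queries on another host would be cut off under `block`. The steps after Checkout are outside the hunk, so whether such a feed exists is not visible here. The risk worth checking is a monitor that treats a failed lookup as "no findings" and goes quiet instead of failing the job. Confirm from a recent audit-mode run which hosts this job contacts, and make sure a blocked request fails the workflow.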
@@ -15,7 +15,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index d952a5e2..e9be5233 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -38,7 +38,14 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ auth.docker.io:443
+ github.com:443
+ objects.githubusercontent.com:443
+ production.cloudflare.docker.com:443
+ registry-1.docker.io:443
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -144,7 +151,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -277,7 +288,16 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ auth.docker.io:443
+ ghcr.io:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pkg-containers.githubusercontent.com:443
+ production.cloudflare.docker.com:443
+ registry-1.docker.io:443
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
diff --git a/.github/workflows/e2e-smokes.yml b/.github/workflows/e2e-smokes.yml
index 4e4f0e46..932cfc94 100644
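Review bot: In the first docker-image.yml hunk (@@ -38) the allowlist names only GitHub and Docker Hub hosts, which covers pulling base images but not anything the Dockerfile downloads during the build, such as OS packages or language dependencies. The Dockerfile and the build steps are outside this diff, so this is a question to settle rather than a confirmed break. The third hunk (@@ -277) has the same shape with `ghcr.io:443` and `pkg-containers.githubusercontent.com:443` added. The document added in this commit itself calls Docker builds the most complex case, so a build under `block` with a cold layer cache on a branch would be a useful check.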
--- a/.github/workflows/e2e-smokes.yml
+++ b/.github/workflows/e2e-smokes.yml
@@ -29,7 +29,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ playwright.azureedge.net:443
+ registry.npmjs.org:443
 - uses: actions/checkout@v6
 - uses: oven-sh/setup-bun@v2
@@ -87,7 +93,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ playwright.azureedge.net:443
+ registry.npmjs.org:443
 - uses: actions/checkout@v6
 - uses: oven-sh/setup-bun@v2
@@ -143,7 +155,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ playwright.azureedge.net:443
+ registry.npmjs.org:443
 - uses: actions/checkout@v6
 - uses: oven-sh/setup-bun@v2
@@ -191,7 +209,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ playwright.azureedge.net:443
+ registry.npmjs.org:443
 - uses: actions/checkout@v6
 - uses: oven-sh/setup-bun@v2
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index c926ad6b..0c07d5b9 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
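Review bot: All four e2e-smokes.yml hunks allow `playwright.azureedge.net:443` for browser downloads, which is the older Playwright CDN; newer Playwright releases fetch browsers from `cdn.playwright.dev`, with `playwright.download.prss.microsoft.com` as a fallback. The Playwright version and the install step are not visible in these hunks, so check which host the pinned version actually uses and list that one, e.g. `cdn.playwright.dev:443`. Under `block` a wrong host shows up as a failed browser install before any test runs, which is easy to misread as flakiness.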
@@ -23,7 +23,15 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.securityscorecards.dev:443
+ github.com:443
+ objects.githubusercontent.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ proxy.golang.org:443
+ www.bestpractices.dev:443
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
diff --git a/docs/ci-egress-allowlist.md b/docs/ci-egress-allowlist.md
new file mode 100644
index 00000000..6dde10fb
--- /dev/null
+++ b/docs/ci-egress-allowlist.md
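Review bot: The scorecard.yml allowlist leaves out the hosts Scorecard contacts beyond its own API. Result publishing signs through Sigstore (`fulcio.sigstore.dev`, `rekor.sigstore.dev`, `tuf-repo-cdn.sigstore.dev`) and the vulnerabilities check queries `api.osv.dev`, none of which is allowed here. Whether `publish_results` is enabled is outside the hunk; if it is, signing would be blocked and the run would fail or publish nothing. Compare the list against the hosts recorded for this job while it ran in `audit` mode and add each missing one as `host:443` on its own line.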
@@ -0,0 +1,70 @@
+# CI Egress Allowlist
+
+This document tracks the expected egress targets for GitHub Action workflows using `step-security/harden-runner` in `block` mode.
+
+## Common Endpoints (Required by almost all workflows)
+
+- `github.com:443`: Checkout and other GitHub interactions.
+- `api.github.com:443`: GitHub API calls.
+- `objects.githubusercontent.com:443`: Downloading action artifacts/assets.
+- `proxy.golang.org:443`: Often needed by Go-based actions (like Scorecard or Actionlint).
+
+## Workflow Specific Endpoints
+
+### CI (`ci.yml`)
+- **Python Jobs:**
+ - `pypi.org:443`
+ - `files.pythonhosted.org:443`
+- **Frontend Jobs:**
+ - `registry.npmjs.org:443`
+- **Security Job:**
+ - `api.openai.com:443` (LLM interactions)
+ - `generativelanguage.googleapis.com:443` (LLM interactions)
+ - `auth.docker.io:443`
+ - `registry-1.docker.io:443`
+
+### CodeQL (`codeql.yml`)
+- `api.github.com:443`
+- `github.com:443`
+- `objects.githubusercontent.com:443`
+- `uploads.github.com:443`
+
+### CVE Monitor (`cve-monitor.yml`)
+- `pypi.org:443`
+- `files.pythonhosted.org:443`
+
+### Dependency Review (`dependency-review.yml`)
+- `api.github.com:443`
+
+### Actionlint (`actionlint.yml`)
+- `api.github.com:443`
+- `github.com:443`
+
+### Scorecard (`scorecard.yml`)
+- `api.github.com:443`
+- `api.securityscorecards.dev:443`
+- `github.com:443`
+- `oss-fuzz-build-logs.storage.googleapis.com:443`
+- `www.bestpractices.dev:443`
+
+### E2E Smokes (`e2e-smokes.yml`)
+- `registry.npmjs.org:443`
+- `playwright.azureedge.net:443` (Browser downloads)
+
+### Docker Image (`docker-image.yml`)
+- `auth.docker.io:443`
+- `registry-1.docker.io:443`
+- `ghcr.io:443`
+- `pkg-containers.githubusercontent.com:443`
+- `production.cloudflare.docker.com:443`
+
+### Contract Gates (`contract-gates.yml`)
+- `pypi.org:443`
+- `files.pythonhosted.org:443`
+- `registry.npmjs.org:443`
+
+## Stability Assessment
+- The current list is based on typical tool requirements.
+- `audit` data from the last 2 weeks confirms these are the primary stable targets.
+- E2E tests are stable as they use `stub` mode for LLMs, avoiding external API calls to providers.
+- Docker builds are the most complex due to multiple registry interactions.