step-security · varunsh-coder · Jul 24, 2023 · Jun 27, 2023 · Jun 27, 2023 · Jun 27, 2023
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -0,0 +1,33 @@
+module.exports = {
+    "env": {
+        "browser": true,
+        "es2021": true
+    },
+    "extends": [
+        "eslint:recommended",
+        "plugin:@typescript-eslint/recommended"
+    ],
+    "overrides": [
+        {
+            "env": {
+                "node": true
+            },
+            "files": [
+                ".eslintrc.{js,cjs}"
+            ],
+            "parserOptions": {
+                "sourceType": "script"
+            }
+        }
+    ],
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+        "ecmaVersion": "latest",
+        "sourceType": "module"
+    },
+    "plugins": [
+        "@typescript-eslint"
+    ],
+    "rules": {
+    }
+}
diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml
@@ -24,7 +24,7 @@ jobs:
     steps:
     - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v1
       with:
-        allowed-endpoints: 
+        allowed-endpoints:
           api.github.com:443
           github.com:443
 

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -2,7 +2,7 @@
 #
 # This Action will scan dependency manifest files that change as part of a Pull Request,
 # surfacing known-vulnerable versions of the packages declared or updated in the PR.
-# Once installed, if the workflow run is marked as required, 
+# Once installed, if the workflow run is marked as required,
 # PRs introducing known-vulnerable packages will be blocked from merging.
 #
 # Source repository: https://github.com/actions/dependency-review-action

diff --git a/.github/workflows/recurring-int-tests.yml b/.github/workflows/recurring-int-tests.yml
@@ -6,7 +6,7 @@ on:
 
 permissions:
   contents: read
-      
+
 jobs:
   int-tests:
     name: int tests

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -27,7 +27,7 @@ jobs:
     steps:
     - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
       with:
-        allowed-endpoints: 
+        allowed-endpoints:
           api.github.com:443
           github.com:443
 

diff --git a/.gitignore b/.gitignore
@@ -104,4 +104,4 @@ typings/
 .tern-port
 
 # vscode files
-.vscode
+.vscode
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,3 +1,4 @@
+exclude: ^dist/
 repos:
 - repo: https://github.com/gitleaks/gitleaks
   rev: v8.16.3

diff --git a/README.md b/README.md
@@ -84,7 +84,7 @@ Once allowed endpoints are set in the policy in the workflow file, or in the [Po
 - Harden-Runner blocks egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4).
 - It blocks DNS exfiltration, where attacker tries to send data out using DNS resolution
 - Blocks outbound traffic using IP tables
-- Wildcard domains are supported, e.g. you can add `*.data.mcr.microsoft.com:443` to the allowed list, and egress traffic will be allowed to `eastus.data.mcr.microsoft.com:443` and `westus.data.mcr.microsoft.com:443`. 
+- Wildcard domains are supported, e.g. you can add `*.data.mcr.microsoft.com:443` to the allowed list, and egress traffic will be allowed to `eastus.data.mcr.microsoft.com:443` and `westus.data.mcr.microsoft.com:443`.
 
 <p align="left">
   <img src="images/block-outbound-call.png" alt="Policy recommended by harden-runner" >

diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/dist/post/index.js b/dist/post/index.js
@@ -61193,10 +61193,10 @@ function addSummary() {
         }
         if (needsSubscription) {
             yield core.summary.addSeparator()
-                .addRaw(`<h2>❌ GitHub Actions Runtime Security is disabled</h2>`);
+                .addRaw(`<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`);
             yield core.summary.addRaw(`
-<p>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity in a private repository, but your organization has not signed up for a free trial or a paid subscription.</p>
-<p>To start a free trial, install the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a> or reach out to us via our <a href="https://www.stepsecurity.io/contact">contact form.</a></p>
+<p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
+<p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
 `)
                 .addSeparator()
                 .write();
@@ -61211,11 +61211,8 @@ function addSummary() {
         if (tableEntries.length === 0) {
             return;
         }
-        let insightsRow = `<tr>
-      <td colspan="3" align="center"><a href="${insights_url}">🛡️ Check out the full report and recommended policy at StepSecurity</a></td>
-    </tr>`;
-        yield core.summary.addSeparator().addRaw(`<h2><a href="${insights_url}">StepSecurity Report</a></h2>
-      <h3>GitHub Actions Runtime Security</h3>`);
+        const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`;
+        yield core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`);
         tableEntries.sort((a, b) => {
             if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
                 return -1;
@@ -61229,12 +61226,13 @@ function addSummary() {
         });
         tableEntries = tableEntries.slice(0, 3);
         yield core.summary.addRaw(`
+  <p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p>
   <h3>🌐 Network Events</h3>
   <table>
     <thead>
       <tr>
         <th>Process</th>
-        <th>Endpoint</th>
+        <th>Destination</th>
         <th>Status</th>
       </tr>
     </thead>
@@ -61251,13 +61249,11 @@ function addSummary() {
         <td>...</td>
         <td>...</td>
       </tr>
-       ${insightsRow}
     </tbody>
   </table>
+  ${insightsRow}
 `);
-        yield core.summary.addSeparator()
-            .addRaw(`<blockquote>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>. 
-      Harden-Runner is a security agent for GitHub-hosted runners to block egress traffic & detect code overwrite to prevent breaches.</blockquote>`)
+        yield core.summary.addRaw(`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`)
             .addSeparator()
             .write();
     });
@@ -61266,6 +61262,7 @@ const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
 const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
 const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
 const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
+const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner";
 
 ;// CONCATENATED MODULE: external "node:fs"
 const external_node_fs_namespaceObject = require("node:fs");
@@ -61322,6 +61319,45 @@ function isValidEvent() {
 // EXTERNAL MODULE: external "path"
 var external_path_ = __nccwpck_require__(5622);
 var external_path_default = /*#__PURE__*/__nccwpck_require__.n(external_path_);
+;// CONCATENATED MODULE: ./src/arc-runner.ts
+
+function isArcRunner() {
+    const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
+    if (!runnerUserAgent) {
+        return false;
+    }
+    return runnerUserAgent.includes("actions-runner-controller/");
+}
+function getRunnerTempDir() {
+    const isTest = process.env["isTest"];
+    if (isTest === "1") {
+        return "/tmp";
+    }
+    return process.env["RUNNER_TEMP"] || "/tmp";
+}
+function sendAllowedEndpoints(endpoints) {
+    const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
+    for (const endpoint of allowedEndpoints) {
+        if (endpoint) {
+            const encodedEndpoint = Buffer.from(endpoint).toString("base64");
+            cp.execSync(`echo "${endpoint}" > "${getRunnerTempDir()}/step_policy_endpoint_${encodedEndpoint}"`);
+        }
+    }
+    if (allowedEndpoints.length > 0) {
+        applyPolicy(allowedEndpoints.length);
+    }
+}
+function applyPolicy(count) {
+    const fileName = `step_policy_apply_${count}`;
+    cp.execSync(`echo "${fileName}" > "${getRunnerTempDir()}/${fileName}"`);
+}
+function removeStepPolicyFiles() {
+    external_child_process_.execSync(`rm ${getRunnerTempDir()}/step_policy_*`);
+}
+function arcCleanUp() {
+    external_child_process_.execSync(`echo "cleanup" > "${getRunnerTempDir()}/step_policy_cleanup"`);
+}
+
 ;// CONCATENATED MODULE: ./src/cleanup.ts
 var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@@ -61339,6 +61375,7 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
 
 
 
+
 (() => cleanup_awaiter(void 0, void 0, void 0, function* () {
     if (process.platform !== "linux") {
         console.log(UBUNTU_MESSAGE);
@@ -61348,6 +61385,21 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
         console.log(CONTAINER_MESSAGE);
         return;
     }
+    if (isValidEvent()) {
+        try {
+            const cacheResult = yield cache.saveCache([external_path_default().join(__dirname, "cache.txt")], cacheKey);
+            console.log(cacheResult);
+        }
+        catch (exception) {
+            console.log(exception);
+        }
+    }
+    if (isArcRunner()) {
+        console.log(`[!] ${ARC_RUNNER_MESSAGE}`);
+        arcCleanUp();
+        removeStepPolicyFiles();
+        return;
+    }
     if (String(process.env.STATE_monitorStatusCode) ===
         STATUS_HARDEN_RUNNER_UNAVAILABLE) {
         console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
@@ -61389,18 +61441,6 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
         console.log("Service log:");
         console.log(journalLog);
     }
-    if (isValidEvent()) {
-        try {
-            const cmd = "cp";
-            const args = [external_path_default().join(__dirname, "cache.txt"), cacheFile];
-            external_child_process_.execFileSync(cmd, args);
-            const cacheResult = yield cache.saveCache([cacheFile], cacheKey);
-            console.log(cacheResult);
-        }
-        catch (exception) {
-            console.log(exception);
-        }
-    }
     try {
         yield addSummary();
     }

diff --git a/dist/post/index.js.map b/dist/post/index.js.map