Add recommendations for runner groups and labels #91
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,7 +6,7 @@ title: 'Securing GitHub Actions Workflows' | |
| weight: 5 | ||
| publishDate: 2024-08-16 | ||
| params: | ||
| authors: [{ name: 'Greg Mohler', handle: 'callmegreg' }, { name: 'Kitty Chiu', handle: 'kittychiu' }, { name: 'Thomas Sjögren', handle: 'konstruktoid' }] | ||
|
|
||
| # Classifications of the framework to drive key concepts, design principles, and architectural best practices | ||
| pillars: | ||
|
|
@@ -88,9 +88,10 @@ To secure GitHub Actions workflows, consider the following strategies: | |
| 7. **Avoid workflow injection**: Sanitize user input and avoid using expression values in sensitive contexts (such as `run` steps) to prevent injection attacks. | ||
| 8. **Avoid `pull_request_target`**: This event runs workflows in the base repository context with elevated permissions. This can enable malicious execution using pull requests from forks. | ||
| 9. **Secure `workflow_run` workflows**: Treat all artifacts, code, and data from triggering workflows as untrusted. Use [branch filters](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#limiting-your-workflow-to-run-based-on-branches) and validate all inputs. | ||
| 10. **Use `head.sha` instead of `head.ref`**: Where possible, reference by commit SHA instead of a user-provided branch name or tag (ref), especially in sensitive contexts (such as `run` steps). If required, use environment variable to store `head.ref` and reference it to prevent injection attack. | ||
| 11. **Use caution with public repositories**: Anyone can suggest changes to public repositories. Review workflow triggers, and never use self-hosted runners with public repositories. | ||
| 12. **Restrict allowed actions**: Use the [*Allow enterprise, and select non-enterprise, actions and reusable workflows*](https://docs.github.com/en/enterprise-cloud@latest/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#controlling-access-to-public-actions-and-reusable-workflows) setting to control which actions can run. | ||
| 13. **Segregate runners**: Use runner groups and labels to separate high-privilege runners from low-privilege runners, and restrict high-privilege runner groups to selected repositories or workflows to reduce exposure to sensitive resources. | ||
|
|
||
| ## Assumptions and preconditions | ||
|
|
||
|
|
@@ -127,7 +128,8 @@ Repository rulesets provide a strong defensive layer that complements workflow-l | |
| - [Require status checks to pass before merging](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-status-checks-to-pass-before-merging): Ensure automated validation checks pass before merging. | ||
| - [Require code scanning results](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-code-scanning-results): Identify security vulnerabilities before merge. | ||
| - [Require signed commits](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-signed-commits): Ensure all commits are signed to prove who authored them and that they haven't been modified. | ||
| - [Require workflows to pass before merging](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-workflows-to-pass-before-merging): Ensure organizational or enterprise-level requirements for workflows are met before merging. This could be a workflow that checks for required labels, validates commit messages, or performs other organizational policy checks. | ||
| - [Restrict bypass permissions](https://docs.github.com/en/code-security/how-tos/secure-your-secrets/manage-bypass-requests): Limit bypass capabilities to emergencies and monitor via audit logs. | ||
|
|
||
| ### Implement least privilege for workflow permissions | ||
|
|
||
|
|
@@ -258,6 +260,18 @@ The [allowed actions and reusable workflows setting](https://docs.github.com/en/ | |
|
|
||
| Consider defining the list of allowed actions using policy as code (e.g., via Terraform or the REST API) to establish a request/approval process, track changes for audit purposes, and improve visibility into which actions are allowed. | ||
|
|
||
| ### Segregate runners | ||
|
|
||
| Use [runner groups](https://docs.github.com/en/actions/concepts/runners/runner-groups) or [labels](https://docs.github.com/en/actions/how-tos/manage-runners/self-hosted-runners/apply-labels) to separate high-privilege runners from low-privilege runners. High-privilege runners may have access to sensitive resources, while low-privilege runners should not. | ||
|
|
||
| This separation provides more granular control over [which repositories can access different runners](https://docs.github.com/en/actions/how-tos/manage-runners/self-hosted-runners/manage-access#changing-which-repositories-can-access-a-runner-group) and which [jobs can access specific runners](https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job). It also reduces the risk that a compromised or misconfigured workflow could gain access to sensitive resources. | ||
|
There was a problem hiding this comment. Can you clarify the "which jobs can access specific runners" ? this cannot be enforced once a repo has access to a given runner (you can restrict which workflows can use the runner but not the jobs) any job can use it. Unless you restrict the workflows that can access a runner if a user can author workflows in a repo which has access to the runner it can use it.
Author
There was a problem hiding this comment. yeah, it's actually workflows but https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#choosing-self-hosted-runners says "To specify a self-hosted runner for your job, configure runs-on in your workflow file with self-hosted runner labels." and "When you combine groups and labels, the runner must meet both requirements to be eligible to run the job." (https://docs.github.com/en/actions/how-tos/manage-runners/self-hosted-runners/use-in-a-workflow#using-labels-and-groups-to-route-jobs). |
||
|
|
||
| For example, you could create: | ||
|
|
||
| - A runner group for container image build runners, limited to only the repositories that require those privileges. | ||
| - A runner group for runners with access to restricted networks. | ||
| - A separate runner group for low-privilege tasks such as linting and static analysis, used in repositories where secrets are either absent entirely or isolated in separate environments. | ||
|
|
||
| ## Additional solution detail and trade-offs to consider | ||
|
|
||
| ### Pinning actions based on a version tag | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.