{"id":13487065,"url":"https://github.com/dduzgun-security/github-self-hosted-runners","last_synced_at":"2025-04-12T23:04:40.323Z","repository":{"id":45149443,"uuid":"317652671","full_name":"dduzgun-security/github-self-hosted-runners","owner":"dduzgun-security","description":"Guideline of best practices to follow to configure Github Enterprise Cloud self-hosted runners in a secure way.","archived":false,"fork":false,"pushed_at":"2024-02-23T17:55:10.000Z","size":43,"stargazers_count":76,"open_issues_count":0,"forks_count":3,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-10-30T22:39:47.552Z","etag":null,"topics":["github-actions","runner","security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dduzgun-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-12-01T19:56:23.000Z","updated_at":"2024-10-25T16:39:05.000Z","dependencies_parsed_at":"2024-01-16T09:02:57.449Z","dependency_job_id":"daa35a93-63f2-49f5-979d-d684df7fba9d","html_url":"https://github.com/dduzgun-security/github-self-hosted-runners","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dduzgun-security%2Fgithub-self-hosted-runners","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dduzgun-security%2Fgithub-self-hosted-runners/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dduzgun-security%2Fgithub-self-ho
sted-runners/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dduzgun-security%2Fgithub-self-hosted-runners/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dduzgun-security","download_url":"https://codeload.github.com/dduzgun-security/github-self-hosted-runners/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234874639,"owners_count":18900006,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","runner","security"],"created_at":"2024-07-31T18:00:54.958Z","updated_at":"2025-01-20T23:32:20.726Z","avatar_url":"https://github.com/dduzgun-security.png","language":null,"funding_links":[],"categories":["Self-hosted runner security","Purpose"],"sub_categories":["General collection of self-hosted runner best practices"],"readme":"[![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners)\n[![Contributors][contributors-shield]][contributors-url]\n[![Forks][forks-shield]][forks-url]\n[![Stargazers][stars-shield]][stars-url]\n[![Issues][issues-shield]][issues-url]\n[![MIT License][license-shield]][license-url]\n\n\u003c!-- PROJECT LOGO --\u003e\n\u003cbr /\u003e\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/dduzgun-security/github-self-hosted-runners\"\u003e\n    \u003cimg src=\"https://github.blog/wp-content/uploads/2019/08/DL-V2-LinkedIn_FB.png?fit=1200%2C630\" alt=\"Logo\" \u003e\n  \u003c/a\u003e\n\n  \u003ch3 align=\"center\"\u003eGithub 
Self-Hosted Runners Configuration\u003c/h3\u003e\n\n  \u003cp align=\"center\"\u003e\n    Guideline of best practices to follow to use Github Self-Hosted Runners in a secure way.\n    \u003cbr /\u003e\n    \u003cbr /\u003e\n    \u003ca href=\"https://github.com/dduzgun-security/github-self-hosted-runners/issues\"\u003eReport an issue\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/p\u003e\n\n\n## Table of contents\n\n\u003c!--ts--\u003e\n   * [About the project](#about-the-project)\n   * [Confidentiality](#confidentiality)\n      * [Using self-hosted runners only in trusted GitHub Actions](#using-self-hosted-runners-only-in-trusted-github-actions)\n      * [Limit access to self-hosted runners](#limit-access-to-self-hosted-runners)\n      * [Disable forks](#disable-forks)\n      * [Enabling branch protections](#enabling-branch-protections)\n      * [Do not store secrets in the host runner](#do-not-store-secrets-in-the-host-runner)\n      * [Run the self-hosted runner on hardened hosts only](#run-the-self-hosted-runner-on-hardened-hosts-only)\n   * [Integrity](#integrity)\n      * [Use the latest and greatest runner](#use-the-latest-and-greatest-runner)\n   * [Availability](#availability)\n      * [High availability](#high-availability)\n      * [Automatically clear and remove workspaces](#automatically-clear-and-remove-workspaces)\n   * [Authentication](#authentication)\n      * [Secure the authentication token of the self-hosted runner](#secure-the-authentication-token-of-the-self-hosted-runner)\n   * [Authorization](#authorization)\n      * [Only use the technologies you need](#only-use-the-technologies-you-need)\n   * [Audit](#audit)\n   * [Checklist](#checklist)\n   * [Support section](#support-section)\n   * [Contributing](#contributing)\n   * [License](#license)\n   * [Contact](#contact)\n\u003c!--te--\u003e\n\n\u003c!-- ABOUT THE PROJECT --\u003e\n## About the project\nLooking for a guideline to configure your GitHub Self-Hosted Runners in a secure way? 
\n\nHere is a :fire: list of things to do!\n\n\u003c!-- CONFIDENTIALITY --\u003e\n## Confidentiality\n##### Using self-hosted runners only in trusted GitHub Actions\nSelf-hosted runners execute workflow jobs directly on your dedicated host. \nOnly verified GitHub Actions must use self-hosted runners to reduce the risk of a potentially malicious open-source GitHub Action gaining access to our private network.\n\n##### Limit access to self-hosted runners\nRestrict the use of self-hosted runners to specific repositories only.  \nhttps://docs.github.com/en/free-pro-team@latest/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups\n\n##### Disable forks\nDisable forks since forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.\n\n##### Enabling branch protections\nObviously, we don't want anyone to add changes to a GitHub Action. A great way to have more control over your GitHub Actions is to create branch protection on your repositories. Requiring a mandatory approver on every PR reduces the chance of someone force-pushing unreviewed code changes.\n\n##### Do not store secrets in the host runner\nWhen a GitHub Action uses the self-hosted runner, it clones the code in a workdir `_work`.  \nWe must ensure that no secrets (application, system, etc.) are accessible in this folder.\n\n##### Run the self-hosted runner on hardened hosts only\nThe host of the self-hosted runner must be a hardened OS. \nHardening of the OS is the act of configuring an OS securely, updating it, creating rules and policies to help govern the system in a secure manner, and removing unnecessary applications and services. This is done to minimize a computer OS's exposure to threats and to mitigate possible risk.  
\nhttps://www.cisecurity.org/cis-benchmarks/ \n\n\u003c!-- INTEGRITY --\u003e\n## Integrity\n##### Use the latest and greatest runner\nEnsure that the host machine always uses the latest version of the self-hosted runner.  \nhttps://github.com/actions/runner/releases/latest\n\n![image](https://user-images.githubusercontent.com/59659739/100800872-2ffc4c80-33f5-11eb-8ed5-95b3a91d863a.png)\n\n\u003e [!TIP]\n\u003e If it works with your GitHub Actions workflows, consider using a [rootless dind action runner](https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner-dind-rootless) provided by GitHub as a base self-hosted runner image.\n\n\u003c!-- AVAILABILITY --\u003e\n## Availability\n##### High availability\nSince self-hosted runners are essential for workflows that need to reach the internal network of an enterprise, they need to be highly available.  \nhttps://github.com/philips-labs/terraform-aws-github-runner\n\n##### Automatically clear and remove workspaces\nSince the self-hosted runner clones the source code in a workspace, we need to ensure that this workspace doesn't fill up and consume all the available disk space of the host.\n\n\u003c!-- AUTHENTICATION --\u003e\n## Authentication\n##### Secure the authentication token of the self-hosted runner\nThe authentication token used to configure the runner needs to be secured and restricted since it has write-access permissions on the repository.  \nUsing HashiCorp Vault may be a good solution for this.\n\n\u003c!-- AUTHORIZATION --\u003e\n## Authorization\n##### Only use the technologies you need\nKeep the self-hosted runner simple and authorize only the things you need. 
For example, if you don't need npm, don't install it inside the runner.\n\n\u003c!-- AUDIT --\u003e\n## Audit\nhttps://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#auditing-github-actions-events\n\n\u003c!-- CHECKLIST --\u003e\n## Checklist\n - [ ] Using self-hosted runners only in trusted GitHub Actions\n - [ ] Limit access to self-hosted runners\n - [ ] Disable forks\n - [ ] Enabling branch protections\n - [ ] Run the self-hosted runner on hardened hosts only\n - [ ] Use the latest and greatest runner\n - [ ] High Availability\n - [ ] Automatically clear and remove workspaces\n - [ ] Secure the authentication token of the self-hosted runner\n - [ ] Only use the technologies you need\n\n\u003c!-- SUPPORT SECTION --\u003e\n## Support section\n[Github Enterprise Support](https://enterprise.github.com/support) offers very useful assistance with anything you are looking for. :+1:\n\n* [Documentation](https://help.github.com/en)\n* [Request creation](https://enterprise.githubsupport.com/hc/en-us/requests/new)\n\nAlso, GitHub offers [Premium Support](https://help.github.com/en/github/working-with-github-support/about-github-premium-support-for-github-enterprise-cloud) with 24/7 hours of operation.\n\n\u003c!-- CONTRIBUTING --\u003e\n## Contributing\nContributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are **greatly appreciated**.\n\n1. Fork the Project\n2. Create your Feature Branch (`git checkout -b feature/AmazingFeature`)\n3. Commit your Changes (`git add . \u0026\u0026 git commit -m 'Add some AmazingFeature'`)\n4. Push to the Branch (`git push origin feature/AmazingFeature`)\n5. Open a Pull Request\n\n\u003c!-- LICENSE --\u003e\n## License\nDistributed under the MIT License. 
See `LICENSE.txt` for more information.\n\n\u003c!-- CONTACT --\u003e\n## Contact\n[Deniz Onur Duzgun](https://github.com/dduzgun-security)  \n[Maxime Georjon](https://github.com/mxge)  \n[Khalid Nazmus Sakib](https://github.com/knsakibnbc)\n\n\u003c!-- MARKDOWN LINKS \u0026 IMAGES --\u003e\n\u003c!-- https://www.markdownguide.org/basic-syntax/#reference-style-links --\u003e\n[contributors-shield]: https://img.shields.io/github/contributors/dduzgun-security/github-self-hosted-runners.svg?style=flat-square\n[contributors-url]: https://github.com/dduzgun-security/github-self-hosted-runners/graphs/contributors\n[forks-shield]: https://img.shields.io/github/forks/dduzgun-security/github-self-hosted-runners?style=flat-square\n[forks-url]: https://github.com/dduzgun-security/github-self-hosted-runners/network/members\n[stars-shield]: https://img.shields.io/github/stars/dduzgun-security/github-self-hosted-runners.svg?style=flat-square\n[stars-url]: https://github.com/dduzgun-security/github-self-hosted-runners/stargazers\n[issues-shield]: https://img.shields.io/github/issues/dduzgun-security/github-self-hosted-runners.svg?style=flat-square\n[issues-url]: https://github.com/dduzgun-security/github-self-hosted-runners/issues\n[license-shield]: https://img.shields.io/github/license/dduzgun-security/github-self-hosted-runners.svg?style=flat-square\n[license-url]: https://github.com/dduzgun-security/github-self-hosted-runners/blob/master/LICENSE.txt\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdduzgun-security%2Fgithub-self-hosted-runners","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdduzgun-security%2Fgithub-self-hosted-runners","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdduzgun-security%2Fgithub-self-hosted-runners/lists"}