{"id":18131637,"url":"https://github.com/mrtc0/bouheki-runner-docker","last_synced_at":"2025-04-06T15:29:44.923Z","repository":{"id":84696075,"uuid":"472642162","full_name":"mrtc0/bouheki-runner-docker","owner":"mrtc0","description":null,"archived":false,"fork":false,"pushed_at":"2022-03-22T08:50:28.000Z","size":279,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-01T22:05:35.855Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mrtc0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-03-22T06:34:23.000Z","updated_at":"2022-03-22T13:35:40.000Z","dependencies_parsed_at":"2023-03-02T11:01:04.852Z","dependency_job_id":null,"html_url":"https://github.com/mrtc0/bouheki-runner-docker","commit_stats":{"total_commits":6,"total_committers":1,"mean_commits":6.0,"dds":0.0,"last_synced_commit":"42c202f2c2b8d2ab7c0ba13c59cd102cf91fd307"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrtc0%2Fbouheki-runner-docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrtc0%2Fbouheki-runner-docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrtc0%2Fbouheki-runner-docker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrtc0%2Fbouheki-runner-docker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mrtc0","download_url":"https://codeload.
github.com/mrtc0/bouheki-runner-docker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247502690,"owners_count":20949308,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-01T12:08:23.719Z","updated_at":"2025-04-06T15:29:44.905Z","avatar_url":"https://github.com/mrtc0.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# bouheki-runner\n\n⚠ WIP ⚠\n\nbouheki-runner is a security audit agent for GitHub Actions self-hosted runners that prevents data exfiltration.  \nIt protects against supply chain attacks and other attacks by hijacked dependencies.\n\n## Using bouheki-runner\n\n0. Make sure the self-hosted runner satisfies the conditions for bouheki to work\n\nref. https://blog.ssrf.in/bouheki/getting-started/installation/\n\n1. Add `mrtc0/bouheki-runner` to your GitHub Actions workflow file as the first step.\n\n```yaml\nbouheki:\n  name: \"bouheki\"\n  runs-on: self-hosted\n  steps:\n    - uses: mrtc0/bouheki-runner@master\n      with:\n        allowed-endpoints: '127.0.0.11/32,10.0.2.1/24,rubygems.org'\n        mode: 'block'\n        target: 'container'\n        service_action: 'start'\n```\n\n2. 
Other jobs can use the `needs` option so that they run after the bouheki job.\n\n```yaml\ntest:\n  name: \"test\"\n  runs-on: self-hosted\n  container:\n    image: rubylang/ruby:3.1.1-focal\n  needs: bouheki\n  steps:\n  - name: Checkout repository\n    uses: actions/checkout@v2\n\n  - name: Setup\n    run: bundle install\n\n  - name: Run test\n    run: bundle exec rspec spec\n```\n\n3. Finally, run a cleanup job\n\n```yaml\nbouheki_stop:\n  name: \"stop bouheki\"\n  runs-on: self-hosted\n  if: always()\n  needs: test\n  steps:\n    - name: Stop bouheki\n      run: sudo systemctl stop bouheki\n```\n\n### Full Example\n\n```yaml\nname: \"test\"\n\non:\n  push:\n\njobs:\n  bouheki:\n    name: \"bouheki\"\n    runs-on: self-hosted\n    steps:\n      - uses: mrtc0/bouheki-runner@master\n        with:\n          allowed-endpoints: '127.0.0.11/32,10.0.2.1/24,rubygems.org' # DNS Servers, rubygems.org\n          mode: 'block'\n          target: 'container'\n          service_action: 'start'\n\n  test:\n    name: \"test\"\n    runs-on: self-hosted\n    container:\n      image: rubylang/ruby:3.1.1-focal\n    needs: bouheki\n    steps:\n    - name: Checkout repository\n      uses: actions/checkout@v2\n\n    - name: Setup\n      run: bundle install\n\n  bouheki_stop:\n    name: \"stop bouheki\"\n    runs-on: self-hosted\n    if: always()\n    needs: test\n    steps:\n      - name: Stop bouheki\n        run: sudo systemctl stop bouheki\n\n```\n\nFor example, excluding `rubygems.org` from `allowed-endpoints` will cause `bundle install` to fail.\n\n![Block rubygems.org](misc/block-rubygems.png)\n\nbouheki then logs each connection it blocked.\n\n```json\n$ cat /var/log/bouheki.log\n...\n{\"Action\":\"BLOCKED\",\"Addr\":\"151.101.129.227\",\"Comm\":\"bundle\",\"Hostname\":\"75f2194bbe3e\",\"PID\":32662,\"ParentComm\":\"sh\",\"Port\":443,\"Protocol\":\"UDP\",\"level\":\"info\",\"msg\":\"Traffic is trapped in the 
filter.\",\"time\":\"2022-03-18T15:36:14Z\"}\n{\"Action\":\"BLOCKED\",\"Addr\":\"151.101.65.227\",\"Comm\":\"bundle\",\"Hostname\":\"75f2194bbe3e\",\"PID\":32662,\"ParentComm\":\"sh\",\"Port\":443,\"Protocol\":\"TCP\",\"level\":\"info\",\"msg\":\"Traffic is trapped in the filter.\",\"time\":\"2022-03-18T15:36:14Z\"}\n{\"Action\":\"BLOCKED\",\"Addr\":\"151.101.193.227\",\"Comm\":\"bundle\",\"Hostname\":\"75f2194bbe3e\",\"PID\":32662,\"ParentComm\":\"sh\",\"Port\":443,\"Protocol\":\"TCP\",\"level\":\"info\",\"msg\":\"Traffic is trapped in the filter.\",\"time\":\"2022-03-18T15:36:14Z\"}\n{\"Action\":\"BLOCKED\",\"Addr\":\"151.101.1.227\",\"Comm\":\"bundle\",\"Hostname\":\"75f2194bbe3e\",\"PID\":32662,\"ParentComm\":\"sh\",\"Port\":443,\"Protocol\":\"TCP\",\"level\":\"info\",\"msg\":\"Traffic is trapped in the filter.\",\"time\":\"2022-03-18T15:36:14Z\"}\n{\"Action\":\"BLOCKED\",\"Addr\":\"151.101.129.227\",\"Comm\":\"bundle\",\"Hostname\":\"75f2194bbe3e\",\"PID\":32662,\"ParentComm\":\"sh\",\"Port\":443,\"Protocol\":\"TCP\",\"level\":\"info\",\"msg\":\"Traffic is trapped in the filter.\",\"time\":\"2022-03-18T15:36:14Z\"}\n```\n\n# References\n\n- https://github.com/mrtc0/bouheki\n- https://blog.ssrf.in/bouheki/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrtc0%2Fbouheki-runner-docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmrtc0%2Fbouheki-runner-docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrtc0%2Fbouheki-runner-docker/lists"}