Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/dduzgun-security/github-self-hosted-runners

Guideline of best practices to follow to configure Github Enterprise Cloud self-hosted runners in a secure way.
https://github.com/dduzgun-security/github-self-hosted-runners

github-actions runner security

Last synced: about 1 month ago
JSON representation

Guideline of best practices to follow to configure Github Enterprise Cloud self-hosted runners in a secure way.

Host: GitHub
URL: https://github.com/dduzgun-security/github-self-hosted-runners
Owner: dduzgun-security
License: mit
Created: 2020-12-01T19:56:23.000Z (about 4 years ago)
Default Branch: main
Last Pushed: 2024-02-23T17:55:10.000Z (12 months ago)
Last Synced: 2024-10-30T22:39:47.552Z (4 months ago)
Topics: github-actions, runner, security
Homepage:
Size: 42 KB
Stars: 76
Watchers: 5
Forks: 3
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt

Awesome Lists containing this project

awesome-runners - dduzgun-security/github-self-hosted-runners - hosted runners by yourself. (Purpose / General collection of self-hosted runner best practices)

README

        [![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners)

[![Contributors][contributors-shield]][contributors-url]

[![Forks][forks-shield]][forks-url]

[![Stargazers][stars-shield]][stars-url]

[![Issues][issues-shield]][issues-url]

[![MIT License][license-shield]][license-url]






  

    

  

  
Github Self-Hosted Runners Configuration


  


    Guideline of best practices to follow to use Github Self-Hosted Runners in a secure way.

    


    


    Report an issue

  


## Table of contents

   * [About the project](#about-the-project)

   * [Confidentiality](#confidentiality)

      * [Using self-hosted runners only in trusted GitHub Actions](#using-self-hosted-runners-only-in-trusted-github-actions)

      * [Limit access to self-hosted runners](#limit-access-to-self-hosted-runners)

      * [Disable forks](#disable-forks)

      * [Enabling branch protections](#enabling-branch-protections)

      * [Do not store secrets in the host runner](#do-not-store-secrets-in-the-host-runner)

      * [Run the self-hosted runner on hardened hosts only](#run-the-self-hosted-runner-on-hardened-hosts-only)

   * [Integrity](#integrity)

      * [Use the latest and greatest runner](#use-the-latest-and-greatest-runner)

   * [Availability](#availability)

      * [High availability](#high-availability)

      * [Automatically clear and remove workspaces](#automatically-clear-and-remove-workspaces)

   * [Authentication](#authentication)

      * [Secure the authentication token of the self-hosted runner](#secure-the-authentication-token-of-the-self-hosted-runner)

   * [Authorization](#authorization)

      * [Only use the technologies you need](#only-use-the-technologies-you-need)

   * [Audit](#audit)

   * [Checklist](#checklist)

   * [Support section](#support-section)

   * [Contributing](#contributing)

   * [License](#license)

   * [Contact](#contact)

## About the project

Looking for a guideline to configure your GitHub Self-Hosted Runners in a secure way? 

Here is a :fire: list of things to do!

## Confidentiality

##### Using self-hosted runners only in trusted GitHub Actions

Self-hosted runners are using the dedicated host as the runner. 

Only verified GitHub Actions must use self-hosted runners to reduce the use of a potential malicious open-source GitHub Action that might access our private network.

##### Limit access to self-hosted runners

Restrict the use of self-hosted runners to specific repositories only.  

https://docs.github.com/en/free-pro-team@latest/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups

##### Disable forks

Disable forks since forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.

##### Enabling branch protections

Obviously, we don't want anyone to add changes to a GitHub Action. A great way to have more control over your GitHub Actions is to create branch protection on your repositories. Having a mandatory approver to a PR will reduce the chances of someone trying to force push code changed.

##### Do not store secrets in the host runner

When a GitHub Action uses the self-hosted runner, it clones the code in a workdir `_work`.  

We must ensure that no secrets (application, system, ..) are accessible in this folder.

##### Run the self-hosted runner on hardened hosts only

The host of the self-hosted runner must be a hardened OS. 

Hardening of the OS is the act of configuring an OS securely, updating it, creating rules and policies to help govern the system in a secure manner, and removing unnecessary applications and services. This is done to minimize a computer OS's exposure to threats and to mitigate possible risk.  

https://www.cisecurity.org/cis-benchmarks/ 

## Integrity

##### Use the latest and greatest runner

Ensure that the host machine always uses the latest version of the self-hosted runner.  

https://github.com/actions/runner/releases/latest

![image](https://user-images.githubusercontent.com/59659739/100800872-2ffc4c80-33f5-11eb-8ed5-95b3a91d863a.png)

> [!TIP]

> If it works with your GitHub Actions workflows, consider using a [rootless dind action runner](https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner-dind-rootless) provided by GitHub as a base self-hosted runner image.

## Availability

##### High availability

Since self-hosted runners are essential to talk with the internal network of an enterprise, they need to be highly available.  

https://github.com/philips-labs/terraform-aws-github-runner

##### Automatically clear and remove workspaces

Since the self-hosted runner clones the source code in a workspace, we need to ensure that this workspace doesn't get overpopulated and consumes all the available space of the host.

## Authentication

##### Secure the authentication token of the self-hosted runner

The authentication token used to configure the runner needs to be secured and restricted since it has write-access permissions on the repository.  

Using Hashicorp Vault may be a good solution for this.

## Authorization

##### Only use the technologies you need

Keep the self-hosted runner simple and authorize only the things you need. For example, if you don't need npm don't install it inside the runner.

## Audit

https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#auditing-github-actions-events

## Checklist

 - [ ] Using self-hosted runners only in trusted GitHub Actions

 - [ ] Limit access to self-hosted runners

 - [ ] Disable forks

 - [ ] Enabling branch protections

 - [ ] Run the self-hosted runner on hardened hosts only

 - [ ] Use the latest and greatest runner

 - [ ] High Availability

 - [ ] Automatically clear and remove workspaces

 - [ ] Secure the authentication token of the self-hosted runner

 - [ ] Only use the technologies you need

## Support section

[Github Enterprise Support](https://enterprise.github.com/support) offers very usefull assistance on everything you search. :+1:

* [Documentations](https://help.github.com/en)

* [Request creation](https://enterprise.githubsupport.com/hc/en-us/requests/new)

Also, GitHub offers a [Premium Support](https://help.github.com/en/github/working-with-github-support/about-github-premium-support-for-github-enterprise-cloud) with a 24/7 hours of operation availability time.

## Contributing

Contributions are what make the open source community such an amazing place to be learn, inspire, and create. Any contributions you make are **greatly appreciated**.

1. Fork the Project

2. Create your Feature Branch (`git checkout -b feature/AmazingFeature`)

3. Commit your Changes (`git add . && git commit -m 'Add some AmazingFeature'`)

4. Push to the Branch (`git push origin feature/AmazingFeature`)

5. Open a Pull Request

## License

Distributed under the MIT License. See `LICENSE.txt` for more information.

## Contact

[Deniz Onur Duzgun](https://github.com/dduzgun-security)  

[Maxime Georjon](https://github.com/mxge)  

[Khalid Nazmus Sakib](https://github.com/knsakibnbc)

[contributors-shield]: https://img.shields.io/github/contributors/dduzgun-security/github-self-hosted-runners.svg?style=flat-square

[contributors-url]: https://github.com/dduzgun-security/github-self-hosted-runners/graphs/contributors

[forks-shield]: https://img.shields.io/github/forks/dduzgun-security/github-self-hosted-runners?style=flat-square

[forks-url]: https://github.com/dduzgun-security/github-self-hosted-runners/network/members

[stars-shield]: https://img.shields.io/github/stars/dduzgun-security/github-self-hosted-runners.svg?style=flat-square

[stars-url]: https://github.com/dduzgun-security/github-self-hosted-runners/stargazers

[issues-shield]: https://img.shields.io/github/issues/dduzgun-security/github-self-hosted-runners.svg?style=flat-square

[issues-url]: https://github.com/dduzgun-security/github-self-hosted-runners/issues

[license-shield]: https://img.shields.io/github/license/dduzgun-security/github-self-hosted-runners.svg?style=flat-square

[license-url]: https://github.com/dduzgun-security/github-self-hosted-runners/blob/master/LICENSE.txt