🌱 .github: Audit CodeQL egress with harden-runner #1728
Conversation
@ossf/scorecard-maintainers I would like to propose this change. Let me know if someone has a different opinion.
Codecov Report

@@           Coverage Diff           @@
##             main    #1728   +/-   ##
=======================================
  Coverage   57.02%   57.02%
=======================================
  Files          63       63
  Lines        6192     6192
=======================================
  Hits         3531     3531
  Misses       2420     2420
  Partials      241      241
The license for harden-runner is https://github.com/step-security/harden-runner/blob/main/LICENSE
Integration tests success for
Thanks @naveensrinivasan for trying it out. Let me know if you need any help adding it. Note: the Action uses an agent, and the agent also has the same license. https://github.com/step-security/agent/blob/main/LICENSE I am trying to make harden-runner an OSSF project. So do share feedback from using this, as those improvement ideas can be used in the OSSF project, if/when that gets through... Thanks!
LGTM. @justaugustus @laurentsimon for a second opinion.
@naveensrinivasan -- Tweaked the PR title, since we're auditing egress, not blocking yet
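For readers who have not used harden-runner, the following is an added illustration of what the PR's "audit, not block" distinction looks like in a CodeQL workflow; it is example configuration written for this page, not the workflow file from the scorecard repository or from the harden-runner project. The workflow name, trigger branches, `languages: go`, and the `@v2`/`@v4`/`@v3` tags are assumptions; the endpoint list in the commented block form is constructed.

```yaml
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      # Example only (not the repository's workflow). harden-runner is the
      # first step so that the outbound traffic of every later step is
      # observed by its agent. 'audit' records egress and does not block it,
      # which is the mode this PR introduces. Version tag is an assumption;
      # in practice pin to a full commit SHA, as scorecard's Pinned-Dependencies
      # check expects.
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
          # Once an audit run has shown which endpoints the job actually needs,
          # the enforcing form replaces the line above with (constructed list):
          #   egress-policy: block
          #   allowed-endpoints: >
          #     api.github.com:443
          #     github.com:443
          #     proxy.golang.org:443

      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go   # assumption: scorecard is a Go project
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

Starting in `audit` mode is the safe order of operations: a `block` policy with an incomplete `allowed-endpoints` list fails the job, so the audit output is what tells you the list before enforcement is turned on.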
Included harden-runner to restrict egress traffic. (force-pushed from a40b6e9 to 9adb214)
What kind of change does this PR introduce?
Included harden-runner to restrict egress traffic.
What is the current behavior?
What is the new behavior (if this is a feature change)?
Which issue(s) this PR fixes
NONE
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to the release-note