Release v2.4.0 (#292)

README.md

@@ -15,11 +15,11 @@
 
 ---
 
-Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to
+🔒 Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to
 
-1. Prevent exfiltration of credentials
-2. Detect tampering of source code during build
-3. Detect compromised dependencies and build tools
+1. Prevent exfiltration of credentials 🔑
+2. Detect tampering of source code during build 🕵️
+3. Detect compromised dependencies and build tools 🚨
 
 
 <p align="center">
@@ -77,19 +77,20 @@ For details, check out the documentation at https://docs.stepsecurity.io
   <img src="images/main-screenshot1.png" alt="Policy recommended by harden-runner">
 </p>
 
-### Restrict egress traffic to allowed endpoints
+### 🚦 Restrict egress traffic to allowed endpoints
 
 Once allowed endpoints are set in the policy in the workflow file, or in the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store)
 
 - Harden-Runner blocks egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4).
 - It blocks DNS exfiltration, where attacker tries to send data out using DNS resolution
 - Blocks outbound traffic using IP tables
+- Wildcard domains are supported, e.g. you can add `*.data.mcr.microsoft.com:443` to the allowed list, and egress traffic will be allowed to `eastus.data.mcr.microsoft.com:443` and `westus.data.mcr.microsoft.com:443`. 
 
 <p align="left">
   <img src="images/block-outbound-call.png" alt="Policy recommended by harden-runner" >
 </p>
 
-### Detect tampering of source code during build
+### 🕵️ Detect tampering of source code during build
 
 Harden-Runner monitors file writes and can detect if a file is overwritten.
 
@@ -101,7 +102,7 @@ Harden-Runner monitors file writes and can detect if a file is overwritten.
   <img src="images/fileoverwrite.png" alt="Policy recommended by harden-runner" >
 </p>
 
-### Run your job without sudo access
+### 🚫 Run your job without sudo access
 
 GitHub-hosted runner uses passwordless sudo for running jobs.
 
@@ -110,7 +111,7 @@ GitHub-hosted runner uses passwordless sudo for running jobs.
   recommendation to disable sudo in the insights page
 - When you set `disable-sudo` to `true`, the job steps run without sudo access to the Ubuntu VM
 
-### Get security alerts
+### 🔔 Get security alerts
 
 Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app) to get security alerts.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "step-security-harden-runner",
-  "version": "2.3.1",
+  "version": "2.4.0",
   "description": "Security agent for GitHub-hosted runner to monitor the build process",
   "main": "index.js",
   "scripts": {

src/checksum.ts

@@ -10,7 +10,7 @@ export function verifyChecksum(downloadPath: string) {
     .digest("hex"); // checksum of downloaded file
 
   const expectedChecksum: string =
-    "10fd5587cfeba6aac4125be78ee32f60d5e780de10929f454525670c4c16935d"; // checksum for v0.12.2
+    "a1e79e4d7323a63a845c446b9a964a772b0ab7dff9fc94f8a1d10e901f2acde1"; // checksum for v0.13.2
 
   if (checksum !== expectedChecksum) {
     core.setFailed(

src/setup.ts

@@ -145,7 +145,7 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
     let auth = `token ${token}`;
 
     const downloadPath: string = await tc.downloadTool(
-      "https://github.com/step-security/agent/releases/download/v0.12.2/agent_0.12.2_linux_amd64.tar.gz",
+      "https://github.com/step-security/agent/releases/download/v0.13.2/agent_0.13.2_linux_amd64.tar.gz",
       undefined,
       auth
     );