Release v2.4.1 (#309)

README.md

@@ -113,7 +113,7 @@ GitHub-hosted runner uses passwordless sudo for running jobs.
 
 ### 🔔 Get security alerts
 
-Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app) to get security alerts.
+Install the [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) to get security alerts.
 
 - Email and Slack notifications are supported
 - Notifications are sent when outbound traffic is blocked or source code is overwritten
@@ -123,11 +123,11 @@ Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app
 
 Private repositories are supported if they have a commercial license. Check out the [documentation](https://docs.stepsecurity.io/harden-runner/installation/business-enterprise-license) for more details.
 
-Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app) to use Harden-Runner GitHub Action for `Private` repositories.
+Install the [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) to use Harden-Runner GitHub Action for `Private` repositories.
 
 - If you use Harden-Runner GitHub Action in a private repository, the generated insights URL is NOT public.
 - You need to authenticate first to access insights URL for private repository. Only those who have access to the repository can view it.
-- [Harden Runner App](https://github.com/marketplace/harden-runner-app) only needs `actions: read` permissions on your repositories.
+- [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) only needs `actions: read` permissions on your repositories.
 
 Read this [case study on how Kapiche uses Harden Runner](https://www.stepsecurity.io/case-studies/kapiche/) to improve software supply chain security in their open source and private repositories.
 

dist/post/index.js

@@ -61147,24 +61147,119 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
     });
 };
 
+
 function printInfo(web_url) {
     console.log("\x1b[32m%s\x1b[0m", "View security insights and recommended policy at:");
     console.log(`${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`);
 }
+const processLogLine = (line, tableEntries) => {
+    if (line.includes("pid") &&
+        line.includes("process") &&
+        line.includes("domain") &&
+        line.includes("ip address")) {
+        const matches = line.match(/ip address:port ([\d.:]+), domain: ([\w.-]+), pid: (\d+), process: (\w+)/);
+        if (matches) {
+            const [ipAddress, domain, pid, process] = matches.slice(1);
+            // Check if all values are non-empty
+            if (pid && process && domain && ipAddress) {
+                const status = ipAddress.startsWith("54.185.253.63")
+                    ? "❌ Blocked"
+                    : "✅ Allowed";
+                tableEntries.push({ pid, process, domain, ipAddress, status });
+            }
+        }
+    }
+};
 function addSummary() {
     return __awaiter(this, void 0, void 0, function* () {
-        if (process.env.STATE_monitorStatusCode === "200") {
-            const web_url = "https://app.stepsecurity.io";
-            const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
+        if (process.env.STATE_monitorStatusCode !== "200") {
+            return;
+        }
+        const web_url = "https://app.stepsecurity.io";
+        const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
+        const log = "/home/agent/agent.log";
+        if (!external_fs_.existsSync(log)) {
+            return;
+        }
+        let needsSubscription = false;
+        try {
+            let data = external_fs_.readFileSync("/home/agent/annotation.log", "utf8");
+            if (data.includes("StepSecurity Harden Runner is disabled")) {
+                needsSubscription = true;
+            }
+        }
+        catch (err) {
+            //console.error(err);
+        }
+        if (needsSubscription) {
             yield core.summary.addSeparator()
-                .addRaw(`<p><picture>
-          <source media="(prefers-color-scheme: light)" srcset="https://github.com/step-security/harden-runner/raw/main/images/banner.png" width="200">
-          <img alt="Dark Banner" src="https://github.com/step-security/harden-runner/raw/main/images/banner-dark.png" width="200">
-        </picture></p>`, true)
-                .addLink("View security insights and recommended policy", insights_url)
+                .addRaw(`<h2>❌ GitHub Actions Runtime Security is disabled</h2>`);
+            yield core.summary.addRaw(`
+<p>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity in a private repository, but your organization has not signed up for a free trial or a paid subscription.</p>
+<p>To start a free trial, install the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a> or reach out to us via our <a href="https://www.stepsecurity.io/contact">contact form.</a></p>
+`)
                 .addSeparator()
                 .write();
+            return;
         }
+        const content = external_fs_.readFileSync(log, "utf-8");
+        const lines = content.split("\n");
+        let tableEntries = [];
+        for (const line of lines) {
+            processLogLine(line, tableEntries);
+        }
+        if (tableEntries.length === 0) {
+            return;
+        }
+        let insightsRow = `<tr>
+      <td colspan="3" align="center"><a href="${insights_url}">🛡️ Check out the full report and recommended policy at StepSecurity</a></td>
+    </tr>`;
+        yield core.summary.addSeparator().addRaw(`<h2><a href="${insights_url}">StepSecurity Report</a></h2>
+      <h3>GitHub Actions Runtime Security</h3>`);
+        tableEntries.sort((a, b) => {
+            if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
+                return -1;
+            }
+            else if (a.status !== "❌ Blocked" && b.status === "❌ Blocked") {
+                return 1;
+            }
+            else {
+                return 0;
+            }
+        });
+        tableEntries = tableEntries.slice(0, 3);
+        yield core.summary.addRaw(`
+  <h3>🌐 Network Events</h3>
+  <table>
+    <thead>
+      <tr>
+        <th>Process</th>
+        <th>Endpoint</th>
+        <th>Status</th>
+      </tr>
+    </thead>
+    <tbody>
+      ${tableEntries
+            .map((entry) => `<tr>
+          <td>${entry.process}</td>
+          <td>${entry.domain.replace(/\.$/, "")}</td>
+          <td>${entry.status}</td>
+        </tr>`)
+            .join("")}
+      <tr>
+        <td>...</td>
+        <td>...</td>
+        <td>...</td>
+      </tr>
+       ${insightsRow}
+    </tbody>
+  </table>
+`);
+        yield core.summary.addSeparator()
+            .addRaw(`<blockquote>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>. 
+      Harden-Runner is a security agent for GitHub-hosted runners to block egress traffic & detect code overwrite to prevent breaches.</blockquote>`)
+            .addSeparator()
+            .write();
     });
 }
 const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
@@ -61244,7 +61339,6 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
 
 
 
-
 (() => cleanup_awaiter(void 0, void 0, void 0, function* () {
     if (process.platform !== "linux") {
         console.log(UBUNTU_MESSAGE);
@@ -61287,14 +61381,6 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
         var content = external_fs_.readFileSync(status, "utf-8");
         console.log(content);
     }
-    // write annotations
-    var annotationsFile = "/home/agent/annotation.log";
-    if (external_fs_.existsSync(annotationsFile)) {
-        var content = external_fs_.readFileSync(annotationsFile, "utf-8");
-        content.split(/\r?\n/).forEach((line) => {
-            core.error(line);
-        });
-    }
     var disable_sudo = process.env.STATE_disableSudo;
     if (disable_sudo !== "true") {
         var journalLog = external_child_process_.execSync("sudo journalctl -u agent.service", {