Merge pull request #416 from step-security/rc-8

Release 2.8.0
step-security · May 22, 2024 · f086349 · f086349
2 parents 9ff9d14 + b9c325d
commit f086349
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -161,6 +161,34 @@ Once allowed endpoints are set in the policy in the workflow file, or in the [Po
   <img src="images/blocked-outbound-call-3.png" alt="Policy recommended by harden-runner" >
 </p>
 
+### 📋 View the name and path of every file written during the build process
+
+> Applies to both GitHub-hosted and self-hosted runners
+
+View the name and path of every file that was written during the build process. This feature is supported with a commercial license.
+
+- Harden-Runner tracks every file written to the GitHub Actions working directory during the build process.
+- In the insights page in the `File Write Events` tab you can see a file explorer view of each file that was written to.
+- Clicking on any file reveals a list of processes that wrote to it, providing complete transparency.
+
+<p align="left">
+  <img src="images/file-write-events.png" alt="View the name and path of every file written during the build process" >
+</p>
+
+### 🔄 View process names and arguments
+
+> Applies to both GitHub-hosted and self-hosted runners
+
+View process names, PIDs, and process arguments. This feature is supported with a commercial license.
+
+- Harden-Runner tracks every process that is run during the build process.
+- Clicking on any file reveals a list of processes that wrote to it.
+- You can walk up the process tree and view process arguments to understand the build process and detect suspicious activity.
+
+<p align="left">
+  <img src="images/process-events-3.png" alt="View process names and arguments" >
+</p>
+
 ### 📁 Detect tampering of source code during build
 
 > Applies to both GitHub-hosted and self-hosted runners

diff --git a/dist/pre/index.js b/dist/pre/index.js
diff --git a/dist/pre/index.js.map b/dist/pre/index.js.map
diff --git a/images/file-write-events.png b/images/file-write-events.png
diff --git a/images/process-events-3.png b/images/process-events-3.png
diff --git a/src/checksum.ts b/src/checksum.ts
@@ -14,7 +14,7 @@ export function verifyChecksum(downloadPath: string, is_tls: boolean) {
 
   if (is_tls) {
     expectedChecksum =
-      "e0cd0f0da1ac48df713acd8c4f0e591274de0f2c251b8526cf956c654f024ec2"; // checksum for tls_agent
+      "846ae66c6cfab958fe61736cec0b58bdb7651b36af04c279405c7114675d7033"; // checksum for tls_agent
   }
 
   if (checksum !== expectedChecksum) {

diff --git a/src/setup.ts b/src/setup.ts
@@ -231,7 +231,7 @@ interface MonitorResponse {
 
     if (await isTLSEnabled(context.repo.owner)) {
       downloadPath = await tc.downloadTool(
-        "https://packages.stepsecurity.io/github-hosted/harden-runner_1.1.3_linux_amd64.tar.gz"
+        "https://packages.stepsecurity.io/github-hosted/harden-runner_1.2.0_linux_amd64.tar.gz"
       );
       verifyChecksum(downloadPath, true); // NOTE: verifying tls_agent's checksum, before extracting
     } else {