Update tutorials (#151)
varunsh-coder authored Sep 23, 2023
1 parent 73ed74a commit 1adb8fc
Showing 38 changed files with 446 additions and 379 deletions.
32 changes: 24 additions & 8 deletions .github/workflows/arc-codecov-simulation.yml
@@ -1,9 +1,9 @@
name: 3. ARC Codecov Simulation
name: "ARC: Network Filtering with Harden-Runner"
on:
workflow_dispatch:

jobs:
arc-codecov-simulation:
build:
runs-on: self-hosted
steps:
- name: Harden Runner
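Review bot: the rename in this hunk drops the "3." ordering prefix the old tutorial name carried, and the other ARC workflows in this commit lose "1.", "2." and "4." the same way, so any page that orders the tutorials by those numbers or links a workflow by its old name needs updating. Only one README table row is touched in this diff, so confirm the tutorial pages under docs/ were covered as well.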
Expand All @@ -12,10 +12,26 @@ jobs:
egress-policy: block
allowed-endpoints: >
api.github.com:443
*.docker.io:443
ghcr.io:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
production.cloudflare.docker.com:443
registry.npmjs.org:443
- uses: actions/checkout@v3

# Codecov Scenario: Exfiltrate data to attacker's endpoint
- name: Data Exfiltration To Attacker Controller Endpoint
run: curl pastebin.com -L
- uses: actions/setup-node@v3
with:
node-version: 18
- name: npm install
run: |
cd ./src/exfiltration-demo
npm install
- name: Publish to Registry
uses: elgohr/Publish-Docker-Github-Action@v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
workdir: ./src/exfiltration-demo
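Review bot: removing the explicit `curl pastebin.com -L` step leaves this workflow with no visible egress attempt; the "Network Filtering" outcome now depends entirely on what `npm install` in `src/exfiltration-demo` does, and that directory is not part of this diff. A one-line comment in the workflow pointing at the package that makes the blocked connection would keep the tutorial readable on its own. Separately, `elgohr/Publish-Docker-Github-Action@v5` is a third-party action referenced by a mutable tag; for a repository whose README cites the CISA/NSA CI/CD hardening guide, pinning it to a full commit SHA would be consistent with that advice.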
4 changes: 2 additions & 2 deletions .github/workflows/arc-secure-by-default.yml
@@ -1,7 +1,7 @@
name: 2. Secure-By-Default ARC Cluster-Level Policy
name: "ARC: Secure-By-Default Cluster-Level Policy"
on:
workflow_dispatch:

jobs:
direct-ip-hosted:
runs-on: ubuntu-latest
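Review bot: the job shown in this hunk, `direct-ip-hosted`, has `runs-on: ubuntu-latest`, so it executes on a GitHub-hosted runner even though the workflow is now titled "ARC: Secure-By-Default Cluster-Level Policy". If the point is to contrast a hosted job with the ARC cluster-level policy, say so in the job name or a comment; otherwise it should be `runs-on: self-hosted` like the other ARC workflows in this commit.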
22 changes: 15 additions & 7 deletions .github/workflows/arc-solarwinds-simulation.yml
@@ -1,4 +1,4 @@
name: 4. ARC SolarWinds Simulation
name: "ARC: File Monitoring with Harden-Runner"
on:
workflow_dispatch:

Expand All @@ -7,10 +7,18 @@ jobs:
runs-on: self-hosted
steps:
- uses: actions/checkout@v3

# SolarWinds Scenario: Overwrite calc.go to inject backdoor
- name: File Overwrite with mv
- uses: actions/setup-node@v3
with:
node-version: 18
- name: npm install
run: |
code='package main\n\nfunc main(){\nprintln("code added")\n}'
printf "$code" > calc1.go
mv calc1.go calc.go
cd ./src/backdoor-demo
npm install
- name: Publish to Registry
uses: elgohr/Publish-Docker-Github-Action@v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
workdir: ./src/backdoor-demo
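Review bot: the `steps:` list in this hunk opens with `actions/checkout@v3` and contains no `step-security/harden-runner` step, unlike `hosted-file-monitor-with-hr.yml` in the same commit, so a reader cannot tell from the file where the file monitoring comes from. If it relies on a cluster-wide Harden-Runner install on the ARC runners, a comment saying so would help. Note also that `calc.go` and `calc_test.go` are deleted in this commit, so the tampered file is now whatever `npm install` in `src/backdoor-demo` touches, and the workflow no longer documents that.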
26 changes: 18 additions & 8 deletions .github/workflows/arc-zero-effort-observability.yml
@@ -1,14 +1,24 @@
name: 1. Zero-effort Observability
name: "ARC: Zero-effort Observability"
on:
workflow_dispatch:

jobs:
observability:
build:
runs-on: self-hosted
permissions:
contents: read
steps:
- uses: actions/checkout@v2

- name: Build Docker image
run: docker build .
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 18
- name: npm install
run: |
cd ./src/exfiltration-demo
npm install
- name: Publish to Registry
uses: elgohr/Publish-Docker-Github-Action@v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
workdir: ./src/exfiltration-demo
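Review bot: the job keeps `permissions: contents: read` but now pushes to ghcr.io through `elgohr/Publish-Docker-Github-Action@v5` with `password: ${{ secrets.GITHUB_TOKEN }}`. A job-level `permissions:` block that lists only `contents: read` sets every other scope, including `packages`, to none, so the push with GITHUB_TOKEN should be rejected. Add `packages: write` alongside `contents: read`, which is the least-privilege shape README row 4 recommends.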
20 changes: 0 additions & 20 deletions .github/workflows/ci.yml

This file was deleted.

24 changes: 24 additions & 0 deletions .github/workflows/hosted-file-monitor-with-hr.yml
@@ -0,0 +1,24 @@
name: "Hosted: File Monitoring with Harden-Runner"
on:
workflow_dispatch:

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v3
- name: npm install
run: |
cd ./src/backdoor-demo
npm install
- name: Publish to Registry
uses: elgohr/Publish-Docker-Github-Action@v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
workdir: ./src/backdoor-demo
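Review bot: every workflow added or changed in this commit publishes to the same tag, `${{ github.repository }}/prod:latest`; this one builds `src/backdoor-demo` while the network workflows build `src/exfiltration-demo`. Whichever demo was dispatched last overwrites `prod:latest`, so a backdoored build replaces the image from a clean run. Give each demo its own image name or tag (for example derived from `${{ github.workflow }}`) so the tutorials do not clobber each other.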
21 changes: 21 additions & 0 deletions .github/workflows/hosted-file-monitor-without-hr.yml
@@ -0,0 +1,21 @@
name: "Hosted: File Monitoring without Harden-Runner"
on:
workflow_dispatch:

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: npm install
run: |
cd ./src/backdoor-demo
npm install
- name: Publish to Registry
uses: elgohr/Publish-Docker-Github-Action@v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
workdir: ./src/backdoor-demo
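Review bot: this job has no `permissions:` block, so the GITHUB_TOKEN passed as `password:` receives whatever default the repository setting grants, which may be the full write set. Since README row 4 in this same commit recommends least-privilege GITHUB_TOKEN permissions, add `permissions:` with `contents: read` and `packages: write` here (and in the other hosted workflows that lack it).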
30 changes: 30 additions & 0 deletions .github/workflows/hosted-network-filtering-hr.yml
@@ -0,0 +1,30 @@
name: "Hosted: Network Filtering with Harden-Runner"
on:
workflow_dispatch:

jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
ghcr.io:443
github.com:443
registry.npmjs.org:443
- uses: actions/checkout@v3
- name: npm install
run: |
cd ./src/exfiltration-demo
npm install
- name: Publish to Registry
uses: elgohr/Publish-Docker-Github-Action@v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
workdir: ./src/exfiltration-demo
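Review bot: `allowed-endpoints` here lists only `ghcr.io:443`, `github.com:443` and `registry.npmjs.org:443`, whereas the ARC counterpart in this commit also allows `api.github.com:443`, `*.docker.io:443`, `production.cloudflare.docker.com:443` and `nodejs.org:443`. If the Docker build pulls a base image from Docker Hub, the hosted variant will block that pull rather than only the exfiltration attempt; either confirm the Dockerfile's base image is reachable through the listed endpoints or document which blocked connection the tutorial expects readers to see.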
24 changes: 24 additions & 0 deletions .github/workflows/hosted-network-monitoring-hr.yml
@@ -0,0 +1,24 @@
name: "Hosted: Network Monitoring with Harden-Runner"
on:
workflow_dispatch:

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v3
- name: npm install
run: |
cd ./src/exfiltration-demo
npm install
- name: Publish to Registry
uses: elgohr/Publish-Docker-Github-Action@v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
workdir: ./src/exfiltration-demo
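Review bot: the Harden-Runner step in this hunk has no `name:`, while `hosted-network-filtering-hr.yml` labels its step `Harden Runner`; the tutorials point readers at the step's log output, so give it the same name here. `egress-policy: audit` records outbound calls without blocking them, which is what a monitoring demo wants, but nothing in the file says so; a short comment stating that this variant blocks nothing would prevent confusion with the filtering variant.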
21 changes: 21 additions & 0 deletions .github/workflows/hosted-network-without-hr.yml
@@ -0,0 +1,21 @@
name: "Hosted: Network Monitoring without Harden-Runner"
on:
workflow_dispatch:

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: npm install
run: |
cd ./src/exfiltration-demo
npm install
- name: Publish to Registry
uses: elgohr/Publish-Docker-Github-Action@v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
workdir: ./src/exfiltration-demo
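Review bot: the file name `hosted-network-without-hr.yml` does not follow the pattern of its siblings added in this commit (`hosted-network-monitoring-hr.yml`, `hosted-file-monitor-with-hr.yml`, `hosted-file-monitor-without-hr.yml`); renaming it to `hosted-network-monitoring-without-hr.yml` keeps the with/without pairs adjacent in the workflow list and in the Actions UI.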
13 changes: 0 additions & 13 deletions .github/workflows/npm.yml

This file was deleted.

10 changes: 7 additions & 3 deletions .github/workflows/publish.yml
@@ -1,8 +1,7 @@
name: Publish Docker
name: Puzzle
on:
workflow_dispatch:
push:


jobs:
build:
runs-on: ubuntu-latest
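Review bot: the workflow is renamed from "Publish Docker" to "Puzzle", which says nothing about what it does, and the `push:` trigger is removed so it now runs only on `workflow_dispatch`. If the name is deliberate for a challenge-style tutorial, a comment at the top of the file explaining that intent would help; otherwise keep a descriptive name consistent with the "Hosted:" and "ARC:" prefixes used elsewhere in this commit.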
Expand All @@ -11,10 +10,15 @@ jobs:
with:
egress-policy: audit
- uses: actions/checkout@v3
- name: npm install
run: |
cd ./src/exfiltration-demo
npm install
- name: Publish to Registry
uses: elgohr/Publish-Docker-Github-Action@v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
workdir: ./src/exfiltration-demo
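Review bot: the `npm install` step uses `cd ./src/exfiltration-demo` inside a multi-line `run:` script; GitHub Actions provides `working-directory:` on a step for exactly this, which keeps `run: npm install` on one line (the same pattern appears in every workflow touched by this commit). The `workdir:` input already passed to the publish step is the equivalent for that action, so the two steps would then read consistently.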
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -71,7 +71,7 @@ GitHub Actions Goat not only demonstrates vulnerabilities but also presents solu

| No. | Vulnerability | Countermeasure | References |
| --- | -------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1. | Lack of Network Traffic Filtering can lead to Exfiltration of CI/CD Credentials | [GitHub Actions Runtime Security - Filter Network Traffic](docs/Solutions/RestrictOutboundTraffic.md) | ["Implement network segmentation and traffic filtering" in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 1. | Lack of Network Traffic Filtering can lead to Exfiltration of source code and CI/CD Credentials | [GitHub Actions Runtime Security - Filter Network Traffic](docs/Solutions/RestrictOutboundTraffic.md) | ["Implement network segmentation and traffic filtering" in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 2. | Lack of CI/CD Runtime Security can lead to Tampering of Source Code or Artifacts during Build | [GitHub Actions Runtime Security - Detect File Tampering](docs/Solutions/MonitorSourceCode.md) | ["Implement endpoint detection and response (EDR) tools" in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 3. | Lack of Detailed Audit Logs for CI/CD Activities | [Trace deployments to CI/CD pipeline and commit](docs/Solutions/Provenance.md) | ["Keep audit logs" section in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 4. | Overprivileged GITHUB_TOKEN Permissions can lead to tampering of repository contents or container images | [Update workflows to use least privileged GITHUB_TOKEN permissions](docs/Solutions/FixGITHUB_TOKENPermissions.md) | ["Use credentials that are minimally scoped" in GitHub's Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets) |
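Review bot: row 1 of the table now reads "Exfiltration of source code and CI/CD Credentials", matching the renamed network workflows, but row 2 still describes file tampering in general terms while this commit deletes `calc.go` and `calc_test.go` and moves the demo to `src/backdoor-demo`; check the rest of README.md and the linked `docs/Solutions/MonitorSourceCode.md` (outside this hunk) for references to the deleted files.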
12 changes: 0 additions & 12 deletions calc.go

This file was deleted.

9 changes: 0 additions & 9 deletions calc_test.go

This file was deleted.
