README.md

Github Self-Hosted Runners Configuration

Guideline of best practices to follow to use Github Self-Hosted Runners in a secure way.

Report an issue

Table of contents

• About the project
• Confidentiality
  • Using self-hosted runners only in trusted GitHub Actions
  • Limit access to self-hosted runners
  • Disable forks
  • Enabling branch protections
  • Do not store secrets in the host runner
  • Run the self-hosted runner on hardened hosts only
• Integrity
  • Use the latest and greatest runner
• Availability
  • High availability
  • Automatically clear and remove workspaces
• Authentication
  • Secure the authentication token of the self-hosted runner
• Authorization
  • Only use the technologies you need
• Audit
• Checklist
• Support section
• Contributing
• License
• Contact

About the project

Looking for a guideline to configure your GitHub Self-Hosted Runners in a secure way?

Here is a :fire: list of things to do!

Confidentiality

Using self-hosted runners only in trusted GitHub Actions

Self-hosted runners are using the dedicated host as the runner. Only verified GitHub Actions must use self-hosted runners to reduce the use of a potential malicious open-source GitHub Action that might access our private network.

Limit access to self-hosted runners

Restrict the use of self-hosted runners to specific repositories only.
https://docs.github.com/en/free-pro-team@latest/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups

Disable forks

Disable forks since forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.

Enabling branch protections

Obviously, we don't want anyone to add changes to a GitHub Action. A great way to have more control over your GitHub Actions is to create branch protection on your repositories. Having a mandatory approver to a PR will reduce the chances of someone trying to force push code changed.

Do not store secrets in the host runner

When a GitHub Action uses the self-hosted runner, it clones the code in a workdir _work.
We must ensure that no secrets (application, system, ..) are accessible in this folder.

Run the self-hosted runner on hardened hosts only

The host of the self-hosted runner must be a hardened OS. Hardening of the OS is the act of configuring an OS securely, updating it, creating rules and policies to help govern the system in a secure manner, and removing unnecessary applications and services. This is done to minimize a computer OS's exposure to threats and to mitigate possible risk.
https://www.cisecurity.org/cis-benchmarks/

Integrity

Use the latest and greatest runner

Ensure that the host machine always uses the latest version of the self-hosted runner.
https://github.com/actions/runner/releases/latest

Availability

High availability

Since self-hosted runners are essential to talk with the internal network of an enterprise, they need to be highly available.
https://github.com/philips-labs/terraform-aws-github-runner

Automatically clear and remove workspaces

Since the self-hosted runner clones the source code in a workspace, we need to ensure that this workspace doesn't get overpopulated and consumes all the available space of the host.

Authentication

Secure the authentication token of the self-hosted runner

The authentication token used to configure the runner needs to be secured and restricted since it has write-access permissions on the repository.
Using Hashicorp Vault may be a good solution for this.

Authorization

Only use the technologies you need

Keep the self-hosted runner simple and authorize only the things you need. For example, if you don't need npm don't install it inside the runner.

Audit

https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#auditing-github-actions-events

Checklist

• Using self-hosted runners only in trusted GitHub Actions
• Limit access to self-hosted runners
• Disable forks
• Enabling branch protections
• Run the self-hosted runner on hardened hosts only
• Use the latest and greatest runner
• High Availability
• Automatically clear and remove workspaces
• Secure the authentication token of the self-hosted runner
• Only use the technologies you need

Support section

Github Enterprise Support offers very usefull assistance on everything you search. :+1:

• Documentations
• Request creation

Also, GitHub offers a Premium Support with a 24/7 hours of operation availability time.

Contributing

Contributions are what make the open source community such an amazing place to be learn, inspire, and create. Any contributions you make are greatly appreciated.

1. Fork the Project
2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
3. Commit your Changes (git add . && git commit -m 'Add some AmazingFeature')
4. Push to the Branch (git push origin feature/AmazingFeature)
5. Open a Pull Request

License

Distributed under the MIT License. See LICENSE.txt for more information.

Contact

Deniz Onur Duzgun
Maxime Georjon
Khalid Nazmus Sakib