diff --git a/.github/workflows/PRTargetWorkflow.yml b/.github/workflows/PRTargetWorkflow.yml index 8bf0debd9..d91e2a73f 100644 --- a/.github/workflows/PRTargetWorkflow.yml +++ b/.github/workflows/PRTargetWorkflow.yml @@ -7,11 +7,19 @@ on: - synchronize - reopened +permissions: + contents: read + jobs: pr-target-check: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - name: Check out code uses: actions/checkout@v4 diff --git a/.github/workflows/anomalous-outbound-calls.yaml b/.github/workflows/anomalous-outbound-calls.yaml index 2e87a976c..a08021b2d 100644 --- a/.github/workflows/anomalous-outbound-calls.yaml +++ b/.github/workflows/anomalous-outbound-calls.yaml @@ -1,13 +1,16 @@ name: Anomalous Outbound Calls on: workflow_dispatch: +permissions: + contents: read + jobs: unexpected-outbound-calls: name: AnomalousOutboundCalls runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: egress-policy: audit - run: "curl https://pastebin.com -L || true" diff --git a/.github/workflows/arc-codecov-simulation.yml b/.github/workflows/arc-codecov-simulation.yml index dd1ab7dc9..141f90a8d 100644 --- a/.github/workflows/arc-codecov-simulation.yml +++ b/.github/workflows/arc-codecov-simulation.yml @@ -7,7 +7,7 @@ jobs: runs-on: self-hosted steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: egress-policy: block allowed-endpoints: 
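Review bot: `actions/checkout@v4` on the last line of this hunk is still a mutable tag while every third-party action in the commit is moved to a full commit SHA; the same is true of `actions/checkout@v3` and `actions/setup-node@v3` in the arc-*, hosted-* and self-hosted-* workflows and of `actions/checkout@v4` in toc-tou.yml. GitHub-owned actions are lower risk than third-party ones, but the pin-by-SHA policy this commit introduces is only as strong as its least-pinned step, so `uses: actions/checkout@<commit-sha> # v4` keeps the policy uniform and lets automated pin checkers pass cleanly. The harden-runner step is correctly placed first, so the checkout's own egress is inside the audited window. The rest of this job is outside the hunk.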
> @@ -28,7 +28,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/arc-secure-by-default.yml b/.github/workflows/arc-secure-by-default.yml index 96a7098dc..df166412d 100644 --- a/.github/workflows/arc-secure-by-default.yml +++ b/.github/workflows/arc-secure-by-default.yml @@ -2,10 +2,18 @@ name: "ARC: Secure-By-Default Cluster-Level Policy" on: workflow_dispatch: +permissions: + contents: read + jobs: direct-ip-hosted: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 # Codecov Scenario: Exfiltrate data to attacker's IP address @@ -14,6 +22,11 @@ jobs: direct-ip-arc: runs-on: self-hosted steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 # Codecov Scenario: Exfiltrate data to attacker's IP address diff --git a/.github/workflows/arc-solarwinds-simulation.yml b/.github/workflows/arc-solarwinds-simulation.yml index 72ce7c177..eb972c117 100644 --- a/.github/workflows/arc-solarwinds-simulation.yml +++ b/.github/workflows/arc-solarwinds-simulation.yml @@ -6,6 +6,11 @@ jobs: arc-solarwinds-simulation: runs-on: self-hosted steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: 
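Review bot: The annotation `# v5` beside the new SHA for elgohr/Publish-Docker-Github-Action names a floating major tag, not the release the hash was taken from, so a reviewer or an update bot cannot tell which release is pinned or whether the comment still matches the hash. The same applies to every other `# v5` pin of this action in the commit and to `madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest` in hosted-file-monitor-with-hr.yml, hosted-file-monitor-without-hr.yml and hosted-network-filtering-hr.yml, where `# latest` records nothing auditable at all. Record the concrete tag instead, e.g. `uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5.<minor>.<patch>` filled in from the upstream release that carries this commit. The registry credentials this step consumes are outside the hunk.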
@@ -15,7 +20,7 @@ jobs: cd ./src/backdoor-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/arc-zero-effort-observability.yml b/.github/workflows/arc-zero-effort-observability.yml index 5cb8daacc..f1a75e4e1 100644 --- a/.github/workflows/arc-zero-effort-observability.yml +++ b/.github/workflows/arc-zero-effort-observability.yml @@ -6,6 +6,11 @@ jobs: build: runs-on: self-hosted steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: @@ -15,7 +20,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/baseline_checks.yml b/.github/workflows/baseline_checks.yml index 06fc0bc75..a4b3e2258 100644 --- a/.github/workflows/baseline_checks.yml +++ b/.github/workflows/baseline_checks.yml @@ -7,11 +7,11 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@int-sh + - uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit - - uses: crazy-max/ghaction-github-status@v4 + - uses: crazy-max/ghaction-github-status@6aadd1a8de5ca43c8e17a0633ef90e2178da5228 # v4.1.0 - uses: actions/checkout@v3 
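Review bot: The harden-runner pin in baseline_checks.yml is `668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh`, a commit labelled with a branch name, while every other workflow in this commit pins `4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0`. A branch-built commit has no release tag or notes to audit against and will be skipped by update tooling that keys on the version comment, so it drifts silently from the rest of the repository. Unless this demo depends on something only on that branch, use the release pin `- uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0`; if it does, add a one-line comment above the step saying why the branch build is required.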
@@ -22,12 +22,12 @@ jobs: - name: get-npm-version id: package-version - uses: martinbeentjes/npm-get-version-action@v1.3.1 + uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1 with: path: src/exfiltration-demo - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/block-dns-exfiltration.yaml b/.github/workflows/block-dns-exfiltration.yaml index 767d5d981..80f1a5fc3 100644 --- a/.github/workflows/block-dns-exfiltration.yaml +++ b/.github/workflows/block-dns-exfiltration.yaml @@ -1,13 +1,16 @@ name: Block DNS Exfiltration With Harden-Runner on: workflow_dispatch: +permissions: + contents: read + jobs: build: name: Deploy runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: egress-policy: block allowed-endpoints: | diff --git a/.github/workflows/changed-files-vulnerability-with-hr.yml b/.github/workflows/changed-files-vulnerability-with-hr.yml index d8ed7379f..f6eaed095 100644 --- a/.github/workflows/changed-files-vulnerability-with-hr.yml +++ b/.github/workflows/changed-files-vulnerability-with-hr.yml @@ -15,7 +15,7 @@ jobs: name: Test changed-files steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: block @@ -29,7 +29,7 @@ jobs: # Example 1 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v40 + uses: tj-actions/changed-files@af292f1e845a0377b596972698a8598734eb2796 # v40.0.0 - name: List all changed files run: | 
diff --git a/.github/workflows/changed-files-vulnerability-without-hr.yml b/.github/workflows/changed-files-vulnerability-without-hr.yml index 4b74464f1..19d45ee13 100644 --- a/.github/workflows/changed-files-vulnerability-without-hr.yml +++ b/.github/workflows/changed-files-vulnerability-without-hr.yml @@ -14,6 +14,11 @@ jobs: runs-on: ubuntu-latest name: Test changed-files steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - uses: actions/checkout@v4 with: fetch-depth: 0 @@ -21,7 +26,7 @@ jobs: # Example 1 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v40 + uses: tj-actions/changed-files@af292f1e845a0377b596972698a8598734eb2796 # v40.0.0 - name: List all changed files run: | diff --git a/.github/workflows/hosted-file-monitor-with-hr.yml b/.github/workflows/hosted-file-monitor-with-hr.yml index eeb3b63f6..c280e0640 100644 --- a/.github/workflows/hosted-file-monitor-with-hr.yml +++ b/.github/workflows/hosted-file-monitor-with-hr.yml @@ -6,7 +6,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: egress-policy: audit @@ -17,13 +17,13 @@ jobs: cd ./src/backdoor-demo npm install - - uses: madhead/semver-utils@latest + - uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest id: version with: version: 1.2.3 - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/hosted-file-monitor-without-hr.yml b/.github/workflows/hosted-file-monitor-without-hr.yml index a673fca8c..6286ac93d 100644 --- a/.github/workflows/hosted-file-monitor-without-hr.yml 
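Review bot: This hunk inserts a harden-runner step into changed-files-vulnerability-without-hr.yml, whose name suggests it is the control workflow that runs without Harden-Runner; hosted-file-monitor-without-hr.yml and hosted-network-without-hr.yml receive the same insertion. Audit mode blocks nothing, but the job is now instrumented, so a with-hr versus without-hr comparison no longer shows an unprotected baseline. If the intent is to keep the controls unprotected, drop the step from these three files; if the intent is to instrument everything, document it so the file name stops promising the opposite, e.g. `# NOTE: audit-only Harden-Runner added for visibility; "without-hr" means no egress block policy`.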
+++ b/.github/workflows/hosted-file-monitor-without-hr.yml @@ -6,6 +6,11 @@ jobs: build: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 - name: npm install @@ -13,13 +18,13 @@ jobs: cd ./src/backdoor-demo npm install - - uses: madhead/semver-utils@latest + - uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest id: version with: version: 1.2.3 - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/hosted-https-monitoring-hr.yml b/.github/workflows/hosted-https-monitoring-hr.yml index 379884875..b49999d83 100644 --- a/.github/workflows/hosted-https-monitoring-hr.yml +++ b/.github/workflows/hosted-https-monitoring-hr.yml @@ -2,17 +2,23 @@ name: "Hosted: HTTPS Monitoring with Harden-Runner" on: workflow_dispatch: +permissions: + contents: read + jobs: build: + permissions: + contents: read # for JasonEtco/create-an-issue to read template files + issues: write # for JasonEtco/create-an-issue to create new issues runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: egress-policy: audit - uses: actions/checkout@v3 - - uses: JasonEtco/create-an-issue@v2 + - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/hosted-network-filtering-hr.yml b/.github/workflows/hosted-network-filtering-hr.yml index 7dd7dcbfa..2a44b37aa 100644 --- a/.github/workflows/hosted-network-filtering-hr.yml +++ b/.github/workflows/hosted-network-filtering-hr.yml 
@@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: block @@ -17,7 +17,7 @@ jobs: registry.npmjs.org:443 www.githubstatus.com:443 - - uses: crazy-max/ghaction-github-status@v4 + - uses: crazy-max/ghaction-github-status@6aadd1a8de5ca43c8e17a0633ef90e2178da5228 # v4.1.0 - uses: actions/checkout@v3 @@ -28,17 +28,17 @@ jobs: - name: get-npm-version id: package-version - uses: martinbeentjes/npm-get-version-action@v1.3.1 + uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1 with: path: src/exfiltration-demo - - uses: madhead/semver-utils@latest + - uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest id: version with: version: 1.2.3 - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/hosted-network-monitoring-hr.yml b/.github/workflows/hosted-network-monitoring-hr.yml index 0aa554773..1917a83a3 100644 --- a/.github/workflows/hosted-network-monitoring-hr.yml +++ b/.github/workflows/hosted-network-monitoring-hr.yml @@ -10,7 +10,7 @@ jobs: with: egress-policy: audit - - uses: crazy-max/ghaction-github-status@v4 + - uses: crazy-max/ghaction-github-status@6aadd1a8de5ca43c8e17a0633ef90e2178da5228 # v4.1.0 - uses: actions/checkout@v3 
@@ -21,12 +21,12 @@ jobs: - name: get-npm-version id: package-version - uses: martinbeentjes/npm-get-version-action@v1.3.1 + uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1 with: path: src/exfiltration-demo - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/hosted-network-without-hr.yml b/.github/workflows/hosted-network-without-hr.yml index 3533b8c72..d0c371a82 100644 --- a/.github/workflows/hosted-network-without-hr.yml +++ b/.github/workflows/hosted-network-without-hr.yml @@ -6,7 +6,12 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: crazy-max/ghaction-github-status@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + + - uses: crazy-max/ghaction-github-status@6aadd1a8de5ca43c8e17a0633ef90e2178da5228 # v4.1.0 - uses: actions/checkout@v3 @@ -17,12 +22,12 @@ jobs: - name: get-npm-version id: package-version - uses: martinbeentjes/npm-get-version-action@v1.3.1 + uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1 with: path: src/exfiltration-demo - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f42852631..d8d4b71f9 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -6,7 +6,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: egress-policy: audit - uses: actions/checkout@v3 @@ -15,7 +15,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/secret-in-build-log.yml b/.github/workflows/secret-in-build-log.yml index 847c1ca10..51f9f2431 100644 --- a/.github/workflows/secret-in-build-log.yml +++ b/.github/workflows/secret-in-build-log.yml @@ -3,6 +3,9 @@ name: Secret in Build Log on: workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -11,7 +14,7 @@ jobs: - uses: actions/checkout@v3 - name: harden-runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: egress-policy: audit diff --git a/.github/workflows/self-hosted-file-monitor-with-hr.yml b/.github/workflows/self-hosted-file-monitor-with-hr.yml index a53608566..13e7503ae 100644 --- a/.github/workflows/self-hosted-file-monitor-with-hr.yml +++ b/.github/workflows/self-hosted-file-monitor-with-hr.yml @@ -6,6 +6,11 @@ jobs: build: runs-on: [self-hosted, ec2] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: 
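Review bot: In secret-in-build-log.yml the `harden-runner` step comes after `- uses: actions/checkout@v3`, so whatever the checkout does on the network and on disk happens before the agent is installed and falls outside the audited window; the commit pins the action but leaves this order unchanged. Every other workflow in the commit places harden-runner first, and the second hunk of hosted-network-monitoring-hr.yml shows the intended shape. Move the harden-runner block to the top of `steps:` and pin the checkout while there: `- uses: actions/checkout@<commit-sha> # v3` placed after it. The remaining steps of this job are outside the hunk.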
@@ -15,7 +20,7 @@ jobs: cd ./src/backdoor-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/self-hosted-network-filtering-hr.yml b/.github/workflows/self-hosted-network-filtering-hr.yml index 815f293ea..5787a8b0c 100644 --- a/.github/workflows/self-hosted-network-filtering-hr.yml +++ b/.github/workflows/self-hosted-network-filtering-hr.yml @@ -7,7 +7,7 @@ jobs: runs-on: [self-hosted, ec2] steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: egress-policy: block allowed-endpoints: > @@ -24,7 +24,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/self-hosted-network-monitoring-hr.yml b/.github/workflows/self-hosted-network-monitoring-hr.yml index 5f0ba2320..9a182b88e 100644 --- a/.github/workflows/self-hosted-network-monitoring-hr.yml +++ b/.github/workflows/self-hosted-network-monitoring-hr.yml @@ -6,6 +6,11 @@ jobs: build: runs-on: [self-hosted, ec2] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: 
@@ -15,7 +20,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/tj-actions-changed-files-incident.yaml b/.github/workflows/tj-actions-changed-files-incident.yaml index 7426c56fb..d2317037c 100644 --- a/.github/workflows/tj-actions-changed-files-incident.yaml +++ b/.github/workflows/tj-actions-changed-files-incident.yaml @@ -14,7 +14,7 @@ jobs: name: Test changed-files steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: disable-sudo: true egress-policy: audit @@ -26,7 +26,7 @@ jobs: # Example 1 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v35 + uses: tj-actions/changed-files@039afcd1024c210363c9d3fc8fd07e1f3fcf2867 # v35.9.3 - name: List all changed files run: | diff --git a/.github/workflows/toc-tou.yml b/.github/workflows/toc-tou.yml index 50ca25cb9..c56b60b8c 100644 --- a/.github/workflows/toc-tou.yml +++ b/.github/workflows/toc-tou.yml @@ -15,6 +15,11 @@ jobs: contents: read pull-requests: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - uses: actions/checkout@v4 - name: Wait for demo purposes @@ -40,6 +45,11 @@ jobs: contents: read pull-requests: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - uses: actions/checkout@v4 - name: Wait for demo purposes 
diff --git a/.github/workflows/unexpected-outbound-calls.yml b/.github/workflows/unexpected-outbound-calls.yml index f53167970..14cc0a73e 100644 --- a/.github/workflows/unexpected-outbound-calls.yml +++ b/.github/workflows/unexpected-outbound-calls.yml @@ -1,13 +1,16 @@ name: Unexpected Outbound Calls on: workflow_dispatch: +permissions: + contents: read + jobs: unexpected-outbound-calls: name: UnexpectedOutboundCalls runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: egress-policy: audit - run: "curl https://attacker.com -L || true"