
Update content/actions/learn-github-actions/security-hardening-for-github-actions.md

Meg Bird
2021-06-28 08:10:51 -06:00
committed by GitHub
parent 2b64a88070
commit 476e7b1cbc


@@ -253,7 +253,7 @@ You should also consider the environment of the self-hosted runner machines:
- What sensitive information resides on the machine configured as a self-hosted runner? For example, private SSH keys, API access tokens, among others.
- Does the machine have network access to sensitive services? For example, Azure or AWS metadata services. The amount of sensitive information in this environment should be kept to a minimum, and you should always be mindful that any user capable of invoking workflows has access to this environment.
Some customers might attempt to partially mitigate these risks by implementing systems that automatically destroy the self-hosted runner after each job execution. However, this approach might not be as effective as intended, as there is no way to guarantee that a self-hosted runner only runs one job. Some jobs will use secrets as command line arguments which can be seen by another job running on the same runner, e.g. by running `ps x -w`. This can leads to secret leakages.
Some customers might attempt to partially mitigate these risks by implementing systems that automatically destroy the self-hosted runner after each job execution. However, this approach might not be as effective as intended, as there is no way to guarantee that a self-hosted runner only runs one job. Some jobs will use secrets as command-line arguments which can be seen by another job running on the same runner, such as `ps x -w`. This can lead to secret leakages.
## Auditing {% data variables.product.prodname_actions %} events
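Review bot: The replacement of "e.g. by running `ps x -w`" with "such as `ps x -w`" in the new line makes the sentence ambiguous: "such as" now attaches to "another job running on the same runner", so `ps x -w` reads as the name of a job rather than as the command that exposes the arguments. Keeping the verb is clearer, for example "which can be seen by another job running on the same runner, for example by running `ps x -w`." The other edits in the hunk ("command-line", "can lead") are straightforward grammar fixes and fine as written. Since the paragraph describes a concrete leakage channel, it would also help readers if it pointed to the mitigation implied by the sentence, namely passing secrets to processes through environment variables or files instead of command-line arguments, so the warning comes with an actionable recommendation.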