
Enhancing GitHub Actions Security with Bullfrog

  • By Michael
  • November 8, 2024

When working with continuous integration and continuous deployment (CI/CD), development velocity and strong security must both be treated as high priorities. We have previously detailed our development and deployment processes; here we describe some of the technical implementations that resulted from them. Among the many automation tools available, GitHub Actions has become a backbone for streamlining workflows, but with automation comes the need for strong and consistent security measures. In this post we focus on outbound network connections: in response to CI/CD pipelines being used to exfiltrate data from companies, we tested Bullfrog, a GitHub Action designed to harden your workflows by controlling egress traffic.

Understanding Bullfrog

Bullfrog is a simple, plug-and-play GitHub Action that enhances the security of your workflows by managing outbound network connections. By defining a list of allowed IPs and domains, Bullfrog ensures that only authorized egress traffic is permitted, effectively mitigating potential security risks associated with unauthorized egress.

Key Features

  • Egress Control: Define the specific IPs and domains that may receive outbound connections; any traffic that does not match your rules is blocked.
  • Audit Mode: Monitor all outbound connections without impacting existing workflows, aiding in identifying necessary allowances.
  • Compatibility: Supports GitHub-hosted runners on Ubuntu (ubuntu-latest, ubuntu-22.04, and ubuntu-24.04).

Why Bullfrog?

Consider a scenario where a development team utilizes GitHub Actions for building and deploying applications. Without egress control, the workflow may inadvertently connect to unauthorized external services, posing security risks.

Because Bullfrog restricts outbound traffic to the IPs and domains you define, the team can roll it out in stages:

  • Monitor Outbound Connections: Using Bullfrog’s audit mode, the team can track all outbound connections during workflow execution.
  • Define Egress Policies: Based on audit results, the team specifies allowed IPs and domains, ensuring only sanctioned connections are possible.
  • Enforce Restrictions: Switching to block mode applies these policies, preventing unauthorized outbound traffic.

Bullfrog’s features—including egress control, audit mode, and compatibility with GitHub-hosted runners on Ubuntu—provide both visibility into network interactions and proactive management of security risks, offering a streamlined solution for secure GitHub Actions workflows.
Implementing Bullfrog in Your GitHub Workflows

Integrating Bullfrog into your GitHub workflows is straightforward.

Step 1

Adding Bullfrog as the First Step in Your Job

Ensure Bullfrog is the first step in each job so that it can monitor and control all subsequent outbound connections. Setting egress-policy to audit lets you enumerate every outbound network connection without breaking existing workflows.

Review the “uses” line and update the release tag as necessary.

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Set up Bullfrog
        uses: bullfrogsec/bullfrog@v0.8.2
        with:
          egress-policy: audit

Step 2

Configure Allowed IPs and Domains

Specify the IPs and domains permitted for outbound connections. Wildcards are accepted for domains.

- name: Set up Bullfrog
  uses: bullfrogsec/bullfrog@v0.8.2
  with:
    egress-policy: audit

    # Add allowed IPs
    allowed-ips: |
      192.168.1.1
      10.0.0.1

    # Add allowed domains
    allowed-domains: |
      *.centric3.com
      api.centric3.com

Step 3

Set the Egress Policy to Block

Once you are confident in the audit output, switch egress-policy from audit (the default, which only monitors connections) to block to enforce the restrictions.

- name: Set up Bullfrog
  uses: bullfrogsec/bullfrog@v0.8.2
  with:
    egress-policy: block

Step 4

Define DNS Policy

The dns-policy option controls DNS requests when egress-policy is set to block. There are two options:

  1. allowed-domains-only (default): permits DNS requests only for the domains in the allowed-domains list, so nothing outside that list can be resolved.
  2. any: allows DNS requests to any domain without restriction. This offers more flexibility but may expose the workflow to risk from untrusted domains.

- name: Set up Bullfrog
  uses: bullfrogsec/bullfrog@v0.8.2
  with:
    egress-policy: block
    dns-policy: any

Step 5 (Optional)

Enable Sudo if Necessary

The enable-sudo option allows steps in your GitHub Actions workflow to run commands with elevated privileges using sudo, which is useful for tasks that require administrative access. By default enable-sudo is set to true. If your workflow does not need elevated privileges, set enable-sudo to false to limit unnecessary access.

- name: Set up Bullfrog
  uses: bullfrogsec/bullfrog@v0.8.2
  with:
    enable-sudo: true   # the default; set to false when no step needs sudo


GitHub Example Workflow with Bullfrog

name: Pipeline

on:
  push:
    branches:
      - develop
  pull_request:
    branches:
      - develop

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Set up Bullfrog
        uses: bullfrogsec/bullfrog@v0.8.2
        with:
          egress-policy: block
          allowed-ips: |
            192.168.1.1
            10.0.0.1
          allowed-domains: |
            *.centric3.com
            api.centric3.com

      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '4.1.0'

      - name: Install dependencies
        run: npm install

      - name: Run tests
        run: npm test
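
To see how the settings from Steps 2 to 4 combine, here is a small Python model of the allow/audit/block decisions (an added example, not Bullfrog's own code). Its matching rules are assumptions rather than documented Bullfrog behaviour: domains compare case-insensitively, *.x covers subdomains of x but not x itself, and IPs must match exactly.

```python
import ipaddress

def parse_block_list(block):
    """Split a YAML '|' block such as allowed-ips into entries, skipping blanks and comments."""
    return [ln.strip() for ln in block.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]

class BullfrogPolicy:
    """Decision model for the settings above (assumptions: domain matching is case-insensitive,
    '*.x' matches subdomains of x but not x itself, IPs must match exactly, no CIDR)."""

    def __init__(self, egress_policy="audit", dns_policy="allowed-domains-only",
                 allowed_ips="", allowed_domains=""):
        self.egress_policy = egress_policy
        self.dns_policy = dns_policy
        self.allowed_ips = {ipaddress.ip_address(i) for i in parse_block_list(allowed_ips)}
        self.allowed_domains = [d.lower() for d in parse_block_list(allowed_domains)]

    def domain_allowed(self, host):
        host = host.lower().rstrip(".")
        for pat in self.allowed_domains:
            if pat.startswith("*.") and host != pat[2:] and host.endswith(pat[1:]):
                return True
            if host == pat:
                return True
        return False

    def decide_connect(self, dest):
        """Outbound connection to an IP or hostname: 'allow', 'audit' (logged only) or 'block'."""
        try:
            permitted = ipaddress.ip_address(dest) in self.allowed_ips
        except ValueError:           # not an IP literal, so treat it as a hostname
            permitted = self.domain_allowed(dest)
        if permitted:
            return "allow"
        return "audit" if self.egress_policy == "audit" else "block"

    def decide_dns(self, name):
        """dns-policy applies only in block mode; 'any' lets every name resolve, but the
        connection to the resolved address is still judged by decide_connect."""
        if self.egress_policy != "block" or self.dns_policy == "any":
            return "allow"
        return "allow" if self.domain_allowed(name) else "block"

# Constructed policy mirroring the example workflow above
EXAMPLE = BullfrogPolicy(egress_policy="block",
                         allowed_ips="192.168.1.1\n10.0.0.1\n",
                         allowed_domains="*.centric3.com\napi.centric3.com\n")
```

Note that the example workflow's npm install step must reach the npm registry, which this allow-list does not include; running the job in audit mode first is how such hosts are discovered.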
