Add demo for self-hosted VM runner (#157)

.github/workflows/self-hosted-file-monitor-with-hr.yml

@@ -0,0 +1,24 @@
+name: "Self-Hosted (VM): File Monitoring with Harden-Runner"
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: [self-hosted, ec2]
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: npm install
+        run: |
+          cd ./src/backdoor-demo
+          npm install
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: ${{ github.repository }}/prod:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: ./src/backdoor-demo

.github/workflows/self-hosted-network-filtering-hr.yml

@@ -0,0 +1,33 @@
+name: "Self-Hosted (VM): Network Filtering with Harden-Runner"
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: [self-hosted, ec2]
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@self-hosted
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            *.docker.io:443
+            ghcr.io:443
+            github.com:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: npm install
+        run: |
+          cd ./src/exfiltration-demo
+          npm install
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: ${{ github.repository }}/prod:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: ./src/exfiltration-demo

.github/workflows/self-hosted-network-monitoring-hr.yml

@@ -0,0 +1,24 @@
+name: "Self-Hosted (VM): Network Monitoring with Harden-Runner"
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: [self-hosted, ec2]
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: npm install
+        run: |
+          cd ./src/exfiltration-demo
+          npm install
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: ${{ github.repository }}/prod:latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: ./src/exfiltration-demo

docs/Solutions/MonitorSourceCode.md

@@ -6,6 +6,7 @@
 
 1. [Detect File Tampering (GitHub-Hosted Runner)](#detect-file-tampering-github-hosted-runner)
 2. [Detect File Tampering (Actions Runner Controller)](#detect-file-tampering-actions-runner-controller)
+3. [Detect File Tampering (Self-Hosted VM Runners e.g. on EC2)](#detect-file-tampering-self-hosted-vm-runners-eg-on-ec2)
 
 ## Detect File Tampering (GitHub-Hosted Runner)
 
@@ -60,3 +61,30 @@ For a demo of a workflow running on ARC with Harden Runner integrated, follow th
    https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6285439163
 
    You can see that the file overwrite event is detected, without the need to add `harden-runner` to each job.
+
+## Detect File Tampering (Self-Hosted VM Runners e.g. on EC2)
+
+- Instead of adding the Harden-Runner GitHub Action in each workflow, you'll need to install the Harden-Runner agent on your runner image (e.g. AMI). This is typically done using packer.
+
+- The Harden-Runner agent monitors file events and correlates them with each step of the workflow.
+
+- Both ephemeral and persistent VM runners are supported.
+
+- You can access security insights and runtime detections under the Runtime Security tab in your dashboard.
+
+For a demo of a workflow running on self-hosted EC2 with Harden Runner integrated, follow this tutorial:
+
+### File Monitoring
+
+1. View this workflow file:
+   https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/arc-solarwinds-simulation.yml
+
+   Notice that `harden-runner` Action is not added to this workflow, and that this workflow runs on a `self-hosted` runner.
+
+2. Check out an example run of this workflow here:
+   https://github.com/step-security/github-actions-goat/actions/runs/6285439163
+
+3. Visit the workflow insights for this run here:
+   https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6285439163
+
+   You can see that the file overwrite event is detected, without the need to add `harden-runner` to each job.

docs/Solutions/RestrictOutboundTraffic.md

@@ -6,6 +6,7 @@
 
 1. [Filter Network Traffic (GitHub-hosted Runner)](#filter-network-traffic-github-hosted-runner)
 2. [Filter Network Traffic (Actions Runner Controller)](#filter-network-traffic-actions-runner-controller)
+3. [Filter Network Traffic (Self-Hosted VM Runners e.g. on EC2)](#filter-network-traffic-self-hosted-vm-runners-eg-on-ec2)
 
 ## Filter Network Traffic (GitHub-hosted Runner)
 
@@ -128,3 +129,48 @@ While there is a secure-by-default policy, to filter traffic to specific destina
    https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6292614301
 
    You will notice that the call to `attacker.com` was blocked in this case.
+
+## Filter Network Traffic (Self-Hosted VM Runners e.g. on EC2)
+
+- Instead of adding the Harden-Runner GitHub Action in each workflow, you'll need to install the Harden-Runner agent on your runner image (e.g. AMI). This is typically done using packer.
+
+- The Harden-Runner agent monitors each job run on the VM; you do NOT need to add the Harden-Runner GitHub Action to each job for audit mode. You do need to add the Harden-Runner GitHub Action for block mode.
+
+- Both ephemeral and persistent VM runners are supported.
+
+- You can access security insights and runtime detections under the Runtime Security tab in your dashboard.
+
+For a demo of a workflow running on self-hosted EC2 with Harden Runner integrated, follow this tutorial:
+
+### Network Monitoring
+
+1. View this workflow file:
+   https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/arc-zero-effort-observability.yml
+
+   Notice that `harden-runner` Action is not added to this workflow, and that this workflow runs on a `self-hosted` EC2 runner.
+
+2. Check out an example run of this workflow here:
+   https://github.com/step-security/github-actions-goat/actions/runs/6292615173
+
+3. Visit the workflow insights for this run here:
+   https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6292615173
+   You can see the outbound traffic for each of the steps, without the need to add `harden-runner` to each job.
+
+Even though you do not need to add Harden-Runner Action, the insights are exactly the same as with GitHub-Hosted runner.
+
+### Network Filtering with Harden Runner
+
+To filter traffic to specific destinations in a job run in self-hosted VM runner, you use the `harden-runner` GitHub Action in `block` mode.
+
+1. View the workflow file:
+   https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/arc-codecov-simulation.yml
+
+   Notice that `harden-runner` Action is added and there is a list of allowed endpoints.
+
+2. Check out an example run of this workflow here:
+   https://github.com/step-security/github-actions-goat/actions/runs/6292614301
+
+3. Visit the workflow insights for this run here:
+   https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6292614301
+
+   You will notice that the call to `attacker.com` was blocked in this case.