step-security · varunsh-coder · Apr 13, 2025 · Apr 13, 2025
diff --git a/action.yml b/action.yml
@@ -17,7 +17,11 @@ inputs:
     required: false
     default: "false"
   disable-sudo:
-    description: "Disable sudo access for the runner account"
+    description: "Disable sudo access for the runner account. Note: This parameter is deprecated. Please use disable-sudo-and-containers for enhanced security."
+    required: false
+    default: "false"
+  disable-sudo-and-containers:
+    description: "Disable sudo and container access for the runner account"
     required: false
     default: "false"
   disable-file-monitoring:

diff --git a/src/cleanup.ts b/src/cleanup.ts
@@ -94,6 +94,20 @@ import { isGithubHosted } from "./tls-inspect";
     }
   }
 
+  var disable_sudo_and_containers = process.env.disableSudoAndContainers;
+  if (disable_sudo_and_containers !== "true") {
+    try {
+      var journalLog = cp.execSync("sudo journalctl -u agent.service --lines=1000", {
+        encoding: "utf8",
+        maxBuffer: 1024 * 1024 * 10 // 10MB buffer
+      });
+      console.log("agent.service log:");
+      console.log(journalLog);
+    } catch (error) {
+      console.log("Warning: Could not fetch service logs:", error.message);
+    }
+  }
+
   try {
     await common.addSummary();
   } catch (exception) {

diff --git a/src/interfaces.ts b/src/interfaces.ts
@@ -8,6 +8,7 @@ export interface Configuration {
   egress_policy: string;
   disable_telemetry: boolean;
   disable_sudo: boolean;
+  disable_sudo_and_containers: boolean;
   disable_file_monitoring: boolean;
   is_github_hosted: boolean;
   private: string;
@@ -20,6 +21,7 @@ export interface PolicyResponse {
   policyName?: string;
   allowed_endpoints?: string[];
   disable_sudo?: boolean;
+  disable_sudo_and_containers?: boolean;
   disable_file_monitoring?: boolean;
   disable_telemetry?: boolean;
   egress_policy?: string;

diff --git a/src/policy-utils.ts b/src/policy-utils.ts
@@ -56,6 +56,10 @@ export function mergeConfigs(
     localConfig.disable_sudo = remoteConfig.disable_sudo;
   }
 
+  if (remoteConfig.disable_sudo_and_containers !== undefined) {
+    localConfig.disable_sudo_and_containers = remoteConfig.disable_sudo_and_containers;
+  }
+
   if (remoteConfig.disable_file_monitoring !== undefined) {
     localConfig.disable_file_monitoring = remoteConfig.disable_file_monitoring;
   }

diff --git a/src/setup.ts b/src/setup.ts
@@ -62,6 +62,7 @@ interface MonitorResponse {
       egress_policy: core.getInput("egress-policy"),
       disable_telemetry: core.getBooleanInput("disable-telemetry"),
       disable_sudo: core.getBooleanInput("disable-sudo"),
+      disable_sudo_and_containers: core.getBooleanInput("disable-sudo-and-containers"),
       disable_file_monitoring: core.getBooleanInput("disable-file-monitoring"),
       private: context?.payload?.repository?.private || false,
       is_github_hosted: isGithubHosted(),
@@ -92,6 +93,13 @@ interface MonitorResponse {
         encoding: "utf8",
       }
     );
+    fs.appendFileSync(
+      process.env.GITHUB_STATE,
+      `disableSudoAndContainers=${confg.disable_sudo_and_containers}${EOL}`,
+      {
+        encoding: "utf8",
+      }
+    );
     core.info(`[!] Current Configuration: \n${JSON.stringify(confg)}\n`);
 
     if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {