Security is Job Zero for Sprinters. Sprinters’ approach can be summarized as a combination of the principle of least privilege, data austerity and defense in depth.
Let’s dive deeper into the two main parts of the system: the Sprinters platform and the Sprinters runner instances on your AWS account.
The Sprinters platform runs on Sprinters’ own infrastructure and handles events sent by GitHub and launches runner instances in your AWS account.
To be able to operate, Sprinters needs access to both your GitHub account and your AWS account.
Sprinters also needs to store
Sprinters strictly adheres to the principle of least privilege and requests only the absolute minimum set of GitHub permissions needed to operate:
Permission | Access | Scope | Usage |
---|---|---|---|
metadata | read | repository | Mandatory permission for all GitHub Apps |
actions | read | repository | Get details about workflow jobs and workflow runs to check whether Sprinters should launch a runner |
actions | write | repository | Cancel a workflow run in case there was an issue with a runner |
administration | write | repository | Create a registration token for a new runner to ensure it can interact with GitHub Actions |
email addresses | read | user | Notify you in case an issue with a runner needs your attention |
Sprinters has:
Communications between Sprinters and GitHub are fully encrypted with TLS 1.3.
Sprinters strictly adheres to the principle of least privilege and requests only the absolute minimum set of AWS permissions needed to operate:
Action | Usage |
---|---|
ec2:RunInstances | Launch ephemeral EC2 instances for your runners |
ec2:CreateTags | Tag those EC2 instances as runners |
ec2:DescribeInstances | List runner EC2 instances and check whether they are running |
ec2:ModifyVolume | Optimize boot speed of runner EC2 instances |
ec2:TerminateInstances | Clean up runner EC2 instances in case they fail to gracefully shut down |
ec2:DescribeSpotPriceHistory | Automatically select the cheapest availability zone for spot instances and calculate savings |
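Before granting a third party a role in your account, it is worth checking mechanically that the policy you attach grants nothing beyond the six actions in the table. The following audit script is an added example, not Sprinters' own code or policy; the allow-list is copied from the table, while the sample policies it checks (including the over-broad one with `ec2:*` and `iam:PassRole`) are constructed for illustration.

```python
"""Check that an IAM policy grants no more than the six EC2 actions in the table above.
Added example; not Sprinters' code. Sample policies below are constructed."""
import json
from fnmatch import fnmatchcase

# Allow-list copied from the page's table.
DOCUMENTED_ACTIONS = frozenset({
    "ec2:RunInstances",
    "ec2:CreateTags",
    "ec2:DescribeInstances",
    "ec2:ModifyVolume",
    "ec2:TerminateInstances",
    "ec2:DescribeSpotPriceHistory",
})


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict, allowed=DOCUMENTED_ACTIONS) -> dict:
    """Compare the Allow statements of a policy document against an allow-list.

    Returns a dict with:
      excess    - explicitly granted actions that are not in the allow-list
      missing   - allow-listed actions the policy does not grant at all
      wildcards - Action patterns containing '*' (or NotAction statements); these
                  cannot be shown to be minimal and should be rewritten explicitly
    """
    explicit, covered, wildcards = set(), set(), []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen the grant
        if "NotAction" in stmt:
            wildcards.append("NotAction")
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                wildcards.append(action)
                # IAM action matching is case-insensitive; record which allow-listed
                # actions the pattern happens to cover so they are not reported missing.
                covered.update(a for a in allowed if fnmatchcase(a.lower(), action.lower()))
            else:
                explicit.add(action)
    return {
        "excess": sorted(explicit - allowed),
        "missing": sorted(allowed - explicit - covered),
        "wildcards": wildcards,
    }


def minimal_policy() -> dict:
    """A policy granting exactly the documented actions (constructed example)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(DOCUMENTED_ACTIONS),
            # Resource-level scoping is a further hardening step the page does not
            # describe, so "*" is used here to stay within what the page documents.
            "Resource": "*",
        }],
    }


# Constructed over-broad policy of the kind an audit should catch: "ec2:*" hides
# what is really granted, and iam:PassRole does not appear in the table at all.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"}],
}

if __name__ == "__main__":
    for name, pol in (("minimal", minimal_policy()), ("overbroad", OVERBROAD_POLICY)):
        print(name, json.dumps(audit_policy(pol)))
```

Running the script reports no findings for the minimal policy and, for the over-broad one, the `ec2:*` wildcard plus `iam:PassRole` as excess. The same `audit_policy` function can be pointed at the policy document returned by the AWS API for any role you hand to a third-party service.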
Sprinters has:
Communications between Sprinters and AWS are fully encrypted with TLS 1.3.
All data stored by Sprinters is encrypted at rest. On top of that, the AWS credentials stored by Sprinters are fully encrypted with AES-256 GCM. Each GitHub organization or personal account has a distinct encryption key, and all keys are themselves also encrypted.
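The scheme just described (a distinct AES-256-GCM key per organization, with the keys themselves encrypted) is the envelope-encryption pattern. The block below is an added example of that pattern, not Sprinters' implementation: it uses the `cryptography` package, keeps the key-encryption key in memory purely for demonstration (assumption; in production it would sit in a KMS or HSM), and binds each ciphertext to its organization id through GCM's associated data so that a blob cannot be silently decrypted under another tenant's key. The credential value is a constructed sample.

```python
"""Envelope encryption of per-tenant secrets with AES-256-GCM.
Added example, not Sprinters' code. Requires the `cryptography` package."""
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonces are the standard choice for GCM


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt; the stored blob is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Decrypt; raises InvalidTag if key, ciphertext or associated data do not match."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ct, aad)


def new_kek() -> bytes:
    """Key-encryption key. Held in memory here only for the demo (assumption);
    a real deployment keeps it in a KMS/HSM and never exports it."""
    return AESGCM.generate_key(bit_length=256)


def create_tenant_key(kek: bytes, org_id: str) -> bytes:
    """Generate a fresh 256-bit data key for one org and return it wrapped under the KEK.
    The org id is associated data, so the wrapped key only unwraps for that org."""
    dek = AESGCM.generate_key(bit_length=256)
    return _seal(kek, dek, org_id.encode())


def encrypt_credential(kek: bytes, org_id: str, wrapped_dek: bytes, secret: bytes) -> bytes:
    dek = _open(kek, wrapped_dek, org_id.encode())
    return _seal(dek, secret, org_id.encode())


def decrypt_credential(kek: bytes, org_id: str, wrapped_dek: bytes, blob: bytes) -> bytes:
    dek = _open(kek, wrapped_dek, org_id.encode())
    return _open(dek, blob, org_id.encode())


def demo() -> dict:
    """Exercise the properties a reviewer would want: round trip, tenant isolation,
    key/label binding and tamper detection. Returns a dict of booleans."""
    kek = new_kek()
    wrapped = {org: create_tenant_key(kek, org) for org in ("org-a", "org-b")}
    secret = b"constructed-sample-aws-credential"  # constructed, not a real credential
    blob = encrypt_credential(kek, "org-a", wrapped["org-a"], secret)
    results = {"roundtrip": decrypt_credential(kek, "org-a", wrapped["org-a"], blob) == secret}

    # org-b's key cannot open org-a's blob
    try:
        decrypt_credential(kek, "org-b", wrapped["org-b"], blob)
        results["cross_tenant_rejected"] = False
    except InvalidTag:
        results["cross_tenant_rejected"] = True

    # org-a's wrapped key does not unwrap when presented with org-b's label
    try:
        _open(kek, wrapped["org-a"], b"org-b")
        results["relabel_rejected"] = False
    except InvalidTag:
        results["relabel_rejected"] = True

    # a single flipped bit in the stored blob is detected by the GCM tag
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        decrypt_credential(kek, "org-a", wrapped["org-a"], tampered)
        results["tamper_rejected"] = False
    except InvalidTag:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the security weight: a per-tenant data key limits the blast radius of any single key exposure to one organization, and using the organization id as associated data means a stored blob is cryptographically tied to its owner rather than relying on database rows staying in the right place.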
Communications between Sprinters and your browser are fully encrypted with TLS 1.3 or 1.2.
Runner instances run on your AWS account within the privacy of your VPC. Services your jobs rely on no longer need to be exposed over the public internet.
To ensure a 100% clean environment for every job, each runner is launched using a new ephemeral EC2 instance and a security group that prohibits ingress.
It has a hardened kernel and is based on GitHub’s official runner image.
The instance doesn’t listen on any ports. The runner software doesn’t communicate with Sprinters. It only opens an outbound HTTPS connection to GitHub in order to receive job steps and send back execution logs.
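The ingress-free security group is the property you can verify from your own account, since the runners live in your VPC. The function below, an added example rather than anything Sprinters ships, walks the `IpPermissions` structure that the EC2 DescribeSecurityGroups API returns and reports every ingress rule as a finding; the two security-group records it runs over are constructed samples with placeholder group ids.

```python
"""Report any ingress rule on a security group that is supposed to prohibit ingress.
Added example, not Sprinters' code. Sample records are constructed."""


def ingress_findings(sg: dict) -> list:
    """Return one finding string per (rule, source) pair in the group's ingress rules.
    An empty list means the group prohibits ingress, as a runner group should."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        # IpProtocol "-1" means all protocols and carries no port range
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
        for src in sources or ["<no source>"]:
            findings.append(f"{sg['GroupId']}: ingress {proto}/{ports} from {src}")
    return findings


# Constructed sample: what a runner security group should look like (no ingress rules).
CLEAN_SG = {
    "GroupId": "sg-PLACEHOLDER-clean",
    "IpPermissions": [],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

# Constructed sample: a group that someone has opened for SSH from anywhere.
SSH_OPEN_SG = {
    "GroupId": "sg-PLACEHOLDER-ssh",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
        "UserIdGroupPairs": [{"GroupId": "sg-PLACEHOLDER-bastion"}],
    }],
}


def audit_groups(groups: list) -> dict:
    """Map each group id to its findings; run this over the DescribeSecurityGroups result."""
    return {sg["GroupId"]: ingress_findings(sg) for sg in groups}


if __name__ == "__main__":
    for gid, found in audit_groups([CLEAN_SG, SSH_OPEN_SG]).items():
        print(gid, "OK" if not found else found)
```

Because the runner software only opens an outbound HTTPS connection, any ingress rule on its group is an unexplained exposure worth an alert, whatever its source.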
The boot volume, where the software is installed, is read-only, guaranteeing integrity.
Writes are automatically redirected to an ephemeral encrypted temp volume which is reformatted on every boot and destroyed when the instance terminates.
Swap space is also allocated on another ephemeral encrypted volume which is also wiped on every boot and destroyed when the instance terminates.
Sprinters has no access to the contents of these volumes.