Security
Security is Job Zero for Sprinters. Sprinters’ approach can be summarized as a combination of the principle of least privilege, data austerity and defense in depth.
Let’s dive deeper into the two main parts of the system: the Sprinters platform and the Sprinters runner instances on your AWS account.
Platform
The Sprinters platform runs on Sprinters’ own infrastructure and handles events sent by GitHub and launches runner instances in your AWS account.
To be able to operate, Sprinters needs to access to your GitHub account and your AWS account.
Data
Sprinters strictly adheres to the principle of data austerity and only stores the absolute minimum amount of data necessary to operate.
This includes:
- the history of the jobs you ran with Sprinters in order to display them in the Sprinters Console
- the number of vCPU minutes you used for each job and how many are left in your account
All data stored by Sprinters is encrypted at rest. All data transferred by Sprinters is encrypted while in motion.
Sprinters:
- does not store any access credentials to your GitHub or AWS account
- does not store any credit card or other financial information
Browser
Javascript and cookies
Sprinters does not load any javascript from external sources and does not store any third party cookies.
Sprinters only uses a single cookie to keep track of the user’s session.
Data in motion
Communication between Sprinters and your browser is fully encrypted with TLS 1.3 or 1.2.
GitHub
Permissions
Sprinters strictly adheres to the principle of least-privilege and only requests this absolute minimum set of permissions to be able to operate:
| Permission | Access | Scope | Usage |
|---|---|---|---|
metadata |
read | repository | Mandatory permission for all GitHub Apps |
actions |
read | repository | Get details about workflow jobs and workflow runs to check whether Sprinters should launch a runner |
| write | repository | Cancel a workflow run in case there was an issue with a runner | |
administration |
write | repository | Create a registration token for a new runner to ensure it can interact with GitHub Actions |
email addresses |
read | user | Notify you in case an issue with a runner needs your attention |
Sprinters has:
- no access to the contents of your repositories
- no access to your secrets
- no access to your environment variables
Data in motion
Communication between Sprinters and GitHub is fully encrypted with TLS 1.3.
AWS
Permissions
Sprinters strictly adheres to the principle of least-privilege and only requests this absolute minimum set of permissions to be able to operate:
| Action | Usage |
|---|---|
ec2:RunInstances |
Launch ephemeral EC2 instances for your runners |
ec2:CreateTags |
Tag those EC2 instances as runners |
ec2:DescribeInstances |
List runner EC2 instances and check whether they are running |
ec2:ModifyVolume |
Optimize boot speed of runner EC2 instances |
ec2:TerminateInstances |
Clean up runner EC2 instances in case they fail to gracefully shut down |
ec2:DescribeSpotPriceHistory |
Automatically select cheapest availability zone for spot instances and calculate savings |
Sprinters has:
- no login access to your EC2 instances
- no access to the contents of your EBS volumes
- no access to your EBS snapshots
Cross-account IAM role
Sprinters uses a cross-account IAM role to obtain temporary short-lived credentials to access your AWS account with the permissions defined above. To prevent the confused deputy problem , this trust policy is secured with an external id matching your GitHub account name.
Data in motion
Communication between Sprinters and AWS is fully encrypted with TLS 1.3.
Runner Instances
Sprinters strictly adheres to the principle of defense in depth and secures your runner instances at every layer of the stack.
Runner instances run on your AWS account within the privacy of your VPC. Services your jobs rely on no longer need to be exposed over the public internet.
To ensure a 100% clean environment for every job, each runner is launched using a new ephemeral EC2 instance and a security group that prohibits ingress.
The image is based on GitHub’s official runner image .
The instance doesn’t listen on any ports. The runner software doesn’t communicate with Sprinters. It only opens an outbound HTTPS connection to GitHub in order to receive job steps and send back execution logs.
The boot volume, where the software is installed, is read-only, guaranteeing integrity.
Writes are automatically redirected to an ephemeral encrypted temp volume which is reformatted on every boot and destroyed when the instance terminates.
Swap space is also allocated on another ephemeral encrypted volume which is also wiped on every boot and destroyed when the instance terminates.
Sprinters has no access to the contents of these volumes.
