Security

Security is Job Zero for Sprinters. Sprinters’ approach can be summarized as a combination of the principle of least privilege, data austerity and defense in depth.

Let’s dive deeper into the two main parts of the system: the Sprinters platform and the Sprinters runner instances on your AWS account.

How Sprinters Works Diagram

Platform

The Sprinters platform runs on Sprinters’ own infrastructure and handles events sent by GitHub and launches runner instances in your AWS account.

To be able to operate, Sprinters needs to access to your GitHub account and your AWS account.

Sprinters also needs to store

  • the credentials to your AWS account in order to be able to launch runner instances
  • the history of the jobs you ran with Sprinters in order to display them in the Sprinters Console

Data

All data stored by Sprinters is encrypted at rest. All data transferred by Sprinters is encrypted while in motion.

Communication between Sprinters and your browser is fully encrypted with TLS 1.3 or 1.2.

GitHub

Permissions

Sprinters strictly adheres to the principle of least-privilege and only requests this absolute minimum set of permissions to be able to operate:

Permission Access Scope Usage
metadata read repository Mandatory permission for all GitHub Apps
actions read repository Get details about workflow jobs and workflow runs to check whether Sprinters should launch a runner
write repository Cancel a workflow run in case there was an issue with a runner
administration write repository Create a registration token for a new runner to ensure it can interact with GitHub Actions
email addresses read user Notify you in case an issue with a runner needs your attention

Sprinters has:

  • no access to the contents of your repositories
  • no access to your secrets
  • no access to your environment variables

Data in motion

Communication between Sprinters and GitHub is fully encrypted with TLS 1.3.

AWS

Permissions

Sprinters strictly adheres to the principle of least-privilege and only requests this absolute minimum set of permissions to be able to operate:

Action Usage
ec2:RunInstances Launch ephemeral EC2 instances for your runners
ec2:CreateTags Tag those EC2 instances as runners
ec2:DescribeInstances List runner EC2 instances and check whether they are running
ec2:ModifyVolume Optimize boot speed of runner EC2 instances
ec2:TerminateInstances Clean up runner EC2 instances in case they fail to gracefully shut down
ec2:DescribeSpotPriceHistory Automatically select cheapest availability zone for spot instances and calculate savings

Sprinters has:

  • no login access to your EC2 instances
  • no access to the contents of your EBS volumes
  • no access to your EBS snapshots

Credentials

To be able to operate, Sprinters needs to access to your AWS account.

Secure cross-account IAM roles

By default, Sprinters will use secure cross-account IAM roles to obtain temporary short-lived credentials to access your AWS account.

This is made possible through a trust policy that grants permission to Sprinters’ AWS account to assume an IAM role in your AWS accounts with the permissions defined above. To prevent the confused deputy problem , this trust policy is secured with an external id.

Access keys

Alternatively, Sprinters also gives you the possibility to store an access key to access your AWS account. This access key is fully encrypted with AES-256 GCM. Each account has a distinct encryption key. All keys are themselves also encrypted.

Data in motion

Communication between Sprinters and AWS is fully encrypted with TLS 1.3.

Runner Instances

Runner instances run on your AWS account within the privacy of your VPC. Services your jobs rely on no longer need to be exposed over the public internet.

To ensure a 100% clean environment for every job, each runner is launched using a new ephemeral EC2 instance and a security group that prohibits ingress.

The image is based on GitHub’s official runner image .

The instance doesn’t listen on any ports. The runner software doesn’t communicate with Sprinters. It only opens an outbound HTTPS connection to GitHub in order to receive job steps and send back execution logs.

Runner Instance Diagram

The boot volume, where the software is installed, is read-only, guaranteeing integrity.

Writes are automatically redirected to an ephemeral encrypted temp volume which is reformatted on every boot and destroyed when the instance terminates.

Swap space is also allocated on another ephemeral encrypted volume which is also wiped on every boot and destroyed when the instance terminates.

Sprinters has no access to the contents of these volumes.

© 2024 InfrastructureX GmbH
Docs · Terms of Service · Privacy Policy · Impressum
Sprinters is a registered trademark of InfrastructureX GmbH
Made with ♥️ in München