
feat(security): block mode for hardened runners#10482

Merged: jfagoagas merged 2 commits into master from enable-block-hardened-runner on Mar 27, 2026

Conversation

@jfagoagas
Member

Description

Enable block mode for several workflows.

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes / No
    • If so, do we need to update permissions for the provider? Please review this carefully.

UI

  • All issue/task requirements work as expected on the UI
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@jfagoagas jfagoagas requested a review from a team as a code owner March 26, 2026 13:50
Copilot AI review requested due to automatic review settings March 26, 2026 13:50
@jfagoagas jfagoagas added the no-changelog Skip including change in changelog/release notes label Mar 26, 2026
@github-actions github-actions bot added the github_actions Pull requests that update GitHub Actions code label Mar 26, 2026
@github-actions
Contributor

github-actions bot commented Mar 26, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

Contributor

Copilot AI left a comment


Pull request overview

This PR hardens GitHub Actions CI/CD workflows by switching step-security/harden-runner from audit mode to block mode and introducing explicit egress allowlists to restrict outbound network access.

Changes:

  • Switch step-security/harden-runner egress-policy from audit to block across multiple workflows.
  • Add allowed-endpoints allowlists tailored per workflow/job to permit only required external connectivity.
  • Standardize the hardening step name to “Harden Runner”.

Reviewed changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 5 comments.

Summary per file
File Description
.github/workflows/ui-tests.yml Enables block-mode runner hardening for UI test workflow with allowlisted endpoints.
.github/workflows/ui-container-checks.yml Enables block-mode runner hardening for UI container checks with allowlisted endpoints.
.github/workflows/ui-container-build-push.yml Enables block-mode runner hardening for UI container build/push jobs with allowlisted endpoints.
.github/workflows/ui-codeql.yml Enables block-mode runner hardening for UI CodeQL analysis with allowlisted endpoints.
.github/workflows/test-impact-analysis.yml Enables block-mode runner hardening for test impact analysis with allowlisted endpoints.
.github/workflows/sdk-tests.yml Enables block-mode runner hardening for SDK tests with allowlisted endpoints.
.github/workflows/sdk-security.yml Enables block-mode runner hardening for SDK security workflow with allowlisted endpoints.
.github/workflows/sdk-container-checks.yml Enables block-mode runner hardening for SDK container checks with allowlisted endpoints.
.github/workflows/sdk-container-build-push.yml Enables block-mode runner hardening for SDK container build/push with allowlisted endpoints.
.github/workflows/sdk-codeql.yml Enables block-mode runner hardening for SDK CodeQL analysis with allowlisted endpoints.
.github/workflows/sdk-code-quality.yml Enables block-mode runner hardening for SDK code quality workflow with allowlisted endpoints.
.github/workflows/sdk-check-duplicate-test-names.yml Enables block-mode runner hardening for duplicate test name checks with allowlisted endpoints.
.github/workflows/pr-merged.yml Enables block-mode runner hardening for PR merged automation with allowlisted endpoints.
.github/workflows/pr-check-changelog.yml Enables block-mode runner hardening for changelog enforcement with allowlisted endpoints.
.github/workflows/mcp-container-checks.yml Enables block-mode runner hardening for MCP container checks with allowlisted endpoints.
.github/workflows/mcp-container-build-push.yml Enables block-mode runner hardening for MCP container build/push jobs with allowlisted endpoints (partial).
.github/workflows/find-secrets.yml Enables block-mode runner hardening for secrets scanning with allowlisted endpoints.
.github/workflows/ci-zizmor.yml Enables block-mode runner hardening for zizmor workflow with allowlisted endpoints.
.github/workflows/backport.yml Enables block-mode runner hardening for backport automation with allowlisted endpoints.
.github/workflows/api-tests.yml Enables block-mode runner hardening for API tests workflow with allowlisted endpoints.
.github/workflows/api-security.yml Enables block-mode runner hardening for API security workflow with allowlisted endpoints.
.github/workflows/api-container-checks.yml Enables block-mode runner hardening for API container checks with allowlisted endpoints.
.github/workflows/api-container-build-push.yml Enables block-mode runner hardening for API container build/push jobs with allowlisted endpoints.
.github/workflows/api-codeql.yml Enables block-mode runner hardening for API CodeQL analysis with allowlisted endpoints.
.github/workflows/api-code-quality.yml Enables block-mode runner hardening for API code quality workflow with allowlisted endpoints.

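The Copilot overview above describes the change as flipping `egress-policy` from `audit` to `block` and giving every job its own `allowed-endpoints` allowlist. The following is an added example written for this page, not code from the Prowler repository or from this PR: a constructed workflow with one job still in audit mode, one hardened the way the PR describes, and one moved to block mode without an allowlist, plus a small lint that finds each `step-security/harden-runner` step and reports which of those three states it is in. The `@v2` tag, the job names and the endpoints in the sample are assumptions; the PR's real allowlists are not shown on this page.

```python
"""Added example (not Prowler's code): lint workflows for step-security/harden-runner egress settings."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HARDEN_RUNNER_RE = re.compile(r"uses:\s*step-security/harden-runner@")
ENDPOINT_RE = re.compile(r"^[A-Za-z0-9.*-]+:\d{1,5}$")  # allowlist entries are host:port


@dataclass
class HardenRunnerStep:
    line_no: int                                    # 1-based line of the ``uses:`` key
    egress_policy: str | None = None                # None when the step does not set it
    allowed_endpoints: list[str] = field(default_factory=list)


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_harden_runner_steps(workflow_text: str) -> list[HardenRunnerStep]:
    """Locate each harden-runner step and read its with: settings (indentation scan, no PyYAML)."""
    lines = workflow_text.splitlines()
    steps: list[HardenRunnerStep] = []
    for idx, line in enumerate(lines):
        m = HARDEN_RUNNER_RE.search(line)
        if not m or line.lstrip().startswith("#"):
            continue
        key_col = m.start()                         # sibling keys (name:, with:) share this column
        step, in_with, j = HardenRunnerStep(line_no=idx + 1), False, idx + 1
        while j < len(lines):
            stripped, ind = lines[j].strip(), _indent(lines[j])
            if stripped and not stripped.startswith("#"):
                if ind < key_col:
                    break                           # next step or end of the steps list
                if ind == key_col:
                    in_with = stripped == "with:"
                elif in_with:
                    key, _, rest = stripped.partition(":")
                    rest = rest.strip().strip("'\"")
                    if key == "egress-policy":
                        step.egress_policy = rest
                    elif key == "allowed-endpoints" and rest and rest[0] not in ">|":
                        step.allowed_endpoints = rest.replace(",", " ").split()   # inline value
                    elif key == "allowed-endpoints":    # folded block scalar (>) or YAML list below
                        k = j + 1
                        while k < len(lines) and (not lines[k].strip() or _indent(lines[k]) > ind):
                            step.allowed_endpoints.extend(lines[k].strip().lstrip("- ").split())
                            k += 1
                        j = k - 1
            j += 1
        steps.append(step)
    return steps


def check_workflow(workflow_text: str) -> list[str]:
    """One finding per problem; an empty list means every harden-runner step enforces an allowlist."""
    steps = find_harden_runner_steps(workflow_text)
    if not steps:
        return ["no step-security/harden-runner step found"]
    findings: list[str] = []
    for s in steps:
        where = f"line {s.line_no}"
        if s.egress_policy != "block":              # audit only records egress, it never blocks it
            findings.append(f"{where}: egress-policy is {s.egress_policy or 'unset'}, expected block")
        elif not s.allowed_endpoints:
            findings.append(f"{where}: egress-policy is block but allowed-endpoints is empty")
        findings += [f"{where}: endpoint {ep!r} is not host:port" for ep in s.allowed_endpoints
                     if not ENDPOINT_RE.match(ep)]
    return findings


# Constructed sample: one job still in audit mode, one hardened the way the PR
# describes, one switched to block with no allowlist. The @v2 tag, job names and
# endpoints are assumptions, not values taken from the PR.
SAMPLE_WORKFLOW = """\
jobs:
  before:
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
  after:
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            pypi.org:443
  broken:
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
"""

if __name__ == "__main__":
    print("\n".join(check_workflow(SAMPLE_WORKFLOW)))
```

Run against the sample, the lint reports the `before` job (audit mode) and the `broken` job (block with nothing allowlisted) and is silent on `after`. Pointed at `.github/workflows/*.yml` in a pre-commit hook or a CI job, a non-empty findings list is the condition to fail on, which keeps a later edit from quietly regressing a workflow to audit. The allowlist itself should come from what audit mode observed before the flip: in block mode a connection to a host not on the list is blocked and the step that depended on it fails, which is exactly why the PR ships a per-job list rather than a single shared one.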

@codecov

codecov bot commented Mar 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.49%. Comparing base (716c130) to head (4131450).
⚠️ Report is 8 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #10482      +/-   ##
==========================================
+ Coverage   93.42%   93.49%   +0.06%     
==========================================
  Files         219      220       +1     
  Lines       30773    30877     +104     
==========================================
+ Hits        28751    28868     +117     
+ Misses       2022     2009      -13     
Flag Coverage Δ
api 93.49% <ø> (+0.06%) ⬆️

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler ∅ <ø> (∅)
api 93.49% <ø> (+0.06%) ⬆️

@jfagoagas jfagoagas requested a review from josema-xyz March 27, 2026 11:41
@jfagoagas jfagoagas merged commit 417be55 into master Mar 27, 2026
40 of 41 checks passed
@jfagoagas jfagoagas deleted the enable-block-hardened-runner branch March 27, 2026 12:09