Corporate laptops and production servers typically have robust security monitoring in place to reduce risk and meet compliance requirements. However, CI/CD runners, which handle sensitive information like secrets for cloud environments and create production builds, often lack such security measures. This oversight has led to significant supply chain attacks, including the SolarWinds and Codecov breaches.
Traditional security monitoring and EDR solutions are ineffective for CI/CD runners due to their ephemeral nature. These tools also lack the necessary context to correlate events with specific workflow runs in a CI/CD environment.
StepSecurity Harden-Runner addresses this gap by providing security monitoring tailored for CI/CD runners. This approach brings CI/CD runners under the same level of security scrutiny as other critical systems, addressing a significant gap in the software supply chain.
- Getting Started Guide
- Why Choose Harden-Runner
- Features and Capabilities
- Case Studies and Trusted Projects
- How It Works
- Known Limitations
- Join the Discussions
Learn how Harden-Runner works through the video below, which shows how it detected a supply chain attack on a Google open-source project.

This guide walks you through the steps to set up and use Harden-Runner in your CI/CD workflows.
To integrate Harden-Runner, follow these steps:
- Open your GitHub Actions workflow file (e.g., `.github/workflows/<workflow-name>.yml`).
- Add the following code as the first step in each job:

```yaml
steps:
  - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.3
    with:
      egress-policy: audit
```

Tip: Automate this step by pasting your workflow into the StepSecurity online tool.
Run your workflow. Once completed:
- Review the workflow logs and the job markdown summary.
- Look for a link to security insights and recommendations.
- Click on the provided link (e.g., example link) to access the Process Monitor View, which displays:
- Prevent Exfiltration: Prevent the exfiltration of CI/CD secrets and source code.
- Detect Tampering: Identify source code modifications during builds.
- Anomaly Detection: Spot unusual dependencies and workflow behaviors.
- Simplify Permissions: Determine the minimum required `GITHUB_TOKEN` permissions.
Harden-Runner offers a comprehensive suite of features to enhance the security of your CI/CD workflows, available in two tiers: Community (Free) and Enterprise (Paid).
- CI/CD-Aware Event Correlation: Each outbound network connection, file operation, and process execution is mapped to the exact step, job, and workflow where it occurs.
- Automated Baseline Creation: Harden-Runner builds a baseline for each job based on past outbound network connections.
- Anomaly Detection: Once the baseline is created, any future outbound calls not in the baseline trigger a detection.
- Block Network Egress Traffic with Domain Allowlist: Optionally use the automatically created baseline to control outbound network traffic by specifying allowed domains, preventing unauthorized data exfiltration.
- Detect Modification of Source Code: Monitor and alert on unauthorized changes to your source code during the CI/CD pipeline.
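A workflow that has moved from audit to block mode, shown as an added example that is not taken from the Harden-Runner repository. The workflow name, build commands and endpoint list are assumptions for illustration; the real allowlist should be copied from the baseline Harden-Runner builds for the job.

```yaml
# Constructed example workflow (not from the Harden-Runner project).
name: build
on: [push]

# Least-privilege GITHUB_TOKEN: start read-only and widen per job only if a step needs it.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Harden-Runner stays the first step so every later step is monitored.
      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.3
        with:
          # audit: record outbound connections only.
          # block: drop any outbound connection not listed in allowed-endpoints.
          egress-policy: block
          # Assumed endpoints for a Node.js build; replace with the
          # domains observed in this job's baseline during audit runs.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443

      # Pin third-party actions to a full commit SHA, as done for Harden-Runner above.
      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

Keep a job in `audit` until its baseline is stable across several runs, since a missing endpoint in `block` mode fails the build at the step that makes the call.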
Includes all features in the Community tier, plus:
- Support for Private Repositories: Extend Harden-Runner's security capabilities to your private GitHub repositories.
- Support for Self-Hosted Runners: Apply security controls and monitoring to self-hosted GitHub Actions runners.
- GitHub Checks Integration: Enable GitHub Checks for Harden-Runner—if the baseline remains unchanged, the check passes; if it changes, the check fails, showing new outbound connections.
- View Outbound GitHub API Calls at the Job Level: Monitor HTTPS requests to GitHub APIs.
- Determine Minimum GITHUB_TOKEN Permissions: Monitor outbound HTTPS requests to GitHub APIs to recommend the least-privilege permissions needed for your workflows, enhancing security by reducing unnecessary access.
- View the Name and Path of Every File Written During the Build Process: Gain visibility into every file written to the build environment, including the ability to correlate file writes with processes, ensuring complete transparency.
- View Process Names and Arguments: Monitor every process executed during the build process, along with its arguments, and navigate the process tree to detect suspicious activities.
For a detailed comparison and more information, please visit our Pricing Page.
Explore the full feature set in the Features Documentation.
Harden-Runner is trusted by over 5000 leading open-source projects and enterprises, including Microsoft, Google, Kubernetes, and more.
- CISA
- Microsoft
- Google
- DataDog
- Intel
- Kubernetes
- Node.js
- AWS
- Harden-Runner Detects CI/CD Supply Chain Attack in Google’s Open-Source Project Flank
- Harden-Runner Detects CI/CD Supply Chain Attack in Microsoft’s Open-Source Project Azure Karpenter Provider in Real-Time
- Harden-Runner Detects Anomalous Traffic to api.ipify.org Across Multiple Customers
- Harden-Runner Flags Anomalous Outbound Call, Leading to Docker Documentation Update
- How Coveo Strengthened GitHub Actions Security with StepSecurity
- Hashgraph Achieves Comprehensive CI/CD Security Without Compromising Development Speed
- Kapiche secures their GitHub Actions software supply chain with Harden-Runner
- Arcjet Enhances CI/CD Security with Harden-Runner
Want to know the technical details? Dive into the architecture of Harden-Runner and its integrations for GitHub-hosted and self-hosted runners in our How Harden-Runner Works Documentation.
While Harden-Runner offers powerful features, there are certain limitations based on the environment, such as OS support. See the complete list in Known Limitations.
Join the conversation! For questions, ideas, or feedback, visit our Discussions Page.
For enterprise support, email support@stepsecurity.io. Interested in using Harden-Runner in other CI/CD platforms? Reach out to interest@stepsecurity.io.
Harden-Runner is open source. See the LICENSE file for details.