CodeCode

Close the CI/CD Security Gap

It’s time to stop overlooking CI/CD as an attack surface. StepSecurity helps teams immediately improve their CI/CD security with a multi-layered approach of visibility, detection, response, and remediation.

CloudCloud

Trusted By

Start answering questions about your CI/CD Security

Can I trust my third-party CI/CD components?

Are my pipeline-as-code files following security 
best practices?

Am I able to detect attacks on my CI/CD runners?

Overlooked Attack Surfaces

Unaddressed CI/CD Security 
Risks in Your Pipeline

Breaking News -- CI/CD Supply Attack Chains on the Rise

January 2024

PyTorch Supply Chain Compromise

Application Security

Researchers detail a CI/CD attack leading to PyTorch releases compromise via GitHub Actions self-hosted runners.

March 2024

tj-actions/changed-files GitHub Action puts thousands of repositories at risk for arbitrary command execution

Learn about the critical vulnerability in tj-actions/changed-files GitHub Action and how StepSecurity's solution fortifies your CI/CD pipelines against potential exploits.

XZ Utils Backdoored during 
CI build

April 2024

XZ Utils

Sept 25, 2024

Security Breach in Stripe Repo: A Deep Dive into the "Pwn Request" Vulnerability

Stripe Repository Breach

The Vulnerability in Stripe’s GitHub Actions Workflow Shows Why Securing CI/CD Pipelines Is Essential

Lacking Security Controls

Current Solutions Are Built for Code or Cloud, Not Pipelines

Common cloud security and application security solutions build in protections for pipelines as bolt-on capabilities. StepSecurity is the only purpose-built platform focused on securing the ephemeral and unique nature of CI/CD pipelines.

Testimonial
“Before StepSecurity, detecting the origin of a suspicious outbound network connection was challenging with traditional CNAPPs or IDS solutions, as we’d only see a general alert. StepSecurity gives us complete visibility into which specific Action triggered a connection and even lets us drill down into host processes tied to that Action. Now, we have a clear and actionable picture of every network connection our runners make, and we can respond with confidence.”
Testimonial
"StepSecurity provided an immediate large scale effect by providing a single pane-of-glass visibility into all traffic egressing from our GitHub Actions CI/CD infrastructure. This provided immediate real-world visibility and enhanced our ability to detect and respond to incidents."
Testimonial
"It's easy to get started with GitHub Actions, but using it securely has historically required manual effort and configuration which isn't as straightforward. StepSecurity solves this by automating security best practices for Workflows as well as through their harden-runner Action which provides protection against exfiltration and source code tampering throughout the lifecycle of a Workflow. Leveraging the harden-runner Action is both painless and an absolute must for any project!"
Multilayered Approach

The Definitive Platform for 
CI/CD Protection

Multilayered Approach

The Definitive Platform for 
CI/CD Protection

Spot and Stop Threats

Secure you entire CI/CD ecosystem and reduce risk with enterprise-grade controls, powerful detection capabilities, and automated remediation.

  • Security visibility into outbound traffic from all runners
  • Restrict access to sensitive resources
  • Monitor runtime behavior for anomalies
  • Block unauthorized registry pulls
  • Inventory of all CI/CD Components in use
  • A comprehensive scoring system to evaluate the risk of third-party CI/CD Components
  • Secure drop-in replacements for risky third-party CI/CD Components
  • Internal Marketplace of vetted and trust CI/CD Components
  • Continuous monitoring and reporting of CI/CD security posture
  • Consistent application of security controls across repositories
  • Faster remediation of security issues through automated pull requests
  • Enforce CI/CD secrets management best practices
Case Study

StepSecurity detects a CI/CD supply chain attack on Microsoft’s Azure Karpenter Provider in real-time!

This case study discusses how StepSecurity Harden-Runner detected a CI/CD supply chain attack in real-time in Microsoft’s open-source project Azure Karpenter Provider. Key insights are:

  • This could have compromised the cloud environment that the project had access to
  • Within an hour of the exploit, StepSecurity reported the detection to the Microsoft Security Response Center (MSRC).
  • Microsoft acknowledged StepSecurity for helping detect and remediate the incident
Case Study

StepSecurity detects a CI/CD supply chain attack on Microsoft’s Azure Karpenter Provider in real-time!

This case study discusses how StepSecurity Harden-Runner detected a CI/CD supply chain attack in real-time in Microsoft’s open-source project Azure Karpenter Provider. Key insights are:

  • This could have compromised the cloud environment that the project had access to
  • Within an hour of the exploit, StepSecurity reported the detection to the Microsoft Security Response Center (MSRC).
  • Microsoft acknowledged StepSecurity for helping detect and remediate the incident
Case Study

StepSecurity Detects CI/CD Supply Chain Attack in Google’s Open-Source Project Flank in Real-Time

This case study discusses how StepSecurity Harden-Runner detected a CI/CD supply chain attack in real-time in Google’s open-source project Flank. Key Insights are:

  • This could have caused an XZ Utils and SolarWinds style software supply chain attack.
  • The researcher exploited a Pwn Request Vulnerability to exfiltrate CI/CD credentials
  • Harden-Runner detected this malicious outbound network call in real-time
Case Study

StepSecurity detects a CI/CD supply chain attack on Microsoft’s Azure Karpenter Provider in real-time!

This case study discusses how StepSecurity Harden-Runner detected a CI/CD supply chain attack in real-time in Microsoft’s open-source project Azure Karpenter Provider. Key insights are:

  • This could have compromised the cloud environment that the project had access to
  • Within an hour of the exploit, StepSecurity reported the detection to the Microsoft Security Response Center (MSRC).
  • Microsoft acknowledged StepSecurity for helping detect and remediate the incident
Case Study

StepSecurity detects a CI/CD supply chain attack on Microsoft’s Azure Karpenter Provider in real-time!

This case study discusses how StepSecurity Harden-Runner detected a CI/CD supply chain attack in real-time in Microsoft’s open-source project Azure Karpenter Provider. Key insights are:

  • This could have compromised the cloud environment that the project had access to
  • Within an hour of the exploit, StepSecurity reported the detection to the Microsoft Security Response Center (MSRC).
  • Microsoft acknowledged StepSecurity for helping detect and remediate the incident
Case Study

StepSecurity Detects CI/CD Supply Chain Attack in Google’s Open-Source Project Flank in Real-Time

This case study discusses how StepSecurity Harden-Runner detected a CI/CD supply chain attack in real-time in Google’s open-source project Flank. Key Insights are:

  • This could have caused an XZ Utils and SolarWinds style software supply chain attack.
  • The researcher exploited a Pwn Request Vulnerability to exfiltrate CI/CD credentials
  • Harden-Runner detected this malicious outbound network call in real-time
Capabilities

Sophisticated Security Capabilities 
Purpose-Built for CI/CD

01

Monitor outbound network events and detect secret exposures across the pipeline

Continuously monitor and analyze traffic so you can can identify potential exposures early and respond before damages incur.

02

Build security-first with our Internal GitHub Actions Marketplace

Accelerate development while maintaining security controls. Our curated marketplace of security-hardened GitHub Actions lets teams move fast without compromising safety.

03

Manage and improve CI/CD Security posture with automated remediation pull requests

Proactively identify and fix security gaps in your pipelines with automated pull requests that implement security best practices.

Take the Next Step in Securing your CI/CD Pipelines Today!

Why StepSecurity

Experience the StepSecurity Difference

Without StepSecurity

  • Severely limited visibility into pipeline network traffic
  • Niche configuration knowledge needed for pipeline security
  • Increased developer friction for third-party actions
  • No maintenance for best practice standards

With StepSecurity

  • Monitor network egress controls for runners
  • Identify security misconfigurations
  • Secure Internal Actions Marketplace
  • Standardized pipeline as code files