Secure your CI/CD Environment

A prime target for cyber threats, CI/CD has unparalleled access to source code, build artifacts, and cloud deployments. The rise in incidents, coupled with CI/CD security guidance from CISA and the NSA, highlights the urgency of robust security controls.

CI/CD breaches are no longer exceptions; they're becoming the norm
A compromised CI/CD pipeline opens the door to an organization's most valuable code and data
CI/CD's unique attack surface requires tailored protection strategies

Explore Open Source Projects Using StepSecurity

Google

Microsoft

Mastercard

Node.js

DataDog

Kubernetes

Adobe

Intel


Runtime Security for Actions Runner Controller (ARC) Managed Kubernetes Runners

Protect against SolarWinds and Codecov-style CI/CD attacks in self-hosted ARC environments with cutting-edge eBPF technology

Security Observability: Gain insight into network and file events for all GitHub Actions workflow runs without any code changes
Secure By Default: Secure all GitHub Actions workflow runs on your ARC runners from day 1 with secure by default policies
Runtime Security Policies: Set ARC Kubernetes cluster-level and finely-tuned job-level egress network policies, intelligently derived from historical workflow runs

Zero Effort Security Observability


Gain in-depth runtime security insights into all GitHub Actions workflow runs

100% Coverage: Gain an integrated view of network and file events through our process monitor aligned with each step of every job for all workflow runs
No code or pipeline changes: eBPF powered Harden-Runner enables security observability without code, pipeline or repository changes
Forensic Readiness: The retention of this crucial data proves invaluable for subsequent forensic analysis, enabling you to dissect and understand past security incidents at any time

Secure By Default

Enable ARC Kubernetes cluster-wide secure-by-default policies

Protect all workflow executions: Deploy ARC Kubernetes cluster-wide secure-by-default policies that automatically protect all workflow executions
Kubernetes-native security: A Kubernetes-native architecture enforces secure-by-default policies without requiring any code or pipeline changes
Default network security: Block traffic to unknown destinations by enforcing strict default egress network policies

CI/CD Native Network Firewall

Prevent Codecov-style CI/CD security attacks by enabling auto-generated block policies on outbound traffic so that only allowed endpoints are reachable

Advanced Network Firewall: Manage network traffic at the DNS and network layers to prevent exfiltration of code and CI/CD credentials
Auto-generated policies: Receive granular policy recommendations derived from historical workflow runs, making rollout straightforward and compromise detection easier
Policy As Code: Seamlessly store and manage your security policies directly within GitHub Actions workflow files, promoting transparency, traceability, and streamlined policy enforcement
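As an added example (not taken from this page or from StepSecurity's own documentation), here is what the job-level egress block policy described above looks like when expressed as code in a GitHub Actions workflow file. The action name and its inputs are the publicly documented ones; the allowed hostnames are constructed for illustration.

```yaml
# Added example: job-level egress policy as code for a GitHub Actions job.
# Hostnames below are constructed for illustration; replace them with the
# endpoints your own workflow runs actually need.
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest   # on ARC, use your runner scale set label here
    steps:
      # Harden-Runner must be the first step so it observes every later step.
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          # "audit" only logs outbound connections; roll out with audit first,
          # then switch to "block" once the recommended allow-list is reviewed.
          egress-policy: block
          # Only these host:port pairs may be reached. Any other outbound
          # connection (e.g. a compromised dependency exfiltrating a token)
          # is blocked and surfaces as a detection.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
      - run: npm ci && npm test
```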

Real-Time File Integrity Monitoring

Defend against SolarWinds-style CI/CD security attacks by monitoring GitHub Actions workflow runs for tampering with source code files and build artifacts

File integrity monitoring: Protect against SolarWinds-type CI/CD security threats with Kubernetes-native file integrity monitoring
Protect source code and build: Monitor source code files and build artifacts to detect whether a backdoor has been added during the build process
Security alerts: Get file and build tampering alerts and view all past detections in the runtime detections dashboard

Enterprise Case Study


Kapiche improves their GitHub Actions security with StepSecurity.

"Since enabling Harden-Runner in our projects, we have much higher confidence and observability into what our build process is doing."

-Cam Parry

Staff Site Reliability Engineer, Kapiche


InovIntell secures their CI/CD with Harden-Runner.

"StepSecurity's products are filling an ever-growing security gap by targeting one of the most widely used CI/CD pipeline products, GitHub Actions. We were able to easily use it in our projects without any flexibility sacrifices, while substantially improving the security of our products."

-Szymon Maszke

Chief Technical Officer, InovIntell


Testimonials

Harden-Runner is a must-have GitHub Action to prevent supply chain attacks. StepSecurity is the one-stop shop to harden your GitHub Actions and ensure peace of mind.

Wenqi Glantz

SOFTWARE ARCHITECT

Harden-runner is an amazing project by StepSecurity! You can easily integrate it in your GitHub Actions and it will block egress traffic and ensure your code isn't overwritten at runtime, to protect against malicious or compromised dependencies.

Christophe Tafani-Dereeper

Cloud Security Engineer

I think this is a great idea, and for the threat model of build time, immediate network egress request monitoring makes a lot of sense.

Liran Tal

GITHUB STAR, AND AUTHOR OF ESSENTIAL NODE.JS SECURITY


It was super easy to set up Harden-Runner and diagnose the issues it uncovered. We found some gremlins slowing down our build and can now avoid new ones sneaking back in. Really great work.

Ben Manes

Caffeine


Harden-Runner strikes an elegant balance between ease of use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool's improvement over time.

Jordan Harband

Open Source Maintainer


GET STARTED

Step Up Your Actions Runner Controller Security


30 day free trial


No credit card required


Cancel anytime
