At StepSecurity, our mission is unwavering: make CI/CD pipelines secure by default. Today, we’re excited to announce that Harden-Runner is now protecting over 7,000 open-source repositories—barely two months after hitting the 6,000 mark.
We’re now monitoring over 5 million jobs per week across workflows from community users and our enterprise customers. This reflects a growing understanding across the developer and security communities that CI/CD is the new frontier for supply chain security, and visibility into what runs during builds is no longer optional.
Why It Matters: Harden-Runner in a Threat-Filled Landscape
The software supply chain is under siege—from mutable tags and unmaintained Actions to sophisticated exfiltration techniques embedded in trusted projects. Developers need tools that provide real-time protection without breaking workflows or slowing teams down.
Harden-Runner does exactly that. It offers runtime monitoring and enforcement for GitHub Actions, detecting suspicious behavior as it happens—often before anyone else is aware.
CI/CD Security in the Wild: Harden-Runner Detects and Defends
Our growth in open-source adoption hasn’t happened in a vacuum. It’s happened because Harden-Runner consistently delivers real-world value, often catching threats others miss.
One such example is our early detection of the tj-actions supply chain breach, which exposed a chained compromise across popular GitHub Actions. This critical discovery likely prevented damage for many projects.
Varun Sharma (CEO, StepSecurity) and Ashish Kurmi (CTO, StepSecurity) will be presenting the full story at Black Hat USA in their talk, “When ‘Changed Files’ Changed Everything: Uncovering and Responding to the tj-actions Supply Chain Breach.” If you’re attending, we’d love for you to stop by and chat.

Harden-Runner Detects New Traffic to release-assets.githubusercontent.com Across Multiple Customers
Harden-Runner detected unexpected outbound calls to release-assets.githubusercontent.com across multiple customers. This new domain had never appeared in workflow baselines and raised concerns of a potential platform compromise.
StepSecurity quickly correlated the activity, engaged GitHub Support, and confirmed it was a legitimate infrastructure change—not a breach. Harden-Runner baselines were immediately updated, and customers were advised to update egress rules.
What’s New: Expanded Capabilities Since 6,000 Projects
Since our last milestone blog at 6,000 projects, we've introduced several features to help teams get more from Harden-Runner:
Impostor Commit detection
We now alert you when a GitHub Action uses a tag that points to a commit that doesn’t exist in the action repo’s default branch. This helps you:
- Spot potentially compromised actions
- Audit projects with risky release practices
- Make informed decisions about trusting such actions
👉 Learn more in this blog post
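The check described above, as an added example that is not StepSecurity's code: an action tag is treated as an impostor when the commit it resolves to is not reachable from the head of the action repository's default branch. The commit graph, branch head, tag map and `uses:` references are constructed sample data; in practice the same question is answered against the real repository with `git merge-base --is-ancestor <tag-commit> <default-branch>` or the GitHub compare API.

```python
"""Impostor-commit check over a constructed commit graph (added example)."""
from collections import deque

# Constructed commit graph: commit id -> list of parent ids.
COMMITS = {
    "a1": [],
    "b2": ["a1"],
    "c3": ["b2"],
    "d4": ["c3"],   # head of the default branch
    "e5": ["b2"],   # side-branch commit that was never merged
    "x9": ["c3"],   # commit present in the repo but on no branch
}
DEFAULT_BRANCH_HEAD = "d4"

# Constructed tag -> commit mapping, as `git ls-remote --tags` would report.
TAGS = {
    "v1.0.0": "b2",   # legitimate: ancestor of the default branch head
    "v1.1.0": "d4",   # legitimate: the default branch head itself
    "v1.1.1": "x9",   # impostor: commit exists but is not on the default branch
    "v0.9.0": "e5",   # unmerged side-branch commit, flagged by the same rule
}


def reachable_from(head, commits):
    """Return every commit id reachable from `head` by following parent links."""
    seen = set()
    queue = deque([head])
    while queue:
        cid = queue.popleft()
        if cid in seen:
            continue
        seen.add(cid)
        queue.extend(commits.get(cid, []))
    return seen


def find_impostor_tags(tags, commits, default_head):
    """Return (sorted) tags whose commit is not an ancestor of the default branch."""
    on_default = reachable_from(default_head, commits)
    return sorted(tag for tag, commit in tags.items() if commit not in on_default)


def check_uses(uses_ref, tags, commits, default_head):
    """Classify a workflow `uses:` reference such as 'owner/repo@v1.1.1'.

    Returns 'ok', 'impostor', or 'unknown-ref' for refs that are not tags in
    the map (branch names or full SHAs, which this check does not cover).
    """
    _, _, ref = uses_ref.partition("@")
    if ref not in tags:
        return "unknown-ref"
    flagged = find_impostor_tags(tags, commits, default_head)
    return "impostor" if ref in flagged else "ok"


if __name__ == "__main__":
    for ref in ("owner/action@v1.1.0", "owner/action@v1.1.1", "owner/action@main"):
        print(ref, "->", check_uses(ref, TAGS, COMMITS, DEFAULT_BRANCH_HEAD))
```

Note that `v0.9.0` is flagged as well: a release cut from a maintenance branch that was never merged into the default branch fails the same test as a tag moved to a foreign commit, which is why the page lists auditing release practices alongside spotting compromised actions. Pinning `uses:` references to a full commit SHA sidesteps the tag question entirely.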
Baseline Monitoring
We introduced baseline monitoring to detect unusual outbound network activity across jobs, repositories, ARC clusters, and even GitHub organizations. Each resource is assigned a Creating, Stable, or Unstable status to help teams identify anomalies faster.
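Both the release-assets.githubusercontent.com incident above and the baseline monitoring described here rest on the same idea: destinations seen in earlier runs of a job form its egress baseline, and a run that reaches a destination outside it is an anomaly to review before the baseline and egress rules are updated. The following added example (not StepSecurity's code) models that flow over constructed job telemetry. The status rules it uses are its own assumptions, since the page names Creating, Stable and Unstable but not how they are computed: a baseline is Creating until `MIN_RUNS` runs have been observed, Stable while runs stay inside it, and Unstable while unreviewed destinations are pending.

```python
"""Egress-baseline monitoring over constructed job telemetry (added example)."""
from dataclasses import dataclass, field

MIN_RUNS = 3  # assumed: runs needed before a baseline counts as formed


@dataclass
class Baseline:
    destinations: set = field(default_factory=set)  # accepted hostnames
    pending: set = field(default_factory=set)       # seen but not yet reviewed
    runs: int = 0
    status: str = "Creating"


def observe_run(baseline, destinations):
    """Fold one job run's outbound hostnames into the baseline.

    Returns the hostnames not seen before. While the baseline is still
    forming, new hostnames are learned silently; once it is formed, they
    are held as pending, the status turns Unstable, and they are reported.
    """
    new = set(destinations) - baseline.destinations - baseline.pending
    baseline.runs += 1
    if baseline.runs <= MIN_RUNS:
        baseline.destinations |= new
        baseline.status = "Creating" if baseline.runs < MIN_RUNS else "Stable"
        return set()
    if new:
        baseline.pending |= new
        baseline.status = "Unstable"
    return new


def accept(baseline, hosts):
    """Promote reviewed hostnames into the baseline, as after the page's
    confirmation with GitHub Support that a new domain was legitimate.
    Returns the hostnames promoted; status returns to Stable when nothing
    is left pending."""
    accepted = set(hosts) & baseline.pending
    baseline.pending -= accepted
    baseline.destinations |= accepted
    if not baseline.pending:
        baseline.status = "Stable"
    return accepted


# Constructed telemetry: outbound hostnames observed in five runs of one job.
SAMPLE_RUNS = [
    ["github.com", "api.github.com", "registry.npmjs.org"],
    ["github.com", "api.github.com", "registry.npmjs.org"],
    ["github.com", "api.github.com", "registry.npmjs.org", "objects.githubusercontent.com"],
    ["github.com", "api.github.com", "registry.npmjs.org"],
    ["github.com", "api.github.com", "registry.npmjs.org", "release-assets.githubusercontent.com"],
]


def replay(runs):
    """Replay runs in order; return the baseline and (run_no, new_hosts, status) events."""
    baseline = Baseline()
    events = []
    for run_no, hosts in enumerate(runs, 1):
        new = observe_run(baseline, hosts)
        events.append((run_no, sorted(new), baseline.status))
    return baseline, events


if __name__ == "__main__":
    baseline, events = replay(SAMPLE_RUNS)
    for run_no, new, status in events:
        print(f"run {run_no}: status={status} new={new}")
    # After review, the owner accepts the new domain and updates egress rules.
    accept(baseline, ["release-assets.githubusercontent.com"])
    print("after review:", baseline.status, sorted(baseline.destinations))
```

The third run adds `objects.githubusercontent.com` while the baseline is still Creating, so it is learned without an alert; the fifth run's `release-assets.githubusercontent.com` arrives after the baseline is Stable and is reported instead. With a block-mode egress policy, a pending destination is exactly the call that would be denied until the allow-list is updated, which is why the two steps (confirm, then update rules) are kept separate.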
Process-Based Detections
We’ve recently expanded our detection capabilities to include process-based signals. These detections help identify high-risk behaviors on the runner, such as:
- Attempts to read runner worker memory
- Execution of reverse shells
- Launching of privileged containers
These additions enhance our ability to detect and block sophisticated attacks that go beyond network-based indicators.
GitLab Support
StepSecurity now supports GitLab self-hosted runners, giving GitLab users access to the same rich telemetry and policy enforcement that GitHub projects enjoy.
StepSecurity on AWS Marketplace
StepSecurity is now available on AWS Marketplace, making it easier for enterprises to procure and deploy CI/CD protections at scale.
Project Spotlight: Harden-Runner in Action
We’re proud to support the open-source ecosystem through our Community Tier—free for all public repositories.
Thousands of projects rely on Harden-Runner for threat detection, least privilege enforcement, and runtime visibility. Here are a few recent standouts:
WasmEdge: A high-performance WebAssembly runtime, WasmEdge uses Harden-Runner to secure its CI workflows with outbound network controls and behavioral monitoring.
Explore this interactive demo to see how WasmEdge leverages Harden-Runner to secure its GitHub workflow files:
Intel’s Open-source: Several of Intel’s open-source projects are now protected, including:
These repos form the building blocks for developer tooling and UI design, and Harden-Runner helps ensure their workflows stay locked down and observable.
Explore this interactive demo to see how Intel leverages Harden-Runner to secure its GitHub workflow files:
🔒 Not Using Harden-Runner Yet?
Now’s the perfect time to get started with Harden-Runner. Use Secure Workflow—free on our Community Tier—to automatically add Harden-Runner to your workflow file, and protect your GitHub Actions in just a few clicks.
Let’s push CI/CD security forward—together.