8,000 Strong: Harden-Runner's Growing Impact on CI/CD Security

StepSecurity continues to pursue a clear goal: making CI/CD pipelines secure by default. We've now reached a significant milestone with Harden-Runner protecting more than 8,000 open-source repositories, an achievement that comes remarkably soon after passing the 7,000 mark.

Harden-Runner is essentially an EDR solution for CI/CD runners. Just as traditional EDR protects endpoints like laptops and servers by monitoring activity, detecting threats, and enforcing protections, Harden-Runner extends the same security model to CI/CD runners. It continuously observes workflows, inspects runtime behavior, and blocks malicious activity

Since our last milestone, we've not only expanded our protection but also shared our expertise with the global security community. This year, we had the honor of presenting at Black Hat USA 2025, where we detailed how Harden-Runner detected the tj-actions supply chain breach that affected over 23,000 repositories including those from GitHub, Meta, and Microsoft. Learn about our Black Hat presentation →

Our platform currently monitors over 8 million jobs weekly, spanning workflows from individual developers to Fortune 500 companies. This growth trajectory reveals something important: securing CI/CD infrastructure has shifted from a nice-to-have to an absolute necessity in modern software development.

Momentum Building: What's Driving This Rapid Expansion

The swift progression from 7,000 to 8,000 protected repositories signals a broader transformation in how engineering teams think about pipeline security. Organizations are transitioning from reactive incident response to proactive prevention.

Teams are choosing runtime protection that delivers immediate value without requiring workflow rewrites or adding friction to development velocity. The message is clear: developers want security that works with them, not against them.

The Stakes Keep Rising: Today's CI/CD Threat Reality

Attack vectors targeting build pipelines grow more sophisticated by the day. Threat actors have shifted focus from production systems to the factories that build them. Whether through poisoned dependencies, compromised Actions, or sophisticated exfiltration techniques, the software supply chain faces constant pressure.

Harden-Runner addresses this reality by providing continuous runtime monitoring that captures actual execution behavior. Static analysis tells you what might happen; we show you what is happening, as it happens.

Detection in the Wild: How Harden-Runner Protects Production Pipelines

Our runtime monitoring continues to prove its value by catching both security threats and infrastructure anomalies that would otherwise go unnoticed. Two recent detections highlight how Harden-Runner serves as an early warning system for the CI/CD ecosystem:

Unexpected Microsoft Defender Installation on Ubuntu Runners

Starting July 15, 2025, Harden-Runner detected anomalous network calls to Microsoft Defender endpoints across GitHub-hosted Ubuntu runners. Our intelligent baseline system immediately flagged these calls as unusual since they had never appeared in workflow patterns before. Through both our community and enterprise tiers, we identified that Microsoft Defender had been unintentionally deployed to Ubuntu infrastructure. GitHub confirmed our findings and corrected the configuration error. Without runtime monitoring, this change would have remained invisible, silently consuming resources and generating unexpected network traffic across thousands of workflows. Read the full story →

Suspicious Tag Movement in AWS GitHub Action

In August 2025, our Artifact Monitor detected unusual behavior in AWS's popular configure-aws-credentials action, used by over 225,000 repositories. The v4.3.0 tag was created, deleted, and recreated pointing to a different commit within hours. While tag movements like this have been used in actual supply chain attacks (as seen in the tj-actions and reviewdog compromises earlier this year), our automated monitoring flagged this immediately for investigation. The AWS team confirmed it was a legitimate hotfix for a broken release, but the incident demonstrated how our detection systems catch the same patterns that attackers use for malicious tag tampering. Read the full investigation →

Defending Against the Package Compromise Surge

The recent wave of npm package compromises has put the entire JavaScript ecosystem on high alert. In just the past three months, we've witnessed an alarming surge in supply chain attacks:

Recent Major Incidents (Past 3 Months)

• September 2025: 20+ Popular NPM Packages Compromised - chalk, debug, strip-ansi, and others compromised via maintainer account takeover

• September 2025: GhostAction Campaign - Over 3,000 secrets stolen through malicious GitHub workflows

• August 2025: NX Build System Package Compromised - Popular build tool infected with data-stealing malware

• August 2025: ESLint-Config-Prettier Attack - Widely-used code formatting package showed signs of compromise

• July 2025: is-package Compromise - Another npm supply chain attack targeting the JavaScript ecosystem

• July 2025: num2words PyPI Package Attack - Python package registry also targeted, showing cross-ecosystem threats

These attacks share common patterns: they exfiltrate secrets, hijack cryptocurrency transactions, and often remain undetected for hours or days. Traditional security tools miss them because the malicious code executes within legitimate build processes using trusted domains.

Harden-Runner provides multiple layers of defense against these package compromises:

Runtime Detection: When compromised packages execute in your CI/CD, Harden-Runner immediately detects anomalous behavior like unexpected network calls to attacker infrastructure or attempts to read sensitive environment variables.

Behavioral Baselines: Even sophisticated attacks that use legitimate-looking domains get caught because they deviate from established workflow patterns. When a build process suddenly starts making calls it's never made before, we alert immediately.

Securing the AI-Powered Future: Harden-Runner Meets Coding Agents

As AI coding assistants like GitHub Copilot and Claude Code gain the ability to create branches, open pull requests, and execute code, a critical security gap emerges: organizations have no visibility into what these autonomous agents actually do in CI/CD pipelines. Traditional security tools can’t differentiate between normal agent behavior and potential misuse or manipulation.

Harden-Runner closes this gap by providing runtime monitoring for AI-powered workflows, delivering real-time visibility into every action taken by agent-generated code — from file access and process execution to network connections. As projects like GitHub Next’s Continuous AI expand this ecosystem, Harden-Runner helps teams embrace AI-driven productivity while maintaining strong security controls.

Learn more about securing AI in CI/CD:

• When AI Meets CI/CD: Hidden Security Risks →

• Securing GitHub Copilot in GitHub Actions →

• Securing Claude Code in GitHub Actions →

• Securing Gemini in GitHub Actions →

Community Showcase: Projects Leading the Way

Through our free Community Tier, we support open-source projects that form the backbone of modern development. Among the 8,000+ repositories now protected by Harden-Runner, we're particularly proud to secure critical infrastructure projects that millions of developers depend on daily.

Kubernetes: The world's leading container orchestration platform trusts Harden-Runner to secure its CI/CD workflows. With its massive ecosystem of contributors and complex build processes, Kubernetes uses our runtime monitoring to ensure that every workflow execution remains transparent and secure. This protection extends across multiple Kubernetes sub-projects, safeguarding the infrastructure that powers cloud-native applications worldwide.

Explore this interactive demo to see how Kubernetes leverages Harden-Runner to secure its GitHub workflow files:

Ruby: The Ruby programming language project has integrated Harden-Runner to protect its development pipeline. As a foundational technology powering frameworks like Rails and countless web applications, Ruby's security is paramount. Harden-Runner provides the Ruby team with real-time visibility into their CI/CD operations, helping maintain the integrity of a language ecosystem that serves millions of developers.

These adoptions demonstrate that even the most security-conscious projects recognize the value of runtime monitoring. When projects of this caliber choose Harden-Runner, it validates our approach to CI/CD security and reinforces our commitment to protecting the open-source ecosystem.

Looking Forward: Lessons from Scale

This 8,000-repository milestone represents validation that the community recognizes CI/CD security as foundational, not optional. Key insights from this growth phase include:

• Security without sacrifice: Teams refuse to choose between protection and productivity

• Transparency creates trust: When developers see their pipeline's actual behavior, security becomes obvious rather than imposed

• Universal need: From solo maintainers to enterprise teams, everyone faces the same fundamental challenge of securing their build process

Take Action: Start Protecting Your Pipelines

🔒 Ready to Secure Your Workflows?

Join thousands of repositories already benefiting from Harden-Runner's protection. Our Secure Workflow tool, available free through our Community Tier, automatically integrates Harden-Runner into your GitHub Actions with minimal setup.

No matter your scale, Harden-Runner delivers the visibility and control modern CI/CD demands.

Become part of the next wave, follow this interactive demo to see how to add Harden-Runner to your workflow:

Together, we're building a future where secure CI/CD isn't exceptional but expected.

‍