Announcing Anomalous Outbound Call Detection Using Machine Learning

Introduction

Last month, StepSecurity introduced Harden-Runner for self-hosted VM runners for enhanced CI/CD security. This month, StepSecurity raises the bar further with yet another enhancement of Harden-Runner. On popular demand, Harden-Runner, which is known to provide robust runtime security for GitHub Actions across GitHub-hosted and self-hosted runners, will now also detect anomalous outbound calls. This ML-powered feature will empower developers and security teams with real-time alerts during workflow runs, ensuring an additional layer of security without compromising usability. What’s more? For self-hosted runners, this feature will enable all workflows to be automatically monitored without changing any of the workflow files.

If you’re looking to enhance your GitHub Actions security, you've landed at the right place. Explore StepSecurity Harden-Runner to see how it helps to fortify your GitHub Actions.

Also Read: Celebrating 2,000+ GitHub Repositories Secured with Harden-Runner

Evolution of Harden-Runner: What’s Different?

Up until now, Harden-Runner offered two modes: an audit mode, providing visibility into outbound calls made during a GitHub Actions workflow run, and a block mode, enabling the specification of authorized outbound destinations while blocking unauthorized calls. As per the demand, we’re excited to introduce the anomaly detection feature in audit mode.

‍

How It Works

The anomaly detection feature creates a machine learning model of outbound network calls by analyzing the historical data of the same workflow in previous runs.  

After the model is trained, real-time notifications are triggered if a new anomalous outbound call occurs in a future run. These notifications can be seamlessly delivered through email and Slack, allowing developers and security teams to promptly review and investigate the legitimacy of the newly detected endpoint.

Here is a sample email notification.

‍

You can also detect such anomalous calls in the insights page for the GitHub Actions workflow run.

‍

Enabling the Feature

Follow these simple steps to enable this feature:

1. Install the StepSecurity Actions Security GitHub App.

2. Access the organization dashboard through the provided link.

3. In the settings tab, under "Notification Settings," find the new setting for "Notify when an anomalous outbound call is discovered."

4. Enable this feature by selecting the checkbox and saving the settings.

‍

For GitHub-hosted runners, add the Harden-Runner GitHub Action to your workflows to receive notifications about anomalous outbound calls. If using self-hosted runners, no additional action is required – all workflows are automatically monitored.

See it in Action in GitHub Actions Goat

As an educational initiative, GitHub Actions Goat simulates common security attacks and vulnerabilities in a GitHub Actions CI/CD environment. We've incorporated the anomaly detection feature into GitHub Actions Goat. To witness it in action, explore the dedicated workflow running on a GitHub-hosted runner, utilizing Harden-Runner in audit mode.

https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6948614815

Summary

StepSecurity is thrilled to enable enhanced GitHub Actions security with this new feature. The feature will allow DevOps teams and security teams to detect anomalies in real time and empower organizations to balance security and usability as per their requirements.

If you’re eager to explore the new anomaly detection feature, simply follow the steps above to enable it on the StepSecurity platform. Stay tuned for upcoming feature updates and if you have any questions, please feel free to contact our team.

‍