Introducing Harden-Runner for Kubernetes-Based Self-Hosted Actions Runners

Harden-Runner now supports Actions Runner Controller (ARC) based self-hosted GitHub Actions runners, and we are looking for more design partners to collaborate on shaping the future of the product.

Ashish Kurmi
March 29, 2023


We’re thrilled to announce that we’re taking Harden-Runner to the next level by supporting Kubernetes-based self-hosted GitHub Actions runners. As we embark on this exciting journey, we are actively seeking more design partners who use Kubernetes-based self-hosted GitHub Actions runners to collaborate with us and help shape the future of Harden-Runner. If you operate in a regulated space such as Healthcare, Fintech or process sensitive data such as Personally Identifiable Information (PII), Harden-Runner can tremendously improve your CI/CD security. As a design partner, you’ll get early access to the solution, and your feedback will help us shape the final product. If you’re interested in becoming a design partner for the Harden-Runner port to Kubernetes-based self-hosted runners, please get in touch with us.

Harden-Runner for GitHub Hosted Actions Runner

Harden-Runner is an open-source, purpose-built CI/CD runtime security agent for GitHub Actions. Earlier, it was only supported on Ubuntu based GitHub hosted Actions runners. Built based on learnings from past software supply chain attacks, it packs an impressive array of capabilities, such as preventing the exfiltration of credentials, detecting tampering of source code during builds, and spotting compromised dependencies & build tools. For each workflow execution, it provides an insight page that summarizes runtime security observations. It is currently used by more than 800 open-source repositories and several enterprise customers.

Why Actions Runner Controller (ARC) based self-hosted GitHub Actions Runners?

In our discussions with enterprises, we found that customers use self-hosted GitHub Actions runners primarily for security reasons. Self-hosted runners provide complete control of the runtime CI/CD environment. In addition, it can also work within customers’ private network environment. As GitHub Actions runners typically use highly sensitive secrets associated with cloud administrator IAM identities and software distribution accounts, some customers prefer self-hosted GitHub Actions as it doesn’t expose these secrets to another third-party. Other reasons are custom choices for hardware, operating system, and software tools for Actions Runners. Some customers also use self-hosted runners for cost reasons.  

Kubernetes has become the go-to platform for managing containerized applications at scale. As many such security conscious organizations already have platform teams for managing their Kubernetes infrastructure, Kubernetes has become the most common vehicle for hosting self-hosted GitHub Actions runners.

Harden-Runner for Actions Runner Controller (ARC) based self-hosted GitHub Actions runners

Harden-Runner Architecture

We have rearchitected Harden-Runner to be Kubernetes aware to work efficiently in this environment. It uses native Kubernetes capabilities to provide the same security guarantees like the agent-based model used for GitHub Hosted Actions Runners.


GitHub-Hosted Runner 

Self-Hosted Runner 

Audit File Events 

Linux Audit System 


Audit DNS and Network Events 

Linux Audit System & DNS Proxy 


Event Handler 

Harden-Runner Agent 

Harden-Runner K8S Resource 

Event Correlation with Action Steps 

StepSecurity Web API, Backend, and Frontend 


Run Insights 

One of the major benefits of using Harden-Runner in a Kubernetes-based self-hosted environment is that it uses eBPF to analyze runtime CI/CD behavior. This means that you won't need to make any changes to the workflow file or the runner pod container image, making it an “agentless” and hassle-free integration for enterprises. Once you deploy Harden-Runner in your Kubernetes cluster, you’ll have 100% runtime visibility for all Action workflow executions. You can optionally update the workflow file to enable additional defenses such as blocking traffic to unknown endpoints.

Call to action

We’ve already got a few basic end-to-end Harden-Runner scenarios working for self-hosted Actions runners. Currently, we’re in the process of adding more features to make it feature complete and improving reliability to make it a truly enterprise-grade product.  

If you’re interested in becoming a design partner for the Harden-Runner port to Kubernetes-based self-hosted runners, please fill out this form. We can’t wait to work with you to create a more secure and resilient CI/CD pipeline that will help you run your business more smoothly and safely than ever before.