At StepSecurity, our mission has always been clear: make CI/CD pipelines secure by default. Today, we're proud to announce a major milestone—Harden-Runner has now been adopted by over 6,000 open-source projects, just 3 months after reaching the 5,000-project milestone
This isn’t just a vanity metric. It’s a testament to the growing recognition that securing CI/CD pipelines is not optional. With threats evolving and supply chain attacks on the rise, developers are turning to solutions like Harden-Runner to proactively protect their workflows.
CI/CD Security in the Wild: Harden-Runner Detects and Defends
Our growth in open-source adoption hasn’t happened in a vacuum. It’s happened because Harden-Runner consistently delivers real-world value, often catching threats others miss.
CVE-2025-30066: Compromise of tj-actions/changed-files
One of the most critical recent supply chain attacks targeted the popular GitHub Action tj-actions/changed-files, used by over 23,000 repositories. Attackers retroactively updated multiple tags to reference a malicious commit that dumped CI/CD secrets into public logs.
Harden-Runner was the first to detect this attack and alert the community. StepSecurity quickly provided detailed recovery guidance, including a secure, maintained drop-in replacement for the compromised Action. Harden-Runner was officially credited for discovering the incident in the CVE.
As soon as the compromised Action was used in a pipeline, Harden-Runner flagged unexpected outbound calls—triggering a rapid investigation and public disclosure. We immediately released step-security/changed-files, a secure alternative, and the GitHub security community rallied to contain the damage.
👉 Read the full incident summary
👉 Try our secure maintained replacement
Helping Improve Docker Documentation
Another example of Harden-Runner’s visibility came when it flagged unexplained network calls to an undocumented Docker domain:
docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com
No EDR had caught this. No mention in Docker's allowlist documentation. But Harden-Runner surfaced it across multiple environments, and we escalated the issue to Docker. The result? Docker acknowledged and updated their documentation.
This wasn't just a bug fix—it was a win for developer visibility and CI/CD transparency.
What’s New: Expanded Capabilities Since 5,000 Projects
Since our last milestone blog at 5,000 projects, we've introduced several features to help teams get more from Harden-Runner:
Export Insights to Amazon S3
Security teams can now stream Harden-Runner security insights and detections directly into their S3 buckets, enabling real-time integration with SIEMs, incident response workflows, and long-term analysis platforms.
GitHub Checks
Harden-Runner insights are now integrated directly into the GitHub Checks UI, giving developers immediate visibility into anomalous network activity during pull requests. This eliminates the need to monitor security separately through emails or dashboards. This feature makes Harden-Runner detections visible in their existing developer workflow in the pull request UI, thereby empowering developers to triage Harden-Runner detections themselves.
👉 Learn more in the documentation
Integration with RunsOn for Optimized Self-Hosting
We’ve partnered with RunsOn, the cost-effective, high-performance platform for self-hosting GitHub runners on AWS. Harden-Runner now comes preinstalled in RunsOn base images, delivering real-time security insights out of the box.
New Harden-Runner Controls: disable-sudo-and-containers
We have evolved the disable-sudo option and introduced disable-sudo-and-containers. This not only disables sudo, but also removes access to Docker to limit possibility of privilege escalation.
We’ve also added runtime detections for sudo bypass attempts and are rolling out a lockdown mode to block further execution if compromise is detected.
Project Spotlight: Harden-Runner in Action
At StepSecurity, we’re proud to support the open-source ecosystem. With our Community Tier—free for all public and open-source repositories—anyone can secure their GitHub Actions workflows in just a few clicks. No paywall. No vendor lock-in.
Thousands of projects have already adopted Harden-Runner to detect threats, enforce least privilege, and improve CI/CD visibility. Here’s a spotlight on some of the most recent additions.
Open Source Projects on the Community Tier
The OpenTelemetry project is a cornerstone of observability in the cloud-native world. Several of its core repositories are now protected by Harden-Runner:
By using Harden-Runner on our Community Tier, OpenTelemetry benefits from proactive protections like runtime anomaly detection and outbound network control—without slowing down builds or contributors.
FreeCAD, a sophisticated parametric 3D modeler, is another recent adopter. With a complex CI/CD pipeline and a large contributor base, FreeCAD now benefits from runtime visibility into network and file system activity and least privilege enforcement for the GITHUB_TOKEN —all enabled completely for free through the Community Tier.
Enterprise-Grade Protection with Harden-Runner
While the Community Tier secures thousands of open-source projects, our Enterprise Tier empowers private organizations with advanced controls, team-level visibility, and deeper integrations.
Neon
Neon, the cloud-native Postgres company, turned to Harden-Runner to address a critical visibility gap in their GitHub Actions environment:
- Discovered what GitHub Actions were doing at runtime, not just in configuration
- Flagged unexpected outbound traffic in production workflows
- Enabled early detection of unsafe workflows without developer friction
“StepSecurity gave us visibility we hadn’t seen elsewhere. It’s now an integral part of how we secure our CI/CD pipelines.”
— Busra Kugler, Lead Security Engineer at Neon
Chainguard
Chainguard, a leader in software supply chain security, integrated Harden-Runner to put its security-by-design philosophy into action:
- Applied least privilege across tokens, network egress, and sudo usage
- Eliminated manual workflow reviews with automated runtime profiling
- Prevented risks from mutable tags and unmaintained actions via curated replacements
“Without StepSecurity, we’d spend far more time reviewing workflows. Now we get automatic visibility, consistency, and peace of mind.”
— Evan Gibler, Staff Security Engineer at Chainguard
Read the full Chainguard case study
What’s Next: The Future of CI/CD Security with Harden-Runner
Lockdown Mode
We are developing a new lockdown mode feature as part of our ongoing defense-in-depth strategy.
If Harden-Runner detects behavior indicative of compromise—such as attempts to restore sudo, or modify sensitive files—it will:
- Immediately halt further job execution
- Prevent potential exfiltration or persistence
- Contain threats before they can impact other parts of the pipeline
This adds a critical last line of defense—ensuring that even if earlier protections are bypassed, workflows don’t continue in an unsafe state.
We're just getting started. Expect more capabilities focused on indicator-of-compromise detection, CI/CD deception techniques, and deeper runtime controls to be rolled out in the coming months.
Let’s push CI/CD security forward—together
🔒 Not Using Harden-Runner Yet?
Now’s the perfect time to get started with Harden-Runner, use Secure Workflow—free on our Community Tier to automatically add Harden-Runner to your workflow file. Protect your GitHub Actions in just a few clicks.
Let’s push CI/CD security forward—together.