Showing 0 Items
This post details a vulnerability to bypass Harden-Runner’s disable-sudo policy, the assigned CVE, and the steps we’ve taken to mitigate and detect it.
Strengthen CI/CD security with policy-driven automated pull requests. Automatically remediate misconfigurations in your GitHub Action workflows.
The supply chain compromise of reviewdog GitHub Actions has been resolved. This post summarizes the incident, how it was discovered, and what you should do to protect your workflows
We have concluded our investigation into the tj-actions/changed-files compromise. This post explains how the attack worked, how we detected it, and what steps you should take to secure your CI/CD environment.
We’re excited to announce our integration with RunsOn, the modern way to self-host GitHub Actions runners at scale on AWS, with incredible cost savings and advanced features. With this partnership, StepSecurity Harden-Runner now seamlessly integrates with RunsOn, providing enhanced security and visibility for CI/CD pipelines.
The updates include support for pinning GitHub’s New Immutable Actions, exemptions for pinning specific GitHub Actions, and configuring preferences to use across multiple repositories.
Despite the sensitive roles CI/CD runners play (accessing source code, secrets, and deployment systems), compliance requirements often don’t explicitly call them out. As a result, security teams may focus on traditional servers and endpoints, while build runners go unmonitored. This blog will explain why that is changing.
Harden-Runner detected an unexpected outbound call from Docker across multiple customer environments. Surprisingly, it wasn’t listed in Docker’s allow list, and no EDR tool flagged it. Here’s how we identified it, reported it, and got it added to Docker’s documentation.
