Discover how Hashgraph, leveraging StepSecurity's enterprise solution, revolutionized GitHub Actions security across its diverse CI/CD environments.
Industry: Web3 & Decentralized Infra
Runners: Self-Hosted & GitHub-Hosted
Hashgraph provides engineering and support for the core Hedera platform, enabling a sustainable, scalable, and secure decentralized infrastructure for building various applications and enterprise solutions. The company develops open-source tools and enterprise products for the Hedera ecosystem, including services for loyalty token management, bond issuances, NFT marketplaces, and peer-to-peer payments.
As a leader in Web3 and decentralized infrastructure, implementing robust CI/CD security measures is crucial for Hashgraph to maintain trust, prevent vulnerabilities, and ensure the reliability of its platform while enabling rapid innovation in a space that demands high-security standards.
Hashgraph relies heavily on GitHub Actions for continuous integration and deployment. Their CI/CD environment is complex, encompassing both GitHub-hosted and self-hosted runners across public and private repositories. While this setup provides the flexibility and scalability needed for their diverse projects, it also introduces significant security challenges.
In light of these challenges, Hashgraph identified several critical areas for improvement:
- Monitoring and controlling outbound traffic from CI/CD runners
- Preventing tampering with source code and build artifacts
- Securing third-party GitHub Actions Implementing robust GitHub Actions security controls across their organization
Recognizing the need for a comprehensive solution to address these concerns, Hashgraph turned to StepSecurity's enterprise-tier platform. This case study explores how Hashgraph leveraged StepSecurity to significantly enhance its security posture and streamline its CI/CD processes.
Hashgraph utilizes a mix of GitHub-hosted and self-hosted runners, with self-hosted runners managed through Actions Runner Controller (ARC). However, they faced several security challenges:
- Lacked a robust method to monitor and control outbound traffic from both types of runners
- Needed a way to detect and prevent source code and artifact tampering during the build process
- Required a unified security solution that could work across their diverse runner environment
StepSecurity Harden-Runner provided a comprehensive network and runtime security solution tailored for both GitHub-hosted and self-hosted runners.
Key features implemented:
- Real-time monitoring and control of outbound network traffic at both job and cluster levels
- Continuous integrity checking of source code and build artifacts
- Unified security policies and monitoring across all types of runners (GitHub-hosted and self-hosted)
- Comprehensive security coverage without impacting development workflow
- No code changes required to provide network visibility for self-hosted runners
- Egress traffic filtering across all workflow runs
- Security visibility into outbound traffic from all runners
- Ability to block malicious connections in real-time
- Detection and prevention of tampering attempts during builds
- Reduced risk of supply chain attacks and CI/CD credential exfiltration
- Detailed network, file, and process events available for forensic analysis of each job run
"StepSecurity provided an immediate large scale effect by providing a single pane-of-glass visibility into all traffic egressing from our GitHub Actions CI/CD infrastructure. This provided immediate real-world visibility and enhanced our ability to detect and respond to incidents."
- Joe Blanchard, CSO/CIO Hashgraph
Hashgraph needed a way to safely utilize third-party GitHub Actions without compromising security. They faced several risks:
- Many third-party actions were abandoned, leaving them vulnerable to unpatched security issues
- A significant number of actions were maintained by single developers who might not follow security best practices
- Hashgraph lacked visibility into the security posture and update frequency of these actions
- There was a risk of supply chain attacks through compromised or malicious third-party actions
StepSecurity offered:
- Inventory of all GitHub Actions in use across the entire GitHub organization.
- A comprehensive scoring system to evaluate the risk of third-party actions, considering factors like maintenance status, developer practices, runtime behavior, and known vulnerabilities.
- Drop-in replacements for risky third-party actions, maintained by StepSecurity with rigorous security standards.
- Reduced risk associated with third-party actions
- Seamless integration of secure StepSecurity Maintained alternatives
- Improved confidence in the security of the CI/CD pipeline
"Hashgraph was able to rapidly implement StepSecurity’s solution increasing our visibility into possible supply chain attacks. The easy to use tooling provided immediate impact to our operations."
- Joe Blanchard, CSO/CIO Hashgraph
Hashgraph sought to implement and automate best practices for GitHub Actions security. They faced several hurdles:
- Lack of visibility into security control adherence across the organization
- Manual implementation of security controls was time-consuming and error-prone
- Difficulty in tracking and improving security posture over time
StepSecurity provided a comprehensive suite of tools and automation for GitHub Actions security:
- Automated implementation of security best practices such as enforcing minimum token permissions and pinning actions
- A centralized dashboard offering visibility into security control adherence across the organization
- Automation to address security gaps through pull requests
- Continuous monitoring and reporting of security posture
- Strengthened overall security posture
- Reduced manual overhead in maintaining security best practices
- Consistent application of security controls across repositories Improved visibility and tracking of security metrics over time
- Faster remediation of security issues through automated pull requests
"StepSecurity has provided immediate impact to our development operation by providing easy to use tools to monitor and track security controls across our entire enterprise."
- Joe Blanchard, CSO/CIO Hashgraph
By implementing StepSecurity platform, Hashgraph has significantly enhanced the security of their GitHub Actions environment. From securing self-hosted runners to safeguarding against risks of third-party GitHub Actions, StepSecurity has provided comprehensive protection across the entire CI/CD pipeline.
"StepSecurity made an immediate impact to our GitHub Actions security by providing several innovative, cutting edge solutions which immediately provided massive insights into existing risks and leaks. Additionally the entire StepSecurity team has been a steadfast teammate in the continued cutting edge efforts to defend against current and future threats."
- Joe Blanchard, CSO/CIO Hashgraph
Google Automates GitHub Actions Security for their Open-Source Projects with StepSecurity
This case study talks about how Google leverages StepSecurity’s GitHub Actions security platform to harden their GitHub-hosted runners and automate various GitHub Actions security best practices in several of their open-source projects.
CISA Enforces Network Egress Control and CI/CD Infrastructure Security to Harden their GitHub-hosted Runners
CISA’s case study talks about how it leverages StepSecurity Harden-Runner 's network egress control and runtime security in over 175 GitHub repositories to prevent Codecov and SolarWinds-style attacks.