Kapiche secure their GitHub Actions software supply chain with StepSecurity

This case study shows how Kapiche is using StepSecurity Harden Runner to increase trust, transparency, and integrity of their build pipelines.


Industry: Technology
Runner Environment: GitHub-Hosted


Founded in 2016 and headquartered in Queensland, Australia, Kapiche is on a mission to help organizations understand and empathize with their customers at scale using their unique software. Kapiche is an AI-powered feedback analytics platform built to make sense of customer feedback data, empowering their customers to improve decision-making and positively impact their customer’s bottom line.

As a custodian of customer data, Kapiche has a very security conscious security culture and maintains a high bar for security.

Kapiche uses GitHub Actions CI/CD platform for their open source and private repositories to build and deploy their software. Like most enterprises, Kapiche relies on open-source build tools and dependencies to build their software.

The Challenge

In the recent past, there has been a sharp rise in software supply chain attacks, where software being consumed is tampered with to infiltrate organizations. These attacks have breached all types of organizations ranging from small startups to all the way to Fortune 500 companies and government agencies.

Many of these attacks went undetected for months, allowing bad actors to exfiltrate a trove of confidential data.

Kapiche needed an easy-to-use solution to help them detect potentially malicious build tools and dependencies in their CI/ CD pipeline.

The Solution

Kapiche discovered StepSecurity through the Open Source Security Foundation(OSSF) Scorecard project. Scorecard gives consumers of open-source projects an easy way to evaluate whether their dependencies are safe. The Scorecard project recommends StepSecurity’s SecureWorkflows open-source solution to remediate a few types of security issues discovered by the platform.

Kapiche realized the value of StepSecurity Harden Runner, which is a low friction security platform to increase the security of build pipelines. It is a purpose-built agent that monitors the build process to detect suspicious activities, such as source code overwrite and unexpected outbound calls.

Kapiche has enabled Harden Runner in all their public and private repositories to gain visibility into the build process and set policies to limit outbound access to allowed endpoints.

"Since enabling Harden Runner in our projects, we have much higher confidence and observability into what our build process is doing. This is just one step in a much broader piece of work we are doing to increase the trust in our supply chain security."

Cam Parry
Staff Site Reliability Engineer, Kapiche

The Outcome

Through the easy-to-use solution, StepSecurity enabled Kapiche to gain more visibility and confidence in their workflows and set policies to immediately detect malicious build tools and packages thereby reducing risk from supply chain attacks.

If an attack like SolarWinds or Codecov breach was to happen again, not only will it get detected immediately, StepSecurity Harden Runner will also prevent exfiltration of sensitive data and service credentials from the workflows.


Google Automates GitHub Actions Security for their Open-Source Projects with StepSecurity

This case study talks about how Google leverages StepSecurity’s GitHub Actions security platform to harden their GitHub-hosted runners and automate various GitHub Actions security best practices in several of their open-source projects.


CISA Enforces  Network Egress Control and CI/CD Infrastructure Security to Harden their GitHub-hosted Runners

CISA’s case study talks about how it leverages StepSecurity Harden-Runner 's network egress control and runtime security in over 175 GitHub repositories to prevent Codecov and SolarWinds-style attacks.