Recidiviz Streamlines CI/CD Security with StepSecurity

Company Background

Recidiviz is a technology non-profit that partners with criminal justice agencies to modernize their use of data and drive better outcomes for individuals and communities. Their team of product designers, engineers, and data scientists builds software for agency leaders and staff that help them safely reduce prison populations and support successful community reentry. Recidiviz has helped accelerate over 247K people out of the criminal justice system to date, saved states $1.3 billion in costs, and scaled its platform to cover 46% of the U.S. prison population. – and they’re just getting started. The engineering team at Recidiviz supports this mission by developing and operating a complex cloud infrastructure and data pipelines.

Dan Hansen, a Site Reliability Engineer at Recidiviz, focuses on platform reliability and developer experience. Peter Henggeler, Recidiviz’s Information Security Officer, oversees security and compliance. Together, Dan and Peter recently led an initiative to strengthen the security of the organization’s CI/CD workflows without slowing down development.

The Challenge

As Recidiviz grew, the team transitioned from GitHub’s hosted runners to RunsOn self-hosted GitHub Actions runners to better scale CI/CD and control costs. Workflows deploying infrastructure-as-code (IaC) and managing cloud resources meant these runners had access to sensitive secrets and production environments. Dan and Peter were particularly concerned about:

• Secure Access to Cloud Infrastructure: Ensuring that CI jobs (which apply IaC changes on merge) had the least privilege needed and could not misuse cloud credentials.

• Secret Exfiltration Risks: Preventing any malicious code or third-party GitHub Action from exfiltrating secrets or data during CI runs.

• Lack of Network Monitoring: GitHub Actions workflows lacked any egress monitoring by default – if a build process tried to call an unauthorized external server, they had no visibility or control over it.

“Without StepSecurity, we had no network monitoring in our CI; if something tried to phone home with our secrets, we wouldn’t know,”

- Dan Hansen, Site Reliability Engineer at Recidiviz.  

The team wanted to implement network-level security on their CI runners to catch anomalies and enforce least privilege access, but without hindering developer productivity.

They considered native solutions, like locking down network egress at the AWS level (since their runners run in AWS). However, doing that manually for each runner or job would be complex and “way too much work to do ourselves”. In practice, completely limiting egress at the cloud level wasn’t flexible enough for their CI needs. Recidiviz needed a solution purpose-built for CI/CD that could provide security and fit seamlessly into their GitHub Actions workflows.

Why StepSecurity

Recidiviz discovered StepSecurity Harden-Runner through a community Slack channel, where information about the tj-actions/changed-files compromise was shared. Dan was immediately intrigued by StepSecurity’s approach to CI/CD security. After researching alternatives, he found that no other solution combined network monitoring with built-in GitHub Actions security best practices in the way StepSecurity did.

Why StepSecurity stood out:

• Network-Level Monitoring: This was the top priority for Recidiviz. StepSecurity’s Harden-Runner acts like an “EDR for CI” – monitoring all outbound network calls from the runner. This capability was critical and not offered by GitHub natively or other tools they found.

• Built-in Hardening for GitHub Actions: StepSecurity provides a set of hardened best practices (like locking down default tokens and pinning 3^rd party actions) integrated into the GitHub Actions lifecycle. It wasn’t just monitoring; it also guided them to tighten configurations.

• Ease of Adoption (Orchestrated PRs): StepSecurity could automatically generate pull requests to Recidiviz’s repos to enable the Harden-Runner and apply recommended security settings. This level of automation meant minimal manual effort for Dan’s team.

• Avoiding DIY or Cloud-Only Solutions: The alternative – using AWS networking rules or building a custom monitoring solution – would have been cumbersome and incomplete. StepSecurity offered a ready solution that plugged directly into their CI pipelines, saving Recidiviz from months of engineering effort.

Dan recalled searching for similar products and coming up empty:  

“I could not find any competitors that did both network-level monitoring and had a hardened set of best practices to implement… none built into the GitHub Actions lifecycle.”

- Dan Hansen, Site Reliability Engineer at Recidiviz

For Recidiviz, StepSecurity was unique in addressing their exact needs for security and developer-friendly automation.

Implementation

Implementing StepSecurity was straightforward and fast. After an initial trial, the team deployed StepSecurity’s Harden-Runner across all their GitHub Actions workflows in audit (monitoring) mode. StepSecurity’s platform automatically scanned Recidiviz’s repositories and opened pull requests to add the Harden-Runner step and related security checks to each workflow.

Dan merged these automated PRs, instantly instrumenting dozens of CI workflows with the security agent.  

“Having the orchestrated PRs merged, which applied Harden-Runner to all of our workflows across all of our repositories, was a huge help,”

- Dan Hansen, Site Reliability Engineer at Recidiviz.

Recidiviz has many repositories maintained by many developers, so rolling out a new tool org-wide manually would have been impractical. With StepSecurity’s automation, one SRE (Dan) was able to implement a security upgrade across the entire organization with minimal effort.

They configured Harden-Runner to audit network traffic and behavior without blocking, initially. This allowed the tool to learn a baseline of normal egress calls for each job. Over a few weeks, StepSecurity’s dashboard flagged a handful of unexpected outbound calls (for example, from certain Python package installers in their workflows), which the team reviewed.  

During the rollout, developer communication was key. The StepSecurity team provided documentation to help notify engineers about the new CI checks, but in practice there was little noise. By introducing Harden-Runner in monitoring mode, Recidiviz gained visibility without breaking any builds. Developers saw a non-blocking “Hardened Runner” check on their pull requests, which only failed if truly anomalous behavior was detected. This gentle introduction meant that no one’s workflow was disrupted, and developers grew confident knowing a safety net was watching the pipelines.

Notably, the security initiative didn’t come top-down in a way that alienated the engineering team. Peter observed that usually when a new security tool is introduced, developers may resist the change. In this case, because StepSecurity also improved reliability and provided helpful insights, it was well received.  

“Sometimes when I bring in a security tool, everyone’s kicking and screaming. This was different – a perfect project that sits between security and developer needs,”

- Peter Henggeler, Information Security Officer at Recidiviz.

In fact, the implementation was led by Dan on the SRE side, showing that the tool catered to developer experience as much as security.

Results

After adopting StepSecurity, Recidiviz quickly gained stronger security with virtually no hit to velocity. Some of the immediate benefits and results include:

• Network Visibility & Peace of Mind: For the first time, the team has full visibility into outbound network calls during CI runs. They can see exactly which external services each job contacts.  

“Before we had no network monitoring… just having it now gives us quite a bit of peace of mind. This visibility alone greatly reduces anxiety about hidden threats and supply chain attacks, especially given recent industry breaches via CI pipelines.”

- Dan Hansen, Site Reliability Engineer at Recidiviz

• Secure Baseline Established: StepSecurity Harden Runner helped identify a couple of unexpected behaviors (such as unneeded calls in dependency installation), which the team fixed or allowed. Soon, they saw no new detections, indicating a stable baseline of normal behavior. With the environment baseline learned, the team feels confident they can trust their workflows’ network behavior.

• Safer Use of Third-Party Actions: StepSecurity’s reports gave Dan visibility into all the GitHub Actions used across Recidiviz’s repositories – something they never had centralized before. They discovered a number of third-party Actions in use and have already deprecated or replaced several with higher-scoring, more secure alternatives. (StepSecurity scores GitHub Actions for risk, and even provides its own hardened forks of common Actions.) This proactive cleanup reduces the chance of using unmaintained or vulnerable Actions in CI.

• Fast, Organization-Wide Hardening: By merging the automated PRs, Recidiviz instantly applied security best practices (provided by StepSecurity) to every workflow. For example, workflows now use the Harden-Runner agent and have recommended least-privilege settings. Achieving this across all pipelines would have taken considerable time if done manually. Dan estimates that StepSecurity’s automation saved them many engineering hours and ensured no repo was left behind. It effectively standardized CI security across dozens of workflows overnight.

• No Performance Impact: Despite the extra security layer, builds continue to run smoothly. Developers haven’t reported slowdowns from the Harden-Runner checks. This was important to Recidiviz – they gained security at scale without sacrificing the quick feedback cycles that developers expect from CI/CD.

Crucially, these improvements position Recidiviz for compliance and future growth. With StepSecurity, they can demonstrate that controls are in place to monitor and prevent unauthorized data exfiltration in CI pipelines – a valuable capability for audits and stakeholder trust.

Developer Experience

Beyond the technical results, StepSecurity has also influenced Recidiviz’s developer experience and policies in positive ways:

• New “Hardened Runner” Check: Every pull request now includes a StepSecurity Hardened-Runner status check. Initially this check is informational (audit mode), but it adds an extra layer of assurance. Developers merging code can see that their CI run didn’t exhibit any abnormal behavior. It’s a subtle change, but it reinforces a culture of security awareness in daily development. Soon, once blocking mode is enabled, this check will prevent risky behavior automatically.

• Third-Party Action Approval Process: The security and SRE team introduced a lightweight process for using new GitHub Actions. If a developer wants to add a new third-party Action to a workflow, they now fill out a short request for the security team. The security team then evaluates the Action’s risk, aided by StepSecurity’s automated security score and insights, and decides whether to approve it. They also check if a StepSecurity-maintained version of the Action exists, which would be a safer choice. This process was inspired by the visibility StepSecurity provided – once Dan saw all the external Actions in use, it made sense to put a gate around adding new ones. The approval workflow ensures Recidiviz only uses well-vetted Actions in its pipelines going forward.

• Maintaining a Secure Catalog: Over time, Recidiviz is building an internal catalog of approved Actions and dependencies for CI. StepSecurity’s data helps keep this catalog up-to-date. Developers benefit from knowing which tools are cleared for use, and security has oversight without needing to block everything by default.

• Developer Experience Remains High: Importantly, these changes did not burden developers with extra work. Since nothing was being blocked yet and the PRs to add Harden-Runner were automated, engineers didn’t have to do anything special. By tackling potential issues in the background (and only involving developers when truly necessary, such as reviewing a new Action), the SRE and security team preserved the developers’ flow. This positive experience has made developers more receptive to security measures.  

Summary

Overall, the introduction of StepSecurity created a more controlled, compliant CI/CD workflow at Recidiviz, without the usual pain that security mandates can bring. Developers continue to ship code at speed, now confident that an intelligent watchdog is safeguarding their build process.

Recidiviz’s experience shows that with the right approach, security and developer velocity can go hand-in-hand. By adopting StepSecurity, the team gained robust CI/CD protection, better insight into their workflows, and greater confidence in their software supply chain – all while keeping their developers happy and productive. It’s a win-win that sets the stage for even more innovation, as Recidiviz continues its important work with a strengthened, secure foundation.

‍