HardenRunner

Stop CI/CD Supply Chain Attacks

Community (Free Forever)
Best for open source repositories
Free
Unlimited Public Repositories
No Notifications
Community Support

Team (Per Developer)
Best for private repositories
$20/Mo.
Unlimited Public & Private Repositories
Slack & Email Notifications
Priority Support

Enterprise (Custom)
Best for enterprise
Custom
Volume Pricing
ARC Self-Hosted Runners

Plan Comparison

Community
Public Repository Supported
Prevent Secret and Code Exfiltration
Detect Compromised Build Tools & Dependencies
Detect Modification of Source Code
Disable sudo access
Insights page for CI/CD runs
No Notifications Support
Community Support

Team
Public & Private Repository Supported
Prevent Secret and Code Exfiltration
Detect Compromised Build Tools & Dependencies
Detect Modification of Source Code
Disable sudo access
Insights page for CI/CD runs
Slack & Email Notifications Support
Priority Support

Feature details (Community / Team)

Supported Repository Types

Public repositories are visible to everyone on the internet and typically host open-source code. Private repositories are only accessible to specific users and typically host proprietary code.

Community: Public. Team: Private & Public.
Prevent Secret and Code Exfiltration

Harden-Runner can block traffic to remote endpoints that have not been explicitly authorized. This stops attackers from stealing credentials and other sensitive data.

Detect Compromised Build Tools & Dependencies

Harden-Runner monitors the behavior of build tools and dependencies and flags deviations from the baseline.

Detect Modification of Source Code

CI/CD jobs typically don't overwrite source code, so a source-code overwrite during a run is a potential indicator of compromise. Malicious source code overwrites have caused major supply chain security breaches in the past.

Disable sudo access

Sudo allows a user to run commands as root or as another user. Harden-Runner can disable sudo access in CI/CD.

Insights page for CI/CD runs

For each GitHub Actions workflow run, Harden-Runner monitors run-time network, file, and process events and makes runtime insights available via the StepSecurity Web App.
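As an added example (not code from this page or from StepSecurity), the following GitHub Actions job applies the controls described above: an egress allowlist that blocks every other destination, sudo disabled, and the step placed first so it observes the rest of the job. The action reference `step-security/harden-runner@v2` and the inputs `egress-policy`, `allowed-endpoints` and `disable-sudo` are assumed from the action's documentation; the endpoint list and the build steps are constructed for illustration and should be replaced with the destinations your own job is observed to need.

```yaml
name: build
on: [push, pull_request]

permissions:
  contents: read   # least-privilege GITHUB_TOKEN for this workflow

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Must be the first step so that every later step's network, file and
      # process activity is observed (action name/version assumed, see lead-in).
      - uses: step-security/harden-runner@v2
        with:
          # "audit" only records outbound connections; run in audit mode first,
          # read the insights page, then switch to "block" with the observed endpoints.
          egress-policy: block
          # Constructed allowlist: only these destinations are reachable, any
          # other outbound connection is dropped and reported.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443
          # Remove the root escalation path; build steps rarely need it.
          disable-sudo: true
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
```

Starting in audit mode and tightening to block once the baseline is known avoids breaking the build on a destination that was simply forgotten; a connection attempt that appears after the allowlist is fixed is the signal worth investigating.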

Notifications

Harden-Runner can send notifications of important runtime CI/CD events to Slack and email, along with workflow execution logs.

Support

Support channel to engage with the StepSecurity team.

Community: Community. Team: Priority.

Upcoming Solutions

GitHub Repository Posture Management
Coming Soon
Policy Driven Secure GitHub Resource Creation
Track Governance Violations Against Industry Standards
Automated Remediations through Pull Requests

Testimonials

Harden-Runner is a Must-Have GitHub Action to Prevent Supply Chain Attacks. StepSecurity is the one-stop-shop to harden your GitHub Actions and ensure peace of mind.

Wenqi Glantz

SOFTWARE ARCHITECT

Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool's improvement over time.

Jordan Harband

Open Source Maintainer

Harden-runner is an amazing project by StepSecurity! You can easily integrate it in your GitHub Actions and it will block egress traffic and ensure your code isn't overwritten at runtime, to protect against malicious or compromised dependencies.

Christophe Tafani-Dereeper

Cloud Security Engineer

It was super easy to setup Harden-Runner and diagnose the issues it uncovered. We found some gremlins slowing down our build and can now avoid new ones sneaking back in. Really great work.

Ben Manes

Caffeine

I think this is a great idea, and for the threat model of build-time, immediate network egress request monitoring makes a lot of sense.

Liran Tal

GITHUB STAR, AND AUTHOR OF ESSENTIAL NODE.JS SECURITY

StepSecurity's products are filling an ever-growing security gap by targeting one of the most widely used CI/CD pipeline products - GitHub Actions. We were able to easily use it in our projects without any flexibility sacrifices, while substantially improving the security of our products.

Szymon Maszke

CTO, InovIntell

Secure Software Development Scorecard

Track and improve OpenSSF Scorecard

Community (Free Forever)
Best for individual open source repositories
Free
Repository View
No Notifications
Community Support

Enterprise (Custom)
Best for enterprise
Custom
StepSecurity Dashboard
Slack & Email Notifications
Priority Support

Plan Comparison

Community
Public Repository Supported
Automation to increase scorecard scores
Maintainer authorization to use automation
Community Support

Enterprise
Public & Private Repository Supported
Automation to increase scorecard scores
Maintainer authorization to use automation
Security champion authorization to use automation
StepSecurity Dashboard for all repositories in organization
Scorecard score trend and analytics
Notifications
Priority Support

Feature details (Community / Enterprise)

Supported Repository Types

Public repositories are visible to everyone on the internet and typically host open-source code. Private repositories are only accessible to specific users and typically host proprietary code.

Community: Public. Enterprise: Private & Public.
Automation to increase scorecard scores

StepSecurity provides automated security remediations that raise Scorecard scores.

Maintainer authorization to use automation

To prevent spamming maintainers, only project contributors are allowed to generate remediation pull requests for their repositories.

Security champion authorization to use automation

A team of security champions can be authorized to create remediation pull requests across all repositories in their GitHub organization.

StepSecurity Dashboard for all repositories in organization

The StepSecurity Dashboard provides a single view of findings from all repositories in an organization.

Scorecard score trend and analytics

StepSecurity analytics let security stakeholders analyze Scorecard scores across all repositories.

Notifications

The platform can notify stakeholders of important events.

Support

Support channel to engage with the StepSecurity team.

Community: Community. Enterprise: Priority.

Subscription Plans

Runtime CI/CD Security Using StepSecurity Harden-Runner

Community (Free Forever)
Best for open source repositories
Free
Unlimited Repositories

Enterprise (7-Day Free Trial)
Best for enterprise and private repositories
$20 / month, per developer

Feature comparison (Community / Enterprise)
Supported Repository Types: Public / Private & Public
Prevent Secret and Code Exfiltration
Detect Compromised Build Tools & Dependencies
Detect Modification of Source Code
Disable sudo access
Insights page for CI/CD runs
Notifications: Slack & Email (Enterprise)
Support: Community / Priority
