Public repositories are visible to everyone on the internet and typically host open-source code. Private repositories are only accessible to specific users and typically host proprietary code
Harden-Runner can block traffic to remote endpoints that have not been explicitly authorized. This stops attackers from stealing credentials and sensitive data
Harden-Runner monitors the behavior of build tools and dependencies. It flags deviations in baseline.
CI/CD jobs typically don't overwrite source code, this is a potential indicator of compromise. Malicious source code overwrites have caused major supply chain security breaches in the past.
Sudo allows the user to delegate privileges to run commands as a root or another user. Harden-Runner can disable sudo access in CI/CD
For each GitHub Actions workflow run, Harden-Runner monitors run-time network, file, and process events and makes runtime insights available via the StepSecurity Web App.
Harden-Runner can send important runtime CI/CD events to Slack and email workflow execution logs.
Support channel to engage with the StepSecurity team
Harden-Runner is a Must-Have GitHub Action to Prevent Supply Chain Attacks. StepSecurity is the one-stop-shop to harden your GitHub Actions and ensure peace of mind.
Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool’s improvement over time
Harden-runner is an amazing project by StepSecurity! You can easily integrate it in your GitHub Actions and it will block egress traffic and ensure your code isn't overwritten at runtime, to protect against malicious or compromised dependencies.
It was super easy to setup Harden-Runner and diagnose the issues it uncovered. We found some gremlins slowing down our build and can now avoid new ones sneaking back in. Really great work.
I think this is a great idea and for the threat model of build-time, an immediate network egress request monitoring makes a lot of sense
StepSecurity’s products are filling an ever-growing security gap by targeting one of the most widely used CI/CD pipeline products - GitHub Actions. We were able to easily use it In our projects without any flexibility sacrifices, while substantially improving the security of our products
Harden-Runner is a Must-Have GitHub Action to Prevent Supply Chain Attacks. StepSecurity is the one-stop-shop to harden your GitHub Actions and ensure peace of mind.
Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool’s improvement over time
Harden-runner is an amazing project by StepSecurity! You can easily integrate it in your GitHub Actions and it will block egress traffic and ensure your code isn't overwritten at runtime, to protect against malicious or compromised dependencies.
It was super easy to setup Harden-Runner and diagnose the issues it uncovered. We found some gremlins slowing down our build and can now avoid new ones sneaking back in. Really great work.
I think this is a great idea and for the threat model of build-time, an immediate network egress request monitoring makes a lot of sense
StepSecurity’s products are filling an ever-growing security gap by targeting one of the most widely used CI/CD pipeline products - GitHub Actions. We were able to easily use it In our projects without any flexibility sacrifices, while substantially improving the security of our products
Harden-Runner is a Must-Have GitHub Action to Prevent Supply Chain Attacks. StepSecurity is the one-stop-shop to harden your GitHub Actions and ensure peace of mind.
Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool’s improvement over time
Harden-runner is an amazing project by StepSecurity! You can easily integrate it in your GitHub Actions and it will block egress traffic and ensure your code isn't overwritten at runtime, to protect against malicious or compromised dependencies.
It was super easy to setup Harden-Runner and diagnose the issues it uncovered. We found some gremlins slowing down our build and can now avoid new ones sneaking back in. Really great work.
I think this is a great idea and for the threat model of build-time, an immediate network egress request monitoring makes a lot of sense
StepSecurity’s products are filling an ever-growing security gap by targeting one of the most widely used CI/CD pipeline products - GitHub Actions. We were able to easily use it In our projects without any flexibility sacrifices, while substantially improving the security of our products
Public repositories are visible to everyone on the internet and typically host open-source code. Private repositories are only accessible to specific users and typically host proprietary code
StepSecurity provides automated security remediations to increase scorecard scores
To prevent spamming maintainers, only project contributors are allowed to generate remediation pull requests for their repositories
A team of security champions could be authorized to create remediation pull requests across all repositories in their GitHub organization
StepSecurity Dashboard provides a single pane of view to consume findings from all repositories in an organization
StepSecurity analytics empowers security stakeholders to analyze Scorecard scores across all repositories
The platform can notify stakeholders for important events
Support channel to engage with the StepSecurity team
