Harden Runner is a purpose built CI/CD security agent to prevent SolarWinds and Codecov style security attacks
Harden-Runner is a Must-Have GitHub Action to Prevent Supply Chain Attacks. StepSecurity is the one-stop-shop to harden your GitHub Actions and ensure peace of mind.
Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool’s improvement over time
Harden-runner is an amazing project by StepSecurity! You can easily integrate it in your GitHub Actions and it will block egress traffic and ensure your code isn't overwritten at runtime, to protect against malicious or compromised dependencies.
It was super easy to setup Harden-Runner and diagnose the issues it uncovered. We found some gremlins slowing down our build and can now avoid new ones sneaking back in. Really great work.
I think this is a great idea and for the threat model of build-time, an immediate network egress request monitoring makes a lot of sense
StepSecurity’s products are filling an ever-growing security gap by targeting one of the most widely used CI/CD pipeline products - GitHub Actions. We were able to easily use it In our projects without any flexibility sacrifices, while substantially improving the security of our products
Harden-Runner is a Must-Have GitHub Action to Prevent Supply Chain Attacks. StepSecurity is the one-stop-shop to harden your GitHub Actions and ensure peace of mind.
Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool’s improvement over time
Harden-runner is an amazing project by StepSecurity! You can easily integrate it in your GitHub Actions and it will block egress traffic and ensure your code isn't overwritten at runtime, to protect against malicious or compromised dependencies.
It was super easy to setup Harden-Runner and diagnose the issues it uncovered. We found some gremlins slowing down our build and can now avoid new ones sneaking back in. Really great work.
I think this is a great idea and for the threat model of build-time, an immediate network egress request monitoring makes a lot of sense
StepSecurity’s products are filling an ever-growing security gap by targeting one of the most widely used CI/CD pipeline products - GitHub Actions. We were able to easily use it In our projects without any flexibility sacrifices, while substantially improving the security of our products
Harden-Runner is a Must-Have GitHub Action to Prevent Supply Chain Attacks. StepSecurity is the one-stop-shop to harden your GitHub Actions and ensure peace of mind.
Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool’s improvement over time
Harden-runner is an amazing project by StepSecurity! You can easily integrate it in your GitHub Actions and it will block egress traffic and ensure your code isn't overwritten at runtime, to protect against malicious or compromised dependencies.
It was super easy to setup Harden-Runner and diagnose the issues it uncovered. We found some gremlins slowing down our build and can now avoid new ones sneaking back in. Really great work.
I think this is a great idea and for the threat model of build-time, an immediate network egress request monitoring makes a lot of sense
StepSecurity’s products are filling an ever-growing security gap by targeting one of the most widely used CI/CD pipeline products - GitHub Actions. We were able to easily use it In our projects without any flexibility sacrifices, while substantially improving the security of our products
Get a unified view of process, file, and network activity correlated with each step of the CI/ CD pipeline
View domain names and direct IP addresses called in each step.
Secure each job based on what it does. Get a policy recommendation based on previous job runs.
Set allowed endpoints based on previous pipeline runs.
Disable sudo based on whether sudo process calls were made in previous runs
CI/ CD pipelines have privileged credentials used for deployments
Block DNS exfiltration and outbound network calls using an allowed list.
Did you know that in the Codecov breach, credentials were exfiltrated from thousands of build servers for over 2 months?
Harden runner monitors each file write activity on the build server
If any source code file is overwritten by a different process, you get details of the file overwritten, and the process that overwrote the file.
Did you know that in the SolarWinds breach, source code was overwritten during the build process?
Compromised build tools and dependencies make outbound calls to their domains to exfiltrate secrets or metadata.
With Harden Runner you are immediately notified for a new blocked outbound call, so you can investigate the incident.
Did you know that in dependency confusion and package typosquatting attacks, credentials are typically stolen using DNS exfiltration?
Prevent compromised tools from installing attack tools, such as debuggers to look for credentials in memory.
Did you know that in the SolarWinds breach, the SUNSPOT malware granted itself debugging privileges to read another processes’ memory?
Get notifications via email or Slack when outbound calls are blocked, or source code is overwritten.
Harden Runner is open source on GitHub and the Harden Runner build is reproducible.
The GitHub repositories have a high OpenSSF Scorecard score, with branch protection and multiple reviewers required for pull requests.
Code commits to Harden Runner go through a series of tests, including SAST (static application security testing) using CodeQL.
Harden Runner App only has access to the build logs, and not to the source code.
.svg)
Follow up on action items with ease with meeting recaps and notes sent automatically via email and Slack. Now every meeting is well documented and action oriented.
.png)
.svg)
