Harden Runner

Purpose-built CI/CD security agent to prevent SolarWinds- and Codecov-style supply chain attacks

Prevent exfiltration of sensitive data from CI/CD
Detect compromised build tools and open-source dependencies
Secure GitHub-hosted as well as ARC (Actions Runner Controller) self-hosted runners

Stop CI/CD Software Supply Chain Attacks

Harden Runner prevents SolarWinds- and Codecov-style supply chain attacks

Enterprise Case Study


Kapiche improves their software supply chain security with StepSecurity.

"Since enabling Harden Runner in our projects, we have much higher confidence and observability into what our build process is doing"

-Cam Parry

Staff Site Reliability Engineer, Kapiche

Read case study

InovIntell secures their CI/CD with Harden Runner.

"StepSecurity’s products are filling an ever-growing security gap by targeting one of the most widely used CI/CD pipeline products - GitHub Actions. We were able to easily use it in our projects without any flexibility sacrifices, while substantially improving the security of our products"

-Szymon Maszke

Chief Technical Officer, InovIntell

Read case study

See it in action

Testimonials

Harden-Runner is a Must-Have GitHub Action to Prevent Supply Chain Attacks. StepSecurity is the one-stop-shop to harden your GitHub Actions and ensure peace of mind.

Wenqi Glantz

Software Architect

Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool’s improvement over time

Jordan Harband

Open Source Maintainer

Harden-runner is an amazing project by StepSecurity! You can easily integrate it in your GitHub Actions and it will block egress traffic and ensure your code isn't overwritten at runtime, to protect against malicious or compromised dependencies.

Christophe Tafani-Dereeper

Cloud Security Engineer

It was super easy to setup Harden-Runner and diagnose the issues it uncovered. We found some gremlins slowing down our build and can now avoid new ones sneaking back in. Really great work.

Ben Manes

Caffeine

I think this is a great idea and for the threat model of build-time, an immediate network egress request monitoring makes a lot of sense

Liran Tal

GitHub Star, and author of Essential Node.js Security

StepSecurity’s products are filling an ever-growing security gap by targeting one of the most widely used CI/CD pipeline products - GitHub Actions. We were able to easily use it in our projects without any flexibility sacrifices, while substantially improving the security of our products

Szymon Maszke

CTO, InovIntell


Actions Runner Controller support in preview

Harden Runner for Kubernetes-based self-hosted GitHub Actions runners managed by Actions Runner Controller (ARC) is available in preview.

Security insights

Get a unified view of process, file, and network activity, correlated with each step of the CI/CD pipeline.

View domain names and direct IP addresses called in each step.

Policy recommendations

Secure each job based on what it does. Get a policy recommendation based on previous job runs.

Set allowed endpoints based on previous pipeline runs.

Disable sudo when no sudo process calls were made in previous runs.

Prevent exfiltration of credentials

CI/CD pipelines hold privileged credentials (deployment keys, cloud tokens, package registry tokens) that are the primary target of a compromised build step.

Block DNS exfiltration and outbound network calls that are not on an allow list of host and port pairs.

Did you know that in the Codecov breach, credentials were exfiltrated from thousands of build servers for over 2 months before the modified uploader script was detected?

Detect overwrite of source code

Harden Runner monitors every file write on the build server.

If a source code file is overwritten by a process other than the one expected to write it, you get the path of the overwritten file and the process that wrote to it.

Did you know that in the SolarWinds breach, source code was overwritten during the build process?

Detect compromised build tools and dependencies

Compromised build tools and dependencies make outbound calls to attacker-controlled domains to exfiltrate secrets or build metadata.

With Harden Runner you are notified immediately when a new outbound call is blocked, so you can investigate which step and process made it.

Did you know that in dependency confusion and package typosquatting attacks, credentials are typically stolen using DNS exfiltration, because DNS lookups are rarely filtered on build servers?

Run your job without sudo access

Prevent compromised tools from installing attack tooling, such as a debugger used to read credentials out of another process's memory.

Did you know that in the SolarWinds breach, the SUNSPOT malware granted itself debugging privileges in order to read another process's memory?
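As an added example (not code from this page or from the StepSecurity project), the following GitHub Actions workflow shows how the settings described above are expressed in practice. Harden Runner is added as the first step of each job. The first job keeps the default audit egress policy, which only records outbound calls, file writes and sudo usage so that a policy can be derived from the insights; the second job applies that policy with egress blocking and sudo disabled. The workflow name, the `@v2` tag and the endpoint list are assumptions for a hypothetical Node.js build; the endpoints a real job needs come from its own audit runs.

```yaml
name: example-app

on: [push, pull_request]

jobs:
  # Stage 1 (weak setting): audit mode. Outbound calls, file writes and
  # sudo usage are recorded for each step, but nothing is blocked. Run this
  # on a few representative builds and use the recorded endpoints to build
  # the allow list for stage 2.
  build-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2   # must be the first step of the job
        with:
          egress-policy: audit

      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test

  # Stage 2 (hardened): block mode. Outbound traffic is restricted to the
  # listed host:port pairs; calls to anything else are blocked and reported.
  # sudo is disabled so a compromised dependency cannot install a debugger
  # or other tooling. The endpoints below are assumed for a Node.js build:
  # GitHub for checkout and the npm registry for `npm ci`.
  build-hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          disable-sudo: true
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
```

Keep the allow list as narrow as the audit runs justify, with an explicit port for every host, since an over-broad list gives a compromised dependency exactly the egress path the policy is meant to remove. In a production workflow, pin both actions to a full commit SHA rather than a tag, so the hardening step is not itself a mutable dependency.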

Email and Slack alerts

Get notifications via email or Slack when outbound calls are blocked, or source code is overwritten.

Simulate attacks and see how Harden Runner prevents them

Security & Privacy

Harden Runner is open source on GitHub and the Harden Runner build is reproducible.

The GitHub repositories have a high OpenSSF Scorecard score, with branch protection and multiple reviewers required for pull requests.

Code commits to Harden Runner go through a series of tests, including SAST (static application security testing) using CodeQL.

The Harden Runner GitHub App has access only to build logs, not to source code.

GET STARTED

Step up your supply chain security

Free forever plan
No credit card required
Cancel anytime
