Purpose-built CI/CD security agent to prevent SolarWinds- and Codecov-style security attacks
Harden-Runner for Kubernetes-based self-hosted GitHub Action Runners using Actions Runner Controller (ARC) is in preview
Get a unified view of process, file, and network activity correlated with each step of the CI/CD pipeline
View domain names and direct IP addresses called in each step.
Secure each job based on what it does. Get a policy recommendation based on previous job runs.
Set allowed endpoints based on previous pipeline runs.
Disable sudo based on whether sudo process calls were made in previous runs.
CI/CD pipelines hold privileged credentials used for deployments.
Block DNS exfiltration and outbound network calls using an allowed list.
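The audit-then-block flow described in the bullets above, as an added example workflow (not StepSecurity's own sample): the first run uses the action's audit mode to record the endpoints and sudo usage a job actually needs, and the hardened version pins that allowed list and disables sudo. The action version tag, the endpoint list and the build commands are assumptions; the input names (egress-policy, allowed-endpoints, disable-sudo) are the action's documented inputs.

```yaml
# Added example workflow, not from the page. Version tag, endpoint list and
# build commands are assumptions; input names are the action's documented inputs.
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # First runs: audit mode only records outbound calls and sudo use, so the
      # policy below can be derived from observed pipeline behaviour.
      # - uses: step-security/harden-runner@v2
      #   with:
      #     egress-policy: audit

      # Hardened version: Harden-Runner must be the first step of the job so it
      # can observe every later step.
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          # Only these host:port pairs are reachable. Any other outbound
          # connection, including DNS lookups for unknown domains used for
          # exfiltration, is blocked and reported.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443
          # Audit runs showed no sudo process calls, so remove the capability.
          disable-sudo: true

      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

Keep the audit-mode run in place for a few pipeline runs before switching to block, so the allowed list reflects every legitimate endpoint the job contacts.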
Did you know that in the Codecov breach, credentials were exfiltrated from thousands of build servers for over 2 months?
Harden Runner monitors every file write on the build server.
If any source code file is overwritten by a different process, you get details of the file overwritten, and the process that overwrote the file.
Did you know that in the SolarWinds breach, source code was overwritten during the build process?
Compromised build tools and dependencies make outbound calls to their domains to exfiltrate secrets or metadata.
With Harden Runner you are immediately notified of each newly blocked outbound call, so you can investigate the incident.
Did you know that in dependency confusion and package typosquatting attacks, credentials are typically stolen using DNS exfiltration?
Prevent compromised tools from installing attack tools, such as debuggers that look for credentials in memory.
Did you know that in the SolarWinds breach, the SUNSPOT malware granted itself debugging privileges to read another process's memory?
Get notifications via email or Slack when outbound calls are blocked, or source code is overwritten.
Harden Runner is open source on GitHub and the Harden Runner build is reproducible.
The GitHub repositories have a high OpenSSF Scorecard score, with branch protection and multiple reviewers required for pull requests.
Code commits to Harden Runner go through a series of tests, including SAST (static application security testing) using CodeQL.
Harden Runner App only has access to the build logs, and not to the source code.