# Changelog ### April 22, 2026 – Replace Maintained Actions: New Replacement Modes and Major-Version Restriction **Feature:** The **Replace Third-Party Actions with StepSecurity-Maintained Actions** policy in Policy-Driven PRs now supports two replacement modes and optional major-version matching. **Highlights:** * New **Replace selected actions** mode (opt-in, default) — only replace actions you explicitly select * New **Replace all, except exempted** mode (opt-out) — replace everything with a StepSecurity-maintained equivalent automatically, except for listed exemptions * New **Restrict replacement to same major version** toggle — only replace when the third-party action's major version tag matches the StepSecurity-maintained action's major version * Reduces the operational cost of maintaining a large action allowlist while preserving organization-specific flexibility [🔗 Replace Third-Party Actions with StepSecurity-Maintained Actions](https://docs.stepsecurity.io/orchestrate-security/policy-driven-prs#replace-third-party-actions-with-stepsecurity-maintained-actions) ### April 21, 2026 – Policy Store: Policy History and Audit Trail **Feature:** The Policy Store now records every change to a policy in a timeline-view audit trail, with side-by-side diffs for content edits. **Highlights:** * Timeline view of all policy changes — content edits, attachments, detachments, and scope modifications * Side-by-side diff view for YAML content changes, with added and removed lines highlighted * Attribution showing who made each change and when * Attachment-change events capture scope transitions (e.g., *specific workflows → entire repo*) so the full history is visible at a glance * Accessible from any policy's three-dot menu via **View history** * Designed to make policy-related changes easier to audit for security reviews and compliance [🔗 Policy Store — View policy history](https://docs.stepsecurity.io/harden-runner/policy-store#view-policy-history) ### April 20, 2026 – Harden-Runner Support for Third-Party GitHub Actions Runners **Feature:** Harden-Runner (v2.19.0) now supports the four major third-party GitHub Actions runner providers: **Depot**, **Blacksmith**, **Namespace**, and **Warp Build**. **Highlights:** * Same egress monitoring, runtime monitoring, and policy enforcement that Harden-Runner provides on GitHub-hosted runners * Integration is identical to GitHub-hosted runners — add `step-security/harden-runner` as the first step of each job; only the `runs-on` label changes * No provider-specific configuration required * Supports Policy Store, block mode with `allowed-endpoints`, and all standard Harden-Runner detections * Also in v2.19.0: system-defined detection rules for Lockdown Mode (e.g., runner-worker memory reads, a known secret-stealing technique) and Windows/macOS stability fixes [🔗 Harden-Runner — Third-Party GitHub Actions Runners](https://docs.stepsecurity.io/harden-runner#third-party-github-actions-runners) ### April 17, 2026 – Dev Machine Guard: Expanded Platform and Ecosystem Coverage **Feature:** Dev Machine Guard adds Windows support, a JetBrains IDE extension, Homebrew formulae coverage, and PyPI package detection — broadening supply-chain visibility on developer endpoints beyond macOS and npm. **Highlights:** * **Windows support** — Dev Machine Guard now runs on Windows developer endpoints alongside existing macOS coverage, giving security teams a unified view across the platforms their developers actually use * **JetBrains IDE extension** — native integration with IntelliJ IDEA, PyCharm, GoLand, WebStorm, and other JetBrains IDEs, complementing the existing VS Code extension * **Homebrew formulae support** — detects risky, typosquatted, or newly published Homebrew formulae installed on developer machines, closing a gap that npm-focused tools miss * **PyPI package detection** — extends package-level risk analysis to the Python ecosystem, surfacing suspicious PyPI installs with the same AI Package Analyst verdicts used for npm * Unifies developer-endpoint visibility across three package ecosystems (npm, PyPI, Homebrew) and the two most common developer IDEs (VS Code, JetBrains) [🔗 Dev Machine Guard](https://app.gitbook.com/o/Hhu8NwchzrRxmxplqEVj/s/Twdhew5C2AOSJZhpI0uC/) ### April 15, 2026 – Global Block List: Threat-Intelligence-Driven Automatic Blocking **Feature:** Harden-Runner (v2.18.0) now enforces a StepSecurity SOC-maintained Global Block List of IOC domains and IPs across every protected workflow — automatically, and even in audit mode. **Highlights:** * Outbound connections to known malicious domains and IPs are blocked automatically, with no configuration change required * Enforcement applies even in `egress-policy: audit` mode — customers do not have to re-decide whether to block each IOC * List is curated by StepSecurity's 24×7 SOC based on active supply-chain attack investigations * Used to block exfiltration from the [pgserve npm compromise](https://www.stepsecurity.io/blog/pgserve-compromised-on-npm-malicious-versions-harvest-credentials) in real time * Blocked requests are labeled **Attack Blocked** in the Network Events view so customers can distinguish them from regular policy blocks * Also in v2.18.0: new `deploy-on-self-hosted-vm` input for installing the Harden-Runner agent directly on ephemeral self-hosted Linux VMs at workflow runtime * Further expanded in v2.19.0 (20 April 2026) — see above [🔗 Harden-Runner — Global Block List](https://docs.stepsecurity.io/harden-runner#global-block-list) ### April 15, 2026 – Workflow Run Policies: Harden-Runner Policy and Pinned-Actions Enforcement **Feature:** Two new policy enforcement capabilities have been added to Workflow Run Policies. **Highlights:** * **Harden-Runner Policy** — blocks workflow runs where the Harden-Runner action is missing or is not configured as the first step of a job. Supports Custom Actions for organizations that wrap Harden-Runner inside an internal bootstrap action * **Only allow pinned actions** toggle on the Allowed Actions Policy — blocks any action reference that is not pinned to a commit SHA, protecting against tag-overwrite attacks like the `tj-actions/changed-files` compromise * Wildcard support in the Allowed Actions Policy allowlist (e.g., `actions/*`) [🔗 Workflow Run Policies — Policies](https://docs.stepsecurity.io/workflow-run-policies/policies#harden-runner-policy) ### April 9, 2026 – Policy Store Integration in Harden-Runner Action **Feature:** Harden-Runner (v2.17.0) adds native Policy Store support via new `use-policy-store` and `api-key` inputs. **Highlights:** * Fetch and enforce security policies directly from the StepSecurity Policy Store at runtime * Policies can be attached at workflow, repository, organization, or ARC cluster level, with the most granular policy taking precedence * Preferred alternative to the existing `policy` input, which requires `id-token: write` permission * If no policy is found in the Policy Store, the action defaults to audit mode * Centralize egress policy management across hundreds of repositories without editing any workflow file [🔗 Policy Store](https://docs.stepsecurity.io/harden-runner/policy-store) ### March 12, 2026 – Dev Machine Guard Open Source Feature: Dev Machine Guard is now open source Highlights: * Provides visibility into what is actually running on developer machines in real time * Helps security teams detect suspicious processes, hidden tooling, and unexpected network activity on developer endpoints * Enables developers and organizations to independently verify the security posture of their development environments * Supports supply chain defense by exposing processes that could manipulate builds, credentials, or CI/CD interactions * Fully open source, enabling community auditing, transparency, and contributions * Complements StepSecurity’s CI/CD protections by extending visibility upstream to developer workstations [🔗 https://www.stepsecurity.io/blog/dev-machine-guard-is-now-open-source-see-whats-really-running-on-your-developer-machine](https://www.stepsecurity.io/blog/dev-machine-guard-is-now-open-source-see-whats-really-running-on-your-developer-machine) ### February 26, 2026 – Harden Runner Windows & macOS Support Feature: Harden Runner now supports GitHub Actions runners on Windows and macOS. Highlights: * Harden Runner delivers EDR-level runtime security across all three major GitHub Actions platforms: Linux, Windows, and macOS. * Cross-platform support includes network and process event monitoring out of the box, with no workflow configuration changes required. * Available in both Community Tier and Enterprise Tier; Windows and macOS monitoring remains free for public/open-source projects. * Same action and syntax as existing Harden Runner workflows — it now “just works” on Windows and macOS. 🔗 ### January 29, 2026 – Apps & PATs Visibility Feature: Launch of Apps & PATs — centralized visibility for GitHub Apps and Personal Access Tokens. Highlights: * Provides organization-wide inventory of GitHub Apps and PAT usage * Helps security teams identify high-risk or overprivileged credentials * Detects dormant or unmanaged tokens that expand supply chain attack surface * Improves governance over third-party GitHub integrations * Supports least-privilege access enforcement beyond workflows * Strengthens identity-layer security in GitHub environments 🔗 ### January 20, 2026 – StepSecurity Dark Mode Feature: StepSecurity now supports Dark Mode across the platform UI. Highlights: * Enables a more comfortable viewing experience for security and DevOps teams * Improves usability for long investigation and monitoring sessions * Supports modern UI accessibility preferences * Provides a consistent dark theme across dashboards, insights, and policy workflows 🔗 ### January 13, 2026 – StepSecurity Developer Machine Guard Feature: Introduction of StepSecurity Dev Machine Guard — protecting developer machines from supply chain attacks. Highlights: * Secures developer endpoints as a critical part of the software supply chain * Prevents compromised laptops, credentials, and local tooling from becoming an entry point into CI/CD systems * Extends StepSecurity’s protection beyond workflows into developer environments * Helps organizations detect risky developer machine posture before code reaches production * Complements CI/CD runtime enforcement with upstream endpoint defense * Designed for modern engineering teams facing increasing developer-targeted attacks 🔗 ### December 16, 2025 – Harden-Runner Support for GitHub-Hosted Custom Runner Images Feature: Support for baking StepSecurity Harden-Runner directly into GitHub-hosted custom VM images. Highlights: * Enables organization-wide runtime protection by embedding Harden-Runner into GitHub-hosted custom runner images * Eliminates the need to add the Harden-Runner action to individual workflows * Provides persistent, default-on runtime security for every job running on the custom image * Removes workflow-level operational overhead for large organizations with hundreds or thousands of workflows * Reduces developer friction by making CI/CD runtime security transparent and automatic * Enables centralized lifecycle management of Harden-Runner through runner image updates * Ensures consistent policy enforcement across all workflows when combined with the Policy Store * Supports gradual migration with no conflicts if existing workflows still include the Harden-Runner action * Aligns CI/CD security with infrastructure-level security practices used for production systems 🔗 ### December 11, 2025 – StepSecurity on Azure Marketplace Feature: StepSecurity is now available on the Azure Marketplace, adding a new procurement and deployment path alongside AWS Marketplace availability. Highlights: * Purchase StepSecurity using existing Azure billing arrangements * Simplify vendor management with consolidated Azure invoices * Accelerate deployment inside Azure-hosted environments * Adopt StepSecurity’s CI/CD security for GitHub Actions with minimal configuration * Get end-to-end workflow visibility, automated egress control to prevent supply chain attacks, and enforcement of GitHub Actions security best practices [🔗 https://www.stepsecurity.io/blog/stepsecurity-is-now-available-on-azure-marketplace ](https://www.stepsecurity.io/blog/stepsecurity-is-now-available-on-azure-marketplace) ### November 11, 2025 – npm Package Search Feature: Introduction of npm Package Search for PR-level visibility into when and where npm packages entered your codebase. Highlights: * Provides instant search across all pull requests in your GitHub organizations to identify where an npm package was first introduced * Answers critical incident-response questions: Which repos are affected? Who added the package? When did it land? What’s the blast radius? * Tracks package lifecycle changes — even if a dependency was later removed, you can see when it existed, who added it, and how long it persisted * Enables correlation of developer activity, helping teams assess whether compromised developer machines or credentials may have played a role * Goes beyond traditional SCA by focusing not just on what you use today but how each dependency entered and evolved * Accelerates response to supply chain incidents like Shai-Hulud, Singularity, and eslint-config-prettier by instantly surfacing all PRs that introduced compromised package versions * Supports proactive dependency auditing to find deprecated, vulnerable, or policy-violating packages with full contextual history * Provides organization-wide blast-radius assessment to help teams prioritize remediation across multiple repositories 🔗 ### September 18, 2025 – StepSecurity Threat Intelligence Feature: Launch of Threat Intelligence — real-time supply chain attack alerting for your SIEM. Highlights: * Provides immediate alerts when a major supply chain incident occurs. * Integrates with SIEM/SOC tools for instant threat visibility * Includes a Threat Center dashboard for tracking active and historical incidents 🔗 ### September 5, 2025 – NPM Package Cooldown Check Feature: Introduction of the NPM Package Cooldown Check GitHub PR-check. Highlights: * Blocks use of newly published npm packages within a configurable cooldown period (default 48 hours) * Reduces exposure to malicious package takeovers and supply chain attacks 🔗 ### June 10, 2025 – Automated Replacement of Third-Party Actions Feature: Automated pull requests to replace third-party GitHub Actions with StepSecurity-maintained ones. Highlights: * Uses Policy-Driven Automation to enforce safer dependencies * Minimizes manual CI/CD maintenance and ensures supply chain consistency 🔗 ### May 29, 2025 – StepSecurity on AWS Marketplace Feature: StepSecurity is now available on AWS Marketplace. Highlights: * Simplified procurement and deployment * Integrates with AWS billing and governance systems * Ideal for enterprise adoption within AWS environments 🔗 ### May 22, 2025 – StepSecurity Artifact Monitor Feature: Introduction of the StepSecurity Artifact Monitor. Highlights: * Detects unauthorized or malicious software releases within minutes * Monitors artifact registries (like npm) to catch releases that bypass CI/CD pipelines * Verifies provenance using commit SHAs, tags, and build metadata * Sends alerts via Slack, email, or SIEM integrations 🔗 ### May 13, 2025 – Workflow Run Policies Feature: Launch of Workflow Run Policies — security guardrails for GitHub Actions. Highlights: * Block non-compliant runs before execution * Enforce allowed Actions, runner labels, and organization rules * Detect and prevent secret exfiltration or compromised Actions 🔗 ### April 23, 2025 – Export Harden-Runner Insights to Amazon S3 Feature: New S3 Integration for exporting Harden-Runner insights and detections. Highlights: * Streams telemetry to customer-owned S3 buckets * Enables long-term retention, custom analytics, and SIEM ingestion * Supports automation workflows using AWS infrastructure 🔗 ### May 13, 2025 – StepSecurity Artifact Monitor Feature: Introduction of the StepSecurity Artifact Monitor. Highlights: * Detects unauthorized or malicious software releases within minutes * Monitors artifact registries like npm to catch releases outside CI/CD pipelines 🔗 ### March 26, 2025 – Policy-Driven Automated Pull Requests Feature: Automated PRs for CI/CD Misconfiguration Remediation. Highlights: * Automatically generates GitHub PRs or Issues when a workflow violates policy * Bridges detection and remediation in CI/CD environments * Reduces time-to-fix and enforces compliance across repos 🔗 ### February 27, 2025 – Integration with RunsOn Feature: Integration with RunsOn for secure self-hosted GitHub Actions runners. Highlights: * Provides pre-hardened AWS AMI images with StepSecurity tooling preinstalled * Simplifies setup of self-hosted runners while maintaining strict security 🔗 ### February 25, 2025 – New Features for GitHub Actions Security Best Practices Feature: Enhancements to the “Secure Repo” capability — new features to enforce GitHub Actions security at scale. Highlights: * Support for pinning GitHub’s new “Immutable Actions” (semantic version pinning). * Introduced exemptions for pinning specific Actions or entire organisations. * Persistent user settings to apply best-practice preferences across multiple repositories automatically. 🔗 ### October 30, 2024 – Internal GitHub Actions Marketplace Feature: Launch of the Internal GitHub Actions Marketplace — a secure, enterprise-ready directory of vetted GitHub Actions. Highlights: * Provides a curated marketplace of approved third-party and first-party GitHub Actions * Ensures only vetted Actions are used in CI/CD pipelines, reducing supply chain risk * Includes Action Security Scores, networking behavior insights, and repository usage visibility * Offers StepSecurity-maintained secure clones of risky third-party Actions * Enforces guardrails through Compromised Actions and Allowed Actions policies * Eliminates the burden of maintaining forked Actions internally 🔗 ### September 19, 2024 – Harden-Runner Unified Network Egress Management Feature: Unified network egress insights and outbound endpoint management for GitHub Organizations and Actions Runner Controller (ARC) clusters. Highlights: * Adds a consolidated “All Observed Endpoints” view showing every outbound network destination contacted across all workflow runs * Provides organization-wide and cluster-wide visibility into suspicious or unexpected endpoints * Allows engineers to inspect sample workflow runs associated with any endpoint for rapid investigation * Makes outbound endpoint data for public GitHub organizations accessible for open-source transparency * Introduces Unified Network Egress Management for ARC clusters, including per-cluster endpoint views * Enables default cluster-wide network egress policies to block unauthorized outbound calls without modifying workflows * Automatically generates tailored deployment instructions to activate default egress blocking per ARC cluster * Ensures secure-by-default networking, with workflow-level allowed-endpoints lists overriding defaults only when explicitly set 🔗 ### July 24, 2024 – Automatic Detection of Secrets in GitHub Actions Build Logs Feature: Automated scanning of GitHub Actions build logs to identify exposed secrets. Highlights: * Automatically downloads and analyzes completed workflow logs for secret exposure * Detects sensitive values such as API keys, passwords, private keys, and webhook URLs leaked during workflow execution * Flags violations in the “secrets should not be logged in the build log” control with masked secret previews and direct links to offending log lines * Provides enterprise-grade notifications via Slack, email, or Microsoft Teams * Displays an aggregated list of all “Secrets in build log” detections in the StepSecurity dashboard * Helps organizations prevent accidental credential leakage from tools like Azure CLI, AWS CLI, Google Cloud CLI, and misconfigured workflows * Demonstrated effectiveness during beta: uncovered real secret exposures across multiple GitHub organizations, prompting rapid remediation 🔗 ### February 20, 2024 – Harden-Runner HTTPS Outbound Request Monitoring Feature: Support for monitoring outbound HTTPS requests from GitHub-hosted and self-hosted VM runners. Highlights: * Adds visibility into HTTP methods and paths for outbound API calls made over HTTPS * Detects anomalous or suspicious GitHub API usage, such as attempts to exfiltrate CI/CD secrets by creating issues or pushing content to unauthorized repositories * Improves accuracy of recommended GITHUB\_TOKEN permissions by analyzing actual API calls made during workflow execution * Introduces a new HTTPS Events tab in Harden-Runner insights, showing all monitored outbound HTTPS calls with method, path, and organization context * Flags suspicious requests — for example, POST or PUT requests made to GitHub organizations different from where the workflow is running * Powered by eBPF monitoring of SSL writes, avoiding the operational overhead and fragility of MITM proxy approaches * Easily enabled through the StepSecurity dashboard for Team and Enterprise plans, with optional Slack and email notifications for anomalous events * Fully supported in Harden-Runner v2.7.0 for GitHub-hosted and VM-based runners, with ARC (Kubernetes) support coming soon 🔗 ### January 16, 2024 – GitHub Actions Advisor & StepSecurity Maintained Actions Feature: Launch of GitHub Actions Advisor and StepSecurity Maintained Actions to help organizations assess and reduce the risk of third-party GitHub Actions. Highlights: * Introduces GitHub Actions Advisor, providing automated security scores for public Actions based on six attributes: maintenance status, vulnerabilities, popularity, branch protection, license, and security policy * Surfaces networking behavior for Actions using runtime data from Harden-Runner to identify outbound calls to suspicious endpoints * Helps security and DevOps teams understand risk across all Actions used in their GitHub organization * Eliminates tedious manual reviews and forks of low-quality or abandoned Actions * Launches StepSecurity Maintained Actions, secure forks maintained by StepSecurity with manual and automated review, upstream updates, and applied security best practices * Dramatically reduces risk and operational workload while improving developer velocity by enabling safe use of previously unapproved third-party Actions * Fully integrated into the StepSecurity Platform, enabling visibility into security scores and available maintained Actions across repositories 🔗 ### January 14, 2024 – GitHub Actions Workflow Orchestration Feature: Introduction of Workflow Orchestration for standardized GitHub Actions deployment across repositories. Highlights: * Automates rollout of approved GitHub Actions workflows using pre-defined workflow templates * Ensures consistent adoption of security best practices and DevOps standards across all repositories * Generates automated pull requests to add or update workflows based on centrally managed templates * Supports orchestration of workflows for secure deployments, linters, security tools, and StepSecurity Maintained Actions * Enables template management through the StepSecurity dashboard, with seamless linking to a designated template repository * Provides curated recommendations per target repository, allowing teams to select and apply appropriate workflows * Fully supports private repositories using fine-grained Personal Access Tokens (PATs) for secure automation 🔗 ### October 18, 2023 – Orchestration Platform for Private Repositories Feature: Launch of StepSecurity’s orchestration platform for securing GitHub Actions workflows in private repositories. Highlights: * Brings the full power of StepSecurity’s orchestration capabilities—trusted by 700+ open-source projects—to private repositories * Automates GitHub Actions security hardening, including SAST, SCA, OpenSSF Scorecard, Dependabot config, Harden-Runner, pre-commit hooks, and more * Provides consistent application of security controls across CI/CD pipelines with minimal developer effort * Adds support for analyzing private repositories via fine-grained Personal Access Tokens (PATs) * Automatically generates pull requests to apply missing security tools, enforce least-privilege GITHUB\_TOKEN permissions, pin Actions, and strengthen CI/CD configurations * Includes flexible pricing: free for open-source projects, and first five PRs free for private repositories * Enables organizations to secure sensitive internal workflows with the same automated best-practice enforcement used across the open-source ecosystem 🔗 ### October 5, 2023 – Harden-Runner Support for Self-Hosted VM Runners Feature: Launch of Harden-Runner for self-hosted VM-based GitHub Actions runners. Highlights: * Extends Harden-Runner’s CI/CD runtime security to self-hosted VM runners used on platforms like AWS EC2, Azure VMs, and Google Compute Engine * Supports both persistent and ephemeral VM runners with zero workflow file changes required * Deploys by adding the Harden-Runner agent to the VM image (such as an AMI), automatically monitoring all workflows executed on that runner * Leverages the same battle-tested technology used across 1,600+ open-source projects and millions of workflow runs on GitHub-hosted runners * Provides eBPF-powered runtime monitoring, detecting network activity, file tampering, compromised dependencies, and credential exfiltration attempts * Includes CI/CD-native outbound network filtering, allowing teams to define authorized destinations and block unwanted traffic * Offers policy recommendations based on historical workflow behavior to help teams define precise allowlists * Unified with StepSecurity’s security dashboard, enabling centralized management of GitHub Actions security across GitHub-hosted, Kubernetes-based, and VM-based runners 🔗 ### June 6, 2023 – Harden-Runner Runtime Detections UI Feature: Introduction of a unified Runtime Detections UI for viewing historical CI/CD security detections. Highlights: * Adds a centralized dashboard displaying all past Harden-Runner threat detections across GitHub Actions workflows * Surfaces two critical detection types: * Blocked outbound calls — triggered when workflows attempt to contact non-allowed endpoints * Source code overwrite detections — alerts when multiple processes modify source files during a run, indicating potential supply chain attacks * Provides direct links to the specific workflow run, insights page, and exact step where the detection occurred * Enhances visibility and auditability beyond Slack or email notifications previously used for detection alerts * Accessible only to members of GitHub organizations that have installed the Harden-Runner App (requires only read access to the Actions API) * Strengthens organizations’ ability to investigate anomalies, validate policy effectiveness, and monitor CI/CD runtime security posture 🔗 ### May 25, 2023 – Wildcard Domain Support for Harden-Runner Egress Policies Feature: Introduction of wildcard domain support in Harden-Runner’s egress policy block mode. Highlights: * Allows wildcard domains in the allowed-endpoints list, simplifying the management of outbound network rules * Enhances flexibility and reduces configuration overhead for complex environments with dynamic or region-specific endpoints * Eliminates the need to enumerate individual subdomains — a single wildcard rule (for example, \*.data.mcr.microsoft.com:443) now covers all variants * Particularly useful for scenarios like pulling container images from Microsoft Container Registry, where content-delivery endpoints vary by region * Strengthens CI/CD security by maintaining strict block-mode egress controls while reducing friction for legitimate workflows * Feature developed directly from community feedback (Issue #236), demonstrating StepSecurity’s commitment to user-driven enhancements 🔗 ### April 4, 2023 – Harden-Runner Policy Store Feature: Introduction of the Policy Store for managing Harden-Runner policies outside workflow files. Highlights: * Enables teams to define and manage Harden-Runner policies directly in the StepSecurity dashboard, without modifying workflow YAML * Supports configuration of network egress restrictions, sudo access controls, and code-tampering detection policies through a centralized UI * Allows workflows to reference policies using a simple policy attribute, reducing duplication and operational overhead * Eliminates the need to store policy definitions inside workflow files, improving maintainability and simplifying policy updates * Requires only id-token: write permissions for Harden-Runner to authenticate and fetch policy details securely * Provides an intuitive interface to create, update, and apply policies across jobs and repositories * Improves developer experience and enables more scalable governance of CI/CD security controls 🔗 ### March 29, 2023 – Harden-Runner Support for Kubernetes-Based Self-Hosted Runners (ARC) Feature: Launch of Harden-Runner for Kubernetes-based self-hosted GitHub Actions runners using Actions Runner Controller (ARC). Highlights: * Extends Harden-Runner beyond GitHub-hosted Ubuntu runners to fully support ARC-managed Kubernetes self-hosted runners * Provides runtime CI/CD security using eBPF for file, DNS, and network event auditing without requiring workflow or container image changes * Delivers 100% runtime visibility across all workflow executions in Kubernetes environments * Maintains Harden-Runner’s core protections — preventing credential exfiltration, detecting source-code tampering, and identifying compromised dependencies or build tools * Re-architected to use Kubernetes-native resources for event handling, correlation, and insights * Offers agentless, operationally simple deployment for enterprise self-hosted CI/CD environments * Ideal for organizations requiring private-network runners, custom operating environments, or enhanced security around sensitive secrets and cloud admin identities 🔗 ### September 29, 2022 – Harden-Runner v1.5.0: Automatic Cache Endpoint Detection Feature: Automatic detection of GitHub Actions cache endpoints in Harden-Runner. Highlights: * Harden-Runner now auto-detects GitHub Actions cache endpoints during workflow execution * Removes the need to manually specify cache endpoints in the allowed-endpoints list when using block mode * Improves developer experience by preventing accidental blocking of cache traffic, especially in forks and reusable workflows where cache endpoints differ * Ensures seamless operation across repositories by dynamically identifying Azure Blob storage endpoints used by GitHub Actions caching * Maintains backward compatibility — workflows that explicitly list cache endpoints will continue to work without modification * Enhances Harden-Runner’s overall usability for users securing their CI/CD pipelines through outbound network restrictions 🔗 ### August 14, 2022 – Harden-Runner: Source Code Tampering Detection for GitHub Actions Feature: Introduction of Harden-Runner, a GitHub Actions security agent designed to detect unauthorized source code modification during the build process. Highlights: * Detects tampering of source code during CI/CD builds — the same attack vector used in the SolarWinds supply chain compromise * Leverages the Linux Audit Framework on GitHub-hosted Ubuntu runners to monitor file modifications at runtime * Surfaces detections directly in GitHub Actions as error annotations, including syscall details and the modifying executable * Provides CI/CD runtime visibility that traditional countermeasures (branch protection, code review, and code signing) cannot offer * Easy to adopt—added as the first step in any GitHub Actions workflow * Already used in 500+ repositories, including public open-source projects from Google, Microsoft, Automattic, and the broader developer ecosystem * Available on the GitHub Marketplace, with hands-on scenarios provided through the Supply Chain Goat project 🔗 --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.stepsecurity.io/changelog.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.