Changelog
November 11, 2025 – npm Package Search
Feature: Introduction of npm Package Search for PR-level visibility into when and where npm packages entered your codebase.
Highlights:
Provides instant search across all pull requests in your GitHub organizations to identify where an npm package was first introduced
Answers critical incident-response questions: Which repos are affected? Who added the package? When did it land? What’s the blast radius?
Tracks package lifecycle changes — even if a dependency was later removed, you can see when it existed, who added it, and how long it persisted
Enables correlation of developer activity, helping teams assess whether compromised developer machines or credentials may have played a role
Goes beyond traditional SCA by focusing not just on what you use today but how each dependency entered and evolved
Accelerates response to supply chain incidents like Shai-Hulud, Singularity, and eslint-config-prettier by instantly surfacing all PRs that introduced compromised package versions
Supports proactive dependency auditing to find deprecated, vulnerable, or policy-violating packages with full contextual history
Provides organization-wide blast-radius assessment to help teams prioritize remediation across multiple repositories
September 18, 2025 – StepSecurity Threat Intelligence
Feature: Launch of Threat Intelligence — real-time supply chain attack alerting for your SIEM.
Highlights:
Provides immediate alerts when a major supply chain incident occurs.
Integrates with SIEM/SOC tools for instant threat visibility
Includes a Threat Center dashboard for tracking active and historical incidents
September 5, 2025 – NPM Package Cooldown Check
Feature: Introduction of the NPM Package Cooldown Check, a GitHub pull request check.
Highlights:
Blocks use of newly published npm packages within a configurable cooldown period (default 48 hours)
Reduces exposure to malicious package takeovers and supply chain attacks
🔗 https://www.stepsecurity.io/blog/introducing-the-npm-package-cooldown-check
June 10, 2025 – Automated Replacement of Third-Party Actions
Feature: Automated pull requests to replace third-party GitHub Actions with StepSecurity-maintained ones.
Highlights:
Uses Policy-Driven Automation to enforce safer dependencies
Minimizes manual CI/CD maintenance and ensures supply chain consistency
May 29, 2025 – StepSecurity on AWS Marketplace
Feature: StepSecurity is now available on AWS Marketplace.
Highlights:
Simplified procurement and deployment
Integrates with AWS billing and governance systems
Ideal for enterprise adoption within AWS environments
🔗 https://www.stepsecurity.io/blog/stepsecurity-is-now-available-on-aws-marketplace
May 22, 2025 – StepSecurity Artifact Monitor
Feature: Introduction of the StepSecurity Artifact Monitor.
Highlights:
Detects unauthorized or malicious software releases within minutes
Monitors artifact registries (like npm) to catch releases that bypass CI/CD pipelines
Verifies provenance using commit SHAs, tags, and build metadata
Sends alerts via Slack, email, or SIEM integrations
May 13, 2025 – Workflow Run Policies
Feature: Launch of Workflow Run Policies — security guardrails for GitHub Actions.
Highlights:
Block non-compliant runs before execution
Enforce allowed Actions, runner labels, and organization rules
Detect and prevent secret exfiltration or compromised Actions
April 23, 2025 – Export Harden-Runner Insights to Amazon S3
Feature: New S3 Integration for exporting Harden-Runner insights and detections.
Highlights:
Streams telemetry to customer-owned S3 buckets
Enables long-term retention, custom analytics, and SIEM ingestion
Supports automation workflows using AWS infrastructure
🔗 https://www.stepsecurity.io/blog/export-harden-runner-security-insights-and-detections-to-amazon-s3
May 13, 2025 – StepSecurity Artifact Monitor
Feature: Introduction of the StepSecurity Artifact Monitor.
Highlights:
Detects unauthorized or malicious software releases within minutes
Monitors artifact registries like npm to catch releases outside CI/CD pipelines
March 26, 2025 – Policy-Driven Automated Pull Requests
Feature: Automated PRs for CI/CD Misconfiguration Remediation.
Highlights:
Automatically generates GitHub PRs or Issues when a workflow violates policy
Bridges detection and remediation in CI/CD environments
Reduces time-to-fix and enforces compliance across repos
February 27, 2025 – Integration with RunsOn
Feature: Integration with RunsOn for secure self-hosted GitHub Actions runners.
Highlights:
Provides pre-hardened AWS AMI images with StepSecurity tooling preinstalled
Simplifies setup of self-hosted runners while maintaining strict security
🔗 https://www.stepsecurity.io/blog/announcing-stepsecuritys-integration-with-runson
February 25, 2025 – New Features for GitHub Actions Security Best Practices
Feature: Enhancements to the “Secure Repo” capability — new features to enforce GitHub Actions security at scale.
Highlights:
Support for pinning GitHub’s new “Immutable Actions” (semantic version pinning).
Introduced exemptions for pinning specific Actions or entire organisations.
Persistent user settings to apply best-practice preferences across multiple repositories automatically.
🔗 https://www.stepsecurity.io/blog/new-features-for-github-actions-security-best-practices
October 30, 2024 – Internal GitHub Actions Marketplace
Feature: Launch of the Internal GitHub Actions Marketplace — a secure, enterprise-ready directory of vetted GitHub Actions.
Highlights:
Provides a curated marketplace of approved third-party and first-party GitHub Actions
Ensures only vetted Actions are used in CI/CD pipelines, reducing supply chain risk
Includes Action Security Scores, networking behavior insights, and repository usage visibility
Offers StepSecurity-maintained secure clones of risky third-party Actions
Enforces guardrails through Compromised Actions and Allowed Actions policies
Eliminates the burden of maintaining forked Actions internally
🔗 https://www.stepsecurity.io/blog/implement-internal-github-actions-marketplace-with-stepsecurity
September 19, 2024 – Harden-Runner Unified Network Egress Management
Feature: Unified network egress insights and outbound endpoint management for GitHub Organizations and Actions Runner Controller (ARC) clusters.
Highlights:
Adds a consolidated “All Observed Endpoints” view showing every outbound network destination contacted across all workflow runs
Provides organization-wide and cluster-wide visibility into suspicious or unexpected endpoints
Allows engineers to inspect sample workflow runs associated with any endpoint for rapid investigation
Makes outbound endpoint data for public GitHub organizations accessible for open-source transparency
Introduces Unified Network Egress Management for ARC clusters, including per-cluster endpoint views
Enables default cluster-wide network egress policies to block unauthorized outbound calls without modifying workflows
Automatically generates tailored deployment instructions to activate default egress blocking per ARC cluster
Ensures secure-by-default networking, with workflow-level allowed-endpoints lists overriding defaults only when explicitly set
July 24, 2024 – Automatic Detection of Secrets in GitHub Actions Build Logs
Feature: Automated scanning of GitHub Actions build logs to identify exposed secrets.
Highlights:
Automatically downloads and analyzes completed workflow logs for secret exposure
Detects sensitive values such as API keys, passwords, private keys, and webhook URLs leaked during workflow execution
Flags violations in the “secrets should not be logged in the build log” control with masked secret previews and direct links to offending log lines
Provides enterprise-grade notifications via Slack, email, or Microsoft Teams
Displays an aggregated list of all “Secrets in build log” detections in the StepSecurity dashboard
Helps organizations prevent accidental credential leakage from tools like Azure CLI, AWS CLI, Google Cloud CLI, and misconfigured workflows
Demonstrated effectiveness during beta: uncovered real secret exposures across multiple GitHub organizations, prompting rapid remediation
February 20, 2024 – Harden-Runner HTTPS Outbound Request Monitoring
Feature: Support for monitoring outbound HTTPS requests from GitHub-hosted and self-hosted VM runners.
Highlights:
Adds visibility into HTTP methods and paths for outbound API calls made over HTTPS
Detects anomalous or suspicious GitHub API usage, such as attempts to exfiltrate CI/CD secrets by creating issues or pushing content to unauthorized repositories
Improves accuracy of recommended GITHUB_TOKEN permissions by analyzing actual API calls made during workflow execution
Introduces a new HTTPS Events tab in Harden-Runner insights, showing all monitored outbound HTTPS calls with method, path, and organization context
Flags suspicious requests — for example, POST or PUT requests made to GitHub organizations different from where the workflow is running
Powered by eBPF monitoring of SSL writes, avoiding the operational overhead and fragility of MITM proxy approaches
Easily enabled through the StepSecurity dashboard for Team and Enterprise plans, with optional Slack and email notifications for anomalous events
Fully supported in Harden-Runner v2.7.0 for GitHub-hosted and VM-based runners, with ARC (Kubernetes) support coming soon
🔗 https://www.stepsecurity.io/blog/monitor-outbound-https-requests-from-github-actions-runners
January 16, 2024 – GitHub Actions Advisor & StepSecurity Maintained Actions
Feature: Launch of GitHub Actions Advisor and StepSecurity Maintained Actions to help organizations assess and reduce the risk of third-party GitHub Actions.
Highlights:
Introduces GitHub Actions Advisor, providing automated security scores for public Actions based on six attributes: maintenance status, vulnerabilities, popularity, branch protection, license, and security policy
Surfaces networking behavior for Actions using runtime data from Harden-Runner to identify outbound calls to suspicious endpoints
Helps security and DevOps teams understand risk across all Actions used in their GitHub organization
Eliminates tedious manual reviews and forks of low-quality or abandoned Actions
Launches StepSecurity Maintained Actions, secure forks maintained by StepSecurity with manual and automated review, upstream updates, and applied security best practices
Dramatically reduces risk and operational workload while improving developer velocity by enabling safe use of previously unapproved third-party Actions
Fully integrated into the StepSecurity Platform, enabling visibility into security scores and available maintained Actions across repositories
January 14, 2024 – GitHub Actions Workflow Orchestration
Feature: Introduction of Workflow Orchestration for standardized GitHub Actions deployment across repositories.
Highlights:
Automates rollout of approved GitHub Actions workflows using pre-defined workflow templates
Ensures consistent adoption of security best practices and DevOps standards across all repositories
Generates automated pull requests to add or update workflows based on centrally managed templates
Supports orchestration of workflows for secure deployments, linters, security tools, and StepSecurity Maintained Actions
Enables template management through the StepSecurity dashboard, with seamless linking to a designated template repository
Provides curated recommendations per target repository, allowing teams to select and apply appropriate workflows
Fully supports private repositories using fine-grained Personal Access Tokens (PATs) for secure automation
🔗 https://www.stepsecurity.io/blog/streamline-your-github-actions-workflows-with-stepsecurity
October 18, 2023 – Orchestration Platform for Private Repositories
Feature: Launch of StepSecurity’s orchestration platform for securing GitHub Actions workflows in private repositories.
Highlights:
Brings the full power of StepSecurity’s orchestration capabilities—trusted by 700+ open-source projects—to private repositories
Automates GitHub Actions security hardening, including SAST, SCA, OpenSSF Scorecard, Dependabot config, Harden-Runner, pre-commit hooks, and more
Provides consistent application of security controls across CI/CD pipelines with minimal developer effort
Adds support for analyzing private repositories via fine-grained Personal Access Tokens (PATs)
Automatically generates pull requests to apply missing security tools, enforce least-privilege GITHUB_TOKEN permissions, pin Actions, and strengthen CI/CD configurations
Includes flexible pricing: free for open-source projects, and first five PRs free for private repositories
Enables organizations to secure sensitive internal workflows with the same automated best-practice enforcement used across the open-source ecosystem
🔗 https://www.stepsecurity.io/blog/github-actions-security-automation-for-private-repositories
October 5, 2023 – Harden-Runner Support for Self-Hosted VM Runners
Feature: Launch of Harden-Runner for self-hosted VM-based GitHub Actions runners.
Highlights:
Extends Harden-Runner’s CI/CD runtime security to self-hosted VM runners used on platforms like AWS EC2, Azure VMs, and Google Compute Engine
Supports both persistent and ephemeral VM runners with zero workflow file changes required
Deploys by adding the Harden-Runner agent to the VM image (such as an AMI), automatically monitoring all workflows executed on that runner
Leverages the same battle-tested technology used across 1,600+ open-source projects and millions of workflow runs on GitHub-hosted runners
Provides eBPF-powered runtime monitoring, detecting network activity, file tampering, compromised dependencies, and credential exfiltration attempts
Includes CI/CD-native outbound network filtering, allowing teams to define authorized destinations and block unwanted traffic
Offers policy recommendations based on historical workflow behavior to help teams define precise allowlists
Unified with StepSecurity’s security dashboard, enabling centralized management of GitHub Actions security across GitHub-hosted, Kubernetes-based, and VM-based runners
🔗 https://www.stepsecurity.io/blog/ci-cd-security-for-self-hosted-vm-runners
June 6, 2023 – Harden-Runner Runtime Detections UI
Feature: Introduction of a unified Runtime Detections UI for viewing historical CI/CD security detections.
Highlights:
Adds a centralized dashboard displaying all past Harden-Runner threat detections across GitHub Actions workflows
Surfaces two critical detection types: blocked outbound calls, triggered when workflows attempt to contact non-allowed endpoints, and source code overwrite detections, which alert when multiple processes modify source files during a run, indicating potential supply chain attacks
Provides direct links to the specific workflow run, insights page, and exact step where the detection occurred
Enhances visibility and auditability beyond Slack or email notifications previously used for detection alerts
Accessible only to members of GitHub organizations that have installed the Harden-Runner App (requires only read access to the Actions API)
Strengthens organizations’ ability to investigate anomalies, validate policy effectiveness, and monitor CI/CD runtime security posture
May 25, 2023 – Wildcard Domain Support for Harden-Runner Egress Policies
Feature: Introduction of wildcard domain support in Harden-Runner’s egress policy block mode.
Highlights:
Allows wildcard domains in the allowed-endpoints list, simplifying the management of outbound network rules
Enhances flexibility and reduces configuration overhead for complex environments with dynamic or region-specific endpoints
Eliminates the need to enumerate individual subdomains — a single wildcard rule (for example, *.data.mcr.microsoft.com:443) now covers all variants
Particularly useful for scenarios like pulling container images from Microsoft Container Registry, where content-delivery endpoints vary by region
Strengthens CI/CD security by maintaining strict block-mode egress controls while reducing friction for legitimate workflows
Feature developed directly from community feedback (Issue #236), demonstrating StepSecurity’s commitment to user-driven enhancements
April 4, 2023 – Harden-Runner Policy Store
Feature: Introduction of the Policy Store for managing Harden-Runner policies outside workflow files.
Highlights:
Enables teams to define and manage Harden-Runner policies directly in the StepSecurity dashboard, without modifying workflow YAML
Supports configuration of network egress restrictions, sudo access controls, and code-tampering detection policies through a centralized UI
Allows workflows to reference policies using a simple policy attribute, reducing duplication and operational overhead
Eliminates the need to store policy definitions inside workflow files, improving maintainability and simplifying policy updates
Requires only id-token: write permissions for Harden-Runner to authenticate and fetch policy details securely
Provides an intuitive interface to create, update, and apply policies across jobs and repositories
Improves developer experience and enables more scalable governance of CI/CD security controls
🔗 https://www.stepsecurity.io/blog/introducing-harden-runner-policy-store
March 29, 2023 – Harden-Runner Support for Kubernetes-Based Self-Hosted Runners (ARC)
Feature: Launch of Harden-Runner for Kubernetes-based self-hosted GitHub Actions runners using Actions Runner Controller (ARC).
Highlights:
Extends Harden-Runner beyond GitHub-hosted Ubuntu runners to fully support ARC-managed Kubernetes self-hosted runners
Provides runtime CI/CD security using eBPF for file, DNS, and network event auditing without requiring workflow or container image changes
Delivers 100% runtime visibility across all workflow executions in Kubernetes environments
Maintains Harden-Runner’s core protections — preventing credential exfiltration, detecting source-code tampering, and identifying compromised dependencies or build tools
Re-architected to use Kubernetes-native resources for event handling, correlation, and insights
Offers agentless, operationally simple deployment for enterprise self-hosted CI/CD environments
Ideal for organizations requiring private-network runners, custom operating environments, or enhanced security around sensitive secrets and cloud admin identities
September 29, 2022 – Harden-Runner v1.5.0: Automatic Cache Endpoint Detection
Feature: Automatic detection of GitHub Actions cache endpoints in Harden-Runner.
Highlights:
Harden-Runner now auto-detects GitHub Actions cache endpoints during workflow execution
Removes the need to manually specify cache endpoints in the allowed-endpoints list when using block mode
Improves developer experience by preventing accidental blocking of cache traffic, especially in forks and reusable workflows where cache endpoints differ
Ensures seamless operation across repositories by dynamically identifying Azure Blob storage endpoints used by GitHub Actions caching
Maintains backward compatibility — workflows that explicitly list cache endpoints will continue to work without modification
Enhances Harden-Runner’s overall usability for users securing their CI/CD pipelines through outbound network restrictions
🔗 https://www.stepsecurity.io/blog/harden-runner-github-action-now-auto-detects-cache-endpoints
August 14, 2022 – Harden-Runner: Source Code Tampering Detection for GitHub Actions
Feature: Introduction of Harden-Runner, a GitHub Actions security agent designed to detect unauthorized source code modification during the build process.
Highlights:
Detects tampering of source code during CI/CD builds — the same attack vector used in the SolarWinds supply chain compromise
Leverages the Linux Audit Framework on GitHub-hosted Ubuntu runners to monitor file modifications at runtime
Surfaces detections directly in GitHub Actions as error annotations, including syscall details and the modifying executable
Provides CI/CD runtime visibility that traditional countermeasures (branch protection, code review, and code signing) cannot offer
Easy to adopt—added as the first step in any GitHub Actions workflow
Already used in 500+ repositories, including public open-source projects from Google, Microsoft, Automattic, and the broader developer ecosystem
Available on the GitHub Marketplace, with hands-on scenarios provided through the Supply Chain Goat project