Getting Started with Harden Runner

This guide walks you through the steps to set up and use Harden-Runner in your CI/CD workflows.

Note: You can automatically add Harden-Runner using Secure Workflow

Step 1: Add Harden-Runner to Your Workflow

To integrate Harden-Runner, follow these steps:

  • Open your GitHub Actions workflow file (e.g., .github/workflows/<workflow-name>.yml).

  • Add the following as the first step of each job. Harden-Runner only observes what runs after it, so a step placed before it is not monitored. With egress-policy: audit it records outbound connections and file writes without blocking anything; use it first to build a baseline, then switch to egress-policy: block with the endpoints the audit runs actually contacted. For a stronger supply-chain guarantee, pin the action to the full commit SHA of a release rather than the moving v2 tag (the build log in the screenshot below shows such a SHA pin).

steps:
  - uses: step-security/harden-runner@v2 # v2.10.3
    with:
      egress-policy: audit # record only; switch to "block" once the allowed endpoints are known

Step 2: Access Security Insights

Run your workflow. Once completed:

  • Review the workflow logs and the job markdown summary.

  • In the Harden Runner step's log, look for the highlighted line "View security insights and recommended policy"; it links to the StepSecurity dashboard for that job.

GitHub Actions build log (screenshot): the job shows three completed steps, Set up job, Pre Harden Runner and Harden Runner; the log line "Run step-security/harden-runner" shows the action pinned to commit SHA 2e205a28d0e1da00c5f53b161f4067b052c61f34, followed by the highlighted message "View security insights and recommended policy" linking to the StepSecurity dashboard (https://app.stepsecurity.io/...).

Click the link to open the job's insights page (the Process Monitor view), which displays:

  • Network events: every outbound connection made during the job (destination host, port and the process that opened it), correlated with the step that ran it.

  • File events: files written during the job, correlated with the step that wrote them.

StepSecurity Insights Network Events page (screenshot): for a workflow named "build", two allowed network events are listed: (1) Checkout repository (actions/checkout), process git-remote-http, to github.com over port 443; (2) Install dependencies (Python 3.11) to pypi.org over port 443. Both show Status: Allowed with timestamps January 30, 2025, 22:05:35 and 22:05:37. The left sidebar shows the build job as successful; the tabs Summary, Network Events (selected), File Write Events, Recommendations and Controls are visible, along with filter, search and export controls.
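Putting both steps together, the following is an added example workflow, not code from this page or from StepSecurity's own docs, showing the audit-first rollout and the block policy it leads to. The job name build and the two endpoints github.com:443 and pypi.org:443 are taken from the Network Events screenshot above; files.pythonhosted.org:443 (where pip normally downloads package files from), the requirements.txt file and the test command are assumptions for a typical Python project.

```yaml
# .github/workflows/build.yml
# Added example: job name and endpoints come from the screenshot above;
# requirements.txt, the test command and files.pythonhosted.org are assumptions.
name: build

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read   # least-privilege GITHUB_TOKEN; Harden-Runner does not need more

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Phase 1 (baseline): run a few times with egress-policy: audit and
      # collect the destinations listed in the Network Events view.
      # Nothing is blocked in this mode.
      #
      # - uses: step-security/harden-runner@v2 # v2.10.3
      #   with:
      #     egress-policy: audit

      # Phase 2 (enforce): replace audit with block and allow only the
      # destinations the audit runs actually contacted. Any other outbound
      # connection, for example a compromised dependency phoning home, is
      # blocked and shows up as a blocked event in the Network Events view.
      - uses: step-security/harden-runner@v2 # v2.10.3
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            pypi.org:443
            files.pythonhosted.org:443

      # git-remote-http -> github.com:443 (seen in the audit run)
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      # pip -> pypi.org:443 for metadata (seen in the audit run) and, in a
      # typical run, files.pythonhosted.org:443 for the package files.
      - name: Install dependencies
        run: pip install -r requirements.txt

      - name: Run tests
        run: python -m pytest
```

Keep the audit step in place until the Network Events view has seen every code path the job can take (cache misses, first-time installs, release branches), then copy the dashboard's recommended policy into allowed-endpoints and flip egress-policy to block. If setup-python has to download an interpreter that is not in the runner's tool cache, that download appears as an extra endpoint in the audit run and must be allowed too; the same applies to any private package index or artifact store the job uses.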
