Harden Runner

Corporate laptops and production servers have strong security monitoring for compliance and risk reduction. However, CI/CD runners, which handle sensitive data like cloud secrets and production builds, often lack such protections, making them targets for supply chain attacks like SolarWinds and Codecov.

Traditional security tools struggle with CI/CD runners due to their short-lived nature and lack of workflow context.

Harden-Runner fills this gap by providing tailored security monitoring, ensuring CI/CD runners receive the same protection as other critical systems.

Security Incidents Detected

• Harden-Runner Detected the tj-actions/changed-files compromise (CVE-2025-30066)

• Harden-Runner Detected a CI/CD Supply Chain Attack in Google’s Open-Source Project Flank

• Harden-Runner Detected a CI/CD Supply Chain Attack in Microsoft’s Open-Source Project Azure Karpenter Provider in Real-Time

• Harden-Runner Detected Anomalous Traffic to api.ipify.org Across Multiple Customers

• Harden-Runner Flagged an Anomalous Outbound Call, Leading to a Docker Documentation Update

Threats in a CI/CD Environment

Compromised workflows, dependencies, and build tools pose two major threats:

1. Exfiltration of CI/CD credentials and source code

2. Tampering of source code, dependencies, or artifacts during the build process to inject backdoors

To mitigate these risks, Harden-Runner provides key security measures. The table below outlines its core functionalities and the threats they help prevent: