Harden Runner
Corporate laptops and production servers have strong security monitoring for compliance and risk reduction. However, CI/CD runners, which handle sensitive data like cloud secrets and production builds, often lack such protections, making them targets for supply chain attacks like SolarWinds and Codecov.
Traditional security tools struggle with CI/CD runners due to their short-lived nature and lack of workflow context.
Harden-Runner fills this gap by providing tailored security monitoring, ensuring CI/CD runners receive the same protection as other critical systems.
Security Incidents Detected
Threats in a CI/CD Environment
Compromised workflows, dependencies, and build tools pose two major threats:
Exfiltration of CI/CD credentials and source code
Tampering of source code, dependencies, or artifacts during the build process to inject backdoors
To mitigate these risks, Harden-Runner provides key security measures. The table below outlines its core functionalities and the threats they help prevent:
Security MeasureFunctionPast Breach Example
Network Traffic Control
Monitor and block outbound network traffic at the DNS, HTTPS (Layer 7), and network layers (Layers 3 and 4) to prevent exfiltration of code and CI/CD credentials
To prevent the Codecov breach scenario
Source Code Integrity Check
Detect if source code is being tampered during the build process to inject a backdoor
To detect the XZ Utils and SolarWinds incident scenarios
Dependency and Workflow Monitoring
Detect poisoned workflows and compromised dependencies that exhibit suspicious behavior
To detect Dependency confusion and Malicious dependencies scenarios
GitHub Token Permission Enforcement
Determine minimum GITHUB_TOKEN permissions by monitoring HTTPS calls to GitHub APIs
To set minimum GITHUB_TOKEN permissions to reduce the impact of exfiltration
Last updated
Was this helpful?