Harden Runner

Corporate laptops and production servers have strong security monitoring for compliance and risk reduction. However, CI/CD runners, which handle sensitive data like cloud secrets and production builds, often lack such protections, making them targets for supply chain attacks like SolarWinds and Codecov.

Traditional security tools struggle with CI/CD runners due to their short-lived nature and lack of workflow context.

Harden-Runner fills this gap by providing tailored security monitoring, ensuring CI/CD runners receive the same protection as other critical systems.

Security Incidents Detected

Threats in a CI/CD Environment

Compromised workflows, dependencies, and build tools pose two major threats:

  1. Exfiltration of CI/CD credentials and source code

  2. Tampering of source code, dependencies, or artifacts during the build process to inject backdoors

To mitigate these risks, Harden-Runner provides key security measures. The table below outlines its core functionalities and the threats they help prevent:

Security MeasureFunctionPast Breach Example

Network Traffic Control

Monitor and block outbound network traffic at the DNS, HTTPS (Layer 7), and network layers (Layers 3 and 4) to prevent exfiltration of code and CI/CD credentials

To prevent the Codecov breach scenario

Source Code Integrity Check

Detect if source code is being tampered during the build process to inject a backdoor

To detect the XZ Utils and SolarWinds incident scenarios

Dependency and Workflow Monitoring

Detect poisoned workflows and compromised dependencies that exhibit suspicious behavior

To detect Dependency confusion and Malicious dependencies scenarios

GitHub Token Permission Enforcement

Determine minimum GITHUB_TOKEN permissions by monitoring HTTPS calls to GitHub APIs

To set minimum GITHUB_TOKEN permissions to reduce the impact of exfiltration

Last updated

Was this helpful?