# Baseline

Baseline monitoring is the practice of establishing what normal external network calls your CI/CD workflows typically make, and then monitoring for deviations that might indicate a security breach.

At its core, it helps answer the question: *“Is this job making expected and safe outbound network calls?”*

#### Baseline Status Categories <a href="#baseline-status-categories" id="baseline-status-categories"></a>

Each monitored resource, such as a job or repository, is evaluated for the predictability of its network activity. This evaluation helps uncover anomalies that could signal security issues.

Each resource can be in one of the following baseline states:

* Creating – The system is still collecting data to determine the resource’s baseline behavior.
* Stable – The resource’s network activity is predictable and consistent. A resource is considered stable once it has completed 100 runs without baseline changes.
* Unstable – The resource’s network activity is erratic and prone to triggering frequent alerts. If the baseline has changed within the last 50 runs, the resource is classified as unstable.

### Baseline Coverage at StepSecurity <a href="#baseline-coverage-at-stepsecurity" id="baseline-coverage-at-stepsecurity"></a>

StepSecurity applies baseline monitoring to two distinct resource types within your CI/CD environment:

#### Projects

Each GitLab project has its own network call profile, defined by outbound requests made during pipeline execution.

StepSecurity tracks these calls across runs to establish a baseline of normal behavior.

<figure><img src="/files/R3Rt5pgZcs9e07fp0IGD" alt=""><figcaption></figcaption></figure>

#### Servers

Servers represent the self-managed or shared runner hosts that execute CI/CD jobs.

Each server’s network activity is monitored to establish a baseline of expected outbound connections made during job execution.

This helps identify anomalies such as compromised runners, malicious scripts, or jobs connecting to unknown external domains.

<figure><img src="/files/d6QJLCrQalWhvzUQeplC" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stepsecurity.io/gitlab/harden-runner/baseline.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.