# How should I reduce the number of Harden-Runner anomalous endpoint alerts?

After enabling Harden-Runner in audit mode, you may see many "New Endpoint" detections. Here's how to bring alert volume under control.

### Why You're Seeing Many Alerts

Harden-Runner builds a behavioral baseline for each job. Endpoints appear "anomalous" when they weren't in previous runs. Common causes:

* Baselines need several runs to capture the full range of endpoints
* CDNs rotate subdomains between runs
* Rare workflow triggers (releases, manual dispatch) hit endpoints not seen in regular CI
* Dependency updates introduce new network calls

### Strategy 1: Let Baselines Stabilize

Run workflows 5-10 times after enabling Harden-Runner before evaluating alert volume. Baselines improve with more observations.

### Strategy 2: Create Suppression Rules

When an endpoint is verified as legitimate, create a suppression rule to prevent recurring alerts.

1. Navigate to Harden-Runner → Detections
2. Select the anomalous endpoint alert
3. Click Create Suppression Rule
4. Confirm endpoint and scope (job-level or org-wide)

See the [Suppression Rules](https://docs.stepsecurity.io/harden-runner/suppression-rules) documentation for full options, or follow this interactive demo to see how it works:

{% embed url="<https://app.storylane.io/share/5tfnt9qfpsqm>" %}

#### Use Wildcards for Dynamic Endpoints

For services that rotate subdomains, such as AWS or Azure CDNs, use wildcard patterns to prevent repetitive alerts.

Example: `*.amazonaws.com`

Configure these patterns directly within the suppression rule to ensure future variations are automatically covered.

#### Establish a Review Cadence

Schedule a weekly 15-minute review of new alerts:

* If the endpoint is expected and verified as safe, create or refine a suppression rule
* If the endpoint is unexpected, investigate and correlate with recent workflow or dependency changes
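The following is an added example for the weekly review, not StepSecurity code, and it does not call any Harden-Runner API. It checks a list of observed endpoints against suppression patterns and groups the remaining ones by parent domain to surface wildcard candidates. The matching semantics (a `*.` prefix covers subdomains only, on a label boundary), the function names `matches` and `triage`, and all hostnames other than `*.amazonaws.com` are assumptions or constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: suppression patterns and endpoints seen across runs.
PATTERNS = ["*.amazonaws.com", "github.com"]
OBSERVED = [
    "bucket-a.s3.us-east-1.amazonaws.com",
    "bucket-b.s3.us-west-2.amazonaws.com",
    "github.com",
    "cdn-1.pkg.example.net",
    "cdn-2.pkg.example.net",
    "lookalike-amazonaws.com",
    "telemetry.example.org",
]

def matches(pattern, host):
    """Assumed semantics: '*.d' covers any subdomain of d (not d itself);
    anything else is an exact, case-insensitive match."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keeps the leading dot, so matching is per label
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def triage(observed, patterns):
    """Return (suppressed, alerting, wildcard_candidates)."""
    suppressed, alerting = [], []
    for host in observed:
        covered = any(matches(p, host) for p in patterns)
        (suppressed if covered else alerting).append(host)
    # Group still-alerting hosts by parent domain: two or more siblings under
    # one parent suggest a rotating subdomain worth reviewing for a wildcard.
    siblings = defaultdict(list)
    for host in alerting:
        parent = host.split(".", 1)[1] if host.count(".") >= 2 else host
        siblings[parent].append(host)
    candidates = {"*." + p: sorted(h) for p, h in siblings.items() if len(h) >= 2}
    return suppressed, alerting, candidates

if __name__ == "__main__":
    suppressed, alerting, candidates = triage(OBSERVED, PATTERNS)
    print("suppressed:", suppressed)
    print("needs review:", alerting)
    print("wildcard candidates:", candidates)
```

The lookalike host stays in the review list because the suffix comparison keeps the leading dot. Candidates are input for the reviewer, who still verifies each endpoint before creating a rule.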

### What Good Looks Like

Mature deployments typically see <5 new anomalous alerts per repo per week. Higher volume suggests baselines need more training runs.

