How should I reduce the number of Harden-Runner anomalous endpoint alerts?

After enabling Harden-Runner in audit mode, you may see many "New Endpoint" detections. Here's how to bring alert volume under control.

Why You're Seeing Many Alerts

Harden-Runner builds a behavioral baseline for each job. Endpoints appear "anomalous" when they weren't in previous runs. Common causes:

  • Baselines need several runs to capture full endpoint range

  • CDNs rotate subdomains between runs

  • Rare workflow triggers (releases, manual dispatch) hit endpoints not seen in regular CI

  • Dependency updates introduce new network calls

Strategy 1: Let Baselines Stabilize

Run workflows 5-10 times after enabling Harden-Runner before evaluating alert volume. Baselines improve with more observations.

Strategy 2: Create Suppression Rules

When an endpoint is verified as legitimate, create a suppression rule to prevent recurring alerts.

  1. Navigate to Harden-Runner → Detections

  2. Select the anomalous endpoint alert

  3. Click Create Suppression Rule

  4. Confirm endpoint and scope (job-level or org-wide)

See the Suppression Rules documentation for the full set of options.

Use Wildcards for Dynamic Endpoints

For services that rotate subdomains, such as AWS or Azure CDNs, use wildcard patterns to prevent repetitive alerts.

Example: *.amazonaws.com

Configure these patterns directly within the suppression rule to ensure future variations are automatically covered.
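The two mechanisms this article describes, a per-job baseline that flags endpoints not seen in earlier runs and suppression rules (exact or wildcard, job-level or org-wide) that filter verified endpoints out of the alert stream, can be modelled in a few dozen lines. The script below is an added illustration, not Harden-Runner's own code, and its matching semantics are assumptions rather than documented behaviour: a leading `*.` matches one or more DNS labels and nothing else, a pattern without a wildcard must match exactly, and a rule applies either org-wide or to one named job. The run data is constructed; replaying it shows alert volume falling as the baseline fills in, the rotated S3 hostnames being absorbed by `*.amazonaws.com`, and the one outlier that still needs a human look.

```python
"""Model of per-job endpoint baselines with wildcard suppression rules.

Added example, not StepSecurity's Harden-Runner code. Assumed (not stated on
the page): a leading "*." in a pattern matches one or more DNS labels,
anything else compares exactly, and a rule is either org-wide or job-level.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SuppressionRule:
    pattern: str          # e.g. "*.amazonaws.com" or an exact hostname
    scope: str = "org"    # "org" (org-wide) or a job name (job-level); assumed model

    def applies_to(self, job: str) -> bool:
        return self.scope == "org" or self.scope == job


def endpoint_matches(pattern: str, endpoint: str) -> bool:
    """Hostname match. "*.example.com" covers a.example.com and a.b.example.com,
    but not example.com itself and not notexample.com (the dot is significant)."""
    pattern = pattern.lower().rstrip(".")
    endpoint = endpoint.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        return endpoint.endswith(suffix) and len(endpoint) > len(suffix)
    return pattern == endpoint


@dataclass
class JobBaseline:
    """Endpoints seen so far for one job; anything not in the set is 'new'."""
    job: str
    runs: int = 0
    endpoints: set = field(default_factory=set)

    def observe(self, seen: list) -> set:
        new = {e.lower() for e in seen} - self.endpoints
        self.endpoints |= new
        self.runs += 1
        return new


def triage(job: str, runs: list, rules: list) -> list:
    """Replay runs against a fresh baseline; return per-run new/suppressed/remaining sets."""
    baseline = JobBaseline(job)
    active = [r for r in rules if r.applies_to(job)]
    report = []
    for seen in runs:
        new = baseline.observe(seen)
        suppressed = {e for e in new if any(endpoint_matches(r.pattern, e) for r in active)}
        report.append({"run": baseline.runs, "new": new,
                       "suppressed": suppressed, "remaining": new - suppressed})
    return report


# Constructed sample runs for a hypothetical "build" job (not real telemetry).
COMMON = ["github.com", "api.github.com", "registry.npmjs.org"]
SAMPLE_RUNS = [
    COMMON + ["ab12.s3.amazonaws.com"],
    COMMON + ["cd34.s3.amazonaws.com"],              # rotated bucket hostname
    COMMON + ["ef56.s3.amazonaws.com", "pipelines.actions.githubusercontent.com"],
    COMMON + ["gh78.s3.amazonaws.com", "unexpected-host.example"],  # constructed outlier
]
SAMPLE_RULES = [
    SuppressionRule("*.amazonaws.com", scope="org"),
    # Job-level rule for a different job: does not apply to "build".
    SuppressionRule("pipelines.actions.githubusercontent.com", scope="deploy"),
]


def remaining_alerts(job: str = "build") -> list:
    """Endpoints that still need review after suppression, one sorted list per run."""
    return [sorted(r["remaining"]) for r in triage(job, SAMPLE_RUNS, SAMPLE_RULES)]


if __name__ == "__main__":
    for entry in triage("build", SAMPLE_RUNS, SAMPLE_RULES):
        print(f"run {entry['run']}: new={len(entry['new'])} "
              f"suppressed={sorted(entry['suppressed'])} "
              f"remaining={sorted(entry['remaining'])}")
```

The first run flags everything, because the baseline is empty; by the second run the only new hostname is the rotated S3 bucket, which the wildcard absorbs. The `pipelines.actions.githubusercontent.com` rule is scoped to the `deploy` job, so it does nothing for `build`, which is the behaviour to expect when a job-level rule was created from the wrong job's alert. Note that the matcher deliberately rejects `notamazonaws.com` and the bare apex `amazonaws.com`; a suffix check that ignores the dot would make the suppression broader than intended.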

Establish a Review Cadence

Schedule a weekly 15-minute review of new alerts:

  • If the endpoint is expected and verified as safe, create or refine a suppression rule

  • If the endpoint is unexpected, investigate and correlate with recent workflow or dependency changes

What Good Looks Like

Mature deployments typically see <5 new anomalous alerts per repo per week. Higher volume suggests baselines need more training runs.
