Harden-Runner
PreviousActions should be pinned to a full-length commit SHANextWhy Implement Network and Runtime Security for Runners
Last updated
CI/CD pipelines hold sensitive secrets, signing keys, and production access—making them prime targets for attackers. If compromised, they can inject backdoors or steal credentials. Major breaches prove the risks:
SolarWinds (2020): Attackers embedded a backdoor in software updates due to lack of CI/CD visibility, affecting 18,000+ customers.
Codecov (2021): A modified CI script silently exfiltrated credentials for months, leading to widespread breaches.
Harden-Runner is a security layer for CI/CD pipelines that monitors, restricts, and alerts on suspicious activity within CI runners. It helps prevent breaches like SolarWinds and Codecov by:
Network Egress Filtering: Blocks unauthorized outbound traffic, preventing data exfiltration (e.g., Codecov-style attacks).
File Integrity Monitoring: Detects unauthorized code or artifact modifications, preventing hidden backdoors.
Process Monitoring: Tracks all executed processes, flagging rogue scripts or privilege escalation attempts.
Least-Privilege Enforcement: Analyzes API calls to enforce minimal GitHub token permissions, reducing exposure.
Compliance Support: Provides audit logs to meet PCI-DSS, SOC 2, and ISO 27001 security requirements.
Harden-Runner is not just theoretical—it has caught real-world CI/CD attacks before they escalated:
A researcher exploited a GitHub Actions workflow to steal a GitHub token with write access.
Harden-Runner detected the attack in real-time, blocking the outbound request and alerting maintainers.
Prevented what could have been a serious supply-chain breach of a Google-maintained tool.
A security researcher exploited a vulnerability in a GitHub Actions workflow for a Microsoft open-source project.
The attacker obtained an ID-token:write GitHub Actions token, which could have been used to access cloud resources.
Harden-Runner flagged the suspicious outbound call, allowing Microsoft’s security team to respond within an hour.
Microsoft officially acknowledged Harden-Runner’s role in identifying and stopping the attack.
