Detect tampering of source code during build
Last updated
Harden-Runner monitors file writes and detects if any source code files are overwritten during a build.
Source code overwrites are unexpected in a release build.
All source code files are monitored, including infrastructure-as-code (IaC) files such as Kubernetes manifests and Terraform configurations.
Notifications can be enabled to receive alerts when source code modifications occur.
No additional changes are needed for self-hosted runners to enable file monitoring.
Step 1: Access the Workflow Runs
Navigate to Latest Workflow Runs under the Harden-Runner menu in your StepSecurity dashboard. If any files were overwritten, an alert is displayed there.
Step 2: View File Write Events
Click on the workflow's insights.
Go to the File Write Events tab.
You’ll see a list of overwritten files, including their paths and timestamps.
Step 3: Investigate the Overwrite
Identify the file and its path.
Review the detection timestamp for when the overwrite occurred.
If unexpected, trigger a security review or rollback to a safe commit.
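The same check the dashboard performs for you, a before/after comparison of source and IaC file contents around a build step, together with the path and timestamp that Step 3 asks you to collect, can be reproduced locally. The block below is an added example written for this page; it is not Harden-Runner's or StepSecurity's code. The set of monitored extensions, the ignored build directories and the constructed repository in demo() are assumptions for illustration only.

```python
import hashlib
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: which suffixes count as "source code". IaC formats (Kubernetes
# manifests, Terraform) are included on purpose, matching the page's point that
# infrastructure files are monitored alongside application code.
SOURCE_SUFFIXES = {".py", ".js", ".ts", ".go", ".rs", ".java", ".c", ".h",
                   ".yaml", ".yml", ".tf", ".json", ".sh"}
# Assumption: directories a build is expected to write into; writes there are normal.
IGNORED_DIRS = {".git", "node_modules", "dist", "build", "target"}


def snapshot(root):
    """Map each monitored file (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if any(part in IGNORED_DIRS for part in rel.parts):
            continue
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            digests[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before, after, root=None):
    """One finding per source file whose content changed (or vanished) during the build.

    Files the build created are not reported: only files that existed before
    the build and were overwritten are unexpected in a release build.
    When root is given, the file's modification time is reported as the
    detection timestamp so an investigator can correlate it with build logs.
    """
    findings = []
    for rel, old_digest in sorted(before.items()):
        new_digest = after.get(rel)
        if new_digest is None:
            findings.append({"path": rel, "event": "deleted", "detected_at": None})
        elif new_digest != old_digest:
            detected_at = None
            if root is not None:
                mtime = os.stat(Path(root) / rel).st_mtime
                detected_at = datetime.fromtimestamp(mtime, tz=timezone.utc).isoformat()
            findings.append({"path": rel, "event": "overwritten", "detected_at": detected_at})
    return findings


def run_build_with_monitoring(root, build_cmd):
    """Snapshot, run the build command inside root, snapshot again, and report overwrites."""
    before = snapshot(root)
    subprocess.run(build_cmd, cwd=root, check=False, capture_output=True)
    after = snapshot(root)
    return diff_snapshots(before, after, root)


# Constructed build step: it produces legitimate output under dist/ but also
# rewrites a checked-in Kubernetes manifest, which is the kind of event the
# File Write Events tab surfaces.
BUILD_STEP = """\
from pathlib import Path
Path("dist").mkdir(exist_ok=True)
Path("dist/bundle.js").write_text("// legitimate build output\\n")
Path("infra/deploy.yaml").write_text("image: registry.example/app:1.0-tampered\\n")
"""


def demo():
    """Constructed repository plus the tampering build step above; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "infra").mkdir()
        (root / "app" / "main.py").write_text("print('hello')\n")
        (root / "infra" / "deploy.yaml").write_text("image: registry.example/app:1.0\n")
        (root / "README.md").write_text("docs are not monitored\n")
        (root / "build_step.py").write_text(BUILD_STEP)
        return run_build_with_monitoring(root, [sys.executable, "build_step.py"])


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['event']}: {finding['path']} at {finding['detected_at']}")
```

Running the block reports only infra/deploy.yaml: the new file under dist/ is expected build output and README.md is not a monitored type. A non-empty findings list is the signal to stop the release, review the build step that performed the write, and roll back to a commit whose snapshot matches.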