Detections


Last updated 2 months ago


Available for Enterprise Tier only

Harden-Runner raises runtime detections to help you stay informed about security risks in your GitHub Actions workflows. You can review all past runtime detections on the Detections page under the Harden-Runner menu.

The Detections page covers five critical areas:

  1. Secrets in Build Logs

  2. Secrets in Artifacts

  3. Outbound Calls Blocked

  4. Anomalous Outbound Network Calls

  5. Source Code Overwritten

Each detection is linked to the relevant GitHub Actions workflow and run, and includes direct links to the run and to the insights URL that shows where the detection happened.

  1. Secrets in Build Logs: This section shows secrets (API keys, tokens, etc.) that were accidentally logged.

Example: A Slack webhook URL was logged in load_tests_int.yml.

  2. Secrets in Artifacts: Detects secrets found in generated artifacts.

Example: A JWT token was found in jwt-artifact1.

  3. Outbound Calls Blocked: Shows network requests that were blocked to prevent security risks.

Example: A workflow tried to access www.google.com, but it was blocked because it was not part of the baseline.

  4. Anomalous Outbound Network Calls: Lists unusual or unexpected external network requests.

  5. Source Code Overwritten: Tracks files modified during workflows to detect unauthorized changes.

Example: go.mod was changed in int-release.yml.
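
A minimal sketch of the kind of pattern check behind the Secrets in Build Logs and Secrets in Artifacts detections, using the two secret types named in the examples above. This is an added example, not StepSecurity's detection logic; the function names, regular expressions, and sample log are constructed assumptions.

```python
import base64
import json
import re

# Slack incoming-webhook URL: fixed host, three-part path.
SLACK_WEBHOOK = re.compile(
    r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+")
# JWT candidate: three dot-separated base64url segments ("eyJ" encodes '{"').
JWT_CANDIDATE = re.compile(
    r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _b64url_json(segment):
    """Decode a base64url segment to a JSON object, or return None."""
    try:
        value = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # bad padding, bad UTF-8 and bad JSON all derive from it
        return None
    return value if isinstance(value, dict) else None

def is_jwt(token):
    """Cut false positives: header must be a JSON object carrying 'alg'."""
    header, payload, _signature = token.split(".")
    head = _b64url_json(header)
    return head is not None and "alg" in head and _b64url_json(payload) is not None

def redact(secret, keep=12):
    """Keep a short prefix so a finding is identifiable but not reusable."""
    return secret[:keep] + "*" * 8

def scan(lines):
    """Return (line_number, kind, redacted_match) for each secret found."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in SLACK_WEBHOOK.finditer(line):
            findings.append((number, "slack-webhook", redact(match.group())))
        for match in JWT_CANDIDATE.finditer(line):
            if is_jwt(match.group()):
                findings.append((number, "jwt", redact(match.group())))
    return findings

def _seg(obj):
    """Build one base64url JWT segment for the constructed sample below."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample log; none of these values is a real credential.
SAMPLE_LOG = [
    "Run ./load-test.sh",
    "notify=https://hooks.slack.com/services/T00000000/B00000000/" + "X" * 24,
    "token=" + ".".join([_seg({"alg": "HS256", "typ": "JWT"}), _seg({"sub": "ci"}), "c2ln"]),
    "cache=eyJmb28.eyJiYXI.c2ln",  # JWT-shaped, but header is not valid JSON
]
```

Calling `scan(SAMPLE_LOG)` reports the webhook on line 2 and the token on line 3, and skips the JWT-shaped cache key on line 4 because its header does not decode to JSON.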

Real-Time Security Alerts

StepSecurity delivers real-time alerts for runtime detections, ensuring you stay informed about potential security threats as they happen.

To minimize alert fatigue, notifications are sent only once per event, covering all repositories in your GitHub organization. This approach maintains visibility into security events without overwhelming your team.

Follow the instructions in Notification Settings to configure your alerts.

Screenshots on this page: the StepSecurity All Detections page for each detection type (secrets in build logs, secrets in artifacts, Outbound Calls Blocked, Anomalous Outbound Network Calls, files with Source Code Overwritten) and the linked StepSecurity Insights pages (control page, Network Events page, File Write Events page).