Detections

Harden-Runner can monitor outbound runtime detections to help you stay informed about security risks in your GitHub Actions workflows. You can review all past runtime detections on the Detections page under the Harden-Runner menu.

The Detections page covers five critical areas:

1. Secrets in Build Logs

2. Secrets in Artifacts

3. Outbound Calls Blocked

4. Anomalous Outbound Network Calls

5. Source Code Overwritten

6. HTTPS Outbound Network Calls

7. Action Uses Imposter Commit

8. Suspicious Process Events

Each detection is linked to the relevant GitHub Actions workflow and run and includes direct links to the run and the insights URL that indicates where the detection happened.

1. Secrets in Build Logs: This section shows secrets (API keys, tokens, etc.) that were accidentally logged.

1. Secrets in Artifacts: Detects secrets found in generated artifacts

1. Outbound Calls Blocked: Shows network requests that were blocked to prevent security risks.

1. Anomalous Outbound Network Calls: Lists unusual or unexpected external network requests.

1. Source Code Overwritten: Tracks files modified during workflows to detect unauthorized changes.

1. HTTPS Outbound Network Calls: Lists network requests made over HTTPS to prevent security risks.

1. Action Uses Imposter Commit: List actions that use imposter commits

1. Suspicious Process Events: Lists process events that are flagged as suspicious.

Real-Time Security Alerts

StepSecurity delivers real-time alerts for runtime detections, ensuring you stay informed about potential security threats as they happen.

To minimize alert fatigue, notifications are sent only once per event, covering all repositories in your GitHub organization. This approach maintains visibility into security events without overwhelming your team.

Follow the instructions in Notification Settings to configure your alerts.