Detections

Harden-Runner records runtime detections to help you stay informed about security risks in your GitHub Actions workflows. You can review all past runtime detections on the Detections page under the Harden-Runner menu.

The Detections page covers nine critical areas:

  1. Secrets in Build Logs

  2. Secrets in Artifacts

  3. Outbound Calls Blocked

  4. Anomalous Outbound Network Calls

  5. Suspicious Outbound Network Calls

  6. Source Code Overwritten

  7. HTTPS Outbound Network Calls

  8. Action Uses Imposter Commit

  9. Suspicious Process Events

Each detection is linked to the relevant GitHub Actions workflow and run, and includes direct links to the run and to the insights URL showing where the detection happened.

Secrets in Build Logs

This section shows secrets (API keys, tokens, etc.) that were accidentally logged.

Secrets in Artifacts

Detects secrets found in generated artifacts.

Outbound Calls Blocked

Shows network requests that were blocked to prevent security risks.

Anomalous Outbound Network Calls

Lists unusual or unexpected external network requests.

Suspicious Outbound Network Calls

Detects potentially malicious network requests made during workflow execution.

HTTPS Outbound Network Calls

Lists network requests made over HTTPS, so they can be reviewed for security risks.

Source Code Overwritten

Tracks files modified during workflows to detect unauthorized changes.

Action Uses Imposter Commit

Lists actions that use imposter commits.

Suspicious Process Events

Lists process events that are flagged as suspicious.

How to Suppress a Detection

Suppressing a detection hides it from your active list without marking it as fixed. Use suppression when the detection is a false positive, is not relevant, or represents an acceptable risk. Suppressed detections remain available under the “Suppressed” tab for future review and can be unsuppressed if needed.

Step 1: Click the three dots next to the item you want to suppress, then select “Suppress Detection.”

Step 2: Select a reason for suppressing the detection.

Step 3: Click “Suppress”.

Step 4: Go to the “Suppressed” tab to view all suppressed detections.

How to Resolve a Detection

Resolving a detection indicates that you have addressed the underlying issue. Use this option after taking corrective action, such as updating a workflow, fixing a configuration, or applying a patch. Resolved detections move out of the active list but remain in the system for audit and traceability.

Step 1: Click the three dots next to the item you want to resolve, then select “Resolve Detection.”

Step 2: Give a reason for resolving the detection.

Step 3: Click “Resolve”.

Step 4: Go to the “Resolved” tab to view all resolved detections.

Real-Time Security Alerts

StepSecurity delivers real-time alerts for runtime detections, ensuring you stay informed about potential security threats as they happen.

To minimize alert fatigue, notifications are sent only once per event, covering all repositories in your GitHub organization. This approach maintains visibility into security events without overwhelming your team.

Follow the instructions in Notification Settings to configure your alerts.

Lockdown Mode

Lockdown Mode is currently available only for ARC clusters.

Lockdown Mode automatically blocks CI/CD jobs when critical security threats are detected in real time.

Configuring Lockdown Mode

To enable Lockdown Mode for your workflows:

  • Navigate to the Policy Store

  • Create a new policy or edit an existing one

  • Add the lockdown configuration using the following syntax:

      lockdown-mode:
        enabled: true
        detections:
          - Privileged-Container
          - Runner-Worker-Memory-Read
          - Reverse-Shell

  • Attach the policy to your desired scope (cluster, organization, repository, or workflow)

Supported Detection Types

  Detection                  Description
  Privileged-Container       Blocks containers running with elevated privileges
  Runner-Worker-Memory-Read  Blocks unauthorized memory reading attempts
  Reverse-Shell              Blocks reverse shell connection attempts

Note: When lockdown mode is enabled and a threat is detected, the job will be immediately terminated and you will receive a notification with details about the blocked threat.
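The following is an added example, not StepSecurity's own code, that sanity-checks a lockdown-mode policy fragment before it is attached in the Policy Store. It assumes the policy has already been loaded into a Python dict by a YAML parser, and it accepts only the three detection names listed in the table above; a constructed weak variant shows the two mistakes that would silently leave a threat unblocked.

```python
# Added example (not StepSecurity's code): sanity-check a Harden-Runner
# lockdown-mode policy fragment before attaching it in the Policy Store.
# The policy is assumed to be already loaded into a dict by a YAML parser;
# the accepted detection names are the three listed on this page.

SUPPORTED_DETECTIONS = {"Privileged-Container", "Runner-Worker-Memory-Read", "Reverse-Shell"}


def validate_lockdown_policy(policy):
    """Return a list of problems; an empty list means the fragment is usable."""
    section = policy.get("lockdown-mode")
    if not isinstance(section, dict):
        return ["missing 'lockdown-mode' section"]
    problems = []

    enabled = section.get("enabled")
    # A quoted "true" loads as a string, not a boolean; do not treat it as enabled.
    if enabled is not True:
        problems.append(f"'enabled' must be the boolean true, got {enabled!r}")

    detections = section.get("detections")
    if not isinstance(detections, list) or not detections:
        problems.append("'detections' must be a non-empty list")
        return problems

    seen = set()
    for name in detections:
        if not isinstance(name, str) or name not in SUPPORTED_DETECTIONS:
            # Names are case-sensitive; a near miss leaves that threat unblocked.
            problems.append(f"unsupported detection {name!r}")
        elif name in seen:
            problems.append(f"duplicate detection {name!r}")
        else:
            seen.add(name)
    return problems


# Constructed sample: the fragment shown on this page, as a YAML loader returns it.
GOOD_POLICY = {"lockdown-mode": {
    "enabled": True,
    "detections": ["Privileged-Container", "Runner-Worker-Memory-Read", "Reverse-Shell"],
}}

# Constructed weak variant: quoted "true" and a misspelled detection name.
WEAK_POLICY = {"lockdown-mode": {
    "enabled": "true",
    "detections": ["Reverse-shell", "Privileged-Container"],
}}
```

Run the validator over each policy before attaching it; an empty result means the fragment matches the documented syntax.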
