Harden-Runner is a purpose built security agent for CI/CD to detect and prevent malicious patterns observed during past software supply chain security breaches. It currently works for the GitHub-hosted and Actions Runner Controller (ARC) based self-hosted GitHub Actions runners.
Steps To Follow
If you are a new user, please follow the following steps to deploy and operationalize Harden-Runner. You can find detail about each step in the side bar.
- Depending upon your Harden-Runner license, follow the appropriate installation instructions.
- Access Harden-Runner insights available on the StepSecurity web application.
- [Optional] Enable
Blockmode for extra protection based on the auto-generated policy available on the insights page.
- [Optional] Analyze source code overwrite events.
- [Optional] Block sudo access in CI/CD.
- [Optional] Setup Slack and Email notifications.
Why monitor CI/CD runtime?
Compromised dependencies and build tools have led to several software supply chain breaches in the past. CI/CD platforms typically contain highly privileged secrets such as admin cloud management credentials, software publishing keys, etc. to automate software delivery. Consequences of a compromised CI/CD pipeline can have devastating impact. Harden-Runner monitors runtime behavior of CI/CD and detects deviations from the baseline.
Why not use existing EDR solutions for CI/CD?
EDR solutions are built for developer and production machines where runtime behavior is highly unpredictable. To an EDR solution, a source code overwrite event may not be very interesting. Whereeas CI/CD runtime behavior is highly predictable as it does the same thing again and again. Harden-Runner is specifically designed to detect malicious patterns from past software supply chain breaches in CI/CD.
How does Harden-Runner work?
Harden-Runner GitHub Action downloads and installs the open-source Harden-Runner Agent.
- It monitors file, process, and network activity during CI/CD run and enriches build logs with additiona runtime details.
- It blocks unallowed network calls when configured to run in
- The agent shares findings with the Stepsecurity backend where raw system events are stitched together to build a runtime insight page.
- The agent's build is reproducible. You can view the steps to reproduce the build here.
Click here to watch a short one-minute video demostrating key Harden-Runner capablities.