
Enable Runtime Security (Self-hosted VM Runners)

To enable runtime security for self-hosted runners on Cloud VMs (e.g. EC2 instances), you can add the Harden-Runner agent to your runner image.

  1. Instead of adding the Harden-Runner GitHub Action to each workflow, install the Harden-Runner agent on your runner image (e.g. an AMI). This is typically done with Packer.

  2. The agent monitors every job that runs on the VM, so you do NOT need to add the Harden-Runner GitHub Action to each job for audit mode. You DO need to add the Harden-Runner GitHub Action to a job to use block mode (network filtering).

  3. Both ephemeral and persistent VM runners are supported.

  4. Security insights and runtime detections are available under the Runtime Security tab in your dashboard.
info

Please email us at support@stepsecurity.io for instructions on how to install the Harden-Runner agent on your runner image. This agent is different from the one used for GitHub-hosted runners.

Demo

For a demo of workflows running on self-hosted cloud VMs (e.g. EC2) with Harden-Runner integrated, follow these links:

Network Monitoring

  1. View this workflow file: https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/self-hosted-network-monitoring-hr.yml

    Notice that the Harden-Runner Action is not added to this workflow, and that the workflow runs on a self-hosted EC2 runner.

  2. Check out an example run of this workflow here: https://github.com/step-security/github-actions-goat/actions/runs/6386599320

  3. Visit the workflow insights for this run here: https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6386599320

    You can see the outbound traffic for each step, without the need to add harden-runner to each job.

Even though the Harden-Runner Action is not added to the workflow, the insights are the same as for a GitHub-hosted runner.

Network Filtering with Harden Runner

To restrict the outbound traffic of a job that runs on a self-hosted VM runner to specific destinations, add the Harden-Runner GitHub Action to that job in block mode.

  1. View the workflow file: https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/self-hosted-network-filtering-hr.yml

    Notice that the Harden-Runner Action is added, with a list of allowed endpoints.

  2. Check out an example run of this workflow here: https://github.com/step-security/github-actions-goat/actions/runs/6386598192

  3. Visit the workflow insights for this run here: https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6386598192

    You will notice that the call to attacker.com, which is not in the allowed list, was blocked in this case.
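The following workflow is an added example of what the block-mode setup looks like for a job on a self-hosted VM runner; it is not the workflow from the github-actions-goat repository. The runner label, the endpoint list, and the two curl steps are assumptions chosen for illustration; attacker.com is used only because the demo above shows a blocked call to it. In this setup the agent baked into the runner image records everything the job does, and the Harden-Runner Action is added solely to switch the job from audit mode to block mode.

```yaml
# Added example (not from the original page or the github-actions-goat repo).
# Assumptions: the "self-hosted" label, the endpoint list, and the curl steps
# are placeholders; replace them with your own runner labels and destinations.
name: self-hosted-network-filtering-example

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  build:
    # The Harden-Runner agent installed on the VM image already monitors
    # every job on this runner (audit mode). The Action below is needed
    # only because this job should run in block mode.
    runs-on: self-hosted
    steps:
      - name: Harden Runner (block mode)
        # Pin to a full commit SHA in production workflows rather than a tag.
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          # Only these host:port pairs are reachable from the job. Any other
          # outbound connection is blocked and reported in the run's insights.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@v4

      - name: Allowed outbound call (api.github.com is in the list)
        run: curl -sS -o /dev/null -w '%{http_code}\n' https://api.github.com/zen

      - name: Unlisted outbound call (expected to be blocked)
        # attacker.com is not in allowed-endpoints, so this request must fail.
        # The step fails the job if the connection unexpectedly succeeds.
        run: |
          if curl -sS --max-time 10 -o /dev/null https://attacker.com; then
            echo "reached an unlisted destination; egress policy is not in effect"
            exit 1
          else
            echo "outbound call to attacker.com was blocked as expected"
          fi
```

Keep the allowed list minimal: start the job in audit mode, read the outbound destinations that the Runtime Security tab reports for it, and only then switch `egress-policy` to `block` with exactly those endpoints.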

File Monitoring

  1. View this workflow file: https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/self-hosted-file-monitor-with-hr.yml

    Notice that the Harden-Runner Action is not added to this workflow, and that the workflow runs on a self-hosted runner.

  2. Check out an example run of this workflow here: https://github.com/step-security/github-actions-goat/actions/runs/6386649358

  3. Visit the workflow insights for this run here: https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6386649358

    You can see that the file overwrite event is detected, without the need to add harden-runner to each job.