Run your job without sudo access
GitHub-hosted runners use passwordless sudo for running jobs.
This means compromised build tools or dependencies can install attack tools.
Harden-Runner monitors the use of sudo during Actions workflow runs. If your job does not need sudo access, you see a policy recommendation to disable sudo on the Insights page.
When you set disable-sudo to true, the job steps run without sudo access to the GitHub-hosted Ubuntu VM. If a job attempts to use the sudo command, the CI will fail.
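A workflow with the setting applied, shown as an added example that is not taken from the original page. The workflow name, job name, build command and the `<pinned-ref>` placeholders are assumptions; replace each placeholder with the release tag or commit SHA you actually pin to.

```yaml
# Constructed example workflow (not from the Harden-Runner documentation page).
name: build

on:
  push:
    branches: [main]

jobs:
  build:
    # disable-sudo applies to the GitHub-hosted Ubuntu VM.
    runs-on: ubuntu-latest
    steps:
      # Harden-Runner goes first so every later step in this job
      # runs after sudo access has been removed.
      - name: Harden the runner
        uses: step-security/harden-runner@<pinned-ref>  # placeholder ref
        with:
          disable-sudo: true

      - name: Check out the repository
        uses: actions/checkout@<pinned-ref>  # placeholder ref

      # Assumed build command; it needs no elevated privileges.
      - name: Build
        run: make build

      # A step such as the one below would now fail the job, because it
      # calls sudo. Keep disable-sudo off (or move the install into the
      # runner image) for jobs that genuinely need it.
      #
      # - name: Install system package
      #   run: sudo apt-get install -y some-package
```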
To access this feature, switch to the Recommendations tab on your Insights page.