Why Implement Network and Runtime Security for Runners
Last updated
Compromised workflows, dependencies, and build tools in a CI/CD environment pose two main threats:
Exfiltration of CI/CD credentials and source code from the runner
Tampering with source code, dependencies, or artifacts during the build to inject a backdoor
Harden-Runner mitigates these threats by monitoring, and where configured restricting, process, file, and network activity on the runner.
The table below outlines the key security measures provided by Harden-Runner, their function, and the threats they help prevent:
Network Traffic Control
Function: Monitor and block outbound network traffic at the DNS layer, at the network and transport layers (Layers 3 and 4), and at the HTTPS application layer (Layer 7) to prevent exfiltration of source code and CI/CD credentials
Threat addressed: To prevent the scenario
Source Code Integrity Check
Function: Detect whether source code is tampered with during the build process to inject a backdoor
Threat addressed: To detect the and scenarios
Dependency and Workflow Monitoring
Function: Detect poisoned workflows and compromised dependencies that exhibit suspicious behavior at build time
Threat addressed: To detect and scenarios
GitHub Token Permission Enforcement
Function: Determine the minimum GITHUB_TOKEN permissions a job needs by monitoring its HTTPS calls to GitHub APIs
Threat addressed: To set to reduce the impact of exfiltration
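The network control and token permission measures above both come down to workflow configuration. The following workflow is an added example, not configuration from this page or from the Harden-Runner project's own documentation. It relies on the action's egress-policy and allowed-endpoints inputs; the job names, the endpoint allowlist, and the build commands are hypothetical placeholders that you would replace with the endpoints an audit run of your own job reports.

```yaml
name: build

on:
  push:
    branches: [main]
  pull_request:

# Least-privilege default for every job in the workflow. Harden-Runner's
# permission report (derived from the HTTPS calls the job makes to GitHub
# APIs) tells you whether read-only contents access is actually sufficient.
permissions:
  contents: read

jobs:
  # Weak setting: audit mode. Outbound traffic is observed and reported but
  # never blocked, so a compromised dependency can still exfiltrate secrets.
  # Keep this job only while discovering which endpoints the build needs.
  audit-egress:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test

  # Hardened setting: block mode. Only the allowlisted host:port pairs are
  # reachable; a connection to any other destination is blocked and reported.
  # Harden-Runner must be the first step so that later steps cannot run
  # before the policy is in place.
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          # Hypothetical allowlist for a Node.js build. Derive the real list
          # from the audit-egress job above rather than guessing it, and do
          # not widen it to "*" when a build breaks: find the missing host.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test
```

Run the audit job first, copy the reported endpoints into allowed-endpoints, then remove the audit job so that every run of the build enforces the policy. A job that suddenly needs a new endpoint after a dependency bump is exactly the signal the table above describes, so treat an unexpected blocked connection as a finding to investigate, not as a reason to add the host.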