Changelog
Authentication Overhaul and Dev Machine Guard MDM Deployment
Feature: New authentication options for the StepSecurity API and a documented MDM deployment path for Dev Machine Guard on enterprise fleets.
Highlights:
Short-lived personal access tokens: Per-user, fine-grained bearer tokens with a maximum lifetime of 12 hours, for calling the StepSecurity API from scripts, CLIs, and the StepSecurity MCP server. Available from the top-right avatar menu under Short-lived tokens, or at app.stepsecurity.io/me/tokens
Fine-grained API keys (organization and tenant): Scoped, long-lived service credentials bound to an organization or tenant, with permissions you select at creation time and expirations up to 1 year. Key value is shown once at creation; revocable at any time
OIDC federation for GitHub Actions: Trust policies that let workflows mint short-lived StepSecurity API tokens directly via OIDC, with no stored secret in the repository. Policies can be scoped on repository, branch, environment, and workflow file path. Available at both organization and tenant level
Embedded API reference (Swagger UI): A new API reference tab on the StepSecurity API settings page, with the full OpenAPI 3.0 spec browsable and testable from the dashboard, plus a download link for use with code generators and Postman
Dev Machine Guard MDM deployment guides: A new MDM Deployment section under Installation Script, covering Windows and macOS fleet deployment patterns. Initial guides:
Windows via Microsoft Configuration Manager (SCCM): full step-by-step guide for fleet rollout of the signed Dev Machine Guard MSI, including supersedence-based upgrades and Sigstore signature verification
macOS via Iru (formerly Kandji): full step-by-step guide using Iru's Custom Script library item for daily execution of the loader script
Secure Registry: Cooldown Exemptions and Compromised Package Blocking
Feature: Two new controls in Secure Registry give customers finer-grained policy over which packages are blocked at install time.
Highlights:
Exempt packages from cooldown: allowlist specific packages (for example, internal scoped packages or trusted first-party publishers) so that new versions are served immediately, bypassing the configured cooldown window. Useful when an organization controls the publishing pipeline and does not need a vetting buffer for its own packages
Block compromised packages: deny installs of any package version flagged in StepSecurity's continuously updated compromised-packages database, even if the version is outside the cooldown window. Stops known-bad releases from reaching developer machines and CI/CD pipelines, regardless of cooldown configuration
Both controls are configurable per ecosystem and complement the existing Cooldown Period control that shipped at Secure Registry launch
New Control: Default branch should be protected
Feature: A new Source Code Integrity control evaluates whether each repository's default branch has branch protection enabled, surfacing unprotected default branches alongside the rest of the StepSecurity controls dashboard.
Highlights:
Flags repositories whose default branch has no branch protection rule, leaving it open to direct pushes, force pushes, and accidental deletion
Severity: High. An unprotected default branch lets changes bypass code review and CI checks, and is a common precursor to supply chain incidents
Appears under Source Code Integrity in the All Controls view, with failed-check counts per repository
Aligns with the corresponding OpenSSF Scorecard check, so existing remediation guidance applies
Secure Registry: Authenticated Upstream Registry with Configurable Security Controls
Feature: Secure Registry is a new authenticated upstream registry that proxies package requests from developers, CI runners, and artifact repository managers, applying StepSecurity security controls before responses are returned.
Highlights:
New per-ecosystem Policy tab to toggle security controls. Cooldown Period available today; Compromised Packages and Typosquatting Protection coming soon
Cooldown Period blocks packages published within a configurable window (default 10 days), giving the community and StepSecurity's SOC time to vet new releases before they reach your environment
Three integration paths (JFrog Artifactory, Google Artifact Registry, and Direct npm (.npmrc)) covering teams with or without an existing artifact manager
Primary and Secondary API keys for zero-downtime rotation
New Policy Evaluations log records every request flowing through Secure Registry with per-control results, filterable by status, ecosystem, request type, package, version, and date range
Available for npm today; PyPI coming soon
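The admission logic these two Secure Registry entries describe (a cooldown window, packages exempted from cooldown, and compromised-version blocking that applies regardless of cooldown), written out as an added Python example; it is not StepSecurity's code. The registry timestamps, the compromised-package list and the policy values are constructed, and the npm and PyPI package cooldown PR checks further down this page apply the same cooldown idea with a 48-hour default. Treating an unknown version as denied, and checking the compromised list before the exemption list so an exempt package can never admit a known-bad version, are this example's choices.

```python
"""Package-admission decision in the spirit of the Secure Registry controls:
cooldown window, cooldown exemptions and compromised-version blocking.
Added illustration, not StepSecurity's code; all data below is constructed."""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for npm packument "time" maps (version -> publish time).
SAMPLE_PACKUMENTS = {
    "left-pad": {"time": {
        "1.3.0": "2018-04-01T00:00:00.000Z",
        "1.4.0": "2026-04-18T12:00:00.000Z",   # 2 days old relative to NOW
    }},
    "@acme/internal-lib": {"time": {"2.0.0": "2026-04-19T09:30:00.000Z"}},
    "evil-pkg": {"time": {"0.9.0": "2026-01-05T00:00:00.000Z"}},
}

# Constructed stand-in for a compromised-packages feed: (name, version) pairs.
COMPROMISED = {("evil-pkg", "0.9.0")}

# Constructed per-ecosystem policy. Use timedelta(hours=48) for the PR-check
# style default mentioned further down the page.
POLICY = {
    "cooldown": timedelta(days=10),
    "cooldown_exempt": {"@acme/internal-lib"},   # e.g. first-party scoped packages
    "block_compromised": True,
}

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2026, 4, 20, 12, 0, tzinfo=timezone.utc)


def parse_npm_time(ts):
    """npm timestamps end in 'Z'; fromisoformat before Python 3.11 rejects
    that suffix, so normalise it to an explicit UTC offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate(name, version, policy=POLICY, now=NOW,
             packuments=SAMPLE_PACKUMENTS, compromised=COMPROMISED):
    """Return (decision, reason) for one install request.

    Order matters: the compromised check runs first so a cooldown exemption
    can never admit a known-bad version; cooldown is applied last and only
    to packages that are not exempt."""
    if policy["block_compromised"] and (name, version) in compromised:
        return "block", "compromised"
    times = packuments.get(name, {}).get("time", {})
    if version not in times:
        return "block", "unknown-version"   # assumption: unknown means deny
    if name in policy["cooldown_exempt"]:
        return "allow", "cooldown-exempt"
    age = now - parse_npm_time(times[version])
    if age < policy["cooldown"]:
        return "block", "cooldown (%dd < %dd)" % (age.days, policy["cooldown"].days)
    return "allow", "aged-out"


if __name__ == "__main__":
    for pkg, ver in [("left-pad", "1.3.0"), ("left-pad", "1.4.0"),
                     ("@acme/internal-lib", "2.0.0"), ("evil-pkg", "0.9.0")]:
        print(pkg, ver, *evaluate(pkg, ver))
```

Running the block prints one decision per sample request; switching `block_compromised` off in the policy shows why the ordering matters, since evil-pkg 0.9.0 is old enough to have aged out of the cooldown window and would then be admitted.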
Dev Machine Guard: System Packages with Linux Coverage and Risk Indicators
Feature: Dev Machine Guard expands OS-level package visibility beyond macOS Homebrew, adding Linux package detection across three formats and surfacing new risk indicators for unsigned and third-party packages.
Highlights:
System Packages page (renamed from Brew Packages) consolidates OS-level package inventory across macOS and Linux developer endpoints in a single view
Linux package detection covers three formats: rpm, snap, and flatpak
New Vendor and Maintainer metadata surfaces the publisher and contact for each Linux package
New Unsigned filter flags packages with no cryptographic signature, and the Third-party filter flags packages not distributed officially by the device's Linux distribution
Package detail view shows per-version device counts so version drift is immediately visible across the fleet
PyPI Support Across OSS Package Security
Feature: PyPI joins npm as a first-class ecosystem across StepSecurity's OSS Package Security capabilities. Package search and GitHub Checks now cover Python dependencies alongside JavaScript ones.
Highlights:
OSS Package Search (formerly NPM Package Search) now supports both npm and PyPI ecosystems, with package detection unified across pull requests, default branches, and developer machines
Two new GitHub Checks for PyPI dependencies:
PyPI Package Compromised Updates blocks PRs that introduce or update PyPI dependencies known to be compromised
PyPI Package Cooldown blocks PRs that introduce recently-published PyPI packages, with a configurable cooldown window
Backed by the same StepSecurity SOC threat intelligence and AI Package Analyst verdicts already in use for npm
A unified investigation surface for cross-ecosystem incidents that affect both npm and PyPI
Replace Maintained Actions: New Replacement Modes and Major-Version Restriction
Feature: The Replace Third-Party Actions with StepSecurity-Maintained Actions policy in Policy-Driven PRs now supports two replacement modes and optional major-version matching.
Highlights:
New Replace selected actions mode (opt-in, default): only replace actions you explicitly select
New Replace all, except exempted mode (opt-out): replace everything with a StepSecurity-maintained equivalent automatically, except for listed exemptions
New Restrict replacement to same major version toggle: only replace when the third-party action's major version tag matches the StepSecurity-maintained action's major version
Reduces the operational cost of maintaining a large action allowlist while preserving organization-specific flexibility
See also: Replace Third-Party Actions with StepSecurity-Maintained Actions
Policy Store: Policy History and Audit Trail
Feature: The Policy Store now records every change to a policy in a timeline-view audit trail, with side-by-side diffs for content edits.
Highlights:
Timeline view of all policy changes: content edits, attachments, detachments, and scope modifications
Side-by-side diff view for YAML content changes, with added and removed lines highlighted
Attribution showing who made each change and when
Attachment-change events capture scope transitions (e.g., from specific workflows to the entire repo) so the full history is visible at a glance
Accessible from any policy's three-dot menu via View history
Designed to make policy-related changes easier to audit for security reviews and compliance
Harden-Runner Support for Third-Party GitHub Actions Runners
Feature: Harden-Runner (v2.19.0) now supports the four major third-party GitHub Actions runner providers: Depot, Blacksmith, Namespace, and Warp Build.
Highlights:
Same egress monitoring, runtime monitoring, and policy enforcement that Harden-Runner provides on GitHub-hosted runners
Integration is identical to GitHub-hosted runners: add step-security/harden-runner as the first step of each job; only the runs-on label changes
No provider-specific configuration required
Supports Policy Store, block mode with allowed-endpoints, and all standard Harden-Runner detections
Also in v2.19.0: system-defined detection rules for Lockdown Mode (e.g., runner-worker memory reads, a known secret-stealing technique) and Windows/macOS stability fixes
Dev Machine Guard: Expanded Platform and Ecosystem Coverage
Feature: Dev Machine Guard adds Windows support, a JetBrains IDE extension, Homebrew formulae coverage, and PyPI package detection, broadening supply-chain visibility on developer endpoints beyond macOS and npm.
Highlights:
Windows support: Dev Machine Guard now runs on Windows developer endpoints alongside existing macOS coverage, giving security teams a unified view across the platforms their developers actually use
JetBrains IDE extension: native integration with IntelliJ IDEA, PyCharm, GoLand, WebStorm, and other JetBrains IDEs, complementing the existing VS Code extension
Homebrew formulae support: detects risky, typosquatted, or newly published Homebrew formulae installed on developer machines, closing a gap that npm-focused tools miss
PyPI package detection: extends package-level risk analysis to the Python ecosystem, surfacing suspicious PyPI installs with the same AI Package Analyst verdicts used for npm
Unifies developer-endpoint visibility across three package ecosystems (npm, PyPI, Homebrew) and the two most common developer IDEs (VS Code, JetBrains)
Global Block List: Threat-Intelligence-Driven Automatic Blocking
Feature: Harden-Runner (v2.18.0) now enforces a StepSecurity SOC-maintained Global Block List of IOC domains and IPs across every protected workflow β automatically, and even in audit mode.
Highlights:
Outbound connections to known malicious domains and IPs are blocked automatically, with no configuration change required
Enforcement applies even in egress-policy: audit mode, so customers do not have to re-decide whether to block each IOC
List is curated by StepSecurity's 24×7 SOC based on active supply-chain attack investigations
Used to block exfiltration from the pgserve npm compromise in real time
Blocked requests are labeled Attack Blocked in the Network Events view so customers can distinguish them from regular policy blocks
Also in v2.18.0: new deploy-on-self-hosted-vm input for installing the Harden-Runner agent directly on ephemeral self-hosted Linux VMs at workflow runtime
Further expanded in v2.19.0 (20 April 2026); see above
Workflow Run Policies: Harden-Runner Policy and Pinned-Actions Enforcement
Feature: Two new policy enforcement capabilities have been added to Workflow Run Policies.
Highlights:
Harden-Runner Policy: blocks workflow runs where the Harden-Runner action is missing or is not configured as the first step of a job. Supports Custom Actions for organizations that wrap Harden-Runner inside an internal bootstrap action
Only allow pinned actions toggle on the Allowed Actions Policy: blocks any action reference that is not pinned to a commit SHA, protecting against tag-overwrite attacks like the tj-actions/changed-files compromise
Wildcard support in the Allowed Actions Policy allowlist (e.g., actions/*)
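A minimal version of the two Allowed Actions Policy checks described above (wildcard allowlist entries such as actions/*, and the only-allow-pinned-actions rule that rejects tag and branch references in favour of a full commit SHA), as an added Python example rather than StepSecurity's implementation. The workflow text, the allowlist and both commit SHAs are constructed; treating local (./) and docker:// references as out of scope, and matching the allowlist on owner/repo only, are this example's assumptions.

```python
"""Allowed Actions Policy checks: wildcard allowlist entries (actions/*) and
the only-allow-pinned-actions rule (a full 40-hex commit SHA after '@').
Added illustration, not StepSecurity's code; the workflow, allowlist and
SHAs are constructed. A line scanner stands in for a YAML parser so the
block runs with the standard library only."""
import re
from fnmatch import fnmatchcase

# Constructed sample workflow mixing pinned, tag-pinned, local and docker uses.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v2 (constructed SHA)
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v35
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
      - uses: octo-org/deploy@89abcdef0123456789abcdef0123456789abcdef
"""

# Constructed allowlist; the wildcard entry admits every action under actions/.
ALLOWLIST = ["actions/*", "step-security/harden-runner", "octo-org/deploy"]

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Yield (owner/repo, ref) for remote actions. Local (./) and docker://
    references carry no owner/repo@ref and are yielded with ref None."""
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            yield spec, None
            continue
        path, _, ref = spec.partition("@")
        # owner/repo/subdir@ref forms are allowlisted on owner/repo (assumption)
        yield "/".join(path.split("/")[:2]), ref


def is_allowed(owner_repo, allowlist):
    """fnmatchcase gives shell-style wildcards: 'actions/*' matches any repo
    under the actions org."""
    return any(fnmatchcase(owner_repo, pattern) for pattern in allowlist)


def check_workflow(workflow_text, allowlist, pinned_only):
    """Return (reference, verdict) pairs; verdicts other than 'ok' and
    'skipped' would block the run. The allowlist check comes first so an
    unpinned but unknown action is reported as not-allowlisted."""
    results = []
    for action, ref in parse_uses(workflow_text):
        if ref is None:
            results.append((action, "skipped"))
        elif not is_allowed(action, allowlist):
            results.append((action, "not-allowlisted"))
        elif pinned_only and not SHA_RE.match(ref):
            results.append((action + "@" + ref, "unpinned"))
        else:
            results.append((action + "@" + ref, "ok"))
    return results


def run_blocked(workflow_text, allowlist, pinned_only):
    """True when at least one reference fails policy."""
    return any(verdict not in ("ok", "skipped")
               for _, verdict in check_workflow(workflow_text, allowlist, pinned_only))


if __name__ == "__main__":
    for ref, verdict in check_workflow(SAMPLE_WORKFLOW, ALLOWLIST, pinned_only=True):
        print(verdict.ljust(16), ref)
```

With the pinned-only toggle on, actions/checkout@v4 is reported as unpinned even though it is allowlisted, which is exactly the tag-overwrite exposure the toggle closes; tj-actions/changed-files is rejected earlier by the allowlist regardless of the toggle.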
Policy Store Integration in Harden-Runner Action
Feature: Harden-Runner (v2.17.0) adds native Policy Store support via new use-policy-store and api-key inputs.
Highlights:
Fetch and enforce security policies directly from the StepSecurity Policy Store at runtime
Policies can be attached at workflow, repository, organization, or ARC cluster level, with the most granular policy taking precedence
Preferred alternative to the existing policy input, which requires id-token: write permission
If no policy is found in the Policy Store, the action defaults to audit mode
Centralize egress policy management across hundreds of repositories without editing any workflow file
Dev Machine Guard Open Source
Feature: Dev Machine Guard is now open source
Highlights:
Provides visibility into what is actually running on developer machines in real time
Helps security teams detect suspicious processes, hidden tooling, and unexpected network activity on developer endpoints
Enables developers and organizations to independently verify the security posture of their development environments
Supports supply chain defense by exposing processes that could manipulate builds, credentials, or CI/CD interactions
Fully open source, enabling community auditing, transparency, and contributions
Complements StepSecurity's CI/CD protections by extending visibility upstream to developer workstations
Harden Runner Windows & macOS Support
Feature: Harden Runner now supports GitHub Actions runners on Windows and macOS.
Highlights:
Harden Runner delivers EDR-level runtime security across all three major GitHub Actions platforms: Linux, Windows, and macOS.
Cross-platform support includes network and process event monitoring out of the box, with no workflow configuration changes required.
Available in both Community Tier and Enterprise Tier; Windows and macOS monitoring remains free for public/open-source projects.
Same action and syntax as existing Harden Runner workflows; it now "just works" on Windows and macOS.
https://www.stepsecurity.io/blog/harden-runner-now-supports-windows-and-macos-github-actions-runners
Apps & PATs Visibility
Feature: Launch of Apps & PATs β centralized visibility for GitHub Apps and Personal Access Tokens.
Highlights:
Provides organization-wide inventory of GitHub Apps and PAT usage
Helps security teams identify high-risk or overprivileged credentials
Detects dormant or unmanaged tokens that expand supply chain attack surface
Improves governance over third-party GitHub integrations
Supports least-privilege access enforcement beyond workflows
Strengthens identity-layer security in GitHub environments
StepSecurity Dark Mode
Feature: StepSecurity now supports Dark Mode across the platform UI.
Highlights:
Enables a more comfortable viewing experience for security and DevOps teams
Improves usability for long investigation and monitoring sessions
Supports modern UI accessibility preferences
Provides a consistent dark theme across dashboards, insights, and policy workflows
https://www.stepsecurity.io/blog/stepsecurity-now-supports-dark-mode
StepSecurity Developer Machine Guard
Feature: Introduction of StepSecurity Dev Machine Guard, protecting developer machines from supply chain attacks.
Highlights:
Secures developer endpoints as a critical part of the software supply chain
Prevents compromised laptops, credentials, and local tooling from becoming an entry point into CI/CD systems
Extends StepSecurity's protection beyond workflows into developer environments
Helps organizations detect risky developer machine posture before code reaches production
Complements CI/CD runtime enforcement with upstream endpoint defense
Designed for modern engineering teams facing increasing developer-targeted attacks
Harden-Runner Support for GitHub-Hosted Custom Runner Images
Feature: Support for baking StepSecurity Harden-Runner directly into GitHub-hosted custom VM images.
Highlights:
Enables organization-wide runtime protection by embedding Harden-Runner into GitHub-hosted custom runner images
Eliminates the need to add the Harden-Runner action to individual workflows
Provides persistent, default-on runtime security for every job running on the custom image
Removes workflow-level operational overhead for large organizations with hundreds or thousands of workflows
Reduces developer friction by making CI/CD runtime security transparent and automatic
Enables centralized lifecycle management of Harden-Runner through runner image updates
Ensures consistent policy enforcement across all workflows when combined with the Policy Store
Supports gradual migration with no conflicts if existing workflows still include the Harden-Runner action
Aligns CI/CD security with infrastructure-level security practices used for production systems
StepSecurity on Azure Marketplace
Feature: StepSecurity is now available on the Azure Marketplace, adding a new procurement and deployment path alongside AWS Marketplace availability.
Highlights:
Purchase StepSecurity using existing Azure billing arrangements
Simplify vendor management with consolidated Azure invoices
Accelerate deployment inside Azure-hosted environments
Adopt StepSecurity's CI/CD security for GitHub Actions with minimal configuration
Get end-to-end workflow visibility, automated egress control to prevent supply chain attacks, and enforcement of GitHub Actions security best practices
https://www.stepsecurity.io/blog/stepsecurity-is-now-available-on-azure-marketplace
npm Package Search
Feature: Introduction of npm Package Search for PR-level visibility into when and where npm packages entered your codebase.
Highlights:
Provides instant search across all pull requests in your GitHub organizations to identify where an npm package was first introduced
Answers critical incident-response questions: Which repos are affected? Who added the package? When did it land? What's the blast radius?
Tracks package lifecycle changes: even if a dependency was later removed, you can see when it existed, who added it, and how long it persisted
Enables correlation of developer activity, helping teams assess whether compromised developer machines or credentials may have played a role
Goes beyond traditional SCA by focusing not just on what you use today but how each dependency entered and evolved
Accelerates response to supply chain incidents like Shai-Hulud, Singularity, and eslint-config-prettier by instantly surfacing all PRs that introduced compromised package versions
Supports proactive dependency auditing to find deprecated, vulnerable, or policy-violating packages with full contextual history
Provides organization-wide blast-radius assessment to help teams prioritize remediation across multiple repositories
StepSecurity Threat Intelligence
Feature: Launch of Threat Intelligence β real-time supply chain attack alerting for your SIEM.
Highlights:
Provides immediate alerts when a major supply chain incident occurs.
Integrates with SIEM/SOC tools for instant threat visibility
Includes a Threat Center dashboard for tracking active and historical incidents
NPM Package Cooldown Check
Feature: Introduction of the NPM Package Cooldown Check GitHub PR-check.
Highlights:
Blocks use of newly published npm packages within a configurable cooldown period (default 48 hours)
Reduces exposure to malicious package takeovers and supply chain attacks
https://www.stepsecurity.io/blog/introducing-the-npm-package-cooldown-check
Automated Replacement of Third-Party Actions
Feature: Automated pull requests to replace third-party GitHub Actions with StepSecurity-maintained ones.
Highlights:
Uses Policy-Driven Automation to enforce safer dependencies
Minimizes manual CI/CD maintenance and ensures supply chain consistency
StepSecurity on AWS Marketplace
Feature: StepSecurity is now available on AWS Marketplace.
Highlights:
Simplified procurement and deployment
Integrates with AWS billing and governance systems
Ideal for enterprise adoption within AWS environments
https://www.stepsecurity.io/blog/stepsecurity-is-now-available-on-aws-marketplace
StepSecurity Artifact Monitor
Feature: Introduction of the StepSecurity Artifact Monitor.
Highlights:
Detects unauthorized or malicious software releases within minutes
Monitors artifact registries (like npm) to catch releases that bypass CI/CD pipelines
Verifies provenance using commit SHAs, tags, and build metadata
Sends alerts via Slack, email, or SIEM integrations
Workflow Run Policies
Feature: Launch of Workflow Run Policies β security guardrails for GitHub Actions.
Highlights:
Block non-compliant runs before execution
Enforce allowed Actions, runner labels, and organization rules
Detect and prevent secret exfiltration or compromised Actions
Export Harden-Runner Insights to Amazon S3
Feature: New S3 Integration for exporting Harden-Runner insights and detections.
Highlights:
Streams telemetry to customer-owned S3 buckets
Enables long-term retention, custom analytics, and SIEM ingestion
Supports automation workflows using AWS infrastructure
https://www.stepsecurity.io/blog/export-harden-runner-security-insights-and-detections-to-amazon-s3
Policy-Driven Automated Pull Requests
Feature: Automated PRs for CI/CD Misconfiguration Remediation.
Highlights:
Automatically generates GitHub PRs or Issues when a workflow violates policy
Bridges detection and remediation in CI/CD environments
Reduces time-to-fix and enforces compliance across repos
Integration with RunsOn
Feature: Integration with RunsOn for secure self-hosted GitHub Actions runners.
Highlights:
Provides pre-hardened AWS AMI images with StepSecurity tooling preinstalled
Simplifies setup of self-hosted runners while maintaining strict security
https://www.stepsecurity.io/blog/announcing-stepsecuritys-integration-with-runson
New Features for GitHub Actions Security Best Practices
Feature: Enhancements to the "Secure Repo" capability, with new features to enforce GitHub Actions security at scale.
Highlights:
Support for pinning GitHub's new "Immutable Actions" (semantic version pinning)
Introduced exemptions for pinning specific Actions or entire organisations
Persistent user settings to apply best-practice preferences across multiple repositories automatically
https://www.stepsecurity.io/blog/new-features-for-github-actions-security-best-practices
Internal GitHub Actions Marketplace
Feature: Launch of the Internal GitHub Actions Marketplace β a secure, enterprise-ready directory of vetted GitHub Actions.
Highlights:
Provides a curated marketplace of approved third-party and first-party GitHub Actions
Ensures only vetted Actions are used in CI/CD pipelines, reducing supply chain risk
Includes Action Security Scores, networking behavior insights, and repository usage visibility
Offers StepSecurity-maintained secure clones of risky third-party Actions
Enforces guardrails through Compromised Actions and Allowed Actions policies
Eliminates the burden of maintaining forked Actions internally
https://www.stepsecurity.io/blog/implement-internal-github-actions-marketplace-with-stepsecurity
Harden-Runner Unified Network Egress Management
Feature: Unified network egress insights and outbound endpoint management for GitHub Organizations and Actions Runner Controller (ARC) clusters.
Highlights:
Adds a consolidated "All Observed Endpoints" view showing every outbound network destination contacted across all workflow runs
Provides organization-wide and cluster-wide visibility into suspicious or unexpected endpoints
Allows engineers to inspect sample workflow runs associated with any endpoint for rapid investigation
Makes outbound endpoint data for public GitHub organizations accessible for open-source transparency
Introduces Unified Network Egress Management for ARC clusters, including per-cluster endpoint views
Enables default cluster-wide network egress policies to block unauthorized outbound calls without modifying workflows
Automatically generates tailored deployment instructions to activate default egress blocking per ARC cluster
Ensures secure-by-default networking, with workflow-level allowed-endpoints lists overriding defaults only when explicitly set
Automatic Detection of Secrets in GitHub Actions Build Logs
Feature: Automated scanning of GitHub Actions build logs to identify exposed secrets.
Highlights:
Automatically downloads and analyzes completed workflow logs for secret exposure
Detects sensitive values such as API keys, passwords, private keys, and webhook URLs leaked during workflow execution
Flags violations in the "secrets should not be logged in the build log" control with masked secret previews and direct links to offending log lines
Provides enterprise-grade notifications via Slack, email, or Microsoft Teams
Displays an aggregated list of all "Secrets in build log" detections in the StepSecurity dashboard
Helps organizations prevent accidental credential leakage from tools like Azure CLI, AWS CLI, Google Cloud CLI, and misconfigured workflows
Demonstrated effectiveness during beta: uncovered real secret exposures across multiple GitHub organizations, prompting rapid remediation
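Detection logic of the kind this control runs, as an added Python example (not StepSecurity's scanner): a handful of regex detectors over constructed build-log lines, reporting line number, detector name and a masked preview rather than the secret itself. The AWS key in the sample is the documented example key value AKIAIOSFODNN7EXAMPLE, and the already-masked AWS CLI output line is included to show that masked tool output must not fire.

```python
"""Build-log secret scan of the kind the control above runs: a few regex
detectors over log lines, reporting line number, detector and a masked
preview instead of the value. Added illustration, not StepSecurity's
scanner; the log lines are constructed and the AWS key is the documented
example value AKIAIOSFODNN7EXAMPLE, not a live credential."""
import re

# Detector name -> pattern. Where a group is present it isolates the secret.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack-webhook": re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password-assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*(\S+)"),
}

# Constructed build-log excerpt. Line 2 is the AWS CLI's own masked output
# and must not be reported; lines 4-6 each leak something.
SAMPLE_LOG = """\
2026-04-20T10:00:01Z Run aws configure list
2026-04-20T10:00:01Z access_key ****************MPLE shared-credentials-file
2026-04-20T10:00:02Z Run ./deploy.sh
2026-04-20T10:00:02Z DEBUG env: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
2026-04-20T10:00:03Z curl -X POST https://hooks.slack.com/services/T000/B000/XXXXXXXXXXXXXXXXXXXXXXXX
2026-04-20T10:00:04Z DB_PASSWORD=hunter2secret
2026-04-20T10:00:05Z Build succeeded
"""


def mask(value, keep=4):
    """Keep only the last ``keep`` characters so a reviewer can recognise
    which credential leaked without the report re-exposing it."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def scan_log(text):
    """Return one finding per match: 1-based line, detector name, masked
    preview. Nothing in the result contains the raw secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"line": lineno, "detector": name,
                                 "preview": mask(secret)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %d  %-20s %s" % (f["line"], f["detector"], f["preview"]))
```

The password detector deliberately has no leading word boundary so that names like DB_PASSWORD (underscore is a word character) still match; the trade-off is a higher false-positive rate on prose, which a real scanner would tune with allowlists.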
Harden-Runner HTTPS Outbound Request Monitoring
Feature: Support for monitoring outbound HTTPS requests from GitHub-hosted and self-hosted VM runners.
Highlights:
Adds visibility into HTTP methods and paths for outbound API calls made over HTTPS
Detects anomalous or suspicious GitHub API usage, such as attempts to exfiltrate CI/CD secrets by creating issues or pushing content to unauthorized repositories
Improves accuracy of recommended GITHUB_TOKEN permissions by analyzing actual API calls made during workflow execution
Introduces a new HTTPS Events tab in Harden-Runner insights, showing all monitored outbound HTTPS calls with method, path, and organization context
Flags suspicious requests, for example POST or PUT requests made to GitHub organizations different from where the workflow is running
Powered by eBPF monitoring of SSL writes, avoiding the operational overhead and fragility of MITM proxy approaches
Easily enabled through the StepSecurity dashboard for Team and Enterprise plans, with optional Slack and email notifications for anomalous events
Fully supported in Harden-Runner v2.7.0 for GitHub-hosted and VM-based runners, with ARC (Kubernetes) support coming soon
https://www.stepsecurity.io/blog/monitor-outbound-https-requests-from-github-actions-runners
GitHub Actions Advisor & StepSecurity Maintained Actions
Feature: Launch of GitHub Actions Advisor and StepSecurity Maintained Actions to help organizations assess and reduce the risk of third-party GitHub Actions.
Highlights:
Introduces GitHub Actions Advisor, providing automated security scores for public Actions based on six attributes: maintenance status, vulnerabilities, popularity, branch protection, license, and security policy
Surfaces networking behavior for Actions using runtime data from Harden-Runner to identify outbound calls to suspicious endpoints
Helps security and DevOps teams understand risk across all Actions used in their GitHub organization
Eliminates tedious manual reviews and forks of low-quality or abandoned Actions
Launches StepSecurity Maintained Actions, secure forks maintained by StepSecurity with manual and automated review, upstream updates, and applied security best practices
Dramatically reduces risk and operational workload while improving developer velocity by enabling safe use of previously unapproved third-party Actions
Fully integrated into the StepSecurity Platform, enabling visibility into security scores and available maintained Actions across repositories
GitHub Actions Workflow Orchestration
Feature: Introduction of Workflow Orchestration for standardized GitHub Actions deployment across repositories.
Highlights:
Automates rollout of approved GitHub Actions workflows using pre-defined workflow templates
Ensures consistent adoption of security best practices and DevOps standards across all repositories
Generates automated pull requests to add or update workflows based on centrally managed templates
Supports orchestration of workflows for secure deployments, linters, security tools, and StepSecurity Maintained Actions
Enables template management through the StepSecurity dashboard, with seamless linking to a designated template repository
Provides curated recommendations per target repository, allowing teams to select and apply appropriate workflows
Fully supports private repositories using fine-grained Personal Access Tokens (PATs) for secure automation
https://www.stepsecurity.io/blog/streamline-your-github-actions-workflows-with-stepsecurity
Orchestration Platform for Private Repositories
Feature: Launch of StepSecurity's orchestration platform for securing GitHub Actions workflows in private repositories.
Highlights:
Brings the full power of StepSecurity's orchestration capabilities, trusted by 700+ open-source projects, to private repositories
Automates GitHub Actions security hardening, including SAST, SCA, OpenSSF Scorecard, Dependabot config, Harden-Runner, pre-commit hooks, and more
Provides consistent application of security controls across CI/CD pipelines with minimal developer effort
Adds support for analyzing private repositories via fine-grained Personal Access Tokens (PATs)
Automatically generates pull requests to apply missing security tools, enforce least-privilege GITHUB_TOKEN permissions, pin Actions, and strengthen CI/CD configurations
Includes flexible pricing: free for open-source projects, and first five PRs free for private repositories
Enables organizations to secure sensitive internal workflows with the same automated best-practice enforcement used across the open-source ecosystem
https://www.stepsecurity.io/blog/github-actions-security-automation-for-private-repositories
Harden-Runner Support for Self-Hosted VM Runners
Feature: Launch of Harden-Runner for self-hosted VM-based GitHub Actions runners.
Highlights:
Extends Harden-Runner's CI/CD runtime security to self-hosted VM runners used on platforms like AWS EC2, Azure VMs, and Google Compute Engine
Supports both persistent and ephemeral VM runners with zero workflow file changes required
Deploys by adding the Harden-Runner agent to the VM image (such as an AMI), automatically monitoring all workflows executed on that runner
Leverages the same battle-tested technology used across 1,600+ open-source projects and millions of workflow runs on GitHub-hosted runners
Provides eBPF-powered runtime monitoring, detecting network activity, file tampering, compromised dependencies, and credential exfiltration attempts
Includes CI/CD-native outbound network filtering, allowing teams to define authorized destinations and block unwanted traffic
Offers policy recommendations based on historical workflow behavior to help teams define precise allowlists
Unified with StepSecurity's security dashboard, enabling centralized management of GitHub Actions security across GitHub-hosted, Kubernetes-based, and VM-based runners
https://www.stepsecurity.io/blog/ci-cd-security-for-self-hosted-vm-runners
Harden-Runner Runtime Detections UI
Feature: Introduction of a unified Runtime Detections UI for viewing historical CI/CD security detections.
Highlights:
Adds a centralized dashboard displaying all past Harden-Runner threat detections across GitHub Actions workflows
Surfaces two critical detection types:
Blocked outbound calls: triggered when workflows attempt to contact non-allowed endpoints
Source code overwrite detections: alerts when multiple processes modify source files during a run, indicating potential supply chain attacks
Provides direct links to the specific workflow run, insights page, and exact step where the detection occurred
Enhances visibility and auditability beyond Slack or email notifications previously used for detection alerts
Accessible only to members of GitHub organizations that have installed the Harden-Runner App (requires only read access to the Actions API)
Strengthens organizations' ability to investigate anomalies, validate policy effectiveness, and monitor CI/CD runtime security posture
Wildcard Domain Support for Harden-Runner Egress Policies
Feature: Introduction of wildcard domain support in Harden-Runner's egress policy block mode.
Highlights:
Allows wildcard domains in the allowed-endpoints list, simplifying the management of outbound network rules
Enhances flexibility and reduces configuration overhead for complex environments with dynamic or region-specific endpoints
Eliminates the need to enumerate individual subdomains: a single wildcard rule (for example, *.data.mcr.microsoft.com:443) now covers all variants
Particularly useful for scenarios like pulling container images from Microsoft Container Registry, where content-delivery endpoints vary by region
Strengthens CI/CD security by maintaining strict block-mode egress controls while reducing friction for legitimate workflows
Feature developed directly from community feedback (Issue #236), demonstrating StepSecurity's commitment to user-driven enhancements
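The following is an added example, not StepSecurity's code, showing how an allowed-endpoints list with a wildcard entry is evaluated against outbound connections, and which connections block mode would refuse and the Runtime Detections UI would list as blocked outbound calls. It assumes (these are assumptions, not documented behaviour) that entries are whitespace-separated host:port tokens as in the action's allowed-endpoints input, that a leading "*." matches one or more subdomain labels but not the apex name, that ports must match exactly, and that hostnames compare case-insensitively. All sample connections are constructed.

```python
# Added example (not StepSecurity's code): evaluating outbound connections
# against a Harden-Runner style allowed-endpoints list with wildcard support.
# Assumptions, labelled: entries are whitespace-separated host:port tokens, as
# in the action's multi-line allowed-endpoints input; a leading "*." matches
# one or more subdomain labels but not the apex name itself; ports must match
# exactly; hostnames compare case-insensitively. All sample data is constructed.

# The same text one would put in the action's allowed-endpoints input.
ALLOWED_ENDPOINTS = """
github.com:443
api.github.com:443
mcr.microsoft.com:443
*.data.mcr.microsoft.com:443
"""

# Constructed outbound connections, as (step name, destination host, port).
SAMPLE_CONNECTIONS = [
    ("Checkout", "github.com", 443),
    ("Pull image", "mcr.microsoft.com", 443),
    ("Pull image", "eastus.data.mcr.microsoft.com", 443),
    ("Pull image", "westeurope.data.mcr.microsoft.com", 443),
    ("Build", "data.mcr.microsoft.com", 443),        # apex: not covered by "*."
    ("Build", "evil-data.mcr.microsoft.com", 443),   # suffix without the dot
    ("Test", "api.github.com", 80),                  # right host, wrong port
    ("Test", "pastebin.com", 443),
]


def parse_allowed_endpoints(text: str) -> list[tuple[str, int]]:
    """Turn the allowed-endpoints text into (host pattern, port) pairs."""
    entries = []
    for token in text.split():
        host, sep, port = token.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"expected host:port, got {token!r}")
        entries.append((host.lower().rstrip("."), int(port)))
    return entries


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or wildcard match when the pattern starts with '*.'.

    The suffix comparison keeps the leading dot so that
    'evil-data.mcr.microsoft.com' does not match '*.data.mcr.microsoft.com'.
    """
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".data.mcr.microsoft.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(allowed: list[tuple[str, int]], host: str, port: int) -> bool:
    return any(port == p and host_matches(h, host) for h, p in allowed)


def blocked_calls(allowed_text: str = ALLOWED_ENDPOINTS,
                  connections=SAMPLE_CONNECTIONS) -> list[tuple[str, str, int]]:
    """Return the connections block mode would refuse."""
    allowed = parse_allowed_endpoints(allowed_text)
    return [(step, host, port) for step, host, port in connections
            if not is_allowed(allowed, host, port)]


if __name__ == "__main__":
    for step, host, port in blocked_calls():
        print(f"blocked outbound call in step {step!r}: {host}:{port}")
```

The check worth copying is the one in host_matches: the wildcard suffix is compared with its leading dot, so a lookalike such as evil-data.mcr.microsoft.com is refused even though it ends in data.mcr.microsoft.com. Whether the apex name itself should match a "*." rule is a policy choice; here it does not, so an apex that is needed has to be listed explicitly, as mcr.microsoft.com is above.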
Harden-Runner Policy Store
Feature: Introduction of the Policy Store for managing Harden-Runner policies outside workflow files.
Highlights:
Enables teams to define and manage Harden-Runner policies directly in the StepSecurity dashboard, without modifying workflow YAML
Supports configuration of network egress restrictions, sudo access controls, and code-tampering detection policies through a centralized UI
Allows workflows to reference policies using a simple policy attribute, reducing duplication and operational overhead
Eliminates the need to store policy definitions inside workflow files, improving maintainability and simplifying policy updates
Requires only the id-token: write permission, which lets Harden-Runner obtain a GitHub OIDC token to authenticate to StepSecurity and fetch the referenced policy
Provides an intuitive interface to create, update, and apply policies across jobs and repositories
Improves developer experience and enables more scalable governance of CI/CD security controls
Read more: https://www.stepsecurity.io/blog/introducing-harden-runner-policy-store
Harden-Runner Support for Kubernetes-Based Self-Hosted Runners (ARC)
Feature: Launch of Harden-Runner for Kubernetes-based self-hosted GitHub Actions runners using Actions Runner Controller (ARC).
Highlights:
Extends Harden-Runner beyond GitHub-hosted Ubuntu runners to fully support ARC-managed Kubernetes self-hosted runners
Provides runtime CI/CD security using eBPF for file, DNS, and network event auditing without requiring workflow or container image changes
Delivers 100% runtime visibility across all workflow executions in Kubernetes environments
Maintains Harden-Runner's core protections: preventing credential exfiltration, detecting source-code tampering, and identifying compromised dependencies or build tools
Re-architected to use Kubernetes-native resources for event handling, correlation, and insights
Offers agentless, operationally simple deployment for enterprise self-hosted CI/CD environments
Ideal for organizations requiring private-network runners, custom operating environments, or enhanced security around sensitive secrets and cloud admin identities
Harden-Runner v1.5.0: Automatic Cache Endpoint Detection
Feature: Automatic detection of GitHub Actions cache endpoints in Harden-Runner.
Highlights:
Harden-Runner now auto-detects GitHub Actions cache endpoints during workflow execution
Removes the need to manually specify cache endpoints in the allowed-endpoints list when using block mode
Improves developer experience by preventing accidental blocking of cache traffic, especially in forks and reusable workflows where cache endpoints differ
Ensures seamless operation across repositories by dynamically identifying Azure Blob storage endpoints used by GitHub Actions caching
Maintains backward compatibility: workflows that explicitly list cache endpoints will continue to work without modification
Enhances Harden-Runner's overall usability for users securing their CI/CD pipelines through outbound network restrictions
Read more: https://www.stepsecurity.io/blog/harden-runner-github-action-now-auto-detects-cache-endpoints
Harden-Runner: Source Code Tampering Detection for GitHub Actions
Feature: Introduction of Harden-Runner, a GitHub Actions security agent designed to detect unauthorized source code modification during the build process.
Highlights:
Detects tampering of source code during CI/CD builds, the same attack vector used in the SolarWinds supply chain compromise
Leverages the Linux Audit Framework on GitHub-hosted Ubuntu runners to monitor file modifications at runtime
Surfaces detections directly in GitHub Actions as error annotations, including syscall details and the modifying executable
Provides CI/CD runtime visibility that traditional countermeasures (branch protection, code review, and code signing) cannot offer
Easy to adopt: added as the first step of a job in any GitHub Actions workflow
Already used in 500+ repositories, including public open-source projects from Google, Microsoft, Automattic, and the broader developer ecosystem
Available on the GitHub Marketplace, with hands-on scenarios provided through the Supply Chain Goat project
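The source code overwrite detection described in this entry and in the Runtime Detections UI entry above, as an added example that is not StepSecurity's code. The rule is a deliberate simplification and an assumption on my part: a file under the checked-out workspace is flagged when more than one distinct executable writes to it during the job, with the first writer (normally git during checkout) treated as the legitimate one. The events below are constructed by hand to resemble what an audit source such as auditd or eBPF reports; the workspace path and executable names are assumed.

```python
# Added example (not StepSecurity's code): a simplified source-code overwrite
# detector run over constructed file-write events. Assumption, labelled: a file
# under the checked-out workspace is flagged when more than one distinct
# executable writes to it during the job, with the first writer (normally git
# during checkout) treated as the legitimate one. Real agents take these events
# from auditd or eBPF; here they are hand-written.
from collections import defaultdict
from dataclasses import dataclass

WORKSPACE = "/home/runner/work/app/app"   # assumed checkout directory


@dataclass(frozen=True)
class WriteEvent:
    step: str      # workflow step during which the write happened
    pid: int
    exe: str       # executable that performed the write
    syscall: str   # syscall reported by the audit source
    path: str      # file written


# Constructed events: checkout, dependency install, a build that rewrites
# package.json, and a shell process overwriting a source file.
SAMPLE_EVENTS = [
    WriteEvent("Checkout", 1201, "/usr/bin/git", "openat", f"{WORKSPACE}/src/main.py"),
    WriteEvent("Checkout", 1201, "/usr/bin/git", "openat", f"{WORKSPACE}/package.json"),
    WriteEvent("Install", 1340, "/usr/bin/node", "openat", f"{WORKSPACE}/node_modules/.package-lock.json"),
    WriteEvent("Build", 1402, "/usr/bin/node", "openat", f"{WORKSPACE}/dist/bundle.js"),
    WriteEvent("Build", 1402, "/usr/bin/node", "rename", f"{WORKSPACE}/package.json"),
    WriteEvent("Build", 1419, "/bin/sh", "write", f"{WORKSPACE}/src/main.py"),
    WriteEvent("Build", 1419, "/bin/sh", "write", "/tmp/build.log"),
]


def in_workspace(path: str, workspace: str = WORKSPACE) -> bool:
    """True when the path is the workspace root or lies below it."""
    return path == workspace or path.startswith(workspace + "/")


def detect_source_overwrites(events, workspace: str = WORKSPACE) -> list[dict]:
    """Flag workspace files written by more than one executable.

    Returns one finding per offending write, carrying the executable and
    syscall so the annotation can name both.
    """
    writes_by_path = defaultdict(list)
    for ev in events:
        if in_workspace(ev.path, workspace):
            writes_by_path[ev.path].append(ev)

    findings = []
    for path in sorted(writes_by_path):
        evs = writes_by_path[path]
        first_writer = evs[0].exe
        if len({ev.exe for ev in evs}) < 2:
            continue  # a single process touching the file is normal
        for ev in evs:
            if ev.exe != first_writer:
                findings.append({"path": path, "step": ev.step, "pid": ev.pid,
                                 "exe": ev.exe, "syscall": ev.syscall,
                                 "first_writer": first_writer})
    return findings


def format_annotation(finding: dict) -> str:
    """Render a finding as a GitHub Actions error annotation workflow command."""
    return (f"::error::Source code overwritten: {finding['path']} was modified by "
            f"{finding['exe']} (pid {finding['pid']}, syscall {finding['syscall']}) "
            f"in step '{finding['step']}'; first written by {finding['first_writer']}")


if __name__ == "__main__":
    for finding in detect_source_overwrites(SAMPLE_EVENTS):
        print(format_annotation(finding))
```

On the sample input the detector reports two files: src/main.py, rewritten by /bin/sh after git checked it out, and package.json, rewritten by node during the build. The second is the kind of legitimate build-time edit that makes a pure "more than one writer" rule noisy; a production agent needs a way to declare expected writers or paths, which is the role the Policy Store's code-tampering settings play in Harden-Runner. Writes outside the workspace, such as /tmp/build.log, are ignored entirely.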