diff --git a/NEWREADME.md b/NEWREADME.md new file mode 100644 index 0000000..7ae3193 --- /dev/null +++ b/NEWREADME.md @@ -0,0 +1,131 @@ +

+ + + Dark Banner + +

+ +
+ +[![Maintained by stepsecurity.io](https://img.shields.io/badge/maintained%20by-stepsecurity.io-blueviolet)](https://stepsecurity.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=harden-runner) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/step-security/harden-runner/badge)](https://api.securityscorecards.dev/projects/github.com/step-security/harden-runner) +[![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://raw.githubusercontent.com/step-security/harden-runner/main/LICENSE) + +
+ +# Harden-Runner + +Harden-Runner secures CI/CD workflows by controlling network access and monitoring activities on GitHub-hosted and self-hosted runners. It blocks unauthorized network traffic and detects unusual activity to protect against potential threats. The name "Harden-Runner" comes from its purpose: strengthening the security of the runners used in GitHub Actions workflows. + +## Quick Links + +- [Why Use Harden-Runner](docs/why-use-harden-runner.md) +- [Getting Started Guide](docs/getting-started.md) +- [Features and Capabilities](docs/features.md) +- [Case Studies and Trusted Projects](docs/trusted-and-cases.md) +- [How It Works](docs/how-it-works.md) +- [Known Limitations](docs/limitations.md) +- [Join the Discussions](docs/discussions.md) + +--- + +## Introduction + +Learn how Harden-Runner works through the video below, which shows how it detected a supply chain attack on a Google open-source project. + + + Harden-Runner detected supply chain attack in a Google open-source project + + +--- + +## Why Choose Harden-Runner? + +- **Prevent Exfiltration:** Monitor and block unauthorized outbound network traffic. +- **Detect Tampering:** Identify source code modifications during builds. +- **Anomaly Detection:** Spot unusual dependencies and workflow behaviors. +- **Simplify Permissions:** Determine the minimum required `GITHUB_TOKEN` permissions. + +[Learn More](docs/why-use-harden-runner.md) + +--- + +## Getting Started + +Ready to secure your CI/CD workflows? Follow our [Getting Started Guide](docs/getting-started.md) to learn how to harden GitHub-hosted runners with step-by-step instructions. + +--- + +## Features + +Harden-Runner offers a comprehensive suite of features to enhance the security of your CI/CD workflows, available in two tiers: **Community** (Free) and **Enterprise** (Paid). + +### Community (Free) + +- **Block Network Egress Traffic with Domain Allowlist:** Control outbound network traffic by specifying allowed domains, preventing unauthorized data exfiltration. +- **Detect Compromised Packages, Dependencies & Build Tools:** Identify and mitigate risks from malicious or vulnerable components in your build process. +- **Detect Modification of Source Code:** Monitor and alert on unauthorized changes to your source code during the CI/CD pipeline. +- **Disable Sudo Access:** Restrict the use of superuser privileges in your workflows to minimize security risks. +- **Insights Page for CI/CD Runs:** Access detailed reports and analytics for each CI/CD run to monitor security events and compliance. + +### Enterprise (Paid) + +Includes all features in the **Community** tier, plus: + +- **Support for Private Repositories:** Extend Harden-Runner's security capabilities to your private GitHub repositories. +- **Support for Self-Hosted Runners:** Apply security controls and monitoring to self-hosted GitHub Actions runners. +- **Determine Minimum GITHUB_TOKEN Permissions:** Monitor outbound HTTPS requests to GitHub APIs to recommend the least-privilege permissions needed for your workflows, enhancing security by reducing unnecessary access. +- **View the Name and Path of Every File Written During the Build Process:** Gain visibility into every file written to the build environment, including the ability to correlate file writes with processes, ensuring complete transparency. +- **View Process Names and Arguments:** Monitor every process executed during the build process, along with its arguments, and navigate the process tree to detect suspicious activities. +- **View Outbound HTTPS Traffic at the Job Level:** Monitor HTTPS requests made during your workflows in real time without using a proxy. Identify anomalous requests, including cross-organization API calls, with alerts and detailed logs. + + +For a detailed comparison and more information, please visit our [Pricing Page](https://www.stepsecurity.io/pricing). + +Explore the full feature set in the [Features Documentation](docs/features.md). + +--- + +## Trusted By and Case Studies + +Harden-Runner is trusted by over 4000 leading open-source projects and enterprises, including Microsoft, Google, Kubernetes, and more. + +### Trusted by + + +| [![CISA](https://avatars.githubusercontent.com/u/18539691?s=60&v=4)](https://app.stepsecurity.io/github/cisagov/skeleton-generic/actions/runs/9947319332?jobid=27479776091&tab=network-events) | [![Microsoft](https://avatars.githubusercontent.com/u/6154722?s=60&v=4)](https://app.stepsecurity.io/github/microsoft/ebpf-for-windows/actions/runs/7587031851) | [![Google](https://avatars.githubusercontent.com/u/2810941?s=60&v=4)](https://app.stepsecurity.io/github/GoogleCloudPlatform/functions-framework-ruby/actions/runs/7576989995) | [![DataDog](https://avatars.githubusercontent.com/u/365230?s=60&v=4)](https://app.stepsecurity.io/github/DataDog/stratus-red-team/actions/runs/7446169664) | [![Intel](https://avatars.githubusercontent.com/u/17888862?s=60&v=4)](https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/7590975903) | [![Kubernetes](https://avatars.githubusercontent.com/u/36015203?s=60&v=4)](https://app.stepsecurity.io/github/kubernetes-sigs/cluster-api-provider-azure/actions/runs/7591172950) | [![Node.js](https://avatars.githubusercontent.com/u/9950313?s=60&v=4)](https://app.stepsecurity.io/github/nodejs/node/actions/runs/7591405720) | [![AWS](https://avatars.githubusercontent.com/u/2232217?s=60&v=4)](https://app.stepsecurity.io/github/aws/aperf/actions/runs/7631366761) | +| --------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | +| **CISA**
[Explore](https://app.stepsecurity.io/github/cisagov/skeleton-generic/actions/runs/9947319332?jobid=27479776091&tab=network-events) | **Microsoft**
[Explore](https://app.stepsecurity.io/github/microsoft/ebpf-for-windows/actions/runs/7587031851) | **Google**
[Explore](https://app.stepsecurity.io/github/GoogleCloudPlatform/functions-framework-ruby/actions/runs/7576989995) | **DataDog**
[Explore](https://app.stepsecurity.io/github/DataDog/stratus-red-team/actions/runs/7446169664) | **Intel**
[Explore](https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/7590975903) | **Kubernetes**
[Explore](https://app.stepsecurity.io/github/kubernetes-sigs/cluster-api-provider-azure/actions/runs/7591172950) | **Node.js**
[Explore](https://app.stepsecurity.io/github/nodejs/node/actions/runs/7591405720) | **AWS**
[Explore](https://app.stepsecurity.io/github/aws/aperf/actions/runs/7631366761) | + +### Case Studies + +- [Harden-Runner Detects CI/CD Supply Chain Attack in Google’s Open-Source Project Flank](https://www.stepsecurity.io/case-studies/flank) +- [Kapiche secures their GitHub Actions software supply chain with Harden-Runner](https://www.stepsecurity.io/case-studies/kapiche) +- [Arcjet Enhances CI/CD Security with Harden-Runner](https://www.stepsecurity.io/case-studies/arcjet) +- [How Coveo Strengthened GitHub Actions Security with StepSecurity](https://www.stepsecurity.io/case-studies/coveo) +- [StepSecurity Detects CI/CD Supply Chain Attack in Microsoft’s Open-Source Project Azure Karpenter Provider in Real-Time](https://www.stepsecurity.io/case-studies/azure-karpenter-provider) +--- + +## How It Works + +Want to know the technical details? Dive into the architecture of Harden-Runner and its integrations for GitHub-hosted and self-hosted runners in our [How It Works Documentation](docs/how-it-works.md). + +--- + +## Limitations + +While Harden-Runner offers powerful features, there are certain limitations based on the environment, such as OS support. See the complete list in [Known Limitations](docs/limitations.md). + +--- + +## Discussions + +Join the conversation! For questions, ideas, or feedback, visit our [Discussions Page](https://github.com/step-security/harden-runner/discussions). + +For enterprise support, email support@stepsecurity.io. Interested in using Harden-Runner in other CI/CD platforms? Reach out to interest@stepsecurity.io. + +--- + +## License + +Harden-Runner is open source. See the [LICENSE](LICENSE) file for details.