Pull-mirror of github.com/step-security/harden-runner
Latest commit: d77cef7a9d "Fix errors" by eromosele-stepsecurity, 2025-01-10 15:33:01 +01:00

Files (name | last commit | date):
.github | Bump step-security/harden-runner from 2.9.0 to 2.9.1 | 2024-08-05 23:42:24 +00:00
dist | Update dist | 2024-10-26 09:47:44 -07:00
images | Release v2.9.0 (#435) | 2024-07-18 10:09:31 -07:00
src | chore: clean the code | 2024-10-24 13:46:05 +05:30
.eslintrc.js | Release v2.5.0 (#325) | 2023-07-24 11:30:49 -07:00
.gitignore | Publish test results (#363) | 2023-12-07 12:09:35 -08:00
.pre-commit-config.yaml | Release v2.5.0 (#325) | 2023-07-24 11:30:49 -07:00
action.yml | Update to node20 | 2024-01-29 12:13:17 -08:00
jest.config.ts | Publish test results (#363) | 2023-12-07 12:09:35 -08:00
LICENSE | Initial commit | 2021-10-28 09:58:47 -07:00
package-lock.json | Release v2.9.0 (#435) | 2024-07-18 10:09:31 -07:00
package.json | Update to node20 | 2024-01-29 12:13:17 -08:00
README.md | Fix errors | 2025-01-10 15:33:01 +01:00
SECURITY.md | Create SECURITY.md | 2021-11-19 13:19:40 -08:00
tsconfig.json | Release v2.5.0 (#325) | 2023-07-24 11:30:49 -07:00


Maintained by stepsecurity.io | OpenSSF Scorecard | License: Apache 2.0

Harden-Runner

Harden-Runner secures CI/CD workflows by controlling network access and monitoring activities on GitHub-hosted and self-hosted runners. It blocks unauthorized network traffic and detects unusual activity to protect against potential threats. The name "Harden-Runner" comes from its purpose: strengthening the security of the runners used in GitHub Actions workflows.


Introduction

Learn how Harden-Runner works through the video below, which shows how it detected a supply chain attack on a Google open-source project.

Video: Harden-Runner detected supply chain attack in a Google open-source project

Why Choose Harden-Runner?

  • Prevent Exfiltration: Prevent the exfiltration of CI/CD secrets and source code.
  • Detect Tampering: Identify source code modifications during builds.
  • Anomaly Detection: Spot unusual dependencies and workflow behaviors.
  • Simplify Permissions: Determine the minimum required GITHUB_TOKEN permissions.

Learn More


Getting Started

Ready to secure your CI/CD workflows? Follow our Getting Started Guide to learn how to harden GitHub-hosted runners with step-by-step instructions.


Features

Harden-Runner offers a comprehensive suite of features to enhance the security of your CI/CD workflows, available in two tiers: Community (Free) and Enterprise (Paid).

Community (Free)

  • Block Network Egress Traffic with Domain Allowlist: Control outbound network traffic by specifying allowed domains, preventing unauthorized data exfiltration.
  • Detect Compromised Packages, Dependencies & Build Tools: Identify and mitigate risks from malicious or vulnerable components in your build process.
  • Detect Modification of Source Code: Monitor and alert on unauthorized changes to your source code during the CI/CD pipeline.
  • Disable Sudo Access: Restrict the use of superuser privileges in your workflows to minimize security risks.
  • Insights Page for CI/CD Runs: Access detailed reports and analytics for each CI/CD run to monitor security events and compliance.
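The Community-tier controls above are applied by adding the Harden-Runner action as the first step of a job. The workflow below is an added example, not taken from this page or from the project's own documentation; the input names egress-policy, allowed-endpoints and disable-sudo are assumed from the action's action.yml (not shown on this page), and the endpoint allowlist is constructed for a typical Node.js build. It shows the weak setting (audit, which only logs egress) next to the hardened one (block, which drops anything not on the allowlist).

```yaml
# Added example (not from the page): hardening one GitHub Actions job with Harden-Runner.
name: build
on: [push, pull_request]

permissions:
  contents: read   # least-privilege GITHUB_TOKEN; widen per job only when a step needs it

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Harden-Runner must be the FIRST step so every later step runs under its policy.
      # Input names below are assumed from the action's action.yml, not shown on this page.
      - name: Harden Runner
        uses: step-security/harden-runner@v2.9.1   # for production, pin to a full commit SHA rather than a tag
        with:
          # First rollout: use "audit" so traffic is only recorded on the Insights page.
          # Once the recorded endpoints are known, switch to "block" (as here): any
          # connection to a host not listed below is refused and reported.
          egress-policy: block
          # Constructed allowlist for a Node.js build; one host:port per line.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            registry.npmjs.org:443
          # Refuse sudo for the rest of the job; a compromised build tool cannot escalate.
          disable-sudo: true

      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test
```

Keep the allowlist as short as the build actually needs: a blocked connection attempt from, say, a postinstall script is exactly the signal the "Detect Compromised Packages" feature relies on, and every extra host on the list is one more place data could leave.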

Enterprise (Paid)

Includes all features in the Community tier, plus:

  • Support for Private Repositories: Extend Harden-Runner's security capabilities to your private GitHub repositories.
  • Support for Self-Hosted Runners: Apply security controls and monitoring to self-hosted GitHub Actions runners.
  • Determine Minimum GITHUB_TOKEN Permissions: Monitor outbound HTTPS requests to GitHub APIs to recommend the least-privilege permissions needed for your workflows, enhancing security by reducing unnecessary access.
  • View the Name and Path of Every File Written During the Build Process: Gain visibility into every file written to the build environment, including the ability to correlate file writes with processes, ensuring complete transparency.
  • View Process Names and Arguments: Monitor every process executed during the build process, along with its arguments, and navigate the process tree to detect suspicious activities.
  • View Outbound HTTPS Traffic at the Job Level: Monitor HTTPS requests made during your workflows in real time without using a proxy. Identify anomalous requests, including cross-organization API calls, with alerts and detailed logs.

For a detailed comparison and more information, please visit our Pricing Page.

Explore the full feature set in the Features Documentation.


Trusted By and Case Studies

Harden-Runner is trusted by over 5000 leading open-source projects and enterprises, including Microsoft, Google, Kubernetes, and more.

Trusted by: CISA, Microsoft, Google, DataDog, Intel, Kubernetes, Node.js, AWS

Case Studies


How It Works

Want to know the technical details? Dive into the architecture of Harden-Runner and its integrations for GitHub-hosted and self-hosted runners in our How It Works Documentation.


Limitations

While Harden-Runner offers powerful features, there are certain limitations based on the environment, such as OS support. See the complete list in Known Limitations.


Discussions

Join the conversation! For questions, ideas, or feedback, visit our Discussions Page.

For enterprise support, email support@stepsecurity.io. Interested in using Harden-Runner in other CI/CD platforms? Reach out to interest@stepsecurity.io.


License

Harden-Runner is open source. See the LICENSE file for details.