Harden-Runner: EDR for CI/CD Stops Supply Chain Attacks Cold

Corporate laptops and production servers typically have robust security monitoring in place to reduce risk and meet compliance requirements. However, CI/CD runners, which handle sensitive information like secrets for cloud environments and create production builds, often lack such security measures. This oversight has led to significant supply chain attacks, including the SolarWinds and Codecov breaches.

Traditional security monitoring and EDR solutions are ineffective for CI/CD runners due to their ephemeral nature. These tools also lack the necessary context to correlate events with specific workflow runs in a CI/CD environment.

StepSecurity Harden-Runner addresses this gap by providing security monitoring tailored for CI/CD runners. This approach brings CI/CD runners under the same level of security scrutiny as other critical systems, addressing a significant gap in the software supply chain.

Harden-Runner secures over a million CI/CD workflow runs every week, protecting thousands of pipelines, including those from popular open-source projects by Microsoft, Google, and CISA. See how top projects are using Harden-Runner and explore the insights.

Why Choose Harden-Runner?

• Prevent Exfiltration: Prevent the exfiltration of CI/CD secrets and source code.
• Detect Tampering: Identify source code modifications during builds.
• Anomaly Detection: Spot unusual dependencies and workflow behaviors.
• Simplify Permissions: Determine the minimum required GITHUB_TOKEN permissions.

Features

Harden-Runner offers a comprehensive suite of features to enhance the security of your CI/CD workflows, available in two tiers: Community (Free) and Enterprise (Paid).

Community (Free)

• CI/CD-Aware Event Correlation: Each outbound network connection, file operation, and process execution is mapped to the exact step, job, and workflow where it occurs.
• Automated Baseline Creation: Harden-Runner builds a baseline for each job based on past outbound network connections.
• Anomaly Detection: Once the baseline is created, any future outbound calls not in the baseline trigger a detection.
• Block Network Egress Traffic with Domain Allowlist: Optionally use the automatically created baseline to control outbound network traffic by specifying allowed domains, preventing unauthorized data exfiltration.
• Detect Modification of Source Code: Monitor and alert on unauthorized changes to your source code during the CI/CD pipeline.

Enterprise (Paid)

Includes all features in the Community tier, plus:

• Support for Private Repositories: Extend Harden-Runner’s security capabilities to your private GitHub repositories.
• Support for Self-Hosted Runners: Apply security controls and monitoring to self-hosted GitHub Actions runners.
• GitHub Checks Integration: Enable GitHub Checks for Harden-Runner—if the baseline remains unchanged, the check passes; if it changes, the check fails, showing new outbound connections.
• View Outbound GitHub API calls at the Job Level: Monitor HTTPS requests to GitHub APIs
• Determine Minimum GITHUB_TOKEN Permissions: Monitor outbound HTTPS requests to GitHub APIs to recommend the least-privilege permissions needed for your workflows, enhancing security by reducing unnecessary access.
• View the Name and Path of Every File Written During the Build Process: Gain visibility into every file written to the build environment, including the ability to correlate file writes with processes, ensuring complete transparency.
• View Process Names and Arguments: Monitor every process executed during the build process, along with its arguments, and navigate the process tree to detect suspicious activities.

Install & Use