





















At StepSecurity, we set out to solve a fundamental problem
CI/CD pipelines had become the highest-value target in the software supply chain, yet they operated with virtually no runtime security.
Today, we're celebrating a milestone that validates this mission.
Harden-Runner now protects over 10,000 open-source repositories. Harden-Runner is also used by companies across open source, security, and enterprise environments. A public list of organizations using Harden-Runner is available in our documentation
Harden-Runner is essentially an EDR solution for CI/CD runners.
Just as traditional endpoint detection and response (EDR) protects laptops and servers by monitoring activity, detecting threats, and enforcing protections, Harden-Runner extends the same security model to CI/CD runners. It continuously observes workflows, inspects runtime behavior, and blocks malicious activity before it can cause damage.
As strong believers in open-source, we also offer a free community tier for open-source projects, making it easier for maintainers to secure their CI/CD pipelines without added cost.
This number reflects a fundamental shift in how organizations approach pipeline security, moving from reactive incident response to continuous, proactive protection. It represents three years of relentless focus on making CI/CD secure by default
When we launched Harden-Runner in March 2022, the CI/CD security landscape was vastly different. Most organizations treated their build pipelines as trusted environments—a dangerous assumption that attackers had already begun exploiting. We built Harden-Runner to change that assumption, bringing endpoint-style runtime security to CI/CD runners.
The growth trajectory tells the story:

That acceleration reflects a critical industry awakening. Organizations now recognize that securing the build process is just as important as securing the application itself. With over 13 million jobs monitored weekly, we're seeing this shift play out across individual developers, open-source projects, and Fortune 500 enterprises.
Harden-Runner's value isn't just measured in features; it's measured in threats detected and attacks prevented. Over the past three years, we've caught supply chain attacks that others missed, often becoming the first line of defense when trusted components turned malicious.
In one of our most significant detections, Harden-Runner flagged suspicious behavior in the widely-used tj-actions/changed-files Action before any public disclosure. The Action had been compromised through a sophisticated supply chain attack, and malicious code was executing in thousands of workflows.
Harden-Runner detected anomalous network traffic patterns that didn't match established baselines. This early warning allowed affected organizations to respond immediately, preventing potential credential theft and code tampering. The incident demonstrated why runtime monitoring is critical: static analysis can't catch what happens when trusted dependencies turn malicious at runtime.
When the Shai Hulud supply chain attack targeted CNCF's Backstage repository, Harden-Runner was there to catch it. This attack represented a new category of threat, one that traditional security tools weren't designed to detect. Our runtime monitoring identified the attack's signature behavior, providing immediate visibility into the compromise.
In August 2025, the popular Nx build system was compromised in an incident dubbed s1ngularity. Malicious versions were published to npm and delivered a data-stealing payload via a post-install script that harvested developer secrets like GitHub and npm tokens, SSH keys, environment variables, and wallet data.
The malware also attempted to abuse local AI CLI tools such as Claude, Gemini, and q to help with reconnaissance and data collection, marking a new escalation in supply chain attacker tradecraft.
Harden-Runner successfully flagged the activity as anomalous during runtime analysis. The compromised install path made unexpected outbound calls to api.github.com during npm install, which is not normal package-install behavior. The process chain also revealed the malicious post-install script spawning credential theft actions like gh auth token, which Harden-Runner surfaced clearly in workflow telemetry.
When an independent security researcher demonstrated a supply chain attack on Flank, Google's open-source mobile testing project, Harden-Runner detected it in real time. The researcher exploited a vulnerable GitHub Actions workflow to gain access to an elevated GITHUB_TOKEN with write permissions to the repository. They crafted an innovative exploit that attempted to blend in with normal traffic patterns, downloading and executing code that exfiltrated the token by reading runner worker memory.
Harden-Runner had been monitoring Flank's workflows since December 2022, building baselines of normal network behavior. When the exploit made an outbound call to raw.githubusercontent.com, a domain that had never appeared in previous runs, Harden-Runner immediately flagged it as anomalous. The detection happened despite the researcher's efforts to circumvent monitoring by using familiar GitHub endpoints.
In the researcher's own words: "Ran into StepSecurity Harden-Runner while executing a PoC against a Google OSS repository and it picked up an anomalous curl to raw.githubusercontent.com despite some initial effort I made to blend in. The maintainers had Harden Runner in audit mode, but that telemetry could very well be the difference between a supply chain attack and successful incident response for an organization that actually alerts on it."
Had this been a real attack instead of ethical security research, the compromised token could have been used to tamper with Flank's releases, potentially affecting all downstream users. Harden-Runner's detection provided the visibility needed to identify and respond to the threat in real time.
Harden-Runner also detected a real-time CI/CD supply chain attack in Microsoft’s open-source Azure Karpenter Provider project. An independent security researcher exploited a misconfigured GitHub Actions workflow that allowed untrusted code to run with elevated permissions, resulting in access to a GITHUB_TOKEN with id-token: write scope. In a real attack, this token could have been used to access cloud resources tied to the workflow.
Because Harden-Runner had been deployed across the project’s workflows, the exploit was detected immediately through anomalous outbound network activity. The malicious run attempted to fetch code from a GitHub gist and exfiltrate credentials to an external domain, both of which deviated from the established baseline of normal workflow behavior. StepSecurity reported the issue to Microsoft’s Security Response Center within an hour, and the disclosure was formally acknowledged by Microsoft.
Reaching 10,000 protected repositories required building a platform that adapts to how teams actually work. Since launch, we've focused on making Harden-Runner powerful enough for enterprise environments while remaining simple enough for individual developers.
The 10,000 repositories protected by Harden-Runner represent thousands of individual decisions to prioritize runtime security. Here's what developers and security engineers are saying:
“Before StepSecurity, detecting the origin of a suspicious outbound network connection was challenging with traditional CNAPPs or IDS solutions, as we’d only see a general alert. StepSecurity gives us complete visibility into which specific Action triggered a connection and even lets us drill down into host processes tied to that Action. Now, we have a clear and actionable picture of every network connection our runners make, and we can respond with confidence”--Jean-Philippe Lachance, Staff Security Specialist, R&D, Coveo
“It’s easy to get started with GitHub Actions, but using it securely has historically required manual effort and configuration, which isn’t as straightforward. StepSecurity solves this by automating security best practices for workflows, as well as through their Harden-Runner action, which provides protection against exfiltration and source code tampering throughout the lifecycle of a workflow. Leveraging the Harden-Runner action is both painless and an absolute must for any project.”--Evan Gibler, Staff Security Engineer, Chainguard
"Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool's improvement over time."--Jordan Harband, Open Source Maintainer
"Harden-Runner is a Must-Have GitHub Action to Prevent Supply Chain Attacks. StepSecurity is the one-stop-shop to harden your GitHub Actions and ensure peace of mind."--Wenqi Glantz, Software Architect
"Harden-runner is an amazing project by StepSecurity! You can easily integrate it in your GitHub Actions and it will block egress traffic and ensure your code isn't overwritten at runtime, to protect against malicious or compromised dependencies."--Christophe Tafani-Dereeper, Cloud Security Engineer
"Since enabling Harden Runner in our projects, we have much higher confidence and observability into what our build process is doing. This is just one step in a much broader piece of work we are doing to increase the trust in our supply chain security."--Cam Parry, Senior Site Reliability Engineer, Kapiche
The Harden-Runner Community Tier is trusted by some of the most widely used open-source projects and ecosystems in the world. These projects sit at the core of modern software development and infrastructure, which makes their CI/CD pipelines especially attractive targets for supply chain attacks.
Today, Harden-Runner helps protect workflows across projects and organizations including:




Many more projects use Harden-Runner across the open-source ecosystem. You can see more here
Reaching 10,000 protected repositories marks a significant milestone, but it's just the beginning. The threats facing CI/CD pipelines continue to evolve, and so must our defenses. We're focused on three key areas:
Whether you're protecting a solo project or enterprise infrastructure, Harden-Runner delivers the runtime visibility and control that modern CI/CD demands. Our Community Tier remains free for all public repositories, making it easy to get started.
Ready to secure your workflows?
Use our Secure Workflow tool to automatically integrate Harden-Runner into your GitHub Actions with minimal configuration. Join the 10,000+ repositories that have made runtime security a default part of their development process.
Together, we're building a future where CI/CD pipelines are secure by default, not as an afterthought, but as a fundamental property of how we build software.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。