Latest Posts

reviewdog GitHub Actions are compromised

This story is still developing. There is conclusive evidence that many reviewdog Actions are compromised.

Harden-Runner detection: tj-actions/changed-files action is compromised

We are investigating a critical security incident involving the popular tj-actions/changed-files GitHub Action. We want to alert you immediately so that you can take prompt action. This post will be updated as new information becomes available.

Announcing StepSecurity’s Integration with RunsOn: Secure and Optimized CI/CD Pipelines

We’re excited to announce our integration with RunsOn, the modern way to self-host GitHub Actions runners at scale on AWS, with incredible cost savings and advanced features. With this partnership, StepSecurity Harden-Runner now seamlessly integrates with RunsOn, providing enhanced security and visibility for CI/CD pipelines.

Secure Repo Just Got Better: New Features for GitHub Actions Security Best Practices

The updates include support for pinning GitHub’s New Immutable Actions, exemptions for pinning specific GitHub Actions, and configuring preferences to use across multiple repositories.

Why Compliance Auditors Are Looking at Your CI/CD Runners - And How to Prepare

Despite the sensitive roles CI/CD runners play (accessing source code, secrets, and deployment systems), compliance requirements often don’t explicitly call them out. As a result, security teams may focus on traditional servers and endpoints, while build runners go unmonitored. This blog will explain why that is changing.

Harden-Runner Flags Anomalous Outbound Call, Leading to Docker Documentation Update

Harden-Runner detected an unexpected outbound call from Docker across multiple customer environments. Surprisingly, it wasn’t listed in Docker’s allow list, and no EDR tool flagged it. Here’s how we identified it, reported it, and got it added to Docker’s documentation.

StepSecurity Harden-Runner Now Secures GitHub Actions Workflows for Over 5,000 Open Source Projects

We're excited to announce that StepSecurity's Harden-Runner GitHub Action has reached a significant milestone, now securing GitHub Actions workflows for over 5,000 open source projects. This milestone comes at a crucial time when CI/CD security is more important than ever, as evidenced by recent security incidents and our growing impact across the open source ecosystem.

2024 in Review: The Evolution of CI/CD Security & What's Next

How StepSecurity achieved 5X ARR growth while securing over 5,000 open-source repositories in 2024
