Despite the sensitive roles CI/CD runners play (accessing source code, secrets, and deployment systems), compliance requirements often don’t explicitly call them out. As a result, security teams may focus on traditional servers and endpoints, while build runners go unmonitored. This blog will explain why that is changing.

Harden-Runner detected an unexpected outbound call from Docker across multiple customer environments. Surprisingly, it wasn’t listed in Docker’s allow list, and no EDR tool flagged it. Here’s how we identified it, reported it, and got it added to Docker’s documentation.

We're excited to announce that StepSecurity's Harden-Runner GitHub Action has reached a significant milestone, now securing GitHub Actions workflows for over 5,000 open source projects. This milestone comes at a crucial time when CI/CD security is more important than ever, as evidenced by recent security incidents and our growing impact across the open source ecosystem.

How StepSecurity achieved 5X ARR growth while securing over 5,000 open-source repositories in 2024

Securing GitHub Actions: Understanding and Mitigating the 'Pwn Request' Vulnerability

Critical lessons in securing CI/CD pipelines from the Ultralytics GitHub Actions attack

The vulnerability in PyTorch’s CI/CD pipeline highlights the critical need for securing self-hosted runners

Starting November 8, 2024, 6:32 PM UTC, StepSecurity Harden-Runner detected unusual outbound network traffic to an unknown domain from multiple GitHub Actions workflow runs across several customers. This systemic incident underscores the importance of real-time monitoring and network visibility for CI/CD runners, showcasing Harden-Runner's effectiveness in identifying and addressing security anomalies.