
Milestone Achieved: 2500+ Public Repositories Secured with Harden-Runner

We're celebrating 2500+ public repositories secured with Harden-Runner! Read this blog to explore the rising need for CI/CD infrastructure security, the impact of Harden-Runner, its new features, and how it has become a part of developers' vocabulary.
Varun Sharma

October 14, 2024

Introduction

We’re thrilled to announce that Harden-Runner now secures over 2,500 public repositories on GitHub! Harden-Runner has been experiencing exponential growth, and this latest milestone underscores that trend. Remarkably, the last two milestones, securing 2,000 and 1,500 repositories, were achieved in December and September 2023, respectively. This achievement comes just two months later, highlighting the accelerating adoption of Harden-Runner within the developer community.

StepSecurity Harden-Runner provides network egress control and CI/CD infrastructure security for GitHub-hosted and self-hosted environments. It is used by Microsoft, Google, CISA, DataDog, Intel and hundreds more organizations to enhance their GitHub Actions security.

You can give Harden-Runner a try and experience its impact here: https://app.stepsecurity.io/login

The Rising Need for CI/CD Infrastructure Security

In 2023, several benchmarks and guidance documents were released by recognized agencies to highlight the need for CI/CD security. These included CI/CD security enhancement recommendations by the Center for Internet Security (CIS), joint CISA and NSA guidance on defending CI/CD pipelines, and an initial public draft from NIST on strategies for integrating software supply chain security into DevSecOps CI/CD pipelines.

The latest guidance released by NIST recommends strategies for integrating software supply chain security into DevSecOps CI/CD pipelines. It recommends countermeasures such as network security controls and endpoint protection software against attack vectors such as malware and network-based attacks. Here’s what the guidance says about the need for network controls:

"There should be enhanced real-time monitoring and alerting mechanisms to detect suspicious activities in CI/CD servers, especially activities that might indicate the exfiltration of sensitive data or the tampering of builds."
- NIST Guidance SP 800-204D

Harden-Runner's Impact

The impact of Harden-Runner extends beyond numbers. It has enhanced the security posture of CI/CD pipelines across a wide range of projects. From industry giants to innovative startups, organizations rely on Harden-Runner to fortify their GitHub Actions environments against potential threats.

Fortifying Bazel

To understand the impact of Harden-Runner, one of the best case studies to check out is the Bazel case study. On Feb 1, 2024, security researchers detailed how a potential CI/CD supply chain vulnerability could have compromised the Bazel project. Bazel had adopted Harden-Runner for network egress traffic monitoring and to enhance CI/CD infrastructure security, and this enabled the project to defend against that CI/CD supply chain attack.

Defending Against the GHSL-2023-271 Threat

Another compelling example is GHSL-2023-271, a threat neutralized by Harden-Runner. This vulnerability in a third-party GitHub Action, disclosed by GitHub Security Lab, posed a significant risk by allowing arbitrary command execution on GitHub runners, potentially leading to the leakage of enterprise secrets. With Harden-Runner, our enterprise customers were able to safeguard their repositories from this vulnerability and the resulting potential data leaks. Here’s what one of those enterprises had to say about it:

“We got this in pretty much all our repositories recently https://securitylab.github.com/advisories/GHSL-2023-271_changed-files/. It's used a lot everywhere. Instantly knew StepSecurity was protecting me.”
-Cam Parry, Staff Site Reliability Engineer, Kapiche

“Harden-Runner”: Gradually Becoming a Part of Developers’ Vocabulary

In the last few months, “Harden-Runner” has become part of developers’ vernacular across the industry! In the first example below, a Microsoft developer suggests “adding Harden-Runner” to a workflow in the Microsoft Authentication Library for .NET project.

Azure AD Harden-Runner PR
Link to PR: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/4641

Here’s another example of a PR where a developer has “added Harden-Runner Action in audit mode”.

Harden-Runner rego policies PR
Link to PR: https://github.com/redhat-cop/rego-policies/pull/230

The following example also shows a PR where the developer uses the term “Harden CI Runners” and adds Harden-Runner to the workflow.

Harden-Runner Vocabulary example PR
Link to PR: https://github.com/AJGranowski/reddit-expanded-community-filter-userscript/pull/152
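For readers who have not seen what “adding Harden-Runner in audit mode” looks like, here is an added example workflow (written for this post, not taken from any of the PRs linked above). It follows the usual two-pass rollout: audit first to learn the job's outbound destinations, then block mode with an explicit allow list. The allowed hosts and the build script are constructed placeholders; take yours from the audit insights.

```yaml
name: build
on:
  push:
    branches: [main]
  pull_request:

# Least-privilege GITHUB_TOKEN; the HTTPS request insights help tune this further.
permissions:
  contents: read

jobs:
  # Pass 1: audit mode. Nothing is blocked; every outbound connection made by
  # later steps is recorded so you can see what the job actually needs.
  audit-pass:
    runs-on: ubuntu-latest
    steps:
      # Harden-Runner must be the first step so it can observe the whole job.
      # Pinning the action to a full commit SHA instead of @v2 is recommended.
      - name: Harden Runner (audit mode)
        uses: step-security/harden-runner@v2
        with:
          egress-policy: audit

      - uses: actions/checkout@v4
      - run: ./build.sh   # hypothetical build script

  # Pass 2: block mode. Only the listed host:port destinations are reachable;
  # anything else (for example an exfiltration attempt from a compromised
  # dependency) is blocked and surfaced in the run's security insights.
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner (block mode)
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          disable-sudo: true        # build steps should not need root
          allowed-endpoints: >      # constructed example list
            github.com:443
            api.github.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@v4
      - run: ./build.sh   # hypothetical build script
```

In practice the two passes are consecutive revisions of one job rather than two jobs in one file; they are shown side by side here so the audit and block settings can be compared directly.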

Harden-Runner's Latest Enterprise Features

In the last month, we have introduced two new enhancements to Harden-Runner that give enterprises enhanced monitoring capabilities and better control over network egress traffic.

Unified Network Egress View: Centralize GitHub Actions Network Destinations for Your Enterprise

One of the latest features added to Harden-Runner is the unified network egress view. With it, security and DevOps engineers get a single view of GitHub Actions network egress on the StepSecurity platform. This feature enables effective management of outbound endpoints for both GitHub organizations and Actions Runner Controller (ARC) clusters. Enterprises can now easily analyse and monitor outbound connections from all Actions workflow runs within their organization or ARC clusters, streamlining security oversight and supporting compliance.

Monitoring Outbound HTTPS Requests from GitHub Actions Runners

Another recent update to Harden-Runner is outbound HTTPS request monitoring. In response to customer demand, Harden-Runner now supports monitoring the HTTP method and path of outbound HTTPS requests from GitHub-hosted and self-hosted VM runners. This improves security monitoring by detecting potential exfiltration attempts and by recommending precise GITHUB_TOKEN permissions. Because it uses eBPF, Harden-Runner can observe this traffic without installing self-signed certificates on the runner, offering a seamless and robust way to monitor outbound HTTPS traffic.

Both features are available in the enterprise subscription plan. Open-source projects on GitHub can also use Harden-Runner's community plan for free.

Harden-Runner also provides runtime security for private repositories and self-hosted runner environments and support for:

  • Self-hosted VM runners
  • Actions Runner Controller (ARC) managed Kubernetes runners

If you’re looking to try out Harden-Runner to monitor network traffic for your enterprise, get in touch with us and we’ll set it up for you!

Conclusion

Securing over 2,500 open-source repositories with Harden-Runner is a significant milestone for us, and we’re grateful for your trust! If you’re looking to fortify your GitHub Actions with runtime security and network egress traffic control, try out Harden-Runner for free.
