In February 2022, StepSecurity introduced Harden Runner, a first-of-its-kind purpose-built security agent for CI/CD pipelines. Since its release, Harden Runner has been adopted by over 400 open-source projects, including projects from Microsoft, Google, and Automattic [1].
Today, I am excited to announce the general availability of Harden Runner. This is the only solution that can realistically stop attack methods used in the SolarWinds and Codecov breaches.
You should think of Harden Runner as a context-aware Endpoint Detection and Response (EDR) solution for CI/CD pipelines: it audits and blocks egress traffic, detects source code overwrites, and lets you run pipelines without sudo access.
An overview of Harden Runner
CI/CD pipelines hold privileged credentials used for deployments and are used to create release builds. This has made them a target for attacks like SolarWinds, where the source code was tampered with during the build process, and the Codecov breach, where credentials were exfiltrated from thousands of CI/CD pipelines [2][3].
Harden Runner takes CI/CD supply chain security to the next level by:
- Preventing exfiltration of code and credentials from CI/CD pipelines
- Detecting tampering of source code during the build process
- Detecting malicious tools and dependencies used in the build process
In the latest release, in addition to making the platform enterprise ready, we are also releasing three new features based on the growing adopter demand:
1. Disable sudo: With Harden Runner, you get insights on whether your job uses sudo. If not, you can disable sudo for job runs. This is to prevent malicious build tools or dependencies from installing attack tools.
2. Improved source code overwrite detection: In the previous release, Harden Runner only monitored a few file extensions. In the new release, all source code files are monitored. This means that even tampering with Infrastructure as Code files (such as Kubernetes manifests or Terraform configurations) is now detected.
3. Security Alerts: You can now configure a Slack webhook and an email address to receive alerts when outbound traffic is blocked or a source code file is overwritten during the build.
Details of each feature are on the new documentation website at https://docs.stepsecurity.io
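To make the three capabilities above concrete, here is an added example of a GitHub Actions workflow that uses them. This is illustrative code written for this post, not a workflow from StepSecurity or from any adopter; it assumes the action's `egress-policy`, `allowed-endpoints` and `disable-sudo` inputs and the `v2` major version tag, and the endpoint list and build commands are constructed for a hypothetical npm project.

```yaml
name: build
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Harden Runner must be the first step so that it observes every
      # later step (checkout, dependency install, build, release).
      - name: Harden Runner
        # Assumption: v2 major tag. In practice, pin to a full commit SHA.
        uses: step-security/harden-runner@v2
        with:
          # Run with 'audit' first to learn which endpoints the job really
          # contacts; switch to 'block' once that list is complete. In block
          # mode, any outbound connection not listed below is denied, which
          # is what stops a tampered dependency from exfiltrating secrets.
          egress-policy: block
          # Constructed allowlist for a hypothetical npm project: only the
          # hosts the build legitimately needs, as host:port pairs.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443
          # The job does not need root, so deny sudo to build tools and
          # dependencies; file monitoring stays on, so a source file
          # rewritten between checkout and build is reported.
          disable-sudo: true

      - uses: actions/checkout@v3
      - run: npm ci
      - run: npm run build
```

The usual rollout is to ship the workflow with `egress-policy: audit`, read the observed endpoints from the job's insights, and only then tighten to `block` with an explicit `allowed-endpoints` list; a block-mode job whose allowlist is incomplete fails on the first unlisted connection, which is noisy but safe.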
Case Study
InovIntell secures their CI/CD with Harden-Runner
InovIntell helps life sciences organizations reach their goals in a smarter and faster way, for the ultimate benefit of patients, with solutions using AI as a ubiquitous and invisible tool.
As a custodian of patient data, InovIntell is always innovating to deploy new security controls to secure their data assets, including patients’ medical data. InovIntell needed an easy-to-use solution to harden their CI/CD pipelines against third-party supply chain threats.
StepSecurity’s products are filling an ever-growing security gap by targeting one of the most widely used CI/CD pipeline products — GitHub Actions. We were able to easily use it in our projects without any flexibility sacrifices, while substantially improving the security of our products.
Szymon Maszke, Chief Technical Officer, InovIntell
Read the full case study here: https://www.stepsecurity.io/case-studies/inovintel
Pricing
All Harden-Runner features are free for public GitHub repositories as part of the Community plan. Today, we are announcing Team and Enterprise plans for private repositories with priority support. Details can be found on our website: https://www.stepsecurity.io/pricing
Attack Simulator
You can simulate past supply chain attacks such as SolarWinds, Codecov, and ua-parser-js and see how StepSecurity stops them using https://github.com/step-security/attack-simulator
To get updates as more capabilities are released, follow Step Security on LinkedIn and Twitter.
References
[1] Projects using Harden Runner — https://github.com/step-security/harden-runner/network/dependents
[2] SUNSPOT: An Implant in the Build Process — https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
[3] Bash Uploader Security Update — https://about.codecov.io/security-update/