News

Celebrating 3,000+ GitHub Repositories Secured with Harden-Runner

We're celebrating 3000+ public repositories secured with Harden-Runner! Read this blog to explore how we analyzed the XZ build process using Harden-Runner, how Harden-Runner detected a real CI/CD supply chain attack in a Google open-source project, and more.

Varun Sharma
April 25, 2024

Table of Contents

Table of Contents

We’re excited to share that Harden-Runner now secures over 3,000 open-source repositories on GitHub! This milestone comes less than two months after we celebrated securing 2,500 repositories and is a testament to our accelerating growth over the months.

StepSecurity Harden-Runner provides network egress control and CI/CD infrastructure security for GitHub-hosted and self-hosted runner environments. It has been leveraged by Microsoft, Google, CISA, DataDog, Intel, and hundreds of other organizations to enhance their GitHub Actions security.

NIST Guidance on real-time monitoring of CI/CD servers

The National Institute of Standards and Technology (NIST) recently published guidance on integrating software supply chain security in CI/CD pipelines. The guidance validates that CI/CD security for enterprises is not just important but essential.

As seen in the image below, the guidance emphasizes the need for real-time monitoring to detect "suspicious activities in CI/CD servers that might indicate exfiltration of sensitive data or tampering of builds."

NIST guidance on CI/CD server security
NIST guidance on CI/CD server security

StepSecurity Harden-Runner is designed to do exactly this for both hosted and self-hosted CI/CD servers. This NIST publication is one of several other regulatory and compliance frameworks recommending hardening CI/CD build servers.

Analysis of Backdoored XZ Utils Build Process with Harden-Runner

We analyzed the XZ Utils build process using StepSecurity Harden-Runner and observed the injection of the backdoor. As per the CVE-2024-3094, the build process extracts a disguised test file existing in the source code, which is then used to maliciously modify specific functions in the liblzma code to inject the backdoor.

This is a common supply chain attack technique where source code or build artifacts are tampered during the build process, as previously seen in the SolarWinds and event-stream incidents. Harden-Runner monitors file overwrite events during the build process to detect this attack technique. 

In order to examine the build process of XZ utils, we executed the build for both the non-backdoored and backdoored versions using GitHub Actions. The workflows were run on GitHub-hosted runners, and we monitored the runtime events using StepSecurity Harden-Runner.

Harden-Runner detected the tampering of the Makefile during the XZ build process. Read more about it here or watch this YouTube video of the live analysis:

Harden-Runner Detects CI/CD Supply Chain Attack in Google’s Open-Source Project in Real-Time

Adnan Khan, an independent security researcher, recently demonstrated a supply chain attack on Google’s open-source project, Flank. If done by an actual attacker, this could have led to a supply chain attack like the recent XZ Utils and SolarWinds security incidents. Flank has been using StepSecurity Harden-Runner since Dec 2022, and Adnan’s attempt, while successful, was detected by Harden-Runner. 

While the security researcher was executing the proof of concept against the vulnerable GitHub Actions workflow in the Google OSS repository, Harden-Runner picked up an anomalous outbound network call to raw[.]githubusercontent[.]com despite the researcher’s effort to evade detection. 

A big kudos to Adnan for raising awareness about CI/CD security with ethical testing and to the developers at Google for being vigilant about securing their GitHub Actions!

For executive summary, check out the video below.

Read the case study here.

Spotlight on Project: Picnic Technologies

Great to see Picnic Technologies leveraging the power of StepSecurity Harden-Runner for their open-source project! Kudos to the Picnic developers for proactively securing their GitHub Actions workflows!

Picnic is an online app-based supermarket and one of the top tech startups in the Netherlands! 

As seen in this pull request, it is very interesting to see developers discovering Harden-Runner from other projects and adopting it for their own projects after realizing its impact! The project is using Harden-Runner in block mode, so any outbound calls that are not in the allowed list are blocked.

Conclusion

Securing over 3,000 open-source repositories with Harden-Runner is a significant milestone for us and grateful for your trust in us! If you’re looking to fortify your GitHub Actions with runtime security and network egress traffic control, try out Harden Runner for free.

Try Harden-Runner

We’re excited to share that Harden-Runner now secures over 3,000 open-source repositories on GitHub! This milestone comes less than two months after we celebrated securing 2,500 repositories and is a testament to our accelerating growth over the months.

StepSecurity Harden-Runner provides network egress control and CI/CD infrastructure security for GitHub-hosted and self-hosted runner environments. It has been leveraged by Microsoft, Google, CISA, DataDog, Intel, and hundreds of other organizations to enhance their GitHub Actions security.

NIST Guidance on real-time monitoring of CI/CD servers

The National Institute of Standards and Technology (NIST) recently published guidance on integrating software supply chain security in CI/CD pipelines. The guidance validates that CI/CD security for enterprises is not just important but essential.

As seen in the image below, the guidance emphasizes the need for real-time monitoring to detect "suspicious activities in CI/CD servers that might indicate exfiltration of sensitive data or tampering of builds."

NIST guidance on CI/CD server security
NIST guidance on CI/CD server security

StepSecurity Harden-Runner is designed to do exactly this for both hosted and self-hosted CI/CD servers. This NIST publication is one of several other regulatory and compliance frameworks recommending hardening CI/CD build servers.

Analysis of Backdoored XZ Utils Build Process with Harden-Runner

We analyzed the XZ Utils build process using StepSecurity Harden-Runner and observed the injection of the backdoor. As per the CVE-2024-3094, the build process extracts a disguised test file existing in the source code, which is then used to maliciously modify specific functions in the liblzma code to inject the backdoor.

This is a common supply chain attack technique where source code or build artifacts are tampered during the build process, as previously seen in the SolarWinds and event-stream incidents. Harden-Runner monitors file overwrite events during the build process to detect this attack technique. 

In order to examine the build process of XZ utils, we executed the build for both the non-backdoored and backdoored versions using GitHub Actions. The workflows were run on GitHub-hosted runners, and we monitored the runtime events using StepSecurity Harden-Runner.

Harden-Runner detected the tampering of the Makefile during the XZ build process. Read more about it here or watch this YouTube video of the live analysis:

Harden-Runner Detects CI/CD Supply Chain Attack in Google’s Open-Source Project in Real-Time

Adnan Khan, an independent security researcher, recently demonstrated a supply chain attack on Google’s open-source project, Flank. If done by an actual attacker, this could have led to a supply chain attack like the recent XZ Utils and SolarWinds security incidents. Flank has been using StepSecurity Harden-Runner since Dec 2022, and Adnan’s attempt, while successful, was detected by Harden-Runner. 

While the security researcher was executing the proof of concept against the vulnerable GitHub Actions workflow in the Google OSS repository, Harden-Runner picked up an anomalous outbound network call to raw[.]githubusercontent[.]com despite the researcher’s effort to evade detection. 

A big kudos to Adnan for raising awareness about CI/CD security with ethical testing and to the developers at Google for being vigilant about securing their GitHub Actions!

For executive summary, check out the video below.

Read the case study here.

Spotlight on Project: Picnic Technologies

Great to see Picnic Technologies leveraging the power of StepSecurity Harden-Runner for their open-source project! Kudos to the Picnic developers for proactively securing their GitHub Actions workflows!

Picnic is an online app-based supermarket and one of the top tech startups in the Netherlands! 

As seen in this pull request, it is very interesting to see developers discovering Harden-Runner from other projects and adopting it for their own projects after realizing its impact! The project is using Harden-Runner in block mode, so any outbound calls that are not in the allowed list are blocked.

Conclusion

Securing over 3,000 open-source repositories with Harden-Runner is a significant milestone for us and grateful for your trust in us! If you’re looking to fortify your GitHub Actions with runtime security and network egress traffic control, try out Harden Runner for free.

Try Harden-Runner