We’re thrilled to announce the significant achievement of securing 1,500 open-source repositories with Harden-Runner! This milestone is not just a number; it represents the accelerating growth of Harden-Runner and validates our commitment to CI/CD security and providing GitHub Actions security. We’re also expanding further to more CI/CD providers in the coming months and are excited to play a role in fortifying the defenses of many organizations. If you’re interested in becoming a design partner for the Harden-Runner port to other CI/CD providers, please get in touch with us.
The Journey to 1,500 Repositories
Harden-Runner was designed to help organizations secure their GitHub Actions workflows against CI/CD attacks, and adoption shows it has done so. We’ve seen rapid growth in the use of Harden-Runner since its inception in December 2021. It took 10 months to be adopted by the first 500 open-source repositories, the next 5 months to reach 1,000 repositories, and just 4 months to reach 1,500 repositories. This accelerating growth is a testament to Harden-Runner’s effectiveness in providing runtime security for GitHub Actions.
Securing One Organization at a Time
Various esteemed organizations have adopted Harden-Runner in the last few months. The Cybersecurity & Infrastructure Security Agency (CISA), for example, is using StepSecurity Harden-Runner to secure the GitHub Actions workflows in several of its public repositories. A CISA developer noted on GitHub that Harden-Runner helped secure their workflow by warning them when an action reaches an unexpected web address or overwrites the source code. Likewise, a developer from Microsoft commented on a GitHub pull request that Harden-Runner let them secure their CI/CD pipelines by blocking the workflow’s access to all internet endpoints except the ones they explicitly allowed.
Another big tech firm using StepSecurity’s tools is Google. Google has been using our GitHub Actions Runtime Security solution for several Google projects to strengthen its CI/CD security. Here are other organizations leveraging the power of Harden-Runner:
Harden-Runner’s Success in Numbers
When it comes to the success of Harden-Runner, we’ll let the numbers do the talking. So far, Harden-Runner has secured 2,182,819 CI/CD workflow runs, 1,550+ public repositories and 3,900 CI/CD workflows. We’re constantly upgrading Harden-Runner’s features and expect even faster growth in these numbers in the coming months.
How StepSecurity Can Fortify Your Self-Hosted Runners
StepSecurity’s Harden-Runner strengthens security for both GitHub-Hosted runners and self-hosted Kubernetes-based Actions Runner Controller (ARC) runners. If you’re securing a self-hosted Kubernetes-based ARC environment, you also get extra features such as secure-by-default ARC cluster-level policies and monitoring of all workflow runs without changing any workflow files. To explore these security features further, see our GitHub Actions Goat hands-on educational project, which includes sample workflows that use self-hosted runners.
CISA Highlights the Importance of Defending CI/CD Environments
The recently published guide by CISA, in collaboration with the National Security Agency (NSA), emphasizes that securing CI/CD pipelines is essential for organizations. The guide lists a number of recommendations for securing CI/CD pipelines, along with information on the most common security threats and attack patterns. We at StepSecurity are committed to helping organizations defend their CI/CD environments against malicious cyber actors in alignment with this guidance.
Announcing New Features and Expansion to Other CI/CD Providers
StepSecurity’s runtime security solution for GitHub Actions enables you to track network and file activity for all GitHub Actions workflows. Now, it also allows you to:
- View the organization’s CI/CD runtime security in one place
- See the runtime security summary for all workflow runs across the organization
- Identify whether any jobs are missing runtime security controls, whether an outbound call was blocked, or whether source code was overwritten
Looking Ahead
Currently, Harden-Runner works for GitHub-Hosted and self-hosted Kubernetes Actions Runner Controller (ARC) environments. In the coming months, we will be launching Harden-Runner for other CI/CD providers such as Jenkins, GitLab CI, TeamCity, Harness, Azure DevOps, and CircleCI.
If you’re looking to secure these or any other CI/CD provider, get in touch with us and our team will make sure to set up Harden-Runner in your environment to keep your CI/CD pipelines secure.