Introduction
We’re thrilled to announce that we’re taking Harden-Runner to the next level by supporting Kubernetes-based self-hosted GitHub Actions runners. This exciting development allows users to secure their Actions Runner Controller (ARC) environments with StepSecurity's advanced security features, ensuring that CI/CD workflows are protected from potential threats. Read the blog to know more about why you need ARC based self-hosted GitHub Actions Runners, how it works, and more.
Harden-Runner for GitHub Hosted Actions Runner
Harden-Runner is an open-source, purpose-built CI/CD runtime security agent for GitHub Actions. Earlier, it was only supported on Ubuntu based GitHub hosted Actions runners. Built based on learnings from past software supply chain attacks, it packs an impressive array of capabilities, such as preventing the exfiltration of credentials, detecting tampering of source code during builds, and spotting compromised dependencies & build tools. For each workflow execution, it provides an insight page that summarizes runtime security observations. It is currently used by more than 800 open-source repositories and several enterprise customers.
Why Actions Runner Controller (ARC) based self-hosted GitHub Actions Runners?
In our discussions with enterprises, we found that customers use self-hosted GitHub Actions runners primarily for security reasons. Self-hosted runners provide complete control of the runtime CI/CD environment. In addition, it can also work within customers’ private network environment. As GitHub Actions runners typically use highly sensitive secrets associated with cloud administrator IAM identities and software distribution accounts, some customers prefer self-hosted GitHub Actions as it doesn’t expose these secrets to another third-party. Other reasons are custom choices for hardware, operating system, and software tools for Actions Runners. Some customers also use self-hosted runners for cost reasons.
Kubernetes has become the go-to platform for managing containerized applications at scale. As many such security conscious organizations already have platform teams for managing their Kubernetes infrastructure, Kubernetes has become the most common vehicle for hosting self-hosted GitHub Actions runners.
Harden-Runner for Actions Runner Controller (ARC) based self-hosted GitHub Actions runners
We have rearchitected Harden-Runner to be Kubernetes aware to work efficiently in this environment. It uses native Kubernetes capabilities to provide the same security guarantees like the agent-based model used for GitHub Hosted Actions Runners.
One of the major benefits of using Harden-Runner in a Kubernetes-based self-hosted environment is that it uses eBPF to analyze runtime CI/CD behavior. This means that you won't need to make any changes to the workflow file or the runner pod container image, making it an “agentless” and hassle-free integration for enterprises. Once you deploy Harden-Runner in your Kubernetes cluster, you’ll have 100% runtime visibility for all Action workflow executions. You can optionally update the workflow file to enable additional defenses such as blocking traffic to unknown endpoints.
Secure Your Kubernetes-Based Self-Hosted Runners with Harden-Runner
Harden-Runner is now generally available for Kubernetes-based self-hosted runners. With this release, you can secure your Actions Runner Controller (ARC) environments by leveraging StepSecurity's advanced security features and ensure your CI/CD workflows are protected from potential threats. Explore the full range of capabilities and secure your ARC environment today with StepSecurity Harden-Runner. Secure your ARC environments and GitHub-hosted runners today, try out the StepSecurity platform or get in touch with us- https://www.stepsecurity.io/contact