Introduction
Harden Runner is a security agent for GitHub-hosted runners and Actions Runner Controller (ARC) based self-hosted GitHub Actions runners. It is designed to block egress traffic and detect code overwrites, thereby preventing potential breaches like the SolarWinds or Codecov incidents.
Previously, Harden Runner users were notified of threat detections through Slack or email. With the new Runtime Detections UI, users can view all past detections in one place.
An Overview of Runtime Detections UI
The Runtime Detections UI is a powerful addition to Harden Runner, offering a consolidated view of past CI/CD runtime detections across GitHub Actions workflows in your organization. It has two sections:
Outbound calls that have been blocked
Outbound calls are blocked when a workflow makes calls to endpoints that are not in that job's list of allowed endpoints. This policy can be set in the workflow YAML file or the Policy store.
Source code files that have been overwritten during CI/CD pipeline execution
Harden Runner monitors source code files during a workflow run, and if two different processes write to a file, it triggers a detection. Such behavior indicates a potential supply chain attack, as in the case of the SolarWinds attack.
In each case, the specific GitHub Actions workflow and workflow run are linked with the detection. The UI also provides direct links to the run and to the insights URL, which details the exact step where the detection occurred.
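The two detection rules described above, as a simplified illustration added here; it is not Harden Runner's code. The event fields, the endpoint list and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: the event schema and endpoints are assumptions made
# for this example, not Harden Runner's actual telemetry format.
ALLOWED_ENDPOINTS = {("github.com", 443), ("registry.npmjs.org", 443)}

EVENTS = [
    {"step": "checkout", "type": "connect", "pid": 101, "exe": "git", "host": "github.com", "port": 443},
    {"step": "checkout", "type": "write", "pid": 101, "exe": "git", "path": "src/app.js"},
    {"step": "install", "type": "connect", "pid": 210, "exe": "node", "host": "registry.npmjs.org", "port": 443},
    {"step": "build", "type": "write", "pid": 305, "exe": "node", "path": "dist/app.js"},
    {"step": "build", "type": "write", "pid": 305, "exe": "node", "path": "dist/app.js"},
    {"step": "build", "type": "write", "pid": 377, "exe": "sh", "path": "src/app.js"},
    {"step": "build", "type": "connect", "pid": 378, "exe": "curl", "host": "collector.example.net", "port": 443},
]


def detect(events, allowed):
    """Return (blocked_calls, overwritten_files) for one job's event stream."""
    blocked = []
    writers = defaultdict(list)  # path -> [(pid, exe, step)], one entry per distinct pid
    for ev in events:
        if ev["type"] == "connect":
            # Egress rule: host and port must both match an allowed endpoint.
            if (ev["host"].lower(), ev["port"]) not in allowed:
                blocked.append((ev["step"], ev["exe"], f'{ev["host"]}:{ev["port"]}'))
        elif ev["type"] == "write":
            # Repeated writes by the same process do not count as a second writer.
            if all(pid != ev["pid"] for pid, _, _ in writers[ev["path"]]):
                writers[ev["path"]].append((ev["pid"], ev["exe"], ev["step"]))
    # Overwrite rule: a file written by two or more different processes.
    overwritten = {path: w for path, w in writers.items() if len(w) > 1}
    return blocked, overwritten


if __name__ == "__main__":
    blocked_calls, overwritten_files = detect(EVENTS, ALLOWED_ENDPOINTS)
    for step, exe, dest in blocked_calls:
        print(f"blocked outbound call: step={step} process={exe} endpoint={dest}")
    for path, procs in overwritten_files.items():
        print(f"file overwritten: {path} writers={procs}")
```

Each result carries the step name, which mirrors how a detection is tied back to the exact step of a workflow run.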
To get notifications and view the Detections UI, you must install the Harden Runner App, which only needs read access to the GitHub Actions API. The UI is only accessible to members of the organization in which the Harden Runner App is installed. You can read more about this feature in the documentation.
Conclusion
The new Runtime Detections UI extends Harden Runner's capabilities, offering greater visibility into past detections. Try Harden Runner today if you are concerned about CI/CD security for your GitHub Actions workflows. You can simulate past supply chain attacks and see how Harden Runner blocks them using https://github.com/step-security/attack-simulator.