StepSecurity Harden-Runner Now Secures Over 4,500 Open Source Repositories

From startups to government agencies, more than 4,500 repositories now rely on Harden-Runner for CI/CD security. Here’s a look at our latest milestone, some exciting new adoptions, and how you can leverage Harden-Runner to harden your runners.

Varun Sharma
November 7, 2024

We're thrilled to announce that StepSecurity Harden-Runner now secures over 4,500 repositories on GitHub! This achievement comes less than two months after reaching our 4,000 milestone, reflecting the rapid adoption of Harden-Runner across the open-source community. The growing trust in Harden-Runner, both within open source and in high-profile organizations, underscores the importance of securing CI/CD pipelines.

Recognized in the Book GitHub Actions in Action

StepSecurity Harden-Runner was featured in the newly published book GitHub Actions in Action, authored by Michael Kaufmann, Rob Bos, and Marcel de Vries from Xebia. This comprehensive guide delves into setting up secure and efficient workflows on GitHub Actions, covering essential topics like preventing ‘pwn requests,’ mitigating script injection vulnerabilities, and managing GitHub token permissions.

Harden-Runner is highlighted in the book’s security chapter as a go-to solution for monitoring and limiting network access from GitHub runners, further validating its role in keeping CI/CD processes secure. For teams using GitHub Actions, this book is an invaluable resource for building security into every stage of their development pipeline.

Snippets from the book mentioning StepSecurity Harden-Runner

Adoption by Digg Sweden

DiggSweden's Open Source Project Template Using Harden-Runner

Digg Sweden, the Agency for Digital Government, recently added Harden-Runner to their open-source project template! The template is intended as a practical starting point for releasing a project as open source. It has been written in a general way so that anyone can use it, and it proposes well-known conventions and de-facto standards wherever possible.

Why is this important?

  1. Growing Awareness of CI/CD Security: More organizations are becoming aware of the need to secure their CI/CD pipelines and runners.
  2. Government Adoption: Digg’s adoption of Harden-Runner demonstrates the growing trust in our security solution among government agencies.
  3. Setting Standards: As a template for open-source projects, Digg’s choice influences security best practices for numerous future projects.

Adopted by Another Microsoft Repository

Microsoft's Repository Leveraging Harden-Runner

Excitingly, another Microsoft repository has integrated Harden-Runner, further solidifying its place as a critical CI/CD security tool. A recent pull request titled “Hardening GitHub Runners” was created by a Microsoft developer in the vsts-extension-retrospectives repository, marking another vote of confidence from a major tech player. This PR emphasizes Harden-Runner’s core features:

  • Baseline Creation: Tracks outbound network calls, processes, and file writes per job across multiple runs.
  • Anomaly Detection: Alerts on any unexpected deviations from the job-specific baseline.
  • Blocking Policies: Allows setting specific block policies to prevent unauthorized changes or behavior.
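As an added example (not code from this post or from the Microsoft PR), the workflow below shows how the three features above map onto configuration: a job is first run with `egress-policy: audit` to build its baseline, then switched to `block` with an explicit allow-list so any other egress is denied and flagged. It assumes Harden-Runner's documented `egress-policy` and `allowed-endpoints` inputs; the hostnames are constructed values for a typical Node.js build.

```yaml
name: build
on:
  pull_request:

# Least-privilege GITHUB_TOKEN, in line with the token-permission guidance
# from the book chapter mentioned above.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Harden-Runner must be the first step so it observes every later step.
      # Phase 1 (baseline creation): run with `egress-policy: audit` for a few
      # runs; outbound calls, processes and file writes are recorded and become
      # the job-specific baseline. Phase 2 (blocking policy): once the baseline
      # is stable, switch to `block` and allow only the destinations the job
      # is known to need. Anything outside the list is denied and reported as
      # an anomaly. In production, pin the action to a full commit SHA rather
      # than a floating tag.
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block        # use `audit` while building the baseline
          allowed-endpoints: >        # constructed allow-list for this example
            github.com:443
            api.github.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # A build step that reaches any host not listed above (for example, a
      # compromised dependency calling home) is blocked at the network layer.
      - run: npm ci && npm test
```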

Seeing Harden-Runner integrated into Microsoft projects is a testament to its reliability and effectiveness in fortifying CI/CD security. We’re proud to be part of the security vocabulary in today’s developer community.

Looking Forward

As we celebrate reaching 4,500 repositories, we’re more motivated than ever to continue building out Harden-Runner’s capabilities. Our mission is to make secure CI/CD simple, effective, and accessible to every developer and organization. Thank you to everyone who’s adopted Harden-Runner—we’re excited to continue this journey with you!
