Introduction
Arcjet is a startup with a mission to help developers protect their applications against various security risks. Their approach involves installing an SDK that inspects every request and offers security features, such as spam and fraud prevention, bot blocking, and API abuse protection. Arcjet is a developer experience-first company and offers seamless and developer-friendly security solutions.
The Challenge
With the increase in CI/CD security attacks, it has become a top priority for many companies to secure their CI/CD pipelines. The recent joint guidance on Defending CI/CD Environments released by CISA and NSA is a testimony to this. CI/CD attacks have and will continue to breach sensitive information and result in data leaks for organizations.
Arcjet's top priority is to provide a native SDK that caters to developers' specific language and tech stack. Since the SDK will be used by Arcjet’s customers, it is important that it is built and released securely. Arcjet uses GitHub Actions on self-hosted Virtual Machines (VMs) to build, test, and release their software.
Arcjet needed a solution to fortify their GitHub Actions environment to not only secure their organization from these threats but to ensure a seamless and easy developer experience in their company. While there are existing application/ cloud security solutions that could be used in CI/CD they are not effective in preventing and detecting attacks targeting GitHub Actions workflows.
The Solution: StepSecurity GitHub Actions Security Platform
Arcjet discovered StepSecurity as a low-friction security platform designed to enhance the security of CI/CD pipelines. One of the capabilities StepSecurity offers is runtime security for GitHub Actions. StepSecurity Harden-Runner serves as a purpose-built agent that monitors the build process for suspicious activities, such as source code overwrites and unexpected outbound calls. This tool aligns perfectly with Arcjet's commitment to providing a seamless and secure developer experience and empowers them to secure their GitHub Actions environment. It also aligns with their need for a solution that works across different GitHub Actions environments – be it GitHub-hosted, self-hosted VMs, or self-hosted Kubernetes runners.
Arcjet uses StepSecurity Harden-Runner to gain visibility into the build process and establish policies to limit outbound access to authorized endpoints. By doing so, they ensure that their CI/CD pipelines remain secure and free from potential threats.
“StepSecurity has helped us protect our GitHub Actions workflows from exfiltration-style attacks by providing network observability for the runtime environment. The platform seamlessly monitors files, processes & network activity and blocks egress traffic (with allowlists), detects source code tampering and compromised dependencies. One thing we love about the tool is that it runs on all platforms- be it GitHub hosted, self-hosted, or VM runners.”
David Mytton
CEO of Arcjet and Co-founder of Console.dev
The Outcome
The adoption of StepSecurity empowered Arcjet to gain better visibility and confidence in their workflows. They can now swiftly detect and mitigate malicious build tools and packages, significantly reducing the risk associated with supply chain attacks. With StepSecurity, Arcjet is now better protected against CI/CD attacks and can easily prevent the exfiltration of sensitive data and service credentials from their workflows. This enhanced security provides assurance to Arcjet’s customers that the Arcjet SDKs are built and released securely.