CI/CD security agent for real-time threat detection on GitHub Actions runners
Top 42.6% on sourcepulse
Harden-Runner is a CI/CD security agent designed to provide EDR-like monitoring for GitHub Actions runners, addressing the critical gap in securing CI/CD pipelines against supply chain attacks. It targets developers and security teams seeking to enhance the security posture of their build and deployment processes by monitoring network egress, file integrity, and process activity in real-time.
How It Works
Harden-Runner operates by integrating as a step within GitHub Actions workflows. It monitors network connections, file operations, and process executions, correlating these events with specific workflow steps. The agent automatically builds a baseline of normal activity for each job, enabling anomaly detection for deviations like unauthorized network calls or file modifications. This approach provides granular visibility and context, crucial for identifying and mitigating threats in ephemeral CI/CD environments.
Quick Start & Requirements
Add step-security/harden-runner@<version> as the first step in your GitHub Actions workflow.
Highlighted Details
Maintenance & Community
Maintained by StepSecurity.io. Active community discussion is available via the Discussions page. Enterprise support is available via email.
Licensing & Compatibility
Licensed under Apache 2.0. Compatible with commercial use and closed-source linking.
Limitations & Caveats
Some advanced features, such as support for private repositories and self-hosted runners, are part of the paid Enterprise tier. OS support limitations are detailed in the Known Limitations documentation.
4 days ago
Inactive