step-security/harden-runner
Monitor and restrict a runner's network egress to detect and block CI supply-chain attacks.
What it does
step-security/harden-runner runs as the first step and monitors the runner's outbound network calls and file activity. In audit mode it reports; in block mode it denies egress to anything not on your allowlist.
It is designed to catch the exact class of attack where a compromised action tries to exfiltrate secrets.
Usage
workflow (.yml)
steps:
- uses: step-security/harden-runner@v2
with:
egress-policy: audit # switch to block once you know your endpoints
- uses: actions/checkout@v4Inputs
| Input | Description | Default | Required |
|---|---|---|---|
egress-policy | audit (report only) or block (deny non-allowlisted egress). | audit | No |
allowed-endpoints | Endpoints permitted in block mode. | - | No |
disable-sudo | Disable sudo on the runner. | false | No |
Notes
Start in audit mode to learn the endpoints your build needs, then move to block with an allowlist.
Common errors
- A build that suddenly fails to reach a registry in
blockmode means that endpoint is not inallowed-endpoints. Add it.
Security and pinning
- Add harden-runner as the first step so it can observe everything that follows.
- Pin it to a commit SHA like any third-party action.
Alternatives and related
github/codeql-actionRun GitHub CodeQL static analysis to find security vulnerabilities in your code.
Frequently asked questions
How does harden-runner catch a compromised action?
It monitors outbound network traffic. In block mode it denies egress to endpoints you did not allow, so an action trying to exfiltrate secrets is stopped and surfaced.