Skip to content
Latchkey

step-security/harden-runner

Monitor and restrict a runner's network egress to detect and block CI supply-chain attacks.

Community actionCategory: Security & Supply ChainLatest v2View on GitHub

What it does

step-security/harden-runner runs as the first step and monitors the runner's outbound network calls and file activity. In audit mode it reports; in block mode it denies egress to anything not on your allowlist.

It is designed to catch the exact class of attack where a compromised action tries to exfiltrate secrets.

Usage

workflow (.yml)
steps:
  - uses: step-security/harden-runner@v2
    with:
      egress-policy: audit   # switch to block once you know your endpoints
  - uses: actions/checkout@v4

Inputs

InputDescriptionDefaultRequired
egress-policyaudit (report only) or block (deny non-allowlisted egress).auditNo
allowed-endpointsEndpoints permitted in block mode.-No
disable-sudoDisable sudo on the runner.falseNo

Notes

Start in audit mode to learn the endpoints your build needs, then move to block with an allowlist.

Common errors

  • A build that suddenly fails to reach a registry in block mode means that endpoint is not in allowed-endpoints. Add it.

Security and pinning

  • Add harden-runner as the first step so it can observe everything that follows.
  • Pin it to a commit SHA like any third-party action.

Alternatives and related

Frequently asked questions

How does harden-runner catch a compromised action?
It monitors outbound network traffic. In block mode it denies egress to endpoints you did not allow, so an action trying to exfiltrate secrets is stopped and surfaced.
Running step-security/harden-runner? Run it on Latchkey managed runners - self-healing and caching included. Start free → 30-day trial · No credit card