Skip to content
Latchkey

How to Monitor Self-Hosted Runners for Anomalies

A hijacked runner usually reveals itself through unexpected network egress or sustained CPU, so alert on both.

Baseline normal runner behavior, then alert on new outbound destinations, unusual processes, and prolonged high CPU. step-security/harden-runner in audit mode surfaces the network view per run.

Steps

  • Run harden-runner in audit mode to log every outbound connection.
  • Alert on connections to hosts outside the known allowlist.
  • Flag sustained high CPU that looks like unauthorized mining.

Audit egress to build a baseline

.github/workflows/ci.yml
steps:
  - uses: step-security/harden-runner@v2
    with:
      egress-policy: audit   # records all outbound endpoints per run
  - uses: actions/checkout@v4
  - run: npm ci && npm run build
# Review the run's network insights, then alert on new destinations

Gotchas

  • Alerting only after a job ends is too late for exfiltration; block egress for high-value pipelines.
  • Legitimate new dependencies add endpoints; review before turning alerts into hard blocks.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →