How to Monitor Self-Hosted Runners for Anomalies
A hijacked runner usually reveals itself through unexpected network egress or sustained CPU, so alert on both.
Baseline normal runner behavior, then alert on new outbound destinations, unusual processes, and prolonged high CPU. step-security/harden-runner in audit mode surfaces the network view per run.
Steps
- Run
harden-runnerin audit mode to log every outbound connection. - Alert on connections to hosts outside the known allowlist.
- Flag sustained high CPU that looks like unauthorized mining.
Audit egress to build a baseline
.github/workflows/ci.yml
steps:
- uses: step-security/harden-runner@v2
with:
egress-policy: audit # records all outbound endpoints per run
- uses: actions/checkout@v4
- run: npm ci && npm run build
# Review the run's network insights, then alert on new destinationsGotchas
- Alerting only after a job ends is too late for exfiltration; block egress for high-value pipelines.
- Legitimate new dependencies add endpoints; review before turning alerts into hard blocks.
Related guides
How to Audit Self-Hosted Runner ActivityTrack what runs on your self-hosted GitHub Actions runners using the organization audit log and runner diagno…
How to Restrict Runner Network Egress With harden-runnerLock down outbound network traffic from a GitHub Actions runner using step-security/harden-runner in block mo…