StepSecurity

Computer and Network Security

Seattle, Washington · 12,211 followers

Secure your GitHub Actions with StepSecurity: Your Trusted CI/CD Security Partner

About us

StepSecurity provides a comprehensive security platform for GitHub Actions. If you are using GitHub Actions for CI/CD and are worried about the security of your CI/CD pipelines, the StepSecurity platform is for you. Over 3,000 open-source projects, including those from the Cybersecurity and Infrastructure Security Agency (CISA), Google, Microsoft, Datadog, Kubernetes, Node, and Ruby, use StepSecurity to harden their CI/CD pipelines. Our enterprise tier is currently deployed at customers in the crypto, healthcare, and cybersecurity industries.

Website
https://www.stepsecurity.io
Industry
Computer and Network Security
Company size
2-10 employees
Headquarters
Seattle, Washington
Type
Privately held
Founded
2021


Posts

  • StepSecurity reposted

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    StepSecurity Harden-Runner is helping secure the Ruby GitHub org! Let's take a moment to spotlight an awesome open-source project from the Ruby GitHub org that uses Harden-Runner in its publishing workflow!

    This project is securely publishing to RubyGems, and doing it the right way with:
    - OpenID Connect (OIDC) authentication: no static credentials!
    - Harden-Runner's network and runtime monitoring: full visibility into every outbound request.

    What does the network traffic look like?
    - Code checkout from GitHub
    - Dependencies pulled from GitHub & RubyGems
    - Secure publishing to RubyGems
    - sigstore usage for supply chain integrity
    No unexpected network calls: everything checks out!

    Why is this exciting?
    - Software supply chain attacks are on the rise: secure publishing matters more than ever!
    - Harden-Runner ensures workflows only talk to trusted endpoints: no surprises.
    - It ensures only expected processes interact with trusted endpoints, protecting the integrity of the published software.

    This is community-tier usage, meaning anyone can see these insights and learn from them! Check out the Harden-Runner insights in action (link in comments).

    Huge shoutout to the Ruby community for leading by example with secure CI/CD practices! Want to make sure your workflows are secure too? Try Harden-Runner today!

  • StepSecurity reposted

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    StepSecurity Now Integrates with RunsOn for Secure, Cost-Effective CI/CD Pipelines!

    I'm thrilled to announce that StepSecurity's Harden-Runner now seamlessly integrates with RunsOn, the modern solution for self-hosting GitHub Actions runners on AWS at scale. This partnership combines StepSecurity's robust CI/CD security capabilities with RunsOn's optimized, cost-efficient runners. As software supply chain attacks continue to rise, this integration provides critical protection without disrupting developer workflows.

    Why choose RunsOn with StepSecurity?
    1. 10x cheaper than GitHub-hosted runners
    2. 30%+ faster performance
    3. 5x faster, unlimited caching with S3-local bucket
    4. Full control within your AWS account
    5. Enhanced security with Harden-Runner's network restrictions and runtime monitoring

    Implementation is incredibly simple too! Just update your runner image to use the StepSecurity image, and you'll always have the latest Harden-Runner agent without manual updates or configuration hassles. This partnership represents our ongoing commitment to making CI/CD security accessible, effective, and developer friendly. Ready to strengthen your CI/CD security while optimizing costs? Check out our integration guide (in comments) for more details.

  • StepSecurity reposted

    View Ashish Kurmi's profile

    Co-Founder & CTO, StepSecurity | Ex-Plaid | Ex-Uber | Ex-Microsoft

    Secure Repo Just Got Better!

    StepSecurity's Secure Repo has already helped 2,000+ open-source projects and several StepSecurity enterprise customers apply GitHub Actions security best practices automatically. Now, we're making it even more customizable and efficient with these new updates:
    - Pin to GitHub's New Immutable Actions: No need to pin by commit SHA if an action is immutable! Secure Repo will now pin immutable actions to their semantic version (e.g., v1.2.3) for easier maintenance.
    - Exempt Actions from Pinning: You can now exclude specific actions from being pinned, giving you more flexibility.
    - Save Your Security Settings: No more selecting best practices every time! Configure your preferences once in User Settings, and they'll apply automatically when analyzing new repos.

    With these updates, Secure Repo makes it even easier for developers to secure their CI/CD pipelines with minimal effort. For more details, check out the link in the comments.
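The pinning policy the post above describes (rewrite mutable tags to a full commit SHA, keep a full semantic version for immutable actions, skip an exemption list) can be expressed as a small checker. This is an added example, not Secure Repo's own code. It works on a constructed workflow: the `example/...` action names are made up, the 40-hex SHAs are placeholders standing in for what `git ls-remote` or the GitHub API would return, and the resolver is a plain dict instead of a network call.

```python
import re
from dataclasses import dataclass

# "uses: owner/repo[/subdir]@ref" as a plain key or a list item, with an optional trailing comment.
USES_RE = re.compile(
    r'^(?P<indent>\s*-?\s*uses:\s*)(?P<action>[^\s@#]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$'
)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')          # a full commit SHA is the only immutable git ref
SEMVER_TAG_RE = re.compile(r'^v\d+\.\d+\.\d+$')  # vX.Y.Z, the form the post pins immutable actions to


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    status: str  # pinned | rewritten | immutable-ok | immutable-needs-full-version | exempt | unresolved


def repo_of(action: str) -> str:
    """owner/repo[/path] -> owner/repo, the key used by the resolver and the policy sets."""
    return "/".join(action.split("/")[:2])


def pin_workflow(text, resolver, immutable=frozenset(), exempt=frozenset()):
    """Return (rewritten workflow text, findings). Local (./) and docker:// steps are left alone."""
    out_lines, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group("action").startswith(("./", "docker://")):
            out_lines.append(line)
            continue
        action, ref = m.group("action"), m.group("ref")
        repo = repo_of(action)
        if repo in exempt:
            status = "exempt"                     # user asked us not to touch this action
        elif SHA_RE.match(ref):
            status = "pinned"                     # already a commit SHA
        elif repo in immutable:
            # Immutable actions are pinned to a full version tag instead of a SHA.
            status = "immutable-ok" if SEMVER_TAG_RE.match(ref) else "immutable-needs-full-version"
        else:
            sha = resolver.get((repo, ref))       # placeholder for `git ls-remote <repo> <ref>`
            if sha is None:
                status = "unresolved"             # cannot pin what we cannot resolve; leave for review
            else:
                status = "rewritten"
                # Keep the human-readable tag as a trailing comment so reviewers (and bots) still see it.
                line = f"{m.group('indent')}{action}@{sha} # {ref}"
        findings.append(Finding(n, action, ref, status))
        out_lines.append(line)
    return "\n".join(out_lines), findings


# Constructed sample workflow; SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v3.8.2
      - uses: example/immutable-action@v1.2.3
      - uses: example/immutable-action@v1
      - uses: example/exempt-action@main
      - uses: ./.github/actions/local
      - uses: example/unknown-action@v9
"""
RESOLVER = {("actions/checkout", "v4"): "0123456789abcdef0123456789abcdef01234567"}  # placeholder SHA
IMMUTABLE = frozenset({"example/immutable-action"})
EXEMPT = frozenset({"example/exempt-action"})

if __name__ == "__main__":
    new_text, findings = pin_workflow(SAMPLE_WORKFLOW, RESOLVER, IMMUTABLE, EXEMPT)
    for f in findings:
        print(f"line {f.line_no}: {f.action}@{f.ref} -> {f.status}")
    print(new_text)
```

In a real tool the resolver would query the action repository for the commit behind the tag (and ideally verify that the tag still points at it, since mutable tags are exactly the problem SHA pinning solves); the `unresolved` status is kept as a distinct outcome so a failed lookup is surfaced rather than silently skipped.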

  • StepSecurity reposted

    View Rob Bos's profile

    Continuously improving with DevOps. GitHub Trainer | Microsoft MVP | GitHub Star | Blogger | Speaker | LinkedIn Learning Instructor

    I love how easy StepSecurity makes it to apply best practices in your GitHub Actions workflows! I noticed one of my action repos did not follow my normal setup, and adding all the updates would be quite some work. With app.stepsecurity.io it is super easy to let them propose a PR. Just tweak some of the settings to match your own preferences, and Go Go Go. Easy peasy! This was the PR generated in mere seconds: https://lnkd.in/eX-2UWQG #GitHubActions #Security #SupplyChainSecurity

  • StepSecurity reposted

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    Why Compliance Auditors Are Looking at Your CI/CD Runners, and How to Prepare

    CI/CD pipelines are the backbone of modern software delivery, yet their build runners often go unmonitored. These runners have privileged access to source code, secrets, and deployment systems, making them a prime target for supply chain attacks. But here's the issue: Compliance frameworks (PCI-DSS, SOC 2, HIPAA, ISO 27001, etc.) don't explicitly mention CI/CD runners. As a result, security teams focus on servers and endpoints, while build environments operate under the radar. That's starting to change, and auditors are taking notice.

    Why CI/CD Runners Are a Security Risk
    - Unmonitored Egress Traffic: Attackers can exfiltrate secrets via outbound connections without detection.
    - Lack of Endpoint Protection: CI runners rarely have EDR, leaving unauthorized processes unnoticed.
    - Supply Chain Attack Vector: Compromised runners can inject malicious code into builds (e.g., SolarWinds).
    - Ephemeral ≠ Secure: Short-lived runners still process sensitive data, but often lack logs for forensic analysis.

    Ignoring these risks is no longer an option, especially if your CI/CD environment touches regulated data.

    How StepSecurity Harden-Runner Helps
    StepSecurity Harden-Runner secures CI/CD pipelines by providing:
    - Egress Filtering & Network Monitoring: Blocks unauthorized connections, preventing data exfiltration.
    - File Integrity Monitoring: Detects tampering and unauthorized code changes.
    - Process Monitoring (EDR-like Capabilities): Tracks all executed processes and commands.
    - Audit Logging & Reporting: Generates compliance-ready reports for security reviews.

    Read the blog post in the comments for more details.

    • wait...you are not monitoring your CI/CD runners?
  • StepSecurity reposted

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    StepSecurity Harden-Runner recently observed an anomalous outbound call in multiple customer environments. The destination was a Docker, Inc related domain that wasn't in the baseline.

    What we found:
    - The call was going to: docker-images-prod[dot]6aa30f8b08e16409b46e0173d6de2f56[dot]r2[dot]cloudflarestorage[dot]com
    - No mention of it in Docker's documentation.
    - A similar domain was recently added to the allowlist for Docker in their documentation.

    What we did: We raised an issue with Docker, and they updated their documentation to include the missing domain!

    The surprising part? Docker Desktop also made this call, but no EDR solution flagged it. If an EDR tool had detected it, someone would have reported it and gotten it updated sooner. Instead, it went unnoticed until Harden-Runner detected it.

    This is why monitoring outbound network calls from CI/CD runners matters. Harden-Runner helps detect new, undocumented, and potentially malicious endpoints from CI/CD runners. If you're not monitoring outbound calls in your builds, now is the time! For more details, check out the blog post (link in the comments).

    • Harden Runner flags anomalous outbound call
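Both the Ruby publishing post above (every outbound call matched the expected checkout, dependency, RubyGems and sigstore traffic) and this Docker post (one destination was not in the baseline) come down to the same check: compare each observed outbound connection against a per-job baseline of expected destination, port and originating process, and flag what does not fit. The following is an added example of that comparison, not Harden-Runner's own detection code. The event records and the baseline are constructed for illustration (the baseline is modeled on the traffic listed in the Ruby post, with process names guessed); the one real hostname is the defanged domain quoted in this post, which the `refang` helper turns back into a hostname. The `allowed_endpoints` rendering into `host:port` lines is an assumption about the shape an egress allowlist takes, not a statement about any product's input format.

```python
import re

# Constructed baseline: pattern -> expected ports and originating processes.
# "*.example.com" matches any subdomain but not the bare domain.
BASELINE = {
    "github.com":          {"ports": {443}, "processes": {"git", "node"}},
    "api.github.com":      {"ports": {443}, "processes": {"node"}},
    "rubygems.org":        {"ports": {443}, "processes": {"ruby", "gem", "bundle"}},
    "index.rubygems.org":  {"ports": {443}, "processes": {"ruby", "gem", "bundle"}},
    "*.sigstore.dev":      {"ports": {443}, "processes": {"ruby", "gem"}},
}

# Constructed network events as a monitor might record them (domain, port, process).
# The fourth one is the Docker domain quoted in the post, kept defanged in the source.
EVENTS = [
    {"domain": "github.com",          "port": 443, "process": "git"},
    {"domain": "rubygems.org",        "port": 443, "process": "ruby"},
    {"domain": "rekor.sigstore.dev",  "port": 443, "process": "ruby"},
    {"domain": "docker-images-prod[dot]6aa30f8b08e16409b46e0173d6de2f56[dot]r2[dot]cloudflarestorage[dot]com",
     "port": 443, "process": "dockerd"},
    {"domain": "github.com",          "port": 22,  "process": "ssh"},    # known host, unexpected port
    {"domain": "rubygems.org",        "port": 443, "process": "curl"},   # known destination, unexpected process
]


def refang(indicator: str) -> str:
    """Turn a defanged hostname ('example[dot]com', 'example[.]com') back into a real one."""
    return re.sub(r'\[(?:dot|\.)\]', '.', indicator).lower().strip('.')


def domain_matches(domain: str, pattern: str) -> bool:
    """Exact match, or subdomain match for '*.suffix' patterns (the bare suffix does not match)."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".sigstore.dev"
        return domain.endswith(suffix) and len(domain) > len(suffix)
    return domain == pattern


def classify(event: dict, baseline: dict) -> str:
    """One of: baseline | new-destination | unexpected-port | unexpected-process."""
    domain = refang(event["domain"])
    for pattern, rule in baseline.items():
        if domain_matches(domain, pattern):
            if event["port"] not in rule["ports"]:
                return "unexpected-port"
            if event["process"] not in rule["processes"]:
                return "unexpected-process"
            return "baseline"
    return "new-destination"                      # the Docker case: nothing in the baseline matched


def find_anomalies(events, baseline):
    """Return (verdict, domain, port, process) for every event that deviates from the baseline."""
    return [
        (verdict, refang(e["domain"]), e["port"], e["process"])
        for e in events
        if (verdict := classify(e, baseline)) != "baseline"
    ]


def allowed_endpoints(baseline) -> list:
    """Render the baseline as sorted 'host:port' lines, a common shape for an egress allowlist (assumption)."""
    return sorted(f"{pattern}:{port}" for pattern, rule in baseline.items() for port in rule["ports"])


if __name__ == "__main__":
    for verdict, domain, port, process in find_anomalies(EVENTS, BASELINE):
        print(f"{verdict:20} {process:8} -> {domain}:{port}")
    print("\n".join(allowed_endpoints(BASELINE)))
```

The three verdicts are deliberately separate: a brand-new destination is what the post describes, but a known host on an unexpected port, or a known destination reached by a process that never talks to it in normal builds, are the patterns a credential exfiltration through an allowed host would leave, and collapsing them into "allowed host, fine" would miss them.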
  • StepSecurity reposted

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    We're Hiring Golang Developers!

    At StepSecurity, we're looking for passionate Go developers who bring a strong track record of open source contributions. Our ideal candidates have demonstrated their expertise through sustained contributions to enterprise-level open source projects.

    Key Requirements:
    - 1+ year of active contributions to open source projects (enterprise projects preferred)
    - Deep expertise in Golang
    - Based in India

    What We Offer:
    - Competitive compensation package
    - 100% remote work flexibility
    - Opportunity to work on cutting-edge security solutions

    Interested? Please DM me with your GitHub profile for consideration.

  • StepSecurity reposted

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    I'm thrilled to share that StepSecurity Harden-Runner has reached a major milestone: securing GitHub Actions workflows for over 5,000 open source projects!

    Recent CI/CD supply chain attacks at major organizations underscore why we started this journey. Harden-Runner helps prevent such incidents by controlling network access and monitoring activities on both GitHub-hosted and self-hosted runners.

    Some recent highlights of our impact:
    1. Detected a real-world CI/CD supply chain attack on Azure Karpenter Provider, earning recognition in Microsoft's Security Response Center
    2. Launched new GitHub Checks integration for immediate security feedback right in your PR workflow
    3. Released a modernized Insights page (beta) showing detailed workflow security analysis

    To all our open-source community: thank you for your trust in making CI/CD security better together! Read more in the blog post (link in the comments).

    • StepSecurity Harden-Runner now secures GitHub Actions workflows for over 5K open source projects!
  • StepSecurity reposted

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    Security Incident: Compromised Docker Image

    Recently, one of Kong's Docker images was compromised. According to the Kong team's initial investigation, the root cause was a misconfiguration in the public repository's GitHub Actions build pipeline. This allowed a compromised version of the image, containing a crypto miner, to replace the legitimate one on Docker Hub. Since the issue involved a misconfigured GitHub Actions workflow and led to the image being replaced on Docker Hub, it's likely that Docker Hub publishing credentials were exfiltrated from a GitHub Actions workflow and used to publish the compromised image.

    As is often the case with supply chain attacks, it was customers who first detected the issue, not the security team. Users reported unusually high CPU usage and observed a suspicious message printed by the image in a GitHub issue (link to the issue is in the comments).

    This incident underscores the critical importance of vigilance and robust security in CI/CD pipelines. Supply chain attacks are a growing threat, and proactive monitoring is essential to prevent and mitigate such incidents. Secure your CI/CD pipelines and monitor them closely!

    • Kong docker image supply chain attack
  • StepSecurity reposted

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    As 2024 comes to a close, we've been reflecting on the state of CI/CD security, an area that continues to face growing challenges and opportunities. In this post, I'll share StepSecurity's accomplishments in 2024 as we worked to secure CI/CD pipelines and predictions for 2025 in this critical and emerging space (link to the detailed blog post in the comments).

    Looking Back at 2024:
    CI/CD Supply Chain Attacks in Focus: This year, incidents like the XZ Utils and Ultralytics security breaches, and critical GitHub Actions vulnerabilities in projects from large enterprises like Google, Microsoft, and PyTorch, underscored the urgent need for enhanced CI/CD security.

    At StepSecurity, we:
    - 5X'ed our ARR, a testament to the trust our customers placed in us.
    - Detected two CI/CD supply chain attacks in open-source projects.
    - Grew Harden Runner adoption from 2K to 5K open-source repositories.
    - Expanded our team from 4 to 11 full-time members, bringing in exceptional talent to strengthen our mission.
    - Published two enterprise case studies and launched new marketing and product websites, supporting our customers and growth.

    Looking Ahead to 2025:
    1. Evolving Attacks: Threat actors will continue to innovate, making it essential for organizations to adopt proactive measures and secure their CI/CD pipelines.
    2. Increased Awareness and Training: Organizations will prioritize educating developers on identifying and mitigating these emerging risks.
    3. Security Embedded in Workflows: Developers will increasingly adopt CI/CD security solutions that integrate seamlessly into the development process.

    At StepSecurity, we're committed to staying ahead of these challenges and empowering developers with the tools they need to secure their pipelines effectively. Thank you to our customers, team, and investors for being part of this journey. If you're looking to fortify your CI/CD workflows in 2025, let's connect!

    • 2024 StepSecurity Accomplishments
