StepSecurity

Computer and Network Security

Seattle, Washington · 12,174 followers

Secure your GitHub Actions with StepSecurity: Your Trusted CI/CD Security Partner

About us

StepSecurity provides a comprehensive security platform for GitHub Actions. If you are using GitHub Actions for CI/CD and are worried about the security of your CI/CD pipelines, the StepSecurity platform is for you. Over 3000 open-source projects, including those from the Cybersecurity and Infrastructure Security Agency (CISA), Google, Microsoft, Datadog, Kubernetes, Node, and Ruby, use StepSecurity to harden their CI/CD pipelines. Our enterprise tier is currently deployed at customers in the crypto, healthcare, and cybersecurity industries.

Website
https://www.stepsecurity.io
Industry
Computer and Network Security
Company size
2-10 employees
Headquarters
Seattle, Washington
Type
Privately Held
Founded
2021

Posts

  • StepSecurity reposted this

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    StepSecurity Harden-Runner detected a supply chain attack on Microsoft's Azure Karpenter Provider in real time!

    On August 31, 2024, an independent security researcher demonstrated a supply chain attack on Microsoft's open-source project, Azure Karpenter Provider. If carried out by a threat actor, this could have caused a Codecov-style software supply chain attack. An adversary could have exfiltrated CI/CD secrets to access the cloud environments that this workflow had access to.

    All GitHub Actions workflows in the Azure Karpenter Provider project had been using StepSecurity's Harden-Runner since January 2024. Harden-Runner had created a baseline of outbound network calls for the impacted job over hundreds of runs. When the researcher exploited the vulnerability to exfiltrate a secret, the outbound call was to a domain that wasn't in the baseline, triggering Harden-Runner's anomaly detection alert in real time.

    Within an hour of the exploit, StepSecurity reported the detection to the Microsoft Security Response Center (MSRC). We are honored to be acknowledged for our detection on Microsoft's acknowledgment portal, which recognizes contributors to the security of their online services.

    Following this exploit, the repository now uses Harden-Runner in block mode, actively preventing unauthorized outbound calls that aren't in the allowed list, further raising the bar for the project's CI/CD security.

    This marks the second CI/CD supply chain attack detected by Harden-Runner this year, the previous one being on Google's open-source project, Flank.

    Check out the video and full case study to learn more about the vulnerability, how it was exploited, and how the exploit was detected in real time. The link to the case study is in the comments.

  • StepSecurity reposted this

    View Ashish Kurmi's profile

    Co-Founder & CTO, StepSecurity | Ex-Plaid | Ex-Uber | Ex-Microsoft

    How Harden-Runner Spotted Systemic Anomalous Traffic to api.ipify.org from GitHub-Hosted Runners

    It started on November 8, 2024. StepSecurity Harden-Runner raised an alert about unusual outbound traffic to an unknown domain, api.ipify.org, across multiple StepSecurity customers' GitHub Actions workflows.

    What we found:
    - Only GitHub-hosted runners were impacted; self-hosted runners were unaffected.
    - A process called provjobd had started making these unexpected calls.
    - The domain api.ipify.org retrieves public IP addresses, which wasn't needed by the affected workflows.

    With no public documentation available, we reached out to GitHub Support.

    GitHub Support's response:
    1. Provjobd is an internal tool temporarily used for diagnostic purposes.
    2. The calls were expected and benign.
    3. This was a one-time rollout with no plans to reintroduce it.

    Why this matters:
    Harden-Runner detected and flagged this systemic anomaly in real time, showcasing:
    - Baseline monitoring to catch unusual activity.
    - Process-level visibility to pinpoint the source.
    - Rapid alerts for immediate investigation.

    CI/CD pipelines are critical to software delivery, and a target for attacks. Incidents like this highlight the importance of real-time monitoring and anomaly detection. Check out the full blog post in the comments to learn more.

  • StepSecurity reposted this

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    StepSecurity Harden-Runner now protects over 4,500 open-source repositories, marking incredible growth in CI/CD security adoption.

    This milestone, achieved in less than two months after surpassing 4,000 repositories, highlights the growing adoption and trust in Harden-Runner within the open-source community and beyond.

    What makes this special? We're seeing unprecedented adoption across the spectrum - from innovative startups to government agencies. More organizations are recognizing that CI/CD security isn't optional - it's essential.

    Here's why developers are choosing the Harden-Runner GitHub Action:
    1. Exfiltration Prevention: Monitors and blocks outbound traffic from runners, safeguarding your CI/CD secrets.
    2. Build Tampering Detection: Detects attempts to tamper with your source code and build artifacts during build.
    3. Anomaly Detection: Flags any unexpected behavior during pipeline execution.

    A huge thank you to our growing community! Your trust drives us to keep innovating in making CI/CD security accessible to everyone.

    For more details, check out our blog post (link in the comments below).

    • Harden-Runner now secures over 4500 open source repositories
  • StepSecurity reposted this

    View Ashish Kurmi's profile

    Co-Founder & CTO, StepSecurity | Ex-Plaid | Ex-Uber | Ex-Microsoft

    Several of our enterprise customers adopted StepSecurity when they were migrating from Jenkins to GitHub Actions. In our conversations, we've noticed many enterprises are making the move from #Jenkins to #GitHubActions for its streamlined workflows, robust security features, and the ease of integrating third-party tools directly from the GitHub Actions Marketplace.

    We've just published a blog post (link in the comments) on migrating from Jenkins to GitHub Actions. If you're considering making the switch, you should check out the post.

    Highlights:
    - Key differences between Jenkins and GitHub Actions
    - Handling complex multi-branch pipelines with ease
    - Migrating custom plugins and scripts seamlessly
    - Ensuring secure and efficient secret management
    - Optimizing CI/CD performance post-migration

    If you're migrating to GitHub Actions from Jenkins and want to secure your pipelines from day one, get in touch with us!

  • StepSecurity reposted this

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    Thrilled to share that StepSecurity Harden-Runner is featured in the newly published book *GitHub Actions in Action* by Michael Kaufmann, Rob Bos, and Marcel de Vries from Xebia. This comprehensive book explores everything from setting up GitHub Actions to ensuring workflows are secure and efficient, making it an invaluable resource for teams working with GitHub Actions.

    The security chapter stands out with deep dives into critical topics such as preventing 'pwn requests,' mitigating script injection vulnerabilities, managing GitHub token permissions, and much more.

    We're honored that StepSecurity Harden-Runner is highlighted as a solution for monitoring and limiting network access from GitHub runners. If you use GitHub Actions, the book "GitHub Actions in Action" is a must read!

    • Mention of StepSecurity Harden-Runner in the book GitHub Actions in Action
  • StepSecurity reposted this

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    Exciting news! Another Microsoft repository has integrated the StepSecurity Harden Runner GitHub Action, further validating its importance in securing CI/CD pipelines.

    The PR titled "Hardening GitHub Runners" in Microsoft's vsts-extension-retrospectives repo, created by a Microsoft developer who maintains the repository, shows the growing adoption of this critical security tool.

    Harden Runner, now used by over 4,300 open-source projects, provides robust network and runtime security for GitHub-hosted and self-hosted runners. Here's what makes it powerful:
    - Creates a baseline for each job across multiple runs, tracking outbound network calls, processes created, and files written during the build process
    - Alerts on anomalies that deviate from this job-specific baseline
    - Enables setting block policies to prevent unauthorized deviations

    This easy-to-use and comprehensive approach helps teams detect and prevent potential security threats in their CI/CD pipelines, ensuring the integrity of their builds.

    We're proud to see Harden Runner becoming part of the #security vocabulary in the #developer community.

    • Harden-Runner added to another Microsoft repository
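The baseline-then-alert approach described in this post and in the Azure Karpenter Provider post above, as an added illustration that is not Harden-Runner's own code: a job's outbound destinations are learned from earlier runs, and a later run's call to a destination outside that baseline is reported (audit mode) or denied (block mode). The job name, run numbers and hosts are constructed sample data.

```python
# Added illustration, not Harden-Runner's implementation: learn a per-job baseline of
# outbound destinations from earlier runs, then flag (audit mode) or deny (block mode)
# any destination a later run contacts that is outside that baseline.
# All records below are constructed sample data, not captured telemetry.

# Constructed egress records: (job name, run number, destination host)
SAMPLE_EGRESS = [
    ("build", 1, "github.com"), ("build", 1, "registry.npmjs.org"),
    ("build", 2, "github.com"), ("build", 2, "registry.npmjs.org"),
    ("build", 3, "github.com"), ("build", 3, "registry.npmjs.org"),
    # run 4 makes the usual calls plus one destination never seen before
    ("build", 4, "github.com"), ("build", 4, "registry.npmjs.org"),
    ("build", 4, "unexpected-host.invalid"),
]

def build_baseline(records, job, upto_run):
    """Destinations `job` contacted in runs 1..upto_run.

    The baseline is only as trustworthy as the runs it was learned from: build it
    from runs believed to be clean and exclude the run that is about to be judged.
    """
    return {host for (j, run, host) in records if j == job and run <= upto_run}

def evaluate_run(records, job, run, baseline, mode="audit"):
    """Classify each outbound call of one run against the job's baseline.

    Returns the hosts that were connected, the hosts that raised an alert and,
    in block mode, the hosts that were denied instead of connected.
    """
    if mode not in ("audit", "block"):
        raise ValueError("mode must be 'audit' or 'block'")
    result = {"connected": [], "alerts": [], "blocked": []}
    for (j, r, host) in records:
        if j != job or r != run:
            continue
        if host in baseline:
            result["connected"].append(host)
            continue
        result["alerts"].append(host)          # anomaly: not in the baseline
        if mode == "block":
            result["blocked"].append(host)     # policy denies the connection
        else:
            result["connected"].append(host)   # audit: allowed, but reported
    return result

if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_EGRESS, "build", upto_run=3)
    for mode in ("audit", "block"):
        print(mode, evaluate_run(SAMPLE_EGRESS, "build", 4, baseline, mode))
```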
  • StepSecurity reposted this

    View Ashish Kurmi's profile

    Co-Founder & CTO, StepSecurity | Ex-Plaid | Ex-Uber | Ex-Microsoft

    Glad to see fwupd (Firmware updates for Linux) leveraging StepSecurity to automate #GitHub Actions security best practices! This popular open-source project has 3k stars and is a system daemon to allow session software to update firmware. Swipe on the carousel below to see all the #security best practices they have automated with StepSecurity!

  • StepSecurity reposted this

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    Digg Sweden, the Agency for Digital Government in Sweden, has added StepSecurity Harden-Runner to their open-source project template!

    This template serves as a practical starter for releasing projects as open source, proposing well-known conventions and de-facto standards.

    Why is this important?
    1. Growing Awareness of CI/CD Security: More organizations are becoming aware of the need to secure their CI/CD pipelines and runners.
    2. Government Adoption: Digg – Myndigheten för digital förvaltning's adoption of Harden-Runner demonstrates the growing trust in our security solution among government agencies.
    3. Setting Standards: As a template for #opensource projects, Digg's choice influences best practices in security for numerous future projects.

    The StepSecurity Community is Growing:
    - Over 4,200 open-source projects now use the Harden-Runner GitHub Action
    - Trusted by government agencies, tech giants, and innovative startups alike

    As more organizations prioritize the security of their CI/CD pipelines, we're proud to see Harden-Runner becoming an essential tool in creating a safer digital ecosystem.

    • Harden-Runner added to DiggSweden's open source project template
  • StepSecurity reposted this

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    Interesting project by Benedikt Haußner that sets up a reverse shell on GitHub Actions runners using an Azure Storage account. StepSecurity Harden-Runner is designed not to allow connections to all Azure storage accounts. It detects the cache blob storage account for each job run and only allows egress traffic to that particular blob storage account. Here is a POC showing Harden-Runner blocking a call to an attacker-controlled Azure storage account, while allowing connections to the cache storage account. https://lnkd.in/gNUPeegG

    View Clint Gibler's profile

    Sharing the latest cybersecurity research at tldrsec.com | Head of Security Research at Semgrep

    Tool: … via …

    A clever way to steal secrets & bypass network egress filtering.

    A few projects recently have been aimed at hardening GitHub Actions by restricting egress traffic: reducing an attack's impact by limiting the ability to exfiltrate secrets. For example, StepSecurity or Bullfrog Security, repos: https://lnkd.in/gAhX2YPc https://lnkd.in/gwDpEmKc

    This project by Benedikt Haußner sneakily uses an Azure Storage Account as a broker, bypassing, for example, firewall rules in place on self-hosted runners.

    Note: *.blob.core.windows.net has to be whitelisted even for firewall-protected self-hosted runners, since GitHub uses Azure Storage Accounts for writing job summaries, logs, workflow artifacts, and caches.

    H/T Adnan Khan, François Proulx, and Ashish Kurmi as smart folks who previously weighed in on GitHub Action egress filtering. https://lnkd.in/g7CYeeEH #cybersecurity
