Most teams have no idea what their CI runners connect to during a build. Packages get installed, scripts run, network calls go out — and none of it is logged. That is a real blind spot.

Harden-Runner from StepSecurity is a GitHub Action that monitors and optionally blocks outbound network connections at the runner level, in real time. Think of it as an EDR for your CI pipeline.

It caught the axios supply chain attack in real time — any connection to sfrclak.com (the axios RAT’s C2 server) would have shown up immediately in the security log.


How to add it

Add it as the first step in every job, pinned to a commit SHA:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit
          allowed-endpoints: >
            registry.npmjs.org:443
            github.com:443
            objects.githubusercontent.com:443

      - uses: actions/checkout@v4
      - run: npm ci

It must be first — if it runs after other steps, those steps are already unmonitored.


Two modes

audit — logs all outbound connections, blocks nothing. Builds keep working. Use this to learn what your pipeline actually talks to.

block — blocks anything not in allowed-endpoints. Any unexpected connection fails the build immediately.

Start with audit. Run it for a week and look at the logs. Most legitimate builds talk to three to five known endpoints. Build your allowlist from that, then switch to block.
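
A check for the rules above, as an added example that is not StepSecurity's code: a Ruby script that parses a workflow and reports jobs where Harden-Runner is missing, is not the first step, is not pinned to a 40-character commit SHA, or is still in audit mode. The function name lint_workflow and the sample workflow are constructed for illustration; only the harden-runner SHA comes from this page.

```ruby
require 'yaml'

HARDEN = 'step-security/harden-runner'
PINNED = /\A#{Regexp.escape(HARDEN)}@\h{40}\z/ # full 40-hex commit SHA

# Returns { job name => [findings] } for each job that defines its own steps.
def lint_workflow(text)
  jobs = (YAML.safe_load(text) || {})['jobs'] || {}
  jobs.each_with_object({}) do |(name, job), out|
    next unless job.is_a?(Hash) && job['steps'].is_a?(Array)
    uses = job['steps'].map { |s| s.is_a?(Hash) ? s['uses'].to_s : '' }
    pos = uses.index { |u| u.start_with?("#{HARDEN}@") }
    out[name] = findings = []
    if pos.nil?
      findings << 'harden-runner missing'
    else
      findings << "harden-runner is step #{pos + 1}; earlier steps run unmonitored" if pos > 0
      findings << 'harden-runner is not pinned to a commit SHA' unless uses[pos].match?(PINNED)
      policy = (job['steps'][pos]['with'] || {})['egress-policy']
      findings << 'egress-policy is audit: connections are logged, not blocked' if policy == 'audit'
    end
  end
end

# Constructed sample workflow with three jobs, each breaking a different rule.
SAMPLE = <<~WORKFLOW
  on: push
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
          with:
            egress-policy: audit
        - uses: actions/checkout@v4
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        - uses: step-security/harden-runner@v2
    deploy:
      runs-on: ubuntu-latest
      steps:
        - run: ./deploy.sh
WORKFLOW

if __FILE__ == $PROGRAM_NAME
  lint_workflow(SAMPLE).each { |job, f| puts "#{job}: #{f.empty? ? 'ok' : f.join('; ')}" }
end
```

Jobs that call a reusable workflow have no steps of their own and are skipped.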


What it monitors

  • Outbound network connections — correlated to the exact workflow step that triggered them
  • File integrity — alerts if source code is modified during the build
  • Process activity — detects suspicious process behaviour, including memory reads of the runner worker process (a known technique for stealing GitHub Actions secrets)

In v2.19.0, known malicious domains and IPs are blocked even in audit mode via a global block list. It also triggers automatic lockdown when a high-risk event is detected mid-build.


What a real allowlist looks like

For a typical Node.js project:

- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
  with:
    egress-policy: block
    allowed-endpoints: >
      registry.npmjs.org:443
      github.com:443
      objects.githubusercontent.com:443
      nodejs.org:443

After running in audit mode, StepSecurity shows you a suggested allowlist based on observed traffic — you can copy it directly into your workflow.


Free vs paid

The free tier covers public repositories on GitHub-hosted runners. It includes network monitoring, file integrity checks, and the automated incident response features.

The paid tier adds private repositories, self-hosted runners (including Depot, Blacksmith, Namespace, WarpBuild), GitHub Checks integration, and detailed per-step file and process monitoring.