Question 1

How does Harden-Runner compare to traditional EDR for CI/CD?

Accepted Answer

Harden-Runner is specifically designed for CI/CD environments, mapping events to workflow steps, whereas traditional EDR lacks this context. It focuses on the ephemeral nature of runners, making it more effective for detecting supply chain attacks in real-time.

Question 2

How to set up Harden-Runner to block unauthorized network traffic?

Accepted Answer

Start by adding the Harden-Runner action to your workflow with egress-policy set to audit to create a baseline. After sufficient runs, switch to using a domain allowlist to block traffic not in the baseline, as detailed in the getting started guide.

Question 3

Does Harden-Runner work with self-hosted runners?

Accepted Answer

Yes, Harden-Runner fully supports self-hosted VM, bare-metal, and ARC runners, often without requiring workflow changes. The agent can be deployed directly to the runner infrastructure for seamless integration.

Question 4

What are the limitations on macOS GitHub-hosted runners?

Accepted Answer

On GitHub-hosted macOS runners, Harden-Runner only operates in audit mode, meaning you can monitor but not block network egress. Full features like network control are not available on this platform.

Question 5

How does Harden-Runner detect source code tampering?

Accepted Answer

It monitors for unauthorized modifications to source code during the build process by tracking file operations and correlating them with workflow steps, alerting if changes occur outside expected parameters.

Question 6

Is Harden-Runner free for private repositories?

Accepted Answer

No, support for private repositories is part of the paid Enterprise tier. The free Community tier is limited to public repositories, which may restrict use for proprietary projects.

Harden Runner GitHub Action

What is Harden Runner GitHub Action?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions