StepSecurity Partnership
I’m excited to announce that RunsOn is now a partner of StepSecurity to address a critical gap in the software supply chain security landscape: protecting CI/CD runners from supply chain attacks.
The Security Gap in CI/CD Infrastructure
While corporate laptops and production servers typically have robust security monitoring in place, CI/CD runners often lack equivalent protection despite handling sensitive information like secrets for package registries and cloud environments. This oversight has contributed to significant supply chain attacks in recent years, including the SolarWinds and Codecov breaches.
Traditional security monitoring solutions aren’t effective for CI/CD runners, because the runners are ephemeral and these solutions lack the context needed to correlate events with specific workflow runs.
Introducing StepSecurity Integration with RunsOn
StepSecurity addresses this gap with security monitoring specifically designed for CI/CD environments. Their Harden-Runner is a runtime security agent that provides:
- Egress network monitoring and filtering: Monitors outbound traffic to build baselines, detect anomalies, and enforce allow lists
- GitHub API call monitoring: Provides visibility into API usage and helps determine minimum required permissions
- File integrity and tampering detection: Detects unauthorized modifications to source code during builds
- Granular event correlation: Maps each network connection, file operation, and process execution to specific steps, jobs, and workflows
- GitHub Checks integration: Automatically monitors network activity and fails checks when anomalous activity is detected
Getting Started with StepSecurity on RunsOn
The integration is now available to all RunsOn users. To get started:
- Obtain a StepSecurity API key (enterprise license required, or start a free trial at stepsecurity.io)
- Configure RunsOn with your StepSecurity API key using the IntegrationStepSecurityApiKey stack parameter
- Use StepSecurity images in your workflows:
  - ubuntu24-stepsecurity-x64
  - ubuntu24-stepsecurity-arm64
Learn more in the dedicated documentation.