Skip to content

fix(deps): update step-security/harden-runner action to v2.19.1#125

Open
renovate-gsuquet[bot] wants to merge 1 commit intomainfrom
gsuquet/renovate/step-security-harden-runner-2.x
Open

fix(deps): update step-security/harden-runner action to v2.19.1#125
renovate-gsuquet[bot] wants to merge 1 commit intomainfrom
gsuquet/renovate/step-security-harden-runner-2.x

Conversation

@renovate-gsuquet
Copy link
Copy Markdown
Contributor

@renovate-gsuquet renovate-gsuquet Bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Type Update Change
step-security/harden-runner action minor v2.9.0 -> v2.19.1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

step-security/harden-runner (step-security/harden-runner)

v2.19.1

Compare Source

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

Compare Source

What's Changed
New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks
  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).
Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

Compare Source

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

v2.17.0

Compare Source

What's Changed
Policy Store Support

Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

v2.16.1

Compare Source

What's Changed

Enterprise tier: Added support for direct IP addresses in the allow list
Community tier: Migrated Harden Runner telemetry to a new endpoint

Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1

v2.16.0

Compare Source

What's Changed
  • Updated action.yml to use node24
  • Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
  • Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

v2.15.1

Compare Source

What's Changed
  • Fixes #​642 bug due to which post step was failing on Windows ARM runners
  • Updates npm packages

Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1

v2.15.0

Compare Source

What's Changed
Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

v2.14.2

Compare Source

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

Compare Source

What's Changed

  1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

  2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

v2.14.0

Compare Source

What's Changed
  • Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
  • Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

v2.13.3

Compare Source

What's Changed
  • Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

v2.13.2

Compare Source

What's Changed
  • Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
  • Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.

Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2

v2.13.1

Compare Source

What's Changed

  • Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

  • Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

  • Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1

v2.13.0

Compare Source

What's Changed
  • Improved job markdown summary
  • Https monitoring for all domains (included with the enterprise tier)

Full Changelog: step-security/harden-runner@v2...v2.13.0

v2.12.2

Compare Source

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com
Bug fixes:

  • Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
  • Increased policy map size for block mode

Full Changelog: step-security/harden-runner@v2...v2.12.2

v2.12.1

Compare Source

What's Changed
  • Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
  • Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: step-security/harden-runner@v2...v2.12.1

v2.12.0

Compare Source

What's Changed

  1. A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.

  2. New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: step-security/harden-runner@v2...v2.12.0

v2.11.1

Compare Source

What's Changed

Full Changelog: step-security/harden-runner@v2...v2.11.1

v2.11.0

Compare Source

What's Changed

Release v2.11.0 in #​498
Harden-Runner Enterprise tier now supports the use of eBPF for DNS resolution and network call monitoring

Full Changelog: step-security/harden-runner@v2...v2.11.0

v2.10.4

Compare Source

What's Changed

Fixed a potential Harden-Runner post step failure that could occur when printing agent service logs. The fix gracefully handles failures without failing the post step.

Full Changelog: step-security/harden-runner@v2...v2.10.4

v2.10.3

Compare Source

What's Changed

Fixed an issue where DNS requests using uppercase characters (e.g., EXAMPLE.com) were blocked even when the domain was present in the allowed list. This update standardizes domain names to lowercase for consistent comparison.

Full Changelog: step-security/harden-runner@v2...v2.10.3

v2.10.2

Compare Source

What's Changed

  1. Fixes low-severity command injection weaknesses
    The advisory is here: GHSA-g85v-wf27-67xc

  2. Bug fix to improve detection of whether Harden-Runner is running in a container

Full Changelog: step-security/harden-runner@v2...v2.10.2

v2.10.1

Compare Source

What's Changed

Release v2.10.1 by @​varunsh-coder in #​463
Bug fix: Resolves an issue where DNS resolution of .local domains was failing when using a Kind cluster in a GitHub Actions workflow.

Full Changelog: step-security/harden-runner@v2...v2.10.1

v2.10.0

Compare Source

What's Changed

Release v2.10.0 by @​h0x0er and @​varunsh-coder in #​455

ARM Support: Harden-Runner Enterprise tier now supports GitHub-hosted ARM runners. This includes all the features that apply to previously supported GitHub-hosted x64 Linux runners.

Full Changelog: step-security/harden-runner@v2...v2.10.0

v2.9.1

Compare Source

What's Changed

Release v2.9.1 by @​h0x0er and @​varunsh-coder in #​440
This release includes two changes:

  1. Updated markdown displayed in the job summary by the Harden-Runner Action.
  2. Fixed a bug affecting Enterprise Tier customers where the agent attempted to upload telemetry for jobs with disable-telemetry set to true. No telemetry was uploaded as the endpoint was not in the allowed list.

Full Changelog: step-security/harden-runner@v2...v2.9.1

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@renovate-gsuquet renovate-gsuquet Bot requested a review from gsuquet August 6, 2024 05:10
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Aug 6, 2024
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/step-security/harden-runner a5ad31d6a139d249332a2605b85202e8c0b78450 🟢 8.2
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
CI-Tests🟢 1015 out of 15 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 10all changesets reviewed
Contributors🟢 6project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Maintained🟢 1014 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities🟢 46 existing vulnerabilities detected
actions/step-security/harden-runner a5ad31d6a139d249332a2605b85202e8c0b78450 🟢 8.2
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
CI-Tests🟢 1015 out of 15 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 10all changesets reviewed
Contributors🟢 6project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Maintained🟢 1014 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities🟢 46 existing vulnerabilities detected
actions/step-security/harden-runner a5ad31d6a139d249332a2605b85202e8c0b78450 🟢 8.2
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
CI-Tests🟢 1015 out of 15 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 10all changesets reviewed
Contributors🟢 6project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Maintained🟢 1014 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities🟢 46 existing vulnerabilities detected

Scanned Manifest Files

.github/workflows/integration-linter-pre-commit.yml
.github/workflows/security-dependencies.yml
.github/workflows/security-ossf-scorecard.yml

@renovate-gsuquet
Copy link
Copy Markdown
Contributor Author

renovate-gsuquet Bot commented Aug 6, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from e7e959d to 673cc72 Compare September 27, 2025 08:18
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.9.1 fix(deps): update step-security/harden-runner action to v2.13.1 Sep 27, 2025
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from 673cc72 to d63cf29 Compare November 5, 2025 11:13
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.13.1 fix(deps): update step-security/harden-runner action to v2.13.2 Nov 5, 2025
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from d63cf29 to 9cb7e09 Compare December 2, 2025 05:13
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.13.2 fix(deps): update step-security/harden-runner action to v2.13.3 Dec 2, 2025
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from 9cb7e09 to 82e9ca0 Compare December 10, 2025 05:14
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.13.3 fix(deps): update step-security/harden-runner action to v2.14.0 Dec 10, 2025
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from 82e9ca0 to 7db504c Compare January 26, 2026 05:22
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.14.0 fix(deps): update step-security/harden-runner action to v2.14.1 Jan 26, 2026
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from 7db504c to 956ef36 Compare February 9, 2026 05:42
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.14.1 fix(deps): update step-security/harden-runner action to v2.14.2 Feb 9, 2026
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from 956ef36 to a4ae92c Compare February 25, 2026 05:38
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.14.2 fix(deps): update step-security/harden-runner action to v2.15.0 Feb 25, 2026
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from a4ae92c to 1a07831 Compare March 6, 2026 05:30
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.15.0 fix(deps): update step-security/harden-runner action to v2.15.1 Mar 6, 2026
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from 1a07831 to ca8e670 Compare March 17, 2026 05:37
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.15.1 fix(deps): update step-security/harden-runner action to v2.16.0 Mar 17, 2026
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from ca8e670 to e45df71 Compare April 1, 2026 05:49
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.16.0 fix(deps): update step-security/harden-runner action to v2.16.1 Apr 1, 2026
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from e45df71 to 5285c86 Compare April 10, 2026 05:52
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.16.1 fix(deps): update step-security/harden-runner action to v2.17.0 Apr 10, 2026
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from 5285c86 to a49b45d Compare April 15, 2026 11:32
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.17.0 fix(deps): update step-security/harden-runner action to v2.18.0 Apr 15, 2026
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from a49b45d to dc43b95 Compare April 20, 2026 11:40
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.18.0 fix(deps): update step-security/harden-runner action to v2.19.0 Apr 20, 2026
@renovate-gsuquet
fix(deps): update step-security/harden-runner action to v2.19.1
0274201 
| datasource  | package                     | from   | to      |
| ----------- | --------------------------- | ------ | ------- |
| github-tags | step-security/harden-runner | v2.9.0 | v2.19.1 |


Signed-off-by: renovate-gsuquet[bot] <173481049+renovate-gsuquet[bot]@users.noreply.github.com>
@renovate-gsuquet renovate-gsuquet Bot force-pushed the gsuquet/renovate/step-security-harden-runner-2.x branch from dc43b95 to 0274201 Compare May 4, 2026 06:13
@renovate-gsuquet renovate-gsuquet Bot changed the title fix(deps): update step-security/harden-runner action to v2.19.0 fix(deps): update step-security/harden-runner action to v2.19.1 May 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gsuquet gsuquet Awaiting requested review from gsuquet

Assignees

@gsuquet gsuquet

Labels

automation ci deployment github_actions integration renovate security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gsuquet