StepSecurity
@step_security
Followers 176 | Following 87 | Media 16 | Statuses 176
Secure your GitHub Actions with StepSecurity: Your Trusted CI/CD Security Partner
Joined November 2021
📢 Press release of our GitHub Actions Security Platform! While many of you are already familiar with its prowess — given its adoption by over 1,200 open-source projects and numerous enterprises — today, we formally put it in the spotlight. https://t.co/e3YFOFZ34v
prnewswire.com
/PRNewswire/ -- StepSecurity, a leader in CI/CD Security, has announced the launch of its GitHub Actions Security Platform to counter escalating cyber threats...
0
2
6
5/5 This is the second CI/CD supply chain attack detected by Harden-Runner in 2024. Earlier, it caught an exploit in Google’s open-source project, Flank. Check out the full case study and video of the Azure Karpenter project for all the details:
stepsecurity.io
This case study discusses how StepSecurity Harden-Runner detected a CI/CD supply chain attack in real-time in Microsoft’s open-source project Azure Karpenter Provider
0
0
2
4/5 We’re honored to be recognized on Microsoft’s acknowledgment portal for our contribution to securing their online services. Following this exploit, the repository now uses Harden-Runner in block mode, preventing unauthorized outbound calls that aren't on the allowed list.🙌
1
0
1
3/5 This anomaly triggered Harden-Runner’s real-time detection alert. Within just an hour of the exploit, StepSecurity reported it to the Microsoft Security Response Center (MSRC).
1
0
0
2/5 Harden-Runner established a baseline of outbound network calls for the impacted job after hundreds of runs. When a researcher exploited a vulnerability to exfiltrate a secret, the call went to a domain outside the baseline. ⚠️
1
0
0
1/5 All #GitHub Actions workflows in the @Microsoft Azure Karpenter Provider project have been secured with StepSecurity’s Harden-Runner since January 2024. Here's how Harden-Runner detected a potential supply chain attack in real-time. 👇
1
2
9
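The five-post thread above describes Harden-Runner learning a baseline of outbound endpoints over many runs, alerting when a call leaves that baseline (audit mode), and later blocking anything not on the allowed list (block mode). The following Python is an added illustration of that logic, not StepSecurity's code: the run data, the endpoint names and the exfiltration destination are constructed, and the rendered step uses the `egress-policy` and `allowed-endpoints` inputs as documented in the Harden-Runner README (check them against the current README before use).

```python
from collections import Counter

# Constructed sample data: "host:port" endpoints seen in three earlier runs of one job.
# These are illustrative values, not captured from any real workflow.
BASELINE_RUNS = [
    ["github.com:443", "api.github.com:443", "proxy.golang.org:443", "sum.golang.org:443"],
    ["github.com:443", "api.github.com:443", "proxy.golang.org:443", "sum.golang.org:443"],
    ["github.com:443", "api.github.com:443", "proxy.golang.org:443", "sum.golang.org:443",
     "storage.googleapis.com:443"],  # seen only once: a candidate for review, not a habit
]

# Constructed run in which a step sends a secret to a host never seen before.
EXPLOITED_RUN = ["github.com:443", "api.github.com:443", "exfil.example:443"]


def learn_baseline(runs, min_runs=1):
    """Return the set of endpoints observed in at least `min_runs` runs.

    Counting per run (not per call) means an endpoint hit 50 times in a single
    run still counts as one observation, so one-off noise does not dominate.
    """
    seen = Counter()
    for run in runs:
        for endpoint in set(run):
            seen[endpoint] += 1
    return {endpoint for endpoint, count in seen.items() if count >= min_runs}


def anomalies(baseline, calls):
    """Endpoints in this run that fall outside the learned baseline (audit-mode alert)."""
    return [endpoint for endpoint in calls if endpoint not in baseline]


def evaluate_run(baseline, calls, mode="audit"):
    """Label each outbound call for the given egress policy.

    audit: every call proceeds; out-of-baseline calls are labelled "anomaly".
    block: only baseline endpoints proceed; everything else is labelled "blocked".
    """
    if mode not in ("audit", "block"):
        raise ValueError("mode must be 'audit' or 'block'")
    labels = []
    for endpoint in calls:
        in_baseline = endpoint in baseline
        if mode == "block":
            labels.append((endpoint, "allowed" if in_baseline else "blocked"))
        else:
            labels.append((endpoint, "baseline" if in_baseline else "anomaly"))
    return labels


def render_harden_runner_step(baseline):
    """Emit a block-mode Harden-Runner step whose allow list is the learned baseline.

    The action reference below is a placeholder ("<full-commit-sha>"), to be replaced
    with the pinned SHA of the release you audit; input names follow the action README.
    """
    lines = [
        "- name: Harden Runner",
        "  uses: step-security/harden-runner@<full-commit-sha>",
        "  with:",
        "    egress-policy: block",
        "    allowed-endpoints: >",
    ]
    lines += [f"      {endpoint}" for endpoint in sorted(baseline)]
    return "\n".join(lines)


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_RUNS, min_runs=2)
    print("audit :", evaluate_run(baseline, EXPLOITED_RUN, "audit"))
    print("block :", evaluate_run(baseline, EXPLOITED_RUN, "block"))
    print(render_harden_runner_step(baseline))
```

With `min_runs=2` the once-seen Google Cloud Storage endpoint stays out of the allow list, which is the kind of judgement call a maintainer makes when moving from audit to block mode: a legitimate but rare destination should be added deliberately rather than absorbed into the baseline by default.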
& ease of integrating third-party tools directly from the GitHub Actions Marketplace. 📢We've just published a blog post on migrating from Jenkins to #GitHub Actions. If you're considering making the switch, check out our latest blog:
0
0
0
❗Several of our enterprise customers adopted StepSecurity when they were migrating from Jenkins to GitHub Actions. In our conversations, we’ve noticed many enterprises are making the move from #Jenkins to #GitHubActions for its streamlined workflows, robust #security features...
1
2
3
🛠️ Our latest blog post covers everything you need to know about pinning, like: ✅Why you need to pin GitHub Actions ✅Guide to manually pin GitHub Actions ✅Best practices for pinning ✅Challenges, solutions & tools for pinning ✅ Automatic pinning with StepSecurity
1
0
0
🛡️ To avoid this risk, you need to pin actions to an immutable reference – like the full-length commit SHA. This guarantees that your workflows always use a specific, unchangeable version of the action, preventing unauthorized updates and ensuring consistent security.
1
0
0
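The post above recommends pinning every action to a full-length commit SHA instead of a mutable tag or branch. As an added example (not StepSecurity's tooling, and independent of their automatic pinning feature), the Python below scans a workflow file for `uses:` references that are not pinned to a 40-hex SHA and shows the usual rewrite that keeps the human-readable tag as a trailing comment. The sample workflow and the SHA in it are constructed placeholders, not real commits.

```python
import re
from dataclasses import dataclass

# A full-length commit SHA is exactly 40 lowercase hex characters.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: <ref>" or "uses: <ref>" with any indentation; <ref> stops at whitespace or '#'.
USES_LINE = re.compile(r"^(?P<lead>\s*-?\s*uses:\s*)(?P<ref>[^\s#]+)(?P<rest>.*)$")

# Constructed placeholder, not a real commit of any action.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

# Constructed sample workflow mixing pinned, unpinned, local and Docker references.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@{PLACEHOLDER_SHA} # v2
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
      - run: npm test
"""


@dataclass
class Finding:
    line_no: int
    ref: str
    reason: str


def classify_ref(ref):
    """Return None when the reference is immutable, otherwise a short reason it is not."""
    if ref.startswith("./"):
        return None  # local action: it lives in this repository and is versioned with it
    if ref.startswith("docker://"):
        # A Docker image is immutable only when addressed by digest, not by tag.
        return None if "@sha256:" in ref else "docker image referenced by tag; pin by @sha256 digest"
    if "@" not in ref:
        return "no version reference at all (resolves to the default branch)"
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA.match(version):
        return None
    return f"mutable reference '{version}' (tag or branch can be moved by the action owner)"


def find_unpinned(workflow_text):
    """Scan workflow text line by line and report every mutable action reference."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_LINE.match(line)
        if not match:
            continue
        reason = classify_ref(match.group("ref"))
        if reason:
            findings.append(Finding(line_no, match.group("ref"), reason))
    return findings


def pin_reference(ref, sha):
    """Rewrite owner/repo@tag as owner/repo@<sha> # tag so the tag stays readable.

    The caller must resolve `sha` for the tag it trusts (e.g. from the action's
    release page); this function only performs the textual rewrite.
    """
    if not FULL_SHA.match(sha):
        raise ValueError("sha must be a 40-character lowercase hex commit SHA")
    action, sep, version = ref.rpartition("@")
    if not sep:  # no '@' at all: the whole string is the action path
        action, version = version, ""
    pinned = f"{action}@{sha}"
    return f"{pinned} # {version}" if version else pinned


if __name__ == "__main__":
    for finding in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {finding.line_no}: {finding.ref}: {finding.reason}")
    print(pin_reference("actions/checkout@v4", PLACEHOLDER_SHA))
```

The checker is deliberately line-based so it needs no YAML library and works on partially written workflows; a pinned line keeps its `# v4`-style comment, which is what lets dependency-update tooling recognise which release the SHA corresponds to.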
⚠️Malicious actors can inject harmful code into your CI/CD pipelines by updating action versions with malicious code, leading to the theft of sensitive information like API keys and cloud admin credentials.
1
0
0
🔒 Did you know unpinned actions can lead to security risks in your GitHub workflows? Unpinned #GitHub Actions expose your workflows to vulnerabilities and #supplychainattacks.
1
0
1
🛡️ Enhancing #OSSSecurity can be complex and time-consuming. @step_security's Secure-Repo automates critical best practices, streamlining the process for maintainers to improve their projects' security posture efficiently. Learn more: https://t.co/VVK5hY58pN
0
4
5
Here’s what you can expect: 1️⃣Introduction to XZ Utils Build Process 2️⃣Live Analysis of XZ Utils Build Process with Harden-Runner 3️⃣Understanding the Importance of Runtime Security Monitoring to Identify Supply Chain Attacks
0
0
0
Live Analysis of Backdoored XZ Utils Build Process with StepSecurity Harden-Runner 📅Date & Time: May 22nd 2024, 9:30 am Pacific Time ➡️Register here:
1
1
1
We're thrilled to announce @step_security joining OpenSSF! 👏 StepSecurity offers a platform that secures CI/CD infrastructure and pipelines against security attacks, trusted by over 2700 open source projects that use GitHub Actions. 💻
0
4
12
🎉We are thrilled to announce that StepSecurity has secured $3 million in seed #funding to protect CI/CD pipelines for open-source communities and enterprises!
stepsecurity.io
StepSecurity secures $3M seed funding to revolutionize CI/CD pipeline security. Learn about our mission, unique approach, and roadmap to protect open-source and enterprise CI/CD environments.
0
3
8
🎉Our partnership with OpenSSF has been fantastic so far, & formalizing it will allow us to empower even more open source maintainers to protect their projects against CI/CD attacks. Read more about this partnership here: https://t.co/pFxhwQa0gb & here:
stepsecurity.io
StepSecurity has joined the Open Source Security Foundation (OpenSSF)! Learn how this collaboration strengthens our mission to enhance open-source software security and protect CI/CD pipelines.
0
0
0
🤝StepSecurity has already collaborated with OpenSSF Scorecard, and our automation has helped hundreds of open source maintainers to achieve higher scores.
1
0
0