Skip to content

Navigation Menu

Appearance settings

Explore
By company size
By use case
By industry
View all solutions
Topics
- AI
- DevOps
- Security
- Software Development
- View all
Explore
- GitHub Sponsors
  Fund open source developers
- The ReadME Project
  GitHub community articles
Repositories
- Enterprise platform
  AI-powered developer platform
Available add-ons
Pricing

Search code, repositories, users, issues, pull requests...

Search

Clear

Search syntax tips

Provide feedback

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Saved searches

Use saved searches to filter your results more quickly

Name

Query

To see all available qualifiers, see our documentation.

Appearance settings

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.

Dismiss alert

step-security / harden-runner Public

Notifications You must be signed in to change notification settings
Fork 74
Star 854

Code
Issues 20
Pull requests 18
Discussions
Actions
Projects
Security
Insights

Additional navigation options

Code
Issues
Pull requests
Discussions
Actions
Projects
Security
Insights

Releases: step-security/harden-runner

Releases · step-security/harden-runner

v2.13.0

15 Jul 19:31

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: B5690EEEBB952194

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

Loading

v2.13.0 Latest

Marketplace

Latest

Marketplace

What's Changed

Improved job markdown summary
Https monitoring for all domains (included with the enterprise tier)

Full Changelog: v2...v2.13.0

Assets 2

Loading

Uh oh!

There was an error while loading. Please reload this page.

All reactions

v2.12.2

30 Jun 06:29

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: B5690EEEBB952194

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

Loading

v2.12.2

Marketplace

Marketplace

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com
Bug fixes:

Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
Increased policy map size for block mode

Full Changelog: v2...v2.12.2

Assets 2

Loading

Uh oh!

There was an error while loading. Please reload this page.

All reactions

v2.12.1

11 Jun 14:27

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: B5690EEEBB952194

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

Loading

v2.12.1

Marketplace

Marketplace

What's Changed

Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: v2...v2.12.1

Assets 2

Loading

Uh oh!

There was an error while loading. Please reload this page.

All reactions

v2.12.0

21 Apr 19:06

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: B5690EEEBB952194

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

Loading

v2.12.0

Marketplace

Marketplace

What's Changed

A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.
New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: v2...v2.12.0

Assets 2

Loading

Uh oh!

There was an error while loading. Please reload this page.

jonasbn reacted with thumbs up emoji

All reactions

👍 1 reaction

1 person reacted

v2.11.1

01 Apr 19:16

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: B5690EEEBB952194

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

Loading

v2.11.1

Marketplace

Marketplace

What's Changed

cache: add support for GitHub Actions cache v2 by @h0x0er in #529

Full Changelog: v2...v2.11.1

Contributors

h0x0er

Assets 2

Loading

Uh oh!

There was an error while loading. Please reload this page.

All reactions

v2.11.0

17 Feb 01:42

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: B5690EEEBB952194

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

Loading

v2.11.0

Marketplace

Marketplace

What's Changed

Release v2.11.0 in #498
Harden-Runner Enterprise tier now supports the use of eBPF for DNS resolution and network call monitoring

Full Changelog: v2...v2.11.0

Assets 2

Loading

Uh oh!

There was an error while loading. Please reload this page.

All reactions

v2.10.4

20 Jan 00:34

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: B5690EEEBB952194

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

Loading

v2.10.4

Marketplace

Marketplace

What's Changed

Fixed a potential Harden-Runner post step failure that could occur when printing agent service logs. The fix gracefully handles failures without failing the post step.

Full Changelog: v2...v2.10.4

Assets 2

Loading

Uh oh!

There was an error while loading. Please reload this page.

All reactions

v2.10.3

09 Jan 20:52

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: B5690EEEBB952194

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

Loading

v2.10.3

Marketplace

Marketplace

What's Changed

Fixed an issue where DNS requests using uppercase characters (e.g., EXAMPLE.com) were blocked even when the domain was present in the allowed list. This update standardizes domain names to lowercase for consistent comparison.

Full Changelog: v2...v2.10.3

Assets 2

Loading

Uh oh!

There was an error while loading. Please reload this page.

All reactions

v2.10.2

18 Nov 21:01

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: B5690EEEBB952194

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

Loading

v2.10.2

Marketplace

Marketplace

What's Changed

Fixes low-severity command injection weaknesses
The advisory is here: GHSA-g85v-wf27-67xc
Bug fix to improve detection of whether Harden-Runner is running in a container

Full Changelog: v2...v2.10.2

Assets 2

Loading

Uh oh!

There was an error while loading. Please reload this page.

All reactions

v2.10.1

11 Sep 05:46

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: B5690EEEBB952194

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

Loading

v2.10.1

Marketplace

Marketplace

What's Changed

Release v2.10.1 by @varunsh-coder in #463
Bug fix: Resolves an issue where DNS resolution of .local domains was failing when using a Kind cluster in a GitHub Actions workflow.

Full Changelog: v2...v2.10.1

Contributors

varunsh-coder

Assets 2

Loading

Uh oh!

There was an error while loading. Please reload this page.

All reactions

Previous 1 2 3 4 5 Next

Previous Next

Footer

© 2025 GitHub, Inc.

Footer navigation

Terms
Privacy
Security
Status
Docs
Contact

You can’t perform that action at this time.