`step-security/harden-runner`

Ecosystem:
actions

Package URL:
pkg:githubactions/step-security/harden-runner

Total PRs:
8,233 Dependabot PRs

Latest PR:
about 8 hours ago

Unique Repositories:
2,633 repositories

Unique Repos (30 days):
251 repositories

Security Advisories

Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)

GHSA-cpmj-h4f6-r6pq CVE-2026-25598 MODERATE published 4 months ago • updated 2 days ago

## Summary A security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connecti...

Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`

GHSA-g85v-wf27-67xc CVE-2024-52587 LOW published over 1 year ago • updated about 2 months ago

### Summary Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that ...

2.16.0 → 2.19.4 Minor PR

Closed about 8 hours ago 4 comments

ci: bump the actions-minor-patch group across 1 directory with 5 updates

parley-wallet/parley-protocol-spec #11

2.16.1 → 2.19.4 Minor PR

Open 1 day ago 2 comments

deps: Bump the actions group with 3 updates

halostatue/mnemonist #43

2.19.1 → 2.19.4 Patch PR

Open 1 day ago 1 comment

build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.4

utilitywarehouse/vault-kube-cloud-credentials #414

2.19.0 → 2.19.4 Patch PR

Closed 3 days ago 1 comment

chore(ci)(deps): bump step-security/harden-runner from 2.19.1 to 2.19.4

dytsou/intern-corner-scheduler #103

2.19.1 → 2.19.4 Patch PR

Open 3 days ago 2 comments

deps: Bump the actions group with 7 updates

halostatue/fish-chezmoi #68

2.19.1 → 2.19.4 Patch PR

Open 3 days ago 1 comment

chore(deps): bump the github-actions group across 1 directory with 5 updates

OpenAlly/npm-packages #292

2.14.1 → 2.19.4 Minor PR

Open 3 days ago 1 comment

github-actions(deps): bump step-security/harden-runner from 2.4.0 to 2.19.4

SolidWorx/SolidShift #4

2.4.0 → 2.19.4 Minor PR

Open 4 days ago 2 comments

chore(deps): bump the github-actions group across 1 directory with 15 updates

actions-marketplace-validations/afadesigns_zshellcheck #3

2.19.0 → 2.19.4 Patch PR

Open 5 days ago 1 comment

chore(deps): bump step-security/harden-runner from 2.19.3 to 2.19.4

eclipse-tractusx/tractusx-edc #2848

2.19.3 → 2.19.4 Patch PR

Open 6 days ago 1 comment

Bump the actions-updates group across 1 directory with 3 updates

edera-dev/edera-check #140

2.19.1 → 2.19.4 Patch PR

Closed 7 days ago 1 comment

chore(deps): bump step-security/harden-runner from 2.19.3 to 2.19.4

BcryptNet/bcrypt.net #293

2.19.3 → 2.19.4 Patch PR

Open 7 days ago 1 comment

deps(deps): Bump the actions group across 1 directory with 9 updates

mgoodric/security-atlas #723

2.19.3 → 2.19.4 Patch PR

Open 8 days ago 7 comments

chore(deps): bump the github-actions group across 1 directory with 12 updates

afadesigns/zshellcheck #1335

2.19.0 → 2.19.4 Patch PR

Open 8 days ago 1 comment

chore(deps): bump the github-actions-deps group across 1 directory with 3 updates

rudderlabs/rudder-sdk-node #424

2.19.3 → 2.19.4 Patch PR

Open 8 days ago 2 comments

Bump the actions-updates group across 1 directory with 2 updates

edera-dev/edera-check #139

2.19.1 → 2.19.3 Patch PR

Closed 8 days ago 1 comment

chore(deps): bump step-security/harden-runner from 2.14.1 to 2.19.4

milhy545/orchestration #163

2.14.1 → 2.19.4 Minor PR

Open 8 days ago 3 comments

Bump step-security/harden-runner from 2.15.0 to 2.19.4

lance0821/terraform-practice #27

2.15.0 → 2.19.4 Minor PR

Open 9 days ago 1 comment

Bump step-security/harden-runner from 2.19.3 to 2.19.4

JoostFWMaas/AdsorPy #69

2.19.3 → 2.19.4 Patch PR

Open 9 days ago 1 comment

Bump the production-dependencies group across 1 directory with 5 updates

Contrast-Security-OSS/contrast-documentation-rss #22

2.19.1 → 2.19.3 Patch PR

Closed 9 days ago 1 comment

deps: bump step-security/harden-runner from 2.19.3 to 2.19.4

j7an/shared-workflows #70

2.19.3 → 2.19.4 Patch PR

Open 9 days ago 1 comment

deps(deps): bump step-security/harden-runner from 2.19.3 to 2.19.4

markdown-confluence/markdown-confluence #737

2.19.3 → 2.19.4 Patch PR

Closed 9 days ago 4 comments

Bump the dependencies group across 1 directory with 9 updates

oyakh1/hiero-mirror-node--034 #23

2.19.0 → 2.19.4 Patch PR

Closed 9 days ago 1 comment

📦 deps: bump the actions-minor group with 7 updates

CodesWhat/sockguard #73

2.19.1 → 2.19.4 Patch PR

Open 10 days ago 4 comments

build(deps): bump the all group with 3 updates

kubernetes-sigs/cloud-provider-azure #10439

2.19.3 → 2.19.4 Patch PR

Open 10 days ago 3 comments

Chore: bump step-security/harden-runner from 2.19.2 to 2.19.4

onap/portal-ng-bff #92

2.19.2 → 2.19.4 Patch PR

Open 10 days ago 2 comments

chore(deps)(deps): bump step-security/harden-runner from 2.19.1 to 2.19.4

janitor-security/the-janitor #154

2.19.1 → 2.19.4 Patch PR

Open 10 days ago 3 comments

build(deps): Bump step-security/harden-runner from 2.19.1 to 2.19.4

devops-actions/github-copilot-pr-analysis #136

2.19.1 → 2.19.4 Patch PR

Closed 10 days ago 2 comments

Bump step-security/harden-runner from 2.19.1 to 2.19.4

onap/multicloud-framework #9

2.19.1 → 2.19.4 Patch PR

Open 10 days ago 2 comments

Chore(deps): Bump step-security/harden-runner from 2.19.2 to 2.19.4

onap/ci-management #9

2.19.2 → 2.19.4 Patch PR

Open 10 days ago 2 comments

chore(deps): bump step-security/harden-runner from 2.19.3 to 2.19.4

yolo-labz/claude-classroom-submit #26

2.19.3 → 2.19.4 Patch PR

Open 10 days ago 1 comment

Bump step-security/harden-runner from 2.19.1 to 2.19.4

JSPaste/Library #91

2.19.1 → 2.19.4 Patch PR

Open 10 days ago 1 comment

Bump step-security/harden-runner from 2.19.1 to 2.19.4

onap/sdc-onap-ui-angular #9

2.19.1 → 2.19.4 Patch PR

Open 10 days ago 2 comments

:seedling: Bump the github-actions group with 2 updates

open-cluster-management-io/ocm #1542

2.19.3 → 2.19.4 Patch PR

Closed 10 days ago 2 comments

:seedling: Bump the github-actions group across 1 directory with 6 updates

ossf/scorecard #5071

2.19.1 → 2.19.4 Patch PR

Closed 10 days ago 1 comment

Bump the dependencies group across 1 directory with 9 updates

oyakh1/hiero-mirror-node--047 #23

2.19.0 → 2.19.4 Patch PR

Closed 10 days ago 1 comment

chore(deps): Bump the github-actions group with 2 updates

nullvariant/nullvariant-vscode-extensions #517

2.19.3 → 2.19.4 Patch PR

Open 10 days ago 6 comments

Bump step-security/harden-runner from 2.14.1 to 2.19.4

onap/dcaegen2-platform-ves-openapi-manager #6

2.14.1 → 2.19.4 Minor PR

Open 10 days ago 2 comments

chore(deps): bump step-security/harden-runner from 2.19.3 to 2.19.4

kaelys-js/heron #113

2.19.3 → 2.19.4 Patch PR

Open 10 days ago 4 comments

ci: bump the github-actions-minor-patch group with 4 updates

sebastienrousseau/dotfiles #906

2.19.1 → 2.19.4 Patch PR

Closed 10 days ago 5 comments

Bump step-security/harden-runner from 2.9.1 to 2.19.4

cisco-open/AdversaryShield #53

2.9.1 → 2.19.4 Minor PR

Open 10 days ago 1 comment

Bump step-security/harden-runner from 2.19.1 to 2.19.4

onap/dcaegen2 #9

2.19.1 → 2.19.4 Patch PR

Open 10 days ago 2 comments

chore(ci)(deps): bump step-security/harden-runner from 2.19.3 to 2.19.4 in the actions-all group

26zl/StudyWise #456

2.19.3 → 2.19.4 Patch PR

Open 10 days ago 1 comment

build(deps): Bump step-security/harden-runner from 2.19.3 to 2.19.4

FDio/csit #4151

2.19.3 → 2.19.4 Patch PR

Closed 10 days ago 4 comments

build(deps): bump step-security/harden-runner from 2.19.2 to 2.19.4

FelipeFuhr/ffreis-k3s-vagrant #20

2.19.2 → 2.19.4 Patch PR

Open 10 days ago 1 comment

chore(deps): Bump step-security/harden-runner from 2.19.1 to 2.19.4

Takas0522/ComiCal #289

2.19.1 → 2.19.4 Patch PR

Open 10 days ago 1 comment

Bump step-security/harden-runner from 2.19.3 to 2.19.4

Cameron-Lyons/mirt #85

2.19.3 → 2.19.4 Patch PR

Open 10 days ago 1 comment

build(deps): bump the github-actions group across 1 directory with 3 updates

beheoxinh/hsx2agent #4

2.19.1 → 2.19.3 Patch PR

Open 11 days ago 1 comment

chore(actions): bump the actions group with 3 updates

daloyjs/daloy #23

2.19.3 → 2.19.4 Patch PR

Open 11 days ago 1 comment

build(deps): bump step-security/harden-runner from 2.19.3 to 2.19.4

Open-CMSIS-Pack/vidx2pidx #198

2.19.3 → 2.19.4 Patch PR

Open 11 days ago 2 comments

Package Details

Name:	`step-security/harden-runner`
Ecosystem:	actions
PURL Type:	githubactions
Package URL:	`pkg:githubactions/step-security/harden-runner`
JSON API:	View JSON

Security Advisories

5

Active advisories

MODERATE 4

LOW 1

View All githubactions Advisories

Package Information

Description:

Harden-Runner provides runtime security for GitHub-hosted and self-hosted runners

Repository:	https://github.com/step-security/harden-runner
Homepage:	https://www.stepsecurity.io
Latest Release:	`v2.12.0` about 1 year ago
Dependent Repos:	497
Dependent Packages:	0
Ranking:	Top 1.556% by dependent repos Top 0.0% by dependent pkgs

PR Status

Open 3,873 (47.0%)

Merged 1,994 (24.2%)

Closed 2,259 (27.4%)

PR Types

Major 10 (0.1%)

Minor 4,010 (48.7%)

Patch 4,105 (49.9%)

step-security/harden-runner

Security Advisories

Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)

Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`

Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier)

Harden-Runner allows evasion of 'disable-sudo' policy

Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier)

Recent PRs

Package Details

Security Advisories

5

Package Information

PR Status

PR Types

`step-security/harden-runner`