A First Look at Harden-Runner: The Must-Have GitHub Action To Prevent Supply Chain Attacks
The what, why, and how

∘ What is a Supply Chain Attack?
∘ What is Harden-Runner?
∘ Why Do We Need Harden-Runner?
∘ How to Use Harden-Runner?
∘ Step 1: Add Harden-Runner GitHub Action to your workflow
∘ Step 2: Add the recommended outbound endpoints to your workflow
∘ Harden-Runner Verification
∘ Limitations of Harden-Runner
∘ Summary
What is a Supply Chain Attack?
Supply chain attacks are an emerging threat that targets software developers and suppliers. The goal is to gain access to source code, build processes, or update mechanisms and to infect legitimate applications so that they distribute malware.
In the recent past, there has been a sharp rise in software supply chain attacks, where the software being consumed is tampered with to infiltrate organizations. Per the 2021 State of the Software Supply Chain report published by Sonatype, 216 software supply chain attacks were recorded from February 2015 to June 2019.
Then, from July 2019 to May 2020, the number rose to 929 attacks. In the past year, such attacks represented a 650% year over year (YoY) increase.