step-security · varunsh-coder · Feb 28, 2026 · Feb 28, 2026 · Feb 28, 2026 · Feb 28, 2026
diff --git a/README.md b/README.md
@@ -19,7 +19,7 @@ Corporate laptops and production servers typically have robust security monitori
 
 Traditional security monitoring and EDR solutions are ineffective for CI/CD runners due to their ephemeral nature. These tools also lack the necessary context to correlate events with specific workflow runs in a CI/CD environment.
 
-StepSecurity Harden-Runner addresses this gap by providing security monitoring tailored for CI/CD runners. This approach brings CI/CD runners under the same level of security scrutiny as other critical systems, addressing a significant gap in the software supply chain.
+StepSecurity Harden-Runner addresses this gap by providing security monitoring tailored for CI/CD runners, with support for Linux, Windows, and macOS runners. This approach brings CI/CD runners under the same level of security scrutiny as other critical systems, addressing a significant gap in the software supply chain.
 ### Harden-Runner: Security Incidents Detected
 
 - [Harden-Runner Detected the tj-actions/changed-files compromise](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) ([CVE-2025-30066](https://github.com/advisories/GHSA-mrrh-fwg8-r2c3))
@@ -138,7 +138,7 @@ Explore the full feature set in the [Features Documentation](https://docs.stepse
 
 ## Trusted By and Case Studies
 
-Harden-Runner is trusted by over 8000 leading open-source projects and enterprises, including Microsoft, Google, Kubernetes, and more.
+Harden-Runner is trusted by over 11,000 leading open-source projects and enterprises, including Microsoft, Google, Kubernetes, and more.
 
 ### Trusted by
 
@@ -163,7 +163,8 @@ Harden-Runner is designed to work seamlessly across a variety of runner environm
 
 | Environment Type | Compatibility | Audit Mode Deployment | Workflow Changes for Audit Mode |
 |------------------|---------------|--------------------------|-------------------|
-| GitHub-hosted runners | ✅ Full support | Add Harden-Runner Action to workflow | Yes |
+| GitHub-hosted runners (Linux) | ✅ Full support | Add Harden-Runner Action to workflow | Yes |
+| GitHub-hosted runners (Windows, macOS) | ✅ Audit mode only | Add Harden-Runner Action to workflow | Yes |
 | Self-hosted VM runners | ✅ Full support | Include agent in runner image | No |
 | Self-hosted bare-metal runners | ✅ Full support | Install agent as a service | No |
 | Actions Runner Controller (ARC) | ✅ Full support | Deploy as DaemonSet | No |

diff --git a/dist/index.js b/dist/index.js
@@ -32029,6 +32029,7 @@ const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.
 const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
 const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
+const ARM64_WINDOWS_RUNNER_MESSAGE = "Windows ARM runners are not yet supported by Harden-Runner.";
 
 ;// CONCATENATED MODULE: external "node:fs"
 const external_node_fs_namespaceObject = require("node:fs");

diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/dist/post/index.js b/dist/post/index.js
@@ -32034,6 +32034,7 @@ const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.
 const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
 const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
+const ARM64_WINDOWS_RUNNER_MESSAGE = "Windows ARM runners are not yet supported by Harden-Runner.";
 
 // EXTERNAL MODULE: external "path"
 var external_path_ = __nccwpck_require__(6928);
@@ -32350,6 +32351,10 @@ function handleWindowsCleanup() {
             console.log("Windows post step already executed, skipping");
             return;
         }
+        if (process.arch === "arm64") {
+            console.log(ARM64_WINDOWS_RUNNER_MESSAGE);
+            return;
+        }
         const p = external_child_process_.spawn("powershell.exe", [
             "-NoProfile",
             "-NonInteractive",

diff --git a/dist/post/index.js.map b/dist/post/index.js.map
diff --git a/dist/pre/index.js b/dist/pre/index.js
diff --git a/dist/pre/index.js.map b/dist/pre/index.js.map
diff --git a/osv-scanner.toml b/osv-scanner.toml
@@ -8,4 +8,8 @@ reason = "Untrusted headers are not processed"
 
 [[IgnoredVulns]]
 id = "GHSA-xx4v-prfh-6cgc"
-reason = "Untrusted headers are not processed"
+reason = "Untrusted headers are not processed"
+
+[[IgnoredVulns]]
+id = "GHSA-g9mf-h72j-4rw9"
+reason = "undici fetch() is only used to call GitHub API; exploitation requires a malicious server"
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/checksum.ts b/src/checksum.ts
@@ -8,7 +8,7 @@ const CHECKSUMS = {
     arm64: "f9192788e86b2e44b795f072e8cc03eec9852649609aeedac0761d3b67c991fa",
   },
   non_tls: {
-    amd64: "23715f2485c16e2a2ad116abf0fe8443788c62e4f5f224c5858b0b41b591fc89", // v0.14.3
+    amd64: "1531bda40026b799b0704d0f775c372653a91fe436628fa8b416849d9c0707a8", // v0.14.4
   },
   darwin: "797399a3a3f6f9c4c000a02e0d8c7b16499129c9bdc2ad9cf2a10072c10654fb", // v0.0.4
   windows: {

diff --git a/src/cleanup.ts b/src/cleanup.ts
@@ -204,6 +204,11 @@ async function handleWindowsCleanup() {
     return;
   }
 
+  if (process.arch === "arm64") {
+    console.log(common.ARM64_WINDOWS_RUNNER_MESSAGE);
+    return;
+  }
+
   const p = cp.spawn(
     "powershell.exe",
     [

diff --git a/src/common.ts b/src/common.ts
@@ -145,3 +145,6 @@ export const ARC_RUNNER_MESSAGE =
 
 export const ARM64_RUNNER_MESSAGE =
   "ARM runners are not supported in the Harden-Runner community tier.";
+
+export const ARM64_WINDOWS_RUNNER_MESSAGE =
+  "Windows ARM runners are not yet supported by Harden-Runner.";
diff --git a/src/install-agent.ts b/src/install-agent.ts
@@ -5,7 +5,7 @@ import * as path from "path";
 import * as fs from "fs";
 import { verifyChecksum } from "./checksum";
 import { EOL } from "os";
-import { ARM64_RUNNER_MESSAGE } from "./common";
+import { ARM64_RUNNER_MESSAGE, ARM64_WINDOWS_RUNNER_MESSAGE } from "./common";
 import { chownForFolder } from "./utils";
 
 export async function installAgent(
@@ -36,7 +36,7 @@ export async function installAgent(
       return false;
     }
     downloadPath = await tc.downloadTool(
-      "https://github.com/step-security/agent/releases/download/v0.14.3/agent_0.14.3_linux_amd64.tar.gz",
+      "https://github.com/step-security/agent/releases/download/v0.14.4/agent_0.14.4_linux_amd64.tar.gz",
       undefined,
       auth
     );
@@ -157,7 +157,7 @@ export async function installWindowsAgent(configStr: string): Promise<boolean> {
 
   const variant = process.arch === "x64" ? "amd64" : "arm64";
   if (variant === "arm64") {
-    console.log(ARM64_RUNNER_MESSAGE);
+    console.log(ARM64_WINDOWS_RUNNER_MESSAGE);
     return false;
   }