Releases: step-security/harden-runner
v2.15.0
What's Changed
Windows and macOS runner support
We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.
Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.
Full Changelog: v2.14.2...v2.15.0
v2.14.2
What's Changed
Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.
Full Changelog: v2.14.1...v2.14.2
v2.14.1
What's Changed
-
In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.
-
Fixed npm audit vulnerabilities
Full Changelog: v2.14.0...v2.14.1
v2.14.0
What's Changed
- Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
- Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.
Full Changelog: v2.13.3...v2.14.0
v2.13.3
What's Changed
- Fixed an issue where process events were not uploaded in certain edge cases.
Full Changelog: v2.13.2...v2.13.3
v2.13.2
What's Changed
- Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
- Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.
Full Changelog: v2.13.1...v2.13.2
v2.13.1
What's Changed
-
Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.
-
Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.
-
Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.
Full Changelog: v2.13.0...v2.13.1
v2.13.0
What's Changed
- Improved job markdown summary
- Https monitoring for all domains (included with the enterprise tier)
Full Changelog: v2...v2.13.0
v2.12.2
What's Changed
Added HTTPS Monitoring for additional destinations - *.githubusercontent.com
Bug fixes:
- Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
- Increased policy map size for block mode
Full Changelog: v2...v2.12.2
v2.12.1
What's Changed
- Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
- Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.
Full Changelog: v2...v2.12.1