Releases: step-security/harden-runner
v2.14.0
What's Changed
- Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
- Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.
Full Changelog: v2.13.3...v2.14.0
v2.13.3
What's Changed
- Fixed an issue where process events were not uploaded in certain edge cases.
Full Changelog: v2.13.2...v2.13.3
v2.13.2
What's Changed
- Fixed an issue where there was a limit of 512 allowed endpoints when using the block egress policy. This restriction has been removed, allowing an unlimited number of endpoints to be configured.
- Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.
Full Changelog: v2.13.1...v2.13.2
v2.13.1
What's Changed
- Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.
- Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.
- Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.
Full Changelog: v2.13.0...v2.13.1
v2.13.0
What's Changed
- Improved job markdown summary
- HTTPS monitoring for all domains (included with the enterprise tier)
Full Changelog: v2...v2.13.0
v2.12.2
What's Changed
- Added HTTPS monitoring for additional destinations: *.githubusercontent.com
Bug fixes:
- Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
- Increased policy map size for block mode
Full Changelog: v2...v2.12.2
v2.12.1
What's Changed
- Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
- Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.
Full Changelog: v2...v2.12.1
v2.12.0
What's Changed
- A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.
- New detections have been added based on insights from the tj-actions and reviewdog actions incidents.
Full Changelog: v2...v2.12.0
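As an added illustration, not taken from the release notes or the project's own documentation, the following workflow step shows how the disable-sudo-and-containers option from v2.12.0 is combined with the block egress policy mentioned in v2.13.2. The input names egress-policy and allowed-endpoints are the action's documented inputs; the endpoint list and the build step are a constructed sample.

```yaml
# Added example: a hardened job using the options named in these release notes.
# The endpoints below are a constructed sample; replace them with the
# destinations your job actually needs.
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          # Block all egress except the listed endpoints (v2.13.2 removed the 512-endpoint cap).
          egress-policy: block
          # Replaces the older disable-sudo policy; also blocks Docker-based
          # privilege escalation (CVE-2025-32955).
          disable-sudo-and-containers: true
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
      - run: npm ci
```

Because the option disables containers as well as sudo, a job that relies on Docker will fail under it; start with egress-policy set to audit and the job summary produced by the action before switching to block, so the allowed-endpoints list is built from observed traffic rather than guesswork.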
v2.11.1
What's Changed
Full Changelog: v2...v2.11.1
v2.11.0
What's Changed
Release v2.11.0 in #498
- Harden-Runner Enterprise tier now supports the use of eBPF for DNS resolution and network call monitoring
Full Changelog: v2...v2.11.0