Introduction
Welcome to the StepSecurity Documentation hub!
Here, you'll find all the information you need to get started with StepSecurity, implement its powerful features, and manage your security operations efficiently. Our documentation is designed to help you navigate the platform effortlessly and maximize your use of StepSecurity's tools.
What is StepSecurity?
StepSecurity detects, prevents, and responds to software supply chain attacks across three critical surfaces: developer environments, code repositories, and CI/CD pipelines.
It works by deploying lightweight agents and automated checks at each stage of your development lifecycle:
On CI/CD runners, the Harden-Runner agent uses eBPF to monitor every outbound network call, file write, and process execution, correlating each event to the specific workflow step that triggered it.
On code repositories, automated checks block compromised npm packages and enforce security best practices through pull requests.
On developer machines, a lightweight script inventories AI coding agents, IDE extensions, and local packages to catch threats before they reach your pipelines.
Documentation by Product Area
CI/CD Security (this site): Harden-Runner runtime protection, GitHub Checks, automated remediation, Actions governance, and workflow run policies for GitHub Actions pipelines.
OSS Supply Chain Security: Cooldown policies, compromised package detection, enterprise-wide package search, threat intelligence, and incident response for package dependencies.
Dev Machine Guard: Device inventory, IDE extension governance, local dependency monitoring, and AI coding agent visibility for developer machines.
Trusted by Leading Open-Source Projects & Enterprises
Harden-Runner, one of StepSecurity's core solutions, is trusted by 13,000+ open-source projects and enterprises, including industry giants like Microsoft, Google, Kubernetes, and more.
Recent supply chain attacks detected by Harden-Runner
Customer case studies
See every incident StepSecurity has caught in the wild: View All Incidents →
