[pull] main from step-security:main

README.md

@@ -22,6 +22,8 @@ Traditional security monitoring and EDR solutions are ineffective for CI/CD runn
 StepSecurity Harden-Runner addresses this gap by providing security monitoring tailored for CI/CD runners, with support for Linux, Windows, and macOS runners. This approach brings CI/CD runners under the same level of security scrutiny as other critical systems, addressing a significant gap in the software supply chain.
 ### Harden-Runner: Security Incidents Detected
 
+- [Harden-Runner Detected the Compromised axios npm Package Dropping a Remote Access Trojan](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan) ([backstage/backstage#33693](https://github.com/backstage/backstage/issues/33693), [block/elasticgraph#1103](https://github.com/block/elasticgraph/issues/1103))
+- [Harden-Runner Detected the Trivy Compromise with Malicious v0.69.4 Release](https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release) ([k8gb-io/k8gb#2294](https://github.com/k8gb-io/k8gb/issues/2294))
 - [Harden-Runner Detected the tj-actions/changed-files compromise](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) ([CVE-2025-30066](https://github.com/advisories/GHSA-mrrh-fwg8-r2c3))
 - [Harden Runner Detected the Sha1-Hulud Supply Chain Attack in CNCF’s Backstage Repository](https://www.stepsecurity.io/blog/how-harden-runner-detected-the-sha1-hulud-supply-chain-attack-in-cncfs-backstage-repository)
 - [Harden-Runner Detected the NX Build System compromise](https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware)
@@ -32,7 +34,7 @@ StepSecurity Harden-Runner addresses this gap by providing security monitoring t
 - [Harden-Runner Flagged an Anomalous Outbound Call, Leading to a Docker Documentation Update](https://www.stepsecurity.io/blog/harden-runner-flags-anomalous-outbound-call-leading-to-docker-documentation-update)
 
 ### See It in Action
-Harden-Runner secures over **18 million CI/CD workflow runs every week**, protecting thousands of pipelines, including those from popular open-source projects by **Microsoft, Google, and CISA**. See how top projects are using Harden-Runner and explore the insights:  
+Harden-Runner secures over **25 million CI/CD workflow runs every week**, protecting thousands of pipelines, including those from popular open-source projects by **Microsoft, Google, and CISA**. See how top projects are using Harden-Runner and explore the insights:  
 ➡️ [Who's using Harden-Runner?](https://docs.stepsecurity.io/whos-using-harden-runner)
 
 ## Quick Links
@@ -70,7 +72,7 @@ To integrate Harden-Runner, follow these steps:
    ```yaml
    steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+       uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
        with:
          egress-policy: audit
 
@@ -149,19 +151,19 @@ Harden-Runner is trusted by over 11,000 leading open-source projects and enterpr
 
 ### Enterprise Case Studies
 
+- [How Mercari Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/mercari)
+- [How Omnissa Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/omnissa)
+- [Chainguard Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/chainguard)
 - [How Coveo Strengthened GitHub Actions Security with StepSecurity](https://www.stepsecurity.io/case-studies/coveo)
 - [Hashgraph Achieves Comprehensive CI/CD Security Without Compromising Development Speed](https://www.stepsecurity.io/case-studies/hashgraph)
-- [Chainguard Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/chainguard)
-- [Kapiche secures their GitHub Actions software supply chain with Harden-Runner](https://www.stepsecurity.io/case-studies/kapiche)
-- [Arcjet Enhances CI/CD Security with Harden-Runner](https://www.stepsecurity.io/case-studies/arcjet)
 
 ---
 
 ## Environment Compatibility Matrix
 
 Harden-Runner is designed to work seamlessly across a variety of runner environments, providing consistent security insights and protections regardless of where your workflows execute. For self-hosted runners, audit mode is deployed directly to the runner infrastructure without requiring any changes to your existing workflows. For more details, refer to the [official documentation](https://docs.stepsecurity.io/harden-runner).
 
-| Environment Type | Compatibility | Audit Mode Deployment | Workflow Changes for Audit Mode |
+| Environment Type | Compatibility | Audit Mode Deployment | Workflow Changes for Audit/Block Mode |
 |------------------|---------------|--------------------------|-------------------|
 | GitHub-hosted runners (Linux) | ✅ Full support | Add Harden-Runner Action to workflow | Yes |
 | GitHub-hosted runners (Windows, macOS) | ✅ Audit mode only | Add Harden-Runner Action to workflow | Yes |

action.yml

@@ -40,6 +40,10 @@ inputs:
     description: "Set to true to fetch policy from the policy store using the API key. This is the preferred method over the policy input which requires id-token: write permission. Policies can be defined and attached at workflow, repo, org, or cluster (for ARC) level in the policy store. The most granular policy will apply."
     required: false
     default: "false"
+  deploy-on-self-hosted-vm:
+    description: "Set to true to deploy the Harden Runner agent directly on a self-hosted runner VM (Linux only). The recommended approach for self-hosted VMs is to bake the agent into the VM image; see docs.stepsecurity.io. Use this option only if baking is not possible, and only for ephemeral runners."
+    required: false
+    default: "false"
 
 branding:
   icon: "check-square"

dist/index.js

@@ -31910,6 +31910,9 @@ function isAgentInstalled(platform) {
             return false;
     }
 }
+function shouldDeployAgentOnSelfHosted(deployOnSelfHostedVm, isContainer, agentAlreadyInstalled) {
+    return deployOnSelfHostedVm && !isContainer && !agentAlreadyInstalled;
+}
 function utils_getAnnotationLogs(platform) {
     switch (platform) {
         case "linux":

dist/post/index.js

@@ -31916,6 +31916,9 @@ function isAgentInstalled(platform) {
             return false;
     }
 }
+function shouldDeployAgentOnSelfHosted(deployOnSelfHostedVm, isContainer, agentAlreadyInstalled) {
+    return deployOnSelfHostedVm && !isContainer && !agentAlreadyInstalled;
+}
 function getAnnotationLogs(platform) {
     switch (platform) {
         case "linux":

src/checksum.ts

@@ -4,8 +4,8 @@ import * as fs from "fs";
 
 const CHECKSUMS = {
   tls: {
-    amd64: "d4b80f15758bb950787000e802cc58a565919a8cb9ecf405777b304ef42911fe", // v1.7.15
-    arm64: "3c224ea1da1776d1ba9f70b8dd8f0d8432230a7c2d464bca84bbdee8b7d46f6c",
+    amd64: "86d042adcdc03eb1ea50d35d265da47622a6d0aedef9657f84ce1eb7f04d6057", // v1.8.0
+    arm64: "ea1074a2358d50db9a9fe18ae3971b87305cda63f262c494a5f43b25f4e524ce",
   },
   non_tls: {
     amd64: "4aaaeebbe10e619d8ce13e8cc4a1acbafc8f891e8cdd319984480b9ec08407b8", // v0.15.0

src/install-agent.ts

@@ -26,7 +26,7 @@ export async function installAgent(
 
   if (isTLS) {
     downloadPath = await tc.downloadTool(
-      `https://github.com/step-security/agent-ebpf/releases/download/v1.7.15/harden-runner_1.7.15_linux_${variant}.tar.gz`,
+      `https://github.com/step-security/agent-ebpf/releases/download/v1.8.0/harden-runner_1.8.0_linux_${variant}.tar.gz`,
       undefined,
       auth
     );

src/interfaces.ts

@@ -17,6 +17,7 @@ export interface Configuration {
   one_time_key: string;
   api_key: string;
   use_policy_store: boolean;
+  deploy_on_self_hosted_vm: boolean;
 }
 
 export interface PolicyResponse {

src/policy-utils.test.ts

@@ -45,6 +45,7 @@ test("merge configs", async () => {
     one_time_key: "",
     api_key: "",
     use_policy_store: false,
+    deploy_on_self_hosted_vm: false,
   };
   let policyResponse: PolicyResponse = {
     owner: "h0x0er",
@@ -75,6 +76,7 @@ test("merge configs", async () => {
     one_time_key: "",
     api_key: "",
     use_policy_store: false,
+    deploy_on_self_hosted_vm: false,
   };
 
   localConfig = mergeConfigs(localConfig, policyResponse);
@@ -314,6 +316,7 @@ test("mergeConfigs does not override local allowed_endpoints if not empty", () =
     one_time_key: "",
     api_key: "",
     use_policy_store: false,
+    deploy_on_self_hosted_vm: false,
   };
   let policyResponse: PolicyResponse = {
     allowed_endpoints: ["remote.endpoint:443"],
@@ -345,6 +348,7 @@ test("mergeConfigs overrides disable_sudo_and_containers from remote", () => {
     one_time_key: "",
     api_key: "",
     use_policy_store: false,
+    deploy_on_self_hosted_vm: false,
   };
   let policyResponse: PolicyResponse = {
     allowed_endpoints: [],
@@ -375,6 +379,7 @@ test("mergeConfigs does not override fields when remote values are undefined", (
     one_time_key: "",
     api_key: "",
     use_policy_store: false,
+    deploy_on_self_hosted_vm: false,
   };
   let policyResponse: PolicyResponse = {
     allowed_endpoints: [],