GitHub's custom runner images feature (now in public preview) allows organizations to embed StepSecurity's Harden-Runner agent directly into CI runner infrastructure. This eliminates the need to add security steps to individual workflow files, providing automatic runtime protection across all workflows organization-wide. The approach solves key challenges including workflow file proliferation, developer friction, governance gaps, and maintenance overhead. Baked-in and workflow-level Harden-Runner installations coexist without conflict, enabling gradual migration. The result is platform-level CI/CD security that mirrors how modern cloud infrastructure handles security controls.

5m read time. From stepsecurity.io