Why do I need to harden self-hosted runners?

Default installations often have root access and unrestricted network paths, making them prime targets for supply chain attacks and lateral movement.

Can I use this with any cloud provider?

Yes, the hardening patterns apply to runners hosted on AWS, GCP, Azure, or on-premises infrastructure.

What specific areas does this skill cover?

It covers OS-level security, network isolation, credential protection, and detailed audit logging based on AEL enforcement patterns.

How does this skill improve CI/CD security?

By reducing the attack surface of the runner host and preventing workflows from accessing sensitive internal metadata or unauthorized network segments.

GitHub Self-Hosted Runner Hardening

Name: GitHub Self-Hosted Runner Hardening
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

Security & Testing

Secures self-hosted GitHub Actions runners using OS-level hardening, network isolation, and credential protection to prevent infrastructure compromise.

About

This skill provides a comprehensive security framework for self-hosted GitHub Actions runners, addressing the inherent risks of default installations that often include root access and unrestricted network paths. It guides developers and DevOps engineers through implementing critical defense-in-depth layers, including restricted network access, filesystem protection, and audit logging. By automating the application of security best practices from the Adaptive Enforcement Lab (AEL), it helps organizations prevent lateral movement and credential theft within their CI/CD pipelines, turning vulnerable runners into hardened, production-ready infrastructure.

Key Features

Comprehensive audit logging and monitoring setup
OS-level security configuration and hardening
Filesystem persistence and ephemeral runner guidance
Network isolation and perimeter defense strategies
0 GitHub stars
Credential protection and ambient token mitigation

Use Cases

Implementing defense-in-depth for high-compliance build environments
Securing private runners for enterprise CI/CD pipelines
Hardening cloud-hosted runners against metadata endpoint attacks

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills self-hosted-runner-hardening

For use in Claude.ai and ChatGPT

Download Skill

GitHub