GitHub Action · CI/CD Hardening

Legion Runner

Harden Your CI/CD Runners

A drop-in GitHub Action that monitors and controls network traffic, attributes connections to processes with eBPF, and detects file tampering. Defense-in-depth for GitHub-hosted and self-hosted runners against supply-chain attacks and compromised dependencies.

Add to your workflowView SourceBack to WRAITH
Latest releaseGitHub ActionsLinux · eBPF

What It Does

Network, process, and file-integrity controls that turn an open CI runner into a locked-down, observable environment.

Egress Monitoring & Blocking

Audit every outbound connection, or enforce a default-deny allowlist with domain-based rules to stop data exfiltration mid-build.

eBPF Process Attribution

A Rust/aya eBPF agent ties each network connection to the exact process that opened it, so you see what really phoned home.

File Tamper Detection

Snapshots and monitors sensitive files (~/.ssh, ~/.npmrc, .git configs, and your source) and flags changes during the run.

Dynamic DNS Allowlisting

Allow rotating CDN and cloud endpoints by domain without hardcoding IPs, so the allowlist resolves and adapts at runtime.

Ecosystem Presets

Curated allowlists for npm, pip, cargo and more get you a working default-deny policy in one line instead of an audit slog.

Self-Contained

A pure Node.js core with optional Rust binaries fetched on demand, with no external services or vendored dependencies.

Legion Runner, the Rust system-protector agent
Built in Rust

Watching at the kernel, memory-safe by design.

The capture layer is pure Rust. An eBPF agent built on aya hooks the socket layer to attribute every connection to its process, while a Rust file-integrity binary snapshots and watches the paths that matter, with no garbage collector, no vendored packages, no external services.

  • eBPF socket capture: ties each connection to the exact process that opened it.
  • Rust FIM binary: tamper detection for ~/.ssh, ~/.npmrc, .git configs, and source.
  • Fetched on demand: the action core is dependency-free Node.js; binaries load only when needed.

Add It To Your Workflow

Drop it in as the first step, before checkout, so the controls are live for the rest of the job. Pin to the v1 major tag for automatic patch updates.

steps:
  - uses: OpenSource-For-Freedom/legion_runner@v1
    with:
      egress-policy: block
      allowed-presets: cargo

  - uses: actions/checkout@v6
  - run: ./build.sh
InputDefaultPurpose
egress-policyauditaudit (monitor) or block (deny-by-default)
allowed-endpointsnoneHost/port entries permitted in block mode
allowed-presetsnoneCurated ecosystem allowlists (npm, pip, cargo…)
file-integrityautoTamper detection for sensitive files
ebpfautoSocket-layer capture via the Rust/aya agent
View on MarketplaceRead the Docs