cicd-sensor/cicd-sensor
Open-source eBPF runtime security sensor for GitHub Actions and GitLab CI/CD.
Homepage: https://cicd-sensor.github.io
Language: Go. License: Apache License 2.0. Default branch: main. Topics: ebpf, runtime-security, security, supply-chain-security.
Stars: 173. Forks: 3. Watchers: 1. Open issues: 8. Record updated 2026-06-12 02:04:32.

<!-- markdownlint-disable MD041 -->
> 🚧 **Pre-release: Active development.**
> cicd-sensor is currently in pre-release and under active development. Feedback is very welcome.

<p align="center">
  <img src="cicd-sensor.png" alt="cicd-sensor logo" width="160">
</p>
<h1 align="center">cicd-sensor</h1>
<p align="center"><strong>Think EDR, but for CI/CD Pipelines.</strong><br>Open-source eBPF-powered runtime security sensor for GitHub Actions and GitLab CI/CD.<br>→ <a href="https://cicd-sensor.github.io/">Full documentation</a></p>

<p align="center">
  <a href="LICENSE"><img src="https://img.shields.io/badge/License-Apache%202.0-blue.svg" alt="License"></a>
  <img src="https://img.shields.io/badge/Language-Go-00ADD8?logo=go" alt="Language">
  <img src="https://img.shields.io/badge/Platform-Linux-FCC624?logo=linux" alt="Platform">
  <img src="https://img.shields.io/badge/Open%20Source-Yes-brightgreen" alt="Open Source">
</p>

<hr>

## Demo

<div align="center">
  <table>
    <tr><td>
      <img src="docs/assets/demo.gif" alt="cicd-sensor GitHub Actions demo" width="560">
    </td></tr>
  </table>
  <sub>Example: cicd-sensor added to a GitHub Actions workflow. The resulting reports are viewable in the GitHub job summary.</sub>
</div>

## What cicd-sensor does

When a compromised dependency in a CI/CD job steals your cloud credentials and leaks them, would you catch it? Would you have the logs to investigate afterward? cicd-sensor is an open-source sensor that lets every team answer both.

**Detection:** Detects supply-chain attacks at runtime using process ancestry (e.g. credential access from a process descended from `npm install`) and correlation across signals (e.g. multiple credential categories read in one job). Baseline rules target patterns seen in real CI/CD attacks, and are opt-out: turn them off if you only want the logs and evidence below.

**Logs and evidence:** Per run, cicd-sensor can emit logs for review, alerting, and forensics, routed through cicd-sensor Manager to cloud sinks like S3, GCS, and Pub/Sub. The cicd-sensor-action can also produce a graphical report and a build attestation per run. Your data stays under your control. cicd-sensor never sends anything to servers operated by the cicd-sensor project.

## Quick start

On GitHub-hosted runners, add the cicd-sensor action as the first step in your workflow.

```yaml
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: cicd-sensor/cicd-sensor-action@1935de498397aa7b9bf6ac7ca822ddb430a34843 # v0.0.31
```

For self-hosted GitHub Actions or GitLab CI/CD, see the [User Guide](https://cicd-sensor.github.io/user-guide/overview.html).

## Why CI/CD runtime needs this

CI/CD pipelines build, release, deploy, and manage cloud infrastructure, and they hold the cloud credentials, signing keys, and registry tokens to do it. Supply-chain attackers run inside those jobs and disappear with the evidence when the job ends.

Most other runtimes have their open-source defenders: Falco, Tetragon, Tracee, Wazuh, OSQuery. Open-source coverage for CI/CD runtime has lagged behind. Sigstore proved *where* and *how* artifacts were built; cicd-sensor preserves *what actually ran* so teams can detect, respond, and audit.

## Feature comparison

| Capability | cicd-sensor | Harden-Runner (Free) | Comment |
| --- | --- | --- | --- |
| **Licensing & deployment** | | | |
| Open source | ✅ Yes | ✅ Yes | |
| No SaaS required | ✅ Yes | ❌ No | |
| **Platform coverage** | | | |
| Private repos | ✅ Yes | ❌ No | |
| Self-hosted runners | ✅ Yes | ❌ No | Enforcing self-hosted runners enables organization-wide log collection across every job. |
| GitHub Actions support | ✅ Yes | ✅ Yes | |
| GitLab CI/CD support | ✅ Yes | ❌ No | |
| **Capabilities** | | | |
| Detection rules | ✅ Yes | ✅ Yes | |
| Flexible custom rules | ✅ Yes | 🔶 Limited | cicd-sensor rules cover process ancestry, file access, and correlation across signals; Harden-Runner is mainly a network egress allowlist. |
| Network blocking | 🔶 Partial | ✅ Yes | cicd-sensor kills the process and stops the job on detection instead of filtering traffic like a firewall. |
| Log export | ✅ Yes | ❌ No | |

<sub>This table compares the free version of Harden-Runner. StepSecurity's paid platform adds more, such as private repository and self-hosted runner support, dashboards, and policy management.</sub>

<sub>Based on public information as of May 2026. Corrections welcome.</sub>

## Supported CI/CD pipelines

| Platform | Environment | Status |
| --- | --- | --- |
| GitHub Actions | GitHub-hosted runner | ✅ Supported |
| GitHub Actions | Self-hosted Machine Runner | ✅ Supported |
| GitHub Actions | Actions Runner Controller on Kubernetes | 🚧 Planned |
| GitLab CI/CD | Self-hosted Docker executor | ✅ Supported |
| GitLab CI/CD | Self-hosted Kubernetes executor | 🚧 Planned |
| GitLab CI/CD | GitLab-hosted runner | ❌ Not supported (technical constraints) |

Works on both public and private repositories, with no third-party SaaS dependency.

Linux kernel: 5.15 or later on `amd64`, 6.1 or later on `arm64`.

## Rules

cicd-sensor ships with a set of baseline rules. See the [Baseline Rules guide](https://cicd-sensor.github.io/user-guide/baseline-rules.html) for how they work; the rule definitions themselves live in [`rules/`](rules/). You can also write your own rules, or turn the baseline off entirely.

## Documentation

- [Getting Started](https://cicd-sensor.github.io/): what cicd-sensor is and how to start.
- [User Guide](https://cicd-sensor.github.io/user-guide/overview.html): deployment paths for GitHub Actions and GitLab CI/CD.
- [Rules](https://cicd-sensor.github.io/user-guide/rules.html): write detection, collection, and correlation rules.
- [Logging](https://cicd-sensor.github.io/user-guide/logging.html): log format delivered by the manager.
- [Attestation predicate](https://cicd-sensor.github.io/user-guide/attestation-predicate.html): runtime-trace predicate for CI/CD runtime evidence.
- [Developer Guide](https://cicd-sensor.github.io/developer-guide/overview.html): agent, eBPF runtime, manager, and rule engine internals.

## About the project

> [!NOTE]
> **About the creator:** cicd-sensor is a vendor-neutral open-source project, created and maintained by [Hiroki Suezawa (@rung)](https://www.suezawa.net), author of the [Common Threat Matrix for CI/CD Pipeline](https://github.com/rung/threat-matrix-cicd), contributor to the [OWASP Top 10 CI/CD Security Risks](https://owasp.org/www-project-top-10-ci-cd-security-risks/), and early contributor to [OSC&R / pbom.dev](https://pbom.dev/). cicd-sensor was started as an individual project to stay close to the open-source community that is on the receiving end of supply-chain attacks.

A read-only official mirror is published at [gitlab.com/cicd-sensor/cicd-sensor](https://gitlab.com/cicd-sensor/cicd-sensor). GitHub is the canonical source; the GitLab mirror is synced periodically.

## License

Apache License 2.0 ([LICENSE](LICENSE)). BPF source under `internal/agent/bpf/` is dual-licensed `GPL-2.0-only OR BSD-2-Clause` ([details](internal/agent/bpf/README.md#licensing)).