Open Source • CI/CD Security

Runner Guard

Source-to-sink vulnerability scanner for GitHub Actions workflows. Detects injection paths, AI config hijacking, and supply chain steganography in your CI/CD pipelines - before they become breaches.

18 Detection Rules • Go Single Binary • SARIF Output Format • 0 Dependencies

The Attack That Changed Everything

On March 1, 2026, an autonomous AI agent compromised multiple high-profile open-source projects in under 20 minutes - using misconfigured CI/CD pipelines. The attack exploited pull_request_target workflows that checked out fork code in privileged contexts, exfiltrating Personal Access Tokens through repository secrets. Runner Guard catches the exact vulnerability class that made it possible.

Supply Chain Steganography: GlassWorm

The GlassWorm campaign compromised 433+ components across GitHub, npm, and VS Code/OpenVSX using invisible Unicode characters - variation selectors, zero-width spaces, tag characters - to encode executable payloads hidden from code review, terminals, and even git diff. The decoded ZOMBI module performed credential harvesting, crypto wallet theft, and blockchain-based C2. Runner Guard detects this attack class at the byte level.

See It In Action

Built-in demo scenarios demonstrate each attack class against realistic vulnerable workflows.

Demo Scenario

Fork Checkout Kill Chain

The most common CI/CD pipeline attack: a pull_request_target workflow checks out fork code in the privileged base repository context, giving an attacker's build scripts full access to repository secrets.

Rules: RGS-001, RGS-007, RGS-009, RGS-012

runner-guard demo --scenario fork-checkout

Demo Scenario

Expression Injection (Microsoft/Akri Pattern)

Modeled after the real-world vulnerability in Microsoft's Akri project. An issue_comment trigger interpolates attacker-controlled data directly into shell run blocks without sanitization.

Rules: RGS-002, RGS-004, RGS-006, RGS-008

runner-guard demo --scenario microsoft

Demo Scenario

AI Configuration Injection

A novel attack surface that Runner Guard is unique in detecting. When a fork checkout runs in a privileged context, an attacker can modify AI agent configuration files to hijack AI code review agents.

Rules: RGS-010, RGS-011

runner-guard demo --scenario ai-injection

Demo Scenario

GlassWorm Supply Chain Attack

Detection of the GlassWorm campaign's invisible Unicode steganography technique that compromised 433+ components across GitHub, npm, and VS Code/OpenVSX.

Rules: RGS-016, RGS-018

runner-guard demo --scenario glassworm

Four-Stage Analysis Pipeline

Runner Guard traces attacker-controlled inputs through your workflows from source to sink, catching vulnerabilities that static linters miss.

1. Parser: Builds structured representation of YAML workflow files, matrix strategies, and composite actions

2. Source-to-Sink Tracker: Identifies and traces tainted data flows from attacker-controlled inputs to dangerous sinks

3. Rule Engine: Evaluates 18 YAML-defined rules with updatable threat signatures against parsed workflows

4. Reporter: Outputs findings in console, JSON, and SARIF formats for GitHub Code Scanning
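
The source-to-sink idea from stage 2, reduced to one case as an added example (this is not Runner Guard's code): attacker-controlled GitHub contexts are the sources, the shell text of a run: step is the sink, and the same expression moved into an env mapping is not reported. The line-based YAML handling and the two sample steps are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sources: attacker-controlled GitHub contexts named in the rule list.
var tainted = regexp.MustCompile(`\$\{\{\s*(github\.(head_ref|event\.(issue|comment|pull_request|head_commit)\.(title|body|message|head\.ref)))\s*\}\}`)

// TaintedInRun returns "line: context" for each tainted expression that
// reaches a shell sink, i.e. sits on a run: line or inside its block scalar.
func TaintedInRun(workflow string) []string {
	var hits []string
	runIndent := -1 // column of the current run: key, -1 when outside one
	for n, line := range strings.Split(workflow, "\n") {
		key := strings.TrimLeft(line, " -") // drop indentation and list dash
		indent := len(line) - len(key)
		if strings.HasPrefix(key, "run:") {
			runIndent = indent
		} else if key != "" && indent <= runIndent {
			runIndent = -1 // dedent: the run block has ended
		}
		for _, m := range tainted.FindAllStringSubmatch(line, -1) {
			if runIndent >= 0 {
				hits = append(hits, fmt.Sprintf("%d: %s", n+1, m[1]))
			}
		}
	}
	return hits
}

// Constructed samples: the same step before and after the env-mapping fix.
const vulnerableStep = `steps:
  - run: |
      echo "Comment: ${{ github.event.comment.body }}"
`

const hardenedStep = `steps:
  - env:
      BODY: ${{ github.event.comment.body }}
    run: |
      echo "Comment: $BODY"
`

func main() {
	fmt.Println(TaintedInRun(vulnerableStep), TaintedInRun(hardenedStep))
}
```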

18 Detection Rules

From critical fork checkout exploits and supply chain steganography to AI config injection - including attack vectors no other scanner detects.

  • RGS-001 (Critical): Fork Checkout in Privileged Context. Detects pull_request_target workflows that check out fork code with secret access.
  • RGS-002 (Critical): Branch Name Injection. Catches attacker-controlled branch names used in shell commands or expressions.
  • RGS-016 (Critical): Unicode Steganography in Workflows. Byte-level scanning for invisible Unicode characters encoding hidden payloads in workflow YAML.
  • RGS-003 (High): Filename Injection. Identifies crafted filenames that inject commands when processed by workflows.
  • RGS-004 (High): Issue/Comment Body Injection. Detects attacker-controlled issue or comment content used unsafely in shell commands.
  • RGS-005 (High): Commit Message Injection. Catches commit messages interpolated into shell commands where they can execute code.
  • RGS-006 (High): PR Title/Body Injection. Flags pull request titles and body content used in shell contexts without sanitization.
  • RGS-007 (High): Secret Exfiltration via Fork. Detects patterns where secrets could be leaked through fork-initiated workflows.
  • RGS-008 (Medium): Expression Injection in Conditional. Detects attacker-controlled data used in if: conditionals that may bypass security gates.
  • RGS-009 (Medium): Unpinned Third-Party Actions. Flags actions referenced by tag instead of commit SHA, with auto-fix support.
  • RGS-010 (High): AI Config Injection. Uniquely detects attacks on CLAUDE.md, .cursorrules, copilot-instructions.md in fork checkouts.
  • RGS-011 (High): MCP Tooling Injection. Catches malicious .mcp.json modifications in fork checkout contexts.
  • RGS-012 (Medium): Excessive Permissions. Flags workflows with overly broad permissions that violate least-privilege principles.
  • RGS-013 (Low): Debug Logging Enabled. Warns when debug logging may expose secrets or sensitive runtime data.
  • RGS-014 (Medium): Curl-Pipe-Bash Pattern. Detects piping remote scripts directly into a shell interpreter without verification.
  • RGS-017 (High): Steganography in Referenced Scripts. Invisible Unicode in files executed by workflows - setup.py, package.json, Dockerfiles, shell scripts.
  • RGS-018 (High): Suspicious Payload Execution. Eval+decode chains, known GlassWorm IOCs, and C2 patterns in workflow run blocks.
  • RGS-019 (Medium): Step Output Advisory. Detects step outputs derived from attacker-controlled sources that may propagate tainted data downstream.

Use --rules or --group to run specific rule subsets.

Detection Is Just the Beginning

Runner Guard identifies CI/CD vulnerabilities before they're exploited. When attacks make it through, Vigilant's CyberDNA Intelligence Platform provides the forensic validation to prove what happened, how far it spread, and that it's been fully contained.

GlassWorm Defense

Supply Chain Steganography Detection

The GlassWorm campaign proved that code review alone isn't enough. Invisible Unicode characters encode executable payloads that bypass every human and automated review tool. Runner Guard performs byte-level scanning to catch what's invisible:

  • Invisible Unicode in workflow YAML files (variation selectors, zero-width chars, tag characters)
  • Hidden payloads in referenced scripts - setup.py, package.json, Dockerfiles
  • Known GlassWorm IOC patterns and ZOMBI module signatures
  • Dangerous eval+decode execution chains used for payload activation
  • Updatable threat signatures via embedded signatures.yaml

terminal

$ runner-guard scan . --group steganography

CRITICAL RGS-016 unicode-steganography
ci.yml:42 - Invisible Unicode chars
detected (variation selectors, tags)

HIGH RGS-017 stego-referenced-script
ci.yml:58 - Hidden chars in script
referenced by workflow: setup.py

HIGH RGS-018 suspicious-payload
ci.yml:65 - Known IOC: ZOMBI module
decode pattern with eval chain

Found 3 issues (1 critical, 2 high)
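
A minimal sketch of the kind of check the first bullet describes, added here as an example; it is not Runner Guard's code. It decodes the raw file bytes and reports every variation selector, zero-width character and tag character with its position; the code point ranges are taken from the Unicode blocks for those classes, and the sample input is constructed.

```go
package main

import "fmt"

// Finding is one invisible code point located in the input.
type Finding struct {
	Line, Col int // 1-based; Col counts runes, not bytes
	Rune      rune
	Class     string
}

// classify names the invisible-character class of r, or "" if it is not one.
func classify(r rune) string {
	switch {
	case r >= 0xFE00 && r <= 0xFE0F, r >= 0xE0100 && r <= 0xE01EF:
		return "variation-selector"
	case r >= 0x200B && r <= 0x200D, r == 0x2060, r == 0xFEFF:
		return "zero-width"
	case r >= 0xE0000 && r <= 0xE007F:
		return "tag-character"
	}
	return ""
}

// Scan decodes the raw bytes as UTF-8 and reports every invisible code point.
func Scan(data []byte) []Finding {
	var out []Finding
	line, col := 1, 1
	for _, r := range string(data) {
		// A U+FEFF as the very first rune is a byte-order mark, not a payload.
		if c := classify(r); c != "" && !(r == 0xFEFF && line == 1 && col == 1) {
			out = append(out, Finding{line, col, r, c})
		}
		if col++; r == '\n' {
			line, col = line+1, 1
		}
	}
	return out
}

func main() {
	// Constructed sample: two YAML lines carrying three hidden code points.
	sample := []byte("run: echo ok\u200b\nname: build\U000E0041\uFE0F\n")
	for _, f := range Scan(sample) {
		fmt.Printf("line %d col %d U+%04X %s\n", f.Line, f.Col, f.Rune, f.Class)
	}
}
```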

Industry First

AI Config Injection Detection

Runner Guard is the first scanner to detect attacks targeting AI coding assistant configurations in CI/CD pipelines. When a fork checkout runs in a privileged context, an attacker can modify these files to hijack AI-assisted development:

  • CLAUDE.md - Claude Code
  • .cursorrules - Cursor
  • copilot-instructions.md - GitHub Copilot
  • .mcp.json - MCP Tooling

terminal

$ runner-guard scan .

CRITICAL RGS-001 fork-checkout-exploit
ci.yml:15 - Checks out fork code in
pull_request_target with secret access

HIGH RGS-010 ai-config-injection
ci.yml:15 - Fork checkout enables
modification of CLAUDE.md, .cursorrules

HIGH RGS-011 mcp-config-injection
ci.yml:15 - Fork checkout enables
modification of .mcp.json

Found 3 issues (1 critical, 2 high)
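
All three findings above rest on one precondition: a pull_request_target workflow whose checkout step takes its ref from the pull request head. The check below is an added example, not Runner Guard's code; it uses a line-based heuristic instead of a YAML parser, and the sample workflow is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// Trigger in any YAML form: scalar, flow list, block list item, map key.
	prt = regexp.MustCompile(`(?m)^\s*(on:.*|-\s*)?\bpull_request_target\b`)
	// A ref: that resolves to the pull request head, i.e. fork-controlled code.
	headRef = regexp.MustCompile(`ref:.*\$\{\{\s*github\.(head_ref|event\.pull_request\.head\.(sha|ref))\s*\}\}`)
)

// ForkCheckouts lists 1-based lines where checkout uses the PR head as ref.
func ForkCheckouts(workflow string) []int {
	if !prt.MatchString(workflow) {
		return nil // not a pull_request_target workflow; out of scope here
	}
	var lines []int
	inCheckout := false
	for n, line := range strings.Split(workflow, "\n") {
		switch t := strings.TrimSpace(line); {
		case strings.Contains(t, "uses: actions/checkout@"):
			inCheckout = true
		case strings.HasPrefix(t, "- "): // a different step starts
			inCheckout = false
		case inCheckout && headRef.MatchString(t):
			lines = append(lines, n+1)
		}
	}
	return lines
}

// Constructed sample: privileged trigger plus checkout of the PR head.
const prtWorkflow = `on: pull_request_target
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
`

func main() {
	fmt.Println(ForkCheckouts(prtWorkflow))
}
```

With the ref line in place, every file in the working tree, including CLAUDE.md, .cursorrules and .mcp.json, comes from the fork.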

Get Started in Seconds

Single binary. Zero dependencies. Choose your install method.

One-liner:
curl -sSfL https://raw.githubusercontent.com/Vigilant-LLC/runner-guard/main/install.sh | bash

Homebrew:
brew install Vigilant-LLC/tap/runner-guard

From Source:
go install github.com/Vigilant-LLC/runner-guard/cmd/runner-guard@latest

Quick Usage

# Scan current repository
runner-guard scan .

# Run only steganography/supply-chain rules
runner-guard scan . --group steganography

# Run only AI config detection rules
runner-guard scan . --group ai-config

# Run specific rules only
runner-guard scan . --rules RGS-001,RGS-010,RGS-016

# Output SARIF for GitHub Code Scanning
runner-guard scan . --format sarif --output results.sarif

# CI gating - fail on high severity
runner-guard scan . --fail-on high

# View demo attack scenarios
runner-guard demo


Drop-In GitHub Action

Add automated CI/CD security scanning to every pull request. Results appear directly in the GitHub Security tab.

.github/workflows/runner-guard.yml
name: Runner Guard Security Scan
on:
  pull_request:
    paths:
      - '.github/workflows/**'
      - 'CLAUDE.md'
      - '.claude/**'
      - '.mcp.json'
permissions:
  contents: read
  security-events: write
jobs:
  runner-guard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Vigilant-LLC/runner-guard@v1
        with:
          fail-on: high
          sarif-upload: 'true'
          # Optional: filter by rule group or specific rules
          # group: 'injection,ai-config,steganography'
          # rules: 'RGS-001,RGS-010,RGS-016'

“Runner Guard detects the attack. CyberDNA proves it happened. See the difference forensic validation makes.”


Built for Security Teams

Taint Analysis

Traces attacker-controlled inputs through expressions, variables, and shell commands to dangerous sinks.

Steganography Detection

Byte-level scanning for invisible Unicode payloads, GlassWorm IOCs, and eval+decode chains in workflows and referenced scripts.

AI Config Detection

First scanner to detect attacks on CLAUDE.md, .cursorrules, copilot-instructions.md, and .mcp.json in fork checkouts.

Auto-Fix

Pins unpinned actions to commit SHAs and extracts unsafe expressions into env mappings with shell-aware syntax for bash, PowerShell, and cmd.

Zero Dependencies

Single Go binary. No runtime, no framework, no package manager. Download and run.

SARIF Output

Native SARIF format integrates directly with GitHub Code Scanning and the Security tab.

Baseline Management

Suppress known findings to focus on new vulnerabilities. Clean signal, no noise.

Cross-Platform

Pre-built binaries for Linux, macOS, and Windows on both amd64 and arm64 architectures.

Remote Scanning

Scan any public GitHub repo by URL without cloning. Perfect for security audits and assessments.

Secure Your Pipelines Today

Runner Guard is free, open source, and AGPL-3.0 licensed. For organizations that need forensic validation, incident response, and continuous threat hunting - Vigilant's CyberDNA platform extends detection into full FVDR coverage.

16 Years. Zero Client Breaches.
FVDR-Patented Technology
SOC 2 Type II Compliant