GitHub self hosted runner registered
Description
AlphaSOC detected that a GitHub self-hosted runner was registered. Self-hosted runners are machines that execute GitHub Actions workflows on infrastructure controlled by the organization. Threat actors can register malicious self-hosted runners to gain persistent access to an organization's CI/CD pipeline, execute arbitrary code within the build environment, and potentially access secrets and credentials used in workflows.
Impact
Registration of unauthorized self-hosted runners could allow adversaries to intercept sensitive data from CI/CD pipelines, inject malicious code into software builds, or establish persistent access to the organization's development infrastructure.
Severity
| Severity | Condition |
|---|---|
| Informational | GitHub self hosted runner registered |
Investigation and Remediation
Review the GitHub audit logs to verify the legitimacy of the runner registration, checking the user who performed the action, the repository or organization where it was registered, and whether this action was authorized. If unauthorized, immediately remove the runner from the GitHub settings, revoke any associated tokens and potentially compromised credentials, audit recent workflow executions for suspicious activity, and consider implementing additional controls on runner registration permissions.
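The audit log review described above can be scripted. The following is an added example, not AlphaSOC's or GitHub's own code: it filters an exported audit log (JSON Lines) for runner registration events and marks each one against an allowlist. The allowlist, the sample events, and the `triage` helper are assumptions constructed for illustration; the field names follow GitHub's audit log export (`action`, `actor`, `org`, `repo`, `@timestamp`).

```python
import json

# Audit log actions GitHub records when a self-hosted runner is registered.
REGISTER_ACTIONS = {
    "repo.register_self_hosted_runner",
    "org.register_self_hosted_runner",
    "enterprise.register_self_hosted_runner",
}

# Assumption: accounts your organization permits to register runners.
APPROVED_ACTORS = {"ci-platform-bot"}

# Constructed sample of exported audit log events (JSON Lines), not real data.
SAMPLE_LOG = """\
{"@timestamp": 1717400000000, "action": "org.register_self_hosted_runner", "actor": "ci-platform-bot", "org": "example-org"}
{"@timestamp": 1717403600000, "action": "repo.register_self_hosted_runner", "actor": "jdoe", "org": "example-org", "repo": "example-org/payments"}
{"@timestamp": 1717407200000, "action": "workflows.completed_workflow_run", "actor": "jdoe", "org": "example-org", "repo": "example-org/payments"}
not-json-line
"""

def triage(lines, approved=APPROVED_ACTORS):
    """Return runner registration events, each marked authorized or not."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed export lines rather than abort triage
        if not isinstance(event, dict) or event.get("action") not in REGISTER_ACTIONS:
            continue
        actor = event.get("actor")
        findings.append({
            "time_ms": event.get("@timestamp"),
            "actor": actor,
            # Repo-level events carry "repo"; org-level ones carry only "org".
            "scope": event.get("repo") or event.get("org"),
            "action": event["action"],
            "authorized": actor in approved,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

Events with `authorized` set to `False` are the ones to follow up on with the remediation steps above.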