step-security
diff --git a/‎README.md‎
Lines changed: 4 additions & 3 deletions b/‎README.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎dist/index.js‎
Lines changed: 1 addition & 0 deletions b/‎dist/index.js‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎dist/index.js.map‎
Lines changed: 1 addition & 1 deletion b/‎dist/index.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/post/index.js‎
Lines changed: 5 additions & 0 deletions b/‎dist/post/index.js‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎dist/post/index.js.map‎
Lines changed: 1 addition & 1 deletion b/‎dist/post/index.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/pre/index.js‎
Lines changed: 160 additions & 307 deletions b/‎dist/pre/index.js‎
Lines changed: 160 additions & 307 deletions
diff --git a/‎dist/pre/index.js.map‎
Lines changed: 1 addition & 1 deletion b/‎dist/pre/index.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎osv-scanner.toml‎
Lines changed: 5 additions & 1 deletion b/‎osv-scanner.toml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎package-lock.json‎
Lines changed: 86 additions & 39 deletions b/‎package-lock.json‎
Lines changed: 86 additions & 39 deletions
diff --git a/‎src/cleanup.ts‎
Lines changed: 5 additions & 0 deletions b/‎src/cleanup.ts‎
Lines changed: 5 additions & 0 deletions
@@ -19,7 +19,7 @@ Corporate laptops and production servers typically have robust security monitori
 
 Traditional security monitoring and EDR solutions are ineffective for CI/CD runners due to their ephemeral nature. These tools also lack the necessary context to correlate events with specific workflow runs in a CI/CD environment.
 
-StepSecurity Harden-Runner addresses this gap by providing security monitoring tailored for CI/CD runners. This approach brings CI/CD runners under the same level of security scrutiny as other critical systems, addressing a significant gap in the software supply chain.
+StepSecurity Harden-Runner addresses this gap by providing security monitoring tailored for CI/CD runners, with support for Linux, Windows, and macOS runners. This approach brings CI/CD runners under the same level of security scrutiny as other critical systems, addressing a significant gap in the software supply chain.
 ### Harden-Runner: Security Incidents Detected
 
 - [Harden-Runner Detected the tj-actions/changed-files compromise](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) ([CVE-2025-30066](https://github.com/advisories/GHSA-mrrh-fwg8-r2c3))
@@ -138,7 +138,7 @@ Explore the full feature set in the [Features Documentation](https://docs.stepse
 
 ## Trusted By and Case Studies
 
-Harden-Runner is trusted by over 8000 leading open-source projects and enterprises, including Microsoft, Google, Kubernetes, and more.
+Harden-Runner is trusted by over 11,000 leading open-source projects and enterprises, including Microsoft, Google, Kubernetes, and more.
 
 ### Trusted by
 
@@ -163,7 +163,8 @@ Harden-Runner is designed to work seamlessly across a variety of runner environm
 
 | Environment Type | Compatibility | Audit Mode Deployment | Workflow Changes for Audit Mode |
 |------------------|---------------|--------------------------|-------------------|
-| GitHub-hosted runners | ✅ Full support | Add Harden-Runner Action to workflow | Yes |
+| GitHub-hosted runners (Linux) | ✅ Full support | Add Harden-Runner Action to workflow | Yes |
+| GitHub-hosted runners (Windows, macOS) | ✅ Audit mode only | Add Harden-Runner Action to workflow | Yes |
 | Self-hosted VM runners | ✅ Full support | Include agent in runner image | No |
 | Self-hosted bare-metal runners | ✅ Full support | Install agent as a service | No |
 | Actions Runner Controller (ARC) | ✅ Full support | Deploy as DaemonSet | No |
 
@@ -32029,6 +32029,7 @@ const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.
 const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
 const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
+const ARM64_WINDOWS_RUNNER_MESSAGE = "Windows ARM runners are not yet supported by Harden-Runner.";
 
 ;// CONCATENATED MODULE: external "node:fs"
 const external_node_fs_namespaceObject = require("node:fs");
 
@@ -32034,6 +32034,7 @@ const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.
 const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
 const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
+const ARM64_WINDOWS_RUNNER_MESSAGE = "Windows ARM runners are not yet supported by Harden-Runner.";
 
 // EXTERNAL MODULE: external "path"
 var external_path_ = __nccwpck_require__(6928);
@@ -32350,6 +32351,10 @@ function handleWindowsCleanup() {
             console.log("Windows post step already executed, skipping");
             return;
         }
+        if (process.arch === "arm64") {
+            console.log(ARM64_WINDOWS_RUNNER_MESSAGE);
+            return;
+        }
         const p = external_child_process_.spawn("powershell.exe", [
             "-NoProfile",
             "-NonInteractive",
 
@@ -8,4 +8,8 @@ reason = "Untrusted headers are not processed"
 
 [[IgnoredVulns]]
 id = "GHSA-xx4v-prfh-6cgc"
-reason = "Untrusted headers are not processed"
+reason = "Untrusted headers are not processed"
+
+[[IgnoredVulns]]
+id = "GHSA-g9mf-h72j-4rw9"
+reason = "undici fetch() is only used to call GitHub API; exploitation requires a malicious server"
@@ -204,6 +204,11 @@ async function handleWindowsCleanup() {
     return;
   }
 
+  if (process.arch === "arm64") {
+    console.log(common.ARM64_WINDOWS_RUNNER_MESSAGE);
+    return;
+  }
+
   const p = cp.spawn(
     "powershell.exe",
     [
Original file line number	Diff line number	Diff line change
`@@ -204,6 +204,11 @@ async function handleWindowsCleanup() {`
`204`	`204`	`return;`
`205`	`205`	`}`
`206`	`206`
	`207`	`+ if (process.arch === "arm64") {`
	`208`	`+ console.log(common.ARM64_WINDOWS_RUNNER_MESSAGE);`
	`209`	`+ return;`
	`210`	`+ }`
	`211`	`+`
`207`	`212`	`const p = cp.spawn(`
`208`	`213`	`"powershell.exe",`
`209`	`214`	`[`