Skip to main content

GitHub Actions

Several mechanics have been implemented to allow seamless integration with GitHub Actions.

GitHub Hosted Runners Support

The most popular environment for running GitHub Actions build is GitHub-hosted runners. As soon as a job is submitted, it is translated into a VM created by GitHub and run on GitHub's Azure-backed cloud.

In short, Cimon Agent is runner-aware, which means it is aware of the runner environment and adapts itself accordingly. There are several ways in which the functionality reflects this:

  • Hosted Runner Support - Cimon will be compatible with any Ubuntu-based hosted runner.
  • Allowed Hosts - Github-related hosts will be added automatically, including,, etc.
  • Ignored IPs - Ignoring internal IPs communication, such as the Azure metadata IP address,, and more.
  • Performance - To improve the performance, it will track the descendant processes of the pipeline runner process, Runner.Worker in the case of GitHub Actions (it will also track docker-related processes due to their relevance)
  • GitHub Reporters - It will output the report according to the runner identified. In the GitHub Actions case, that would be a job summary report.

GitHub Actions also allows running jobs inside containers. The setup adds several constraints and hasn't been fully tested yet. When using Cimon on GitHub-hosted machines, we recommend running it natively instead of in a container.

Cimon GitHub Action

As part of Cimon, we provide a custom action for deploying agents seamlessly within any GitHub Actions build. The repository containing the action can be found at The action also could be found on GitHub's official marketplace at

The action is based on the NodeJS engine and contains simple main and post scripts to start and gracefully shut down the agent's container. Cimon is run as a privileged container in detached mode and joins the runners' process and network namespaces to see all the processes and network connections on the host.


The action supports the following parameters:

client-idCimon client ID for authentication
secretCimon secret for authentication
urlCimon endpoint for authentication
preventfalseEnable prevention mode
allowed-ipsA comma or white space separated list of allowed IP addresses
allowed-hostsA comma or white space separated list of allowed domain names. The left-most label can be the wildcard character (*) to match multiple subdomains (e.g. *
ignored-ip-netsA comma or white space separated list of ignored IP networks in CIDR notation, e.g., This setting is mandatory if your workflow runs containers attached to a custom network with configured sub-range. In other words, inter-container networking is usually ignored by Cimon. Cimon implicitly ignores and networks.
github-token${{ github.token }}GitHub token (used to overcome GitHub rate limiting)
report-job-summarytrueReport results through job summary output
report-process-treefalseEnable to report the process tree
slack-webhook-endpointSlack webhook endpoint to report security events
apply-fs-eventsfalseEnable processing filesystem events and display them in the process tree report
log-levelinfoLog level (Used for debugging)
feature-gatesSet of key=value pairs that describe Cimon features
fail-on-errorfalseFail the CI if Cimon encountered an error


We welcome contributions to the GitHub Action project.

After changes were made to the src folder, changes should be reflected in the dist folder by the following steps:

  1. Install or update package dependencies:
npm install
  1. Compile JavaScript source files into single entry point files with ncc:
npm run all

The build script will update actions' entry points code in the dist directory, which should be added to the Git repository.

Job Summary Report

What is Job Summary

Job Summary feature provides a more detailed and customizable summary of the results of each job in a workflow, including the ability to include custom metadata, rich text formatting, and images.

Cimon generates a summary report for every job defined in a workflow. The layout and contents of the report depend on the runtime mode, i.e., detect or prevent.

Here is an example of a standard security report in GitHub:

The full example report could be found here.

The headline indicates whether any risk was detected at runtime. If yes, the subsequent sections provide enough information to understand which program was blocked due to a forbidden network connection, including a process identifier, destination address, port, and protocol.

The Policy Suggestion section shows the recommended Cimon GitHub action configuration to apply in prevent mode. In other words, based on that information, Cimon builds a profile of network events in detect mode and suggests allowed IP addresses and hosts as input configurations in prevent mode.

A typical section is a list of Network Events, i.e., outbound TCP and UDP connections, which includes the integer process identifier (PID) that initiated the connection, process name, destination IP address and port, and resolved host. The last column indicates forbidden connections that are blocked in prevention mode.

Another typical section shows Resolved Domains, i.e., DNS mapping between hosts and corresponding IP addresses.

If reporting process tree is enabled, a summary report includes the Process Tree captured during workflow execution by instrumenting GitHub runner's application (Runner.Worker) and container runtime (containerd/dockerd) and their descendants. Effectively, it shows all processes and programs with command-line arguments run during workflow execution.

Runner.Worker(1528) [ /home/runner/runners/2.301.1/bin/Runner.Worker spawnclient 112 115 ]
node(4101) [ /home/runner/runners/2.301.1/externals/node16/bin/node /home/runner/work/cimon/cimon/./.github/actions/agent-javascript-action/dist/main/index.js ]
node(4299) [ /home/runner/runners/2.301.1/externals/node16/bin/node /home/runner/work/_actions/actions/checkout/93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8/dist/index.js ]
git(4310) [ /usr/bin/git version ]
git(4311) [ /usr/bin/git config --global --add /home/runner/work/cimon/cimon/Hello-World ]
git(4312) [ /usr/bin/git init /home/runner/work/cimon/cimon/Hello-World ]
containerd(672) [ /usr/bin/containerd ]
containerd-shim(4419) [ /usr/bin/containerd-shim-runc-v2 -namespace moby -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 8bd93947b2ac106fae58e095807422f0acc6bd170f76520e645328a170f502c4 start ]
containerd-shim(4427) [ /usr/bin/containerd-shim-runc-v2 -namespace moby -id 8bd93947b2ac106fae58e095807422f0acc6bd170f76520e645328a170f502c4 -address /run/containerd/containerd.sock ]
runc(4437) [ /usr/bin/runc --root /var/run/docker/runtime-runc/moby --log /run/containerd/io.containerd.runtime.v2.task/moby/8bd93947b2ac106fae58e095807422f0acc6bd170f76520e645328a170f502c4/log.json --log-format json create --bundle /run/containerd/io.containerd.runtime.v2.tas ]
exe(4446) [ runc init ]
6(4446) [ runc init ]
wget(4448) [ /bin/wget --timeout=1 ]