A CI/CD runner is the execution environment that performs build, test, or deployment jobs. It often has access to source code, tokens, and cloud credentials, which makes it a high-value identity surface when workflows are compromised.
Expanded Definition
A CI/CD runner is the execution endpoint that actually performs pipeline jobs, such as compiling code, running tests, packaging artifacts, or deploying to cloud and cluster targets. In NHI security, the runner is not just infrastructure; it is an operational identity surface because it executes with inherited permissions, reads secrets, and often exchanges tokens with source control and cloud platforms.
Definitions vary across vendors and platform teams on whether the runner is treated as a host, a service account, or a workload identity, but the security question is the same: what authority does the runner receive, and how is that authority constrained during each job? The distinction matters because a runner that can access repositories, registries, and deployment credentials can become the fastest path from a compromised workflow to production systems. The NIST Cybersecurity Framework 2.0 is useful here because it frames access control, monitoring, and recovery as operational disciplines rather than one-time setup tasks.
The most common misapplication is treating the runner as trusted by default, which occurs when shared runners are allowed to execute arbitrary pipeline steps with long-lived credentials and no job-level isolation.
Examples and Use Cases
Implementing CI/CD runners rigorously often introduces friction between delivery speed and environment isolation, requiring organisations to weigh build throughput against credential containment and auditability.
- Ephemeral self-hosted runners spin up per job, fetch a short-lived token, and terminate after completion to reduce persistence risk.
- Dedicated deployment runners separate build activity from production release steps so that source-code access does not automatically imply release authority.
- Hardened runners restrict outbound network paths and local filesystem access, limiting the blast radius if a pipeline step is poisoned.
- Incident teams use the CI/CD pipeline exploitation case study to understand how a runner can be abused after a workflow compromise.
- Security engineering teams map runner identity to the NIST Cybersecurity Framework 2.0 to align access, logging, and incident response controls.
Runner design also influences secret handling patterns. The Guide to the Secret Sprawl Challenge is relevant because runners frequently become the place where secrets are injected, reused, and accidentally exposed across jobs.
Why It Matters in NHI Security
CI/CD runners sit at the junction of code, secrets, and deployment authority, which makes them a frequent pivot point when supply chain attacks target build systems. If a runner is over-permissioned, an attacker who alters a workflow can move from a single repository event to cloud credentials, container registries, or production release paths. This is why runner governance belongs in NHI security, not only in DevOps hygiene.
NHIMG research shows the scale of the secret exposure problem surrounding these environments: 88% of security professionals are concerned about secrets sprawl, and 54% are dissatisfied with their current secrets management solution because not all secrets are secured. Those conditions are especially dangerous on runners, where tokens and certificates are often mounted only for the duration of a job and then copied into logs, caches, or artifacts. The Reviewdog GitHub Action supply chain attack illustrates how a trusted automation path can become a secret-exfiltration channel when workflow integrity is broken.
Organisations typically encounter runner risk only after a workflow compromise, at which point the CI/CD runner becomes operationally unavoidable to investigate and contain.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Runner secret exposure and sprawl map directly to improper secret management. |
| OWASP Agentic AI Top 10 | Automated execution surfaces need constrained tool access and strong job isolation. | |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access applies to runner identities and their job-scoped permissions. |
Minimise runner secrets, rotate them quickly, and verify no job can persist or print them.
Related resources from NHI Mgmt Group
- What is workload identity federation and why is it important for CI/CD security?
- How do I implement secrets scanning in a CI/CD pipeline?
- When should teams prioritise CI/CD hardening over broader secret scanning?
- How should security teams govern machine credentials across cloud and CI/CD environments?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
