See what code actually does when it runs. Garnet profiles every network connection, process spawn, and file access during execution — and surfaces results in your existing workflows. Jibril, a lightweight eBPF runtime agent, runs inside your GitHub Actions workflows (or any execution environment), builds a full behavioral profile per run, and evaluates it against runtime assertions.

Get started

Quick Start

Generate a token, install a runtime agent, see your first run in minutes.
Add Garnet as a step in any GitHub Actions workflow:
- uses: garnet-org/action@v2
  with:
    api_token: ${{ secrets.GARNET_API_TOKEN }}
Detailed guide: GitHub Actions

How it works

  1. Deploy Jibril, an eBPF runtime agent, in your execution environment
  2. Profile every outbound connection through process ancestry — traced back to the exact dependency that opened it
  3. Evaluate runtime assertions per run — verdicts surface in Step Summary, Slack, or webhooks

See it in action

Garnet flagging a suspicious domain in a CI run
A flagged run in which chainstack.com is marked as suspicious in this context: according to Garnet threat intel, it was seen in past attacks. The full process tree traces the connection back to wget inside the CI workflow.

Shai-Hulud v2 — Supply Chain Worm

See how Garnet detected a supply chain worm contacting suspicious domains during a live CI run