Skip to main content
See what your code is talking to. Garnet monitors every network connection, process, and file access in your CI/CD runs — and stops supply chain attacks before they do damage. A lightweight eBPF agent runs inside your GitHub Actions workflows (or Kubernetes nodes), captures runtime behavior, evaluates it against security assertions, and flags or blocks anything suspicious.

Core concepts

Runs

Every CI workflow execution produces a run — a complete runtime profile with network connections, process trees, and assertion results.

Assertions

Security checks evaluated on every run. Failed assertions — like connections to known malicious domains — flag the run for review.

Agents

Lightweight eBPF sensors deployed on CI runners and cluster nodes. Each agent reports events to the Garnet dashboard.

Get started

Quick Start

Generate a token, install an agent, see your first run in minutes.
Add Garnet as a step in any workflow:
- uses: garnet-org/action@v1
  with:
    api_token: ${{ secrets.GARNET_API_TOKEN }}
Detailed guide: GitHub Actions

How it works

  ┌─────────────┐       ┌─────────────────┐       ┌──────────────────┐
  │  Deploy      │       │  Monitor         │       │  Assert          │
  │  Agent       │──────▶│  Runtime         │──────▶│  & Alert         │
  │              │       │                  │       │                  │
  │  GitHub      │       │  Network egress  │       │  Flag runs with  │
  │  Actions     │       │  Process trees   │       │  failed          │
  │  Kubernetes  │       │  File access     │       │  assertions      │
  └─────────────┘       └─────────────────┘       └──────────────────┘
  1. Deploy an eBPF agent in your CI runner or cluster
  2. Monitor every outbound connection, process spawn, and file access
  3. Assert security invariants on each run — flag and alert when checks fail

Real-world example

Shai-Hulud v2 — Supply Chain Worm

See how Garnet detected a supply chain worm contacting known malicious domains during a live CI run