Skip to main content
Runs dashboard showing assertion results across workflow runs
Every time a monitored workflow executes, Garnet captures a run — a complete behavioral profile of everything that happened. Runs record what your code connected to, what processes ran, and whether any runtime assertions failed.

What is a run?

A run maps one-to-one with a workflow execution. It captures:
  • Network egress — Every outbound connection with destination domain/IP, port, and protocol
  • Process lineage — Parent-child process relationships showing the full execution flow
  • Assertion results — Pass/fail verdict for each runtime check

Assertions

Assertions are runtime checks evaluated on every run. When all assertions pass, the run is clean. When any assertion fails, the run is flagged.
AssertionWhat it checks
Known bad egressA contacted domain was flagged as suspicious — it was seen in past attacks through Garnet threat intel
Garnet’s threat intelligence database is continuously updated with domains and IPs observed in real supply chain attacks, malware campaigns, and malicious packages.

Filtering runs

The runs feed shows a summary banner (e.g., “3 assertions failed in 142 runs in the last 24 hours”). Use the tabs to filter:
  • All — Every run across all runtime agents
  • Flagged — Runs with one or more failed assertions
  • Passed — Runs where all assertions passed
Toggle between Feed (chronological list) and By Repo (grouped by repository). Use the search bar to filter by repo, branch, actor, or SHA.

Run details — passed

Run detail view showing a passed run with process tree and assertions
Click any run to see the full profile:
  • Process tree — The complete execution chain (e.g., systemd → hosted-compute-agent → Runner.Listener → Runner.Worker → node) with every network connection inline
  • Domain and connection counts — e.g., “3 domains, 3 connections”
  • Overview / JSON tabs — Structured view or raw JSON of the run data
The lower section is split into two panels:
  • Assertions — Pass/fail result for each check. A passed run shows a green indicator with “No contacted domains matched known threats”
  • Run Context — The workflow name, repository, branch, commit SHA, actor, run number, timestamp, and linked runtime agent

Run details — flagged

Run detail view showing a flagged run with suspicious egress
When a run is flagged, the detail view highlights the problem:
  • Red-highlighted connections — The suspicious destination is called out inline in the process tree (e.g., wget → chainstack.com — flagged as suspicious, seen in past attacks through Garnet threat intel)
  • Failed assertion — The Assertions panel shows a red indicator with “A contacted domain was found in Garnet threat intel — used in past attacks”
  • Run Context — Same metadata for tracing back to the exact commit and actor