TeamPCP and LiteLLM supply chain attacks compromised thousands of CI pipelines.Get a free audit →

Runtime visibilityfor GitHub workflows.

Your pipeline runs code you didn’t write, with full access to your secrets, and no record of what it actually did.

Garnet watches every run at the kernel level and lets you see and assert runtime behavior—right where you already build, test, and review code.

Start Profiling Read Docs

dev-sarah pushed 1 commit 12 minutes ago

Add rate limiter to /api/auth

c91fa03

coding-agent pushed 1 commit 3 minutes ago

Update dependency lockfile

Verifiede7b42d1

garnetbotcommented 2 min ago

Garnet profiled build-and-test #4817 — 3 failed assertions.

Runtime Checks4/7 passed

no_known_bad_egress

trivy-action → entrypoint.sh → curl POST → scan.aquasecurtiy[.]org:443

process_memory_read

trivy-action → entrypoint.sh → cat → /proc/<pid>/mem (Runner.Worker)

credentials_files_access

trivy-action → entrypoint.sh → find → *.env, *.pem, *.key

4 passedno_hidden_binary_execution, expected_parent_process, +2 more

View Run Profile →

☺

The Blind Spot in Modern Development

You're executing untrusted code and running blind.

Over 90% of the code executing in your environments is code your team doesn’t write or review. Third-party dependencies, build tools, and AI agents run automatically, with the exact same access to your secrets and infrastructure as your own code.

Static analysis tells you what code looks like. Nothing tells you what it actually does.

Supply Chain Dependencies

Code you import, executing with your secrets.

A dependency can spawn shell commands, phone home, or read secrets during build while your CI logs still look clean. Static scans don't tell you what actually happens inside the runner, and this is the blind spot in supply chain attacks.

postinstall spawned shell process

pip install made outbound curl

container build spawned background process

15m

go build read sensitive host file

22m

dependency install posted env data

30m

npm install changed system permissions

45m

postinstall spawned shell process

pip install made outbound curl

container build spawned background process

15m

go build read sensitive host file

22m

dependency install posted env data

30m

npm install changed system permissions

45m

postinstall spawned shell process

pip install made outbound curl

container build spawned background process

15m

go build read sensitive host file

22m

dependency install posted env data

30m

npm install changed system permissions

45m

Agentic Execution

Generated code and AI agents running without a runtime audit trail

Coding agents - like Cursor, Claude, Codex - install packages, invoke tools, and make decisions with the same privileges as you. When that behavior drifts from intent, isolation and static firewalls can't tell apart. Runtime lineage can.

LIVE

Agent session active

Reviewing code statically isn't enough. Runtime behavior is the only way to trust what actually happened––and recent incidents prove the gap.

01Nov 2025

Shai-Hulud 2.0

Controlled detonation showed 48 behavioral detections, 200 network flows, and a 66-minute runtime from preinstall to malicious egress.

bun bun_environment.js

trufflehog filesystem /home/runner

curl api.tomorrow.io:443

02Mar 2025

tj-actions/changed-files

Compromised install chain used /proc/*/mem reads and repeated base64 encoding, then exfiltrated secrets through GitHub workflow logs.

What Garnet Saw→

reviewdog/action-setup install.sh

tj-actions/changed-files

Aqua Trivy (TeamPCP)

Malicious Trivy action tags scraped /proc memory, encrypted secrets, and exfiltrated to scan.aquasecurtiy[.]org — while the scanner still reported a clean scan.

curl scan.aquasecurtiy[.]org

04Mar 2026

Checkmarx KICS (TeamPCP)

Replay of compromised KICS v2.1.20 surfaced 23 behavioral detections and egress to checkmarx[.]zone while the job exit code stayed green.

checkmarx.zone · dockerd

apk.cgr.dev

05Mar 2026

LiteLLM (TeamPCP)

Compromised Trivy in LiteLLM CI stole `PYPI_PUBLISH`, enabling malicious 1.82.7/1.82.8 releases with startup-triggered credential theft.

What Garnet Saw→

LiteLLM CI

compromised trivy-action

/proc/*/mem + env harvest

curl scan.aquasecurtiy[.]org

publish litellm 1.82.8

01Nov 2025

Shai-Hulud 2.0

Controlled detonation showed 48 behavioral detections, 200 network flows, and a 66-minute runtime from preinstall to malicious egress.

bun bun_environment.js

trufflehog filesystem /home/runner

curl api.tomorrow.io:443

02Mar 2025

tj-actions/changed-files

Compromised install chain used /proc/*/mem reads and repeated base64 encoding, then exfiltrated secrets through GitHub workflow logs.

What Garnet Saw→

reviewdog/action-setup install.sh

tj-actions/changed-files

Aqua Trivy (TeamPCP)

Malicious Trivy action tags scraped /proc memory, encrypted secrets, and exfiltrated to scan.aquasecurtiy[.]org — while the scanner still reported a clean scan.

curl scan.aquasecurtiy[.]org

04Mar 2026

Checkmarx KICS (TeamPCP)

Replay of compromised KICS v2.1.20 surfaced 23 behavioral detections and egress to checkmarx[.]zone while the job exit code stayed green.

checkmarx.zone · dockerd

apk.cgr.dev

05Mar 2026

LiteLLM (TeamPCP)

Compromised Trivy in LiteLLM CI stole `PYPI_PUBLISH`, enabling malicious 1.82.7/1.82.8 releases with startup-triggered credential theft.

What Garnet Saw→

LiteLLM CI

compromised trivy-action

/proc/*/mem + env harvest

curl scan.aquasecurtiy[.]org

publish litellm 1.82.8

How it works

See and assert runtime behavior in GitHub Actions.

You already review code and run tests before you merge. Garnet adds what's missing — what the code actually did when it ran, not just what it claimed to do.

Jibril Runtime Agent

v2.8

Connected

Workflows3

build.yml

PASS

test.yml

WARN

cursor-agent-pr.yml

FAIL

Install in 3 lines of YAML

Drop the action into your workflow. This interfaces Jibril—our lightweight eBPF sensor—with the runner at the kernel level. No proxies, zero code changes, and sub-2% CPU overhead.

Jibril Runtime Agent

v2.8

Connected

Workflows3

build.yml

PASS

test.yml

WARN

cursor-agent-pr.yml

FAIL

Behavioral profiles for every run

Every workflow run produces a structured Run Profile. It is a tamper-proof, canonical record of what actually ran in the kernel—every network call, file access, and process spawn mapped to its exact lineage.

github-runner:1

npm install:42

postinstall → /bin/sh:87

curl exfil.sh:91

webhook.site

node payload.js:93

185.62.190.89

node build.js:55

esbuild:60

Review and assert in your workflow

Runtime assertions are like unit tests, but for runtime behavior. Treat execution boundaries—like expected egress or protected file paths—as testable invariants of your software. Expected behavior passes silently; deviations fail the PR with exact execution lineage.

Ground truth for what code actually did.

Catch unexpected behavior early

Runtime profiles surface deviations you’d never spot in a code review—regressions, unexpected side effects, and attacks—before they become incidents.

Audit dependency and agent execution

See exactly what AI agents and third-party dependencies did during a run, with kernel-level evidence. Know instantly if you’re impacted by a supply-chain attack or rogue agent behavior.

Derive policy from observed behavior

Build firewall rules, egress policies, and allowlists from what your code actually does at runtime—not from assumptions or manual inventories.

Detect known threats automatically

Garnet’s managed threat feeds flag known C2 domains, cryptominer pools, and attack patterns at runtime—catching novel threats before they show up in advisories, no security team required.

"There are a lot of tools that process security advisory data, but Garnet is the first I’ve seen that goes a step further, applying behavioral analysis to find issues before they get reported to an advisory database. This is the kind of thing we’d always wanted to do at npm, Inc., but never got around to. It’s super exciting to see it come to fruition."

Isaac Z. Schlueter

Creator of npm, ex-Project Lead Node.js

A new primitive for autonomous era of software

Making execution observable and trustworthy.

Logs, metrics, and traces were built for code you wrote and services you control. But software is no longer deterministic—and execution is the new surface. Garnet is the missing visibility substrate: runtime behavior captured at the kernel, structured as testable artifacts, and delivered where engineers already work.

Kernel-level visibility, zero overhead

Jibril is a lightweight eBPF agent that instruments at the kernel—not by parsing logs after the fact, but by observing syscalls as they happen. No code changes, no proxies, no sidecars. A single binary that drops into your workflow and captures every process spawn, network call, and file access with full ancestry. Sub-2% CPU overhead, zero configuration - built for modern ephemeral environments.

Assertions that make execution verifiable

You already write tests to verify expected logic and run linters to enforce style. Runtime assertions extend that pattern to execution behavior—define which destinations are expected, which processes can spawn, which files can be touched. A failing assertion is a failing test in your PR. No new dashboards. The feedback loop engineers already trust, now covering what code actually does.

The source of truth for non-deterministic execution

You can’t predict behavior you didn’t author. AI agents, dependencies, and generated code make execution the attack surface—and static rules can’t cover it. Garnet captures what actually ran: a deterministic, structured record of every runtime decision. Not a scan. Not a heuristic. Ground truth for the era where code writes code.

Runtime profile captured for run #4817

Run Profile

GitHub Actions • Per-run behavioral analysis

Open public run profile

Process lineage traced

Network egress profiled

Assertions evaluated

Stop running blind.
Ship with confidence.

One edit to your existing workflow file. Get your first run profile on the next push.

Start Profiling Talk with Founders

Runtime visibility for untrusted execution.

Product

Company

Security

Trust Center

Legal

TeamPCP and LiteLLM supply chain attacks compromised thousands of CI pipelines.Get a free audit →

Runtime visibilityfor GitHub workflows.

Your pipeline runs code you didn’t write, with full access to your secrets, and no record of what it actually did.

Garnet watches every run at the kernel level and lets you see and assert runtime behavior—right where you already build, test, and review code.

Start Profiling Read Docs

dev-sarah pushed 1 commit 12 minutes ago

Add rate limiter to /api/auth

c91fa03

coding-agent pushed 1 commit 3 minutes ago

Update dependency lockfile

Verifiede7b42d1

garnetbotcommented 2 min ago

Garnet profiled build-and-test #4817 — 3 failed assertions.

Runtime Checks4/7 passed

no_known_bad_egress

trivy-action → entrypoint.sh → curl POST → scan.aquasecurtiy[.]org:443

process_memory_read

trivy-action → entrypoint.sh → cat → /proc/<pid>/mem (Runner.Worker)

credentials_files_access

trivy-action → entrypoint.sh → find → *.env, *.pem, *.key

4 passedno_hidden_binary_execution, expected_parent_process, +2 more

View Run Profile →

☺

The Blind Spot in Modern Development

You're executing untrusted code and running blind.

Static analysis tells you what code looks like. Nothing tells you what it actually does.

Supply Chain Dependencies

Code you import, executing with your secrets.

postinstall spawned shell process

pip install made outbound curl

container build spawned background process

15m

go build read sensitive host file

22m

dependency install posted env data

30m

npm install changed system permissions

45m

postinstall spawned shell process

pip install made outbound curl

container build spawned background process

15m

go build read sensitive host file

22m

dependency install posted env data

30m

npm install changed system permissions

45m

postinstall spawned shell process

pip install made outbound curl

container build spawned background process

15m

go build read sensitive host file

22m

dependency install posted env data

30m

npm install changed system permissions

45m

Agentic Execution

Generated code and AI agents running without a runtime audit trail

LIVE

Agent session active

Reviewing code statically isn't enough. Runtime behavior is the only way to trust what actually happened––and recent incidents prove the gap.

01Nov 2025

Shai-Hulud 2.0

Controlled detonation showed 48 behavioral detections, 200 network flows, and a 66-minute runtime from preinstall to malicious egress.

bun bun_environment.js

trufflehog filesystem /home/runner

curl api.tomorrow.io:443

02Mar 2025

tj-actions/changed-files

Compromised install chain used /proc/*/mem reads and repeated base64 encoding, then exfiltrated secrets through GitHub workflow logs.

What Garnet Saw→

reviewdog/action-setup install.sh

tj-actions/changed-files

Aqua Trivy (TeamPCP)

Malicious Trivy action tags scraped /proc memory, encrypted secrets, and exfiltrated to scan.aquasecurtiy[.]org — while the scanner still reported a clean scan.

curl scan.aquasecurtiy[.]org

04Mar 2026

Checkmarx KICS (TeamPCP)

Replay of compromised KICS v2.1.20 surfaced 23 behavioral detections and egress to checkmarx[.]zone while the job exit code stayed green.

checkmarx.zone · dockerd

apk.cgr.dev

05Mar 2026

LiteLLM (TeamPCP)

Compromised Trivy in LiteLLM CI stole `PYPI_PUBLISH`, enabling malicious 1.82.7/1.82.8 releases with startup-triggered credential theft.

What Garnet Saw→

LiteLLM CI

compromised trivy-action

/proc/*/mem + env harvest

curl scan.aquasecurtiy[.]org

publish litellm 1.82.8

01Nov 2025

Shai-Hulud 2.0

Controlled detonation showed 48 behavioral detections, 200 network flows, and a 66-minute runtime from preinstall to malicious egress.

bun bun_environment.js

trufflehog filesystem /home/runner

curl api.tomorrow.io:443

02Mar 2025

tj-actions/changed-files

Compromised install chain used /proc/*/mem reads and repeated base64 encoding, then exfiltrated secrets through GitHub workflow logs.

What Garnet Saw→

reviewdog/action-setup install.sh

tj-actions/changed-files

Aqua Trivy (TeamPCP)

Malicious Trivy action tags scraped /proc memory, encrypted secrets, and exfiltrated to scan.aquasecurtiy[.]org — while the scanner still reported a clean scan.

curl scan.aquasecurtiy[.]org

04Mar 2026

Checkmarx KICS (TeamPCP)

Replay of compromised KICS v2.1.20 surfaced 23 behavioral detections and egress to checkmarx[.]zone while the job exit code stayed green.

checkmarx.zone · dockerd

apk.cgr.dev

05Mar 2026

LiteLLM (TeamPCP)

Compromised Trivy in LiteLLM CI stole `PYPI_PUBLISH`, enabling malicious 1.82.7/1.82.8 releases with startup-triggered credential theft.

What Garnet Saw→

LiteLLM CI

compromised trivy-action

/proc/*/mem + env harvest

curl scan.aquasecurtiy[.]org

publish litellm 1.82.8

How it works

See and assert runtime behavior in GitHub Actions.

You already review code and run tests before you merge. Garnet adds what's missing — what the code actually did when it ran, not just what it claimed to do.

Jibril Runtime Agent

v2.8

Connected

Workflows3

build.yml

PASS

test.yml

WARN

cursor-agent-pr.yml

FAIL

Install in 3 lines of YAML

Drop the action into your workflow. This interfaces Jibril—our lightweight eBPF sensor—with the runner at the kernel level. No proxies, zero code changes, and sub-2% CPU overhead.

Jibril Runtime Agent

v2.8

Connected

Workflows3

build.yml

PASS

test.yml

WARN

cursor-agent-pr.yml

FAIL

Behavioral profiles for every run

github-runner:1

npm install:42

postinstall → /bin/sh:87

curl exfil.sh:91

webhook.site

node payload.js:93

185.62.190.89

node build.js:55

esbuild:60

Review and assert in your workflow

Ground truth for what code actually did.

Catch unexpected behavior early

Runtime profiles surface deviations you’d never spot in a code review—regressions, unexpected side effects, and attacks—before they become incidents.

Audit dependency and agent execution

See exactly what AI agents and third-party dependencies did during a run, with kernel-level evidence. Know instantly if you’re impacted by a supply-chain attack or rogue agent behavior.

Derive policy from observed behavior

Build firewall rules, egress policies, and allowlists from what your code actually does at runtime—not from assumptions or manual inventories.

Detect known threats automatically

Garnet’s managed threat feeds flag known C2 domains, cryptominer pools, and attack patterns at runtime—catching novel threats before they show up in advisories, no security team required.

"There are a lot of tools that process security advisory data, but Garnet is the first I’ve seen that goes a step further, applying behavioral analysis to find issues before they get reported to an advisory database. This is the kind of thing we’d always wanted to do at npm, Inc., but never got around to. It’s super exciting to see it come to fruition."

Isaac Z. Schlueter

Creator of npm, ex-Project Lead Node.js

A new primitive for autonomous era of software

Making execution observable and trustworthy.

Kernel-level visibility, zero overhead

Assertions that make execution verifiable

The source of truth for non-deterministic execution

Runtime profile captured for run #4817

Run Profile

GitHub Actions • Per-run behavioral analysis

Open public run profile

Process lineage traced

Network egress profiled

Assertions evaluated

Stop running blind.
Ship with confidence.

One edit to your existing workflow file. Get your first run profile on the next push.

Start Profiling Talk with Founders

Runtime visibilityfor GitHub workflows.

You're executing untrusted code and running blind.

Code you import, executing with your secrets.

Generated code and AI agents running without a runtime audit trail

Shai-Hulud 2.0

tj-actions/changed-files

Aqua Trivy (TeamPCP)

Checkmarx KICS (TeamPCP)

LiteLLM (TeamPCP)

Shai-Hulud 2.0

tj-actions/changed-files

Aqua Trivy (TeamPCP)

Checkmarx KICS (TeamPCP)

LiteLLM (TeamPCP)

See and assert runtime behavior in GitHub Actions.

Ground truth for what code actually did.

Catch unexpected behavior early

Audit dependency and agent execution

Derive policy from observed behavior

Detect known threats automatically

Making execution observable and trustworthy.

Kernel-level visibility, zero overhead

Assertions that make execution verifiable

The source of truth for non-deterministic execution

Run Profile

Stop running blind. Ship with confidence.

Product

Company

Security

Legal

Runtime visibilityfor GitHub workflows.

You're executing untrusted code and running blind.

Code you import, executing with your secrets.

Generated code and AI agents running without a runtime audit trail

Shai-Hulud 2.0

tj-actions/changed-files

Aqua Trivy (TeamPCP)

Checkmarx KICS (TeamPCP)

LiteLLM (TeamPCP)

Shai-Hulud 2.0

tj-actions/changed-files

Aqua Trivy (TeamPCP)

Checkmarx KICS (TeamPCP)

LiteLLM (TeamPCP)

See and assert runtime behavior in GitHub Actions.

Ground truth for what code actually did.

Catch unexpected behavior early

Audit dependency and agent execution

Derive policy from observed behavior

Detect known threats automatically

Making execution observable and trustworthy.

Kernel-level visibility, zero overhead

Assertions that make execution verifiable

The source of truth for non-deterministic execution

Run Profile

Stop running blind. Ship with confidence.

Stop running blind.
Ship with confidence.

Stop running blind.
Ship with confidence.