Continuous workflow monitoring

Concepts behind threat detection tech used by listen.dev

listen.dev is powered by a best-in-class detection engine that uses dynamic behavioural analysis (powered by eBPF) to detect adversarial activity in your development environments. This depth of visibility and control allows you to safeguard your sensitive data and assets, ensure compliance and prevent supply chain attacks.

How does the detection work?

Our GitHub action comes with a CI agent, argus, which observes runtime behavior during the execution of workflow runs. This behavior is checked against a comprehensive set of detections to flag known bad behaviours. Read more about our coverage in Detections.

What kind of harmful behaviors are detected?

There are two main threats from open source modules and from compromised workflows, dependencies, and build tools in your GitHub Actions environment:

  1. Exfiltration of credentials, source code and other sensitive data from the CI/CD system

  2. Tampering of code and artifacts at build time

Why aren't traditional approaches sufficient against supply chain attacks?

The supply chain threat landscape is evolving rapidly, with today's adversaries using increasingly sophisticated and novel methods to craft attacks. Meanwhile, the security tooling industry hasn't kept up.

  • Traditional dependency scanners and SCA tools work by referencing databases of known and publicly disclosed vulnerabilities (CVEs), so your security depends on how up to date these databases are.

  • If your dev toolchain contains unknown and unpatched vulnerabilities (e.g. a recent backdoor, malware or zero-day attack), it is in most cases already too late to contain the harm by the time they are captured by CVE-based scanners.

Finding and patching only known vulnerabilities in your dependencies is a reactive approach and does not provide sufficient defense against modern supply chain attacks. Read more about the difference between known vulnerabilities and supply chain attacks in this blog post.

© 2024 Garnet Labs