🧪 Worked Example Tabletop: CI Runner Compromise Before Release
Intro: This tabletop trains teams to respond when build trust is uncertain and release pressure is high. It is intentionally designed to force a decision on containment, evidence, and business communication rather than technical cleanup alone.
What this page includes
- a short runner-compromise scenario
- first-15-minute actions
- containment, evidence, and decision questions
- how to score the tabletop
Scenario
Thirty minutes before release, the team notices that a self-hosted CI runner executed an unexpected outbound connection during a privileged deployment job. The runner had access to build artifacts, deployment credentials, and repository write access for release automation.
First 15 minutes
- stop privileged jobs using the affected runner pool;
- quarantine the runner and preserve evidence;
- identify which secrets, artifacts, or deployments were reachable;
- decide whether the release must pause pending trust re-establishment;
- assign one owner for technical containment and one owner for stakeholder communication.
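One way to work the "identify which secrets, artifacts, or deployments were reachable" step during the exercise, as an added example that is not part of the original page. The job-history schema, pool names, secret names, and timestamps are constructed for illustration, and the trust cutoff is an assumption the team must choose.

```python
from datetime import datetime

# Constructed job history in a hypothetical schema (not any CI product's export format).
JOBS = [
    {"id": "build-101", "runner": "pool-a/r1", "start": "2026-01-10T08:00",
     "secrets": ["REGISTRY_TOKEN"], "inputs": [], "outputs": ["lib.tar"]},
    {"id": "build-102", "runner": "pool-a/r2", "start": "2026-01-10T09:10",
     "secrets": ["SIGNING_KEY"], "inputs": [], "outputs": ["app.tar"]},
    {"id": "test-103", "runner": "pool-b/r1", "start": "2026-01-10T09:20",
     "secrets": [], "inputs": ["app.tar"], "outputs": ["report.xml"]},
    {"id": "deploy-104", "runner": "pool-b/r1", "start": "2026-01-10T09:30",
     "secrets": ["DEPLOY_KEY"], "inputs": ["app.tar"], "outputs": []},
    {"id": "docs-105", "runner": "pool-b/r2", "start": "2026-01-10T09:40",
     "secrets": ["DOCS_TOKEN"], "inputs": ["lib.tar"], "outputs": ["docs.zip"]},
]


def reachable_scope(jobs, suspect_pool, trust_cutoff):
    """Walk jobs in time order and propagate suspicion through artifacts.

    A job is suspect if it ran on the affected pool at or after trust_cutoff,
    or if it consumed an artifact produced by a suspect job.
    """
    cutoff = datetime.fromisoformat(trust_cutoff)
    direct, downstream, artifacts, suspect_jobs = set(), set(), set(), []
    for job in sorted(jobs, key=lambda j: datetime.fromisoformat(j["start"])):
        started = datetime.fromisoformat(job["start"])
        on_pool = job["runner"].startswith(suspect_pool + "/") and started >= cutoff
        consumed = artifacts.intersection(job["inputs"])
        if not (on_pool or consumed):
            continue
        suspect_jobs.append(job["id"])
        artifacts.update(job["outputs"])
        # Secrets on the affected runner were directly reachable; secrets in a
        # job that only consumed a suspect artifact are a second, weaker tier.
        (direct if on_pool else downstream).update(job["secrets"])
    return {
        "suspect_jobs": suspect_jobs,
        "secrets_direct": sorted(direct),
        "secrets_downstream": sorted(downstream - direct),
        "artifacts_to_rebuild": sorted(artifacts),
    }


if __name__ == "__main__":
    # The cutoff is an assumption: set it to the last time the pool is known good.
    for key, value in reachable_scope(JOBS, "pool-a", "2026-01-10T09:00").items():
        print(f"{key}: {value}")
```

Moving the cutoff earlier widens the result, which makes the cost of an uncertain compromise time visible to participants.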
Discussion questions
- Which trust relationships are now suspect?
- Which artifacts or releases must be re-built from a clean path?
- Which credentials must rotate immediately versus after evidence capture?
- What evidence must be preserved before teardown?
- How do you explain the business impact without overstating certainty?
Scoring guidance
Score participants on:
- containment order;
- evidence preservation;
- release decision quality;
- scope analysis of potentially affected trust paths;
- communication clarity.
Related pages
- Vendor Agents, Runners, and Build-Integration Trust Boundaries
- Product Security Incident Response Playbooks
Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.