Limitations & Caveats

Info: The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

Warning: This page does not exhaustively cover all limitations and caveats of Takumi Runner. Detailed disclosure of the boundaries of defense mechanisms could be exploited to circumvent them, so the content here is intentionally limited.

Trace Limitations

The Takumi Runner eBPF tracer comprehensively records process, network, and file operations during workflow execution, but the existence of trace data does not guarantee detection of all supply chain attacks.

For example, attacks carried out using techniques that are difficult to distinguish from legitimate build processes, or attacks that use system calls not covered by the tracer, may not be detectable from trace data alone. Traces are effective as evidence for incident investigation and post-mortem analysis, but they are not designed for real-time attack prevention.

Additionally, if the tracer's own operating foundation is compromised — such as through exploitation of a kernel vulnerability — the completeness and integrity of traces are not guaranteed.

Supported Platforms

Currently, Takumi Runner supports GitHub Actions only. Support for other CI/CD platforms such as GitLab CI and CircleCI is planned for future expansion.

GitHub Enterprise Server (self-hosted) is not supported. Only GitHub.com and GitHub Enterprise Cloud are supported.

The execution environment is limited to Linux (x86_64) runners compatible with ubuntu-latest. macOS, Windows, and ARM architectures are not supported.

Concurrency

There is a limit on the number of concurrent jobs per organization. The limit varies depending on your subscription plan. Jobs exceeding the limit are queued and start as running jobs complete.

Additionally, GitHub-side limits — including the rate limit via the GitHub App Installation used by Takumi Runner — may also affect actual concurrency and job start timing.