> For the complete documentation index, see [llms.txt](https://docs.stepsecurity.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.stepsecurity.io/start-here/readme.md).

# Introduction

**Welcome to the StepSecurity Documentation hub!**

Here, you'll find all the information you need to get started with StepSecurity, implement its powerful features, and manage your security operations efficiently. Our documentation is designed to help you navigate the platform effortlessly and maximize your use of StepSecurity's tools.

### What is StepSecurity?

StepSecurity detects, prevents, and responds to software supply chain attacks across three critical surfaces: developer environments, code repositories, and CI/CD pipelines.

It works by deploying lightweight agents and automated checks at each stage of your development lifecycle:

**On CI/CD runners**, the Harden-Runner agent uses eBPF to monitor every outbound network call, file write, and process execution, correlating each event to the specific workflow step that triggered it.

**On code repositories**, automated checks block compromised npm packages and enforce security best practices through pull requests.

**On developer machines**, a lightweight script inventories AI coding agents, IDE extensions, and local packages to catch threats before they reach your pipelines.

### Platform at a Glance

Prevent, detect, and respond across the three surfaces attackers target. Every capability links to its documentation.

|                 | 🖥️ Developer Machines                                                                                                                                                                                                                                                                                                                                                  | 📦 OSS Packages                                                                                                                                                                                                                                                                                                                                                 | ♾️ CI/CD Pipelines                                                                                                                                                                                                                                                                                                                                   |
| --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **🛡️ Prevent** | <p><a href="https://docs.stepsecurity.io/packages/secure-registry">Secure Registry policies at download time</a><br><br><a href="https://docs.stepsecurity.io/developer-machines/device-policy/policies">IDE extension allowlists</a><br><br><a href="https://docs.stepsecurity.io/developer-machines/packages/package-configs">Package manager config policies</a></p> | <p><a href="https://docs.stepsecurity.io/github/github-checks/configuration">Compromised update checks</a><br><br><a href="https://docs.stepsecurity.io/github/github-checks/configuration">Package cooldown checks</a><br><br><a href="https://docs.stepsecurity.io/github/orchestrate-security/policy-driven-prs">Dependabot config orchestration</a></p>     | <p><a href="https://docs.stepsecurity.io/github-actions/harden-runner">Harden-Runner egress control</a><br><br><a href="https://docs.stepsecurity.io/github-actions/workflow-run-policies">Workflow run policies</a><br><br><a href="https://docs.stepsecurity.io/github-actions/actions/stepsecurity-maintained-actions">Maintained Actions</a></p> |
| **🔍 Detect**   | <p><a href="https://docs.stepsecurity.io/developer-machines/mcp-servers">AI agent and MCP server inventory</a><br><br><a href="https://docs.stepsecurity.io/developer-machines/ide-extensions">IDE extension inventory</a><br><br><a href="https://docs.stepsecurity.io/developer-machines/packages/oss-package-search">Package search on machines</a></p>              | <p><a href="https://docs.stepsecurity.io/github/github-checks/configuration">Dependency screening at every PR</a><br><br><a href="https://docs.stepsecurity.io/packages/oss-package-search">One search across repos, PRs and machines</a><br><br><a href="https://docs.stepsecurity.io/administration/admin-console/integrations">Real time SIEM alerts</a></p> | <p><a href="https://docs.stepsecurity.io/workspace/detections">Runtime detections with eBPF</a><br><br><a href="https://docs.stepsecurity.io/github-actions/harden-runner/baseline">Network baselines</a><br><br><a href="https://docs.stepsecurity.io/workspace/settings/notifications">Real time alerts</a></p>                                    |
| **⚡ Respond**   | <p><a href="https://docs.stepsecurity.io/developer-machines/ide-extensions">Compromised package and extension detection</a><br><br><a href="https://docs.stepsecurity.io/developer-machines/suspicious-files">Suspicious files</a><br><br><a href="https://docs.stepsecurity.io/developer-machines/packages/oss-package-search">Incident search across machines</a></p> | <p><a href="https://docs.stepsecurity.io/workspace/threat-center">Threat Center</a><br><br><a href="https://docs.stepsecurity.io/packages/oss-package-search">Blast radius mapping</a><br><br><a href="https://docs.stepsecurity.io/oss-supply-chain-security/respond">Remediation verification</a></p>                                                         | <p><a href="https://docs.stepsecurity.io/github-actions/harden-runner">Automatic attack blocking</a><br><br><a href="https://docs.stepsecurity.io/github-actions/harden-runner/policy-store">Lockdown mode</a><br><br><a href="https://docs.stepsecurity.io/github-actions/harden-runner/baseline">Run level forensics</a></p>                       |

{% hint style="success" %}
Every **Respond** capability is powered by StepSecurity's dedicated threat intelligence team, which has detected and disclosed some of the largest supply chain attacks in the industry.
{% endhint %}

### **Documentation by Product Area**

**CI/CD Security** (this site) — Harden-Runner runtime protection, GitHub Checks, automated remediation, Actions governance, and workflow run policies for GitHub Actions pipelines.

* [GitHub Actions](https://docs.stepsecurity.io/workspace/getting-started)
* [GitLab CI](https://docs.stepsecurity.io/gitlab/)
* [Azure DevOps](https://docs.stepsecurity.io/azure-devops/)

[**OSS Supply Chain Security →**](https://docs.stepsecurity.io/oss-supply-chain-security/) — Cooldown policies, compromised package detection, enterprise-wide package search, threat intelligence, and incident response for package dependencies.

[**Dev Machine Guard →**](https://docs.stepsecurity.io/dev-machine-guard/) — Device inventory, IDE extension governance, local dependency monitoring, and AI coding agent visibility for developer machines.

### Trusted by Leading Open-Source Projects & Enterprises

Harden-Runner, one of StepSecurity's core solutions is trusted by **13,000+** open-source projects and enterprises, including industry giants like Microsoft, Google, Kubernetes, and more.

#### Recent supply chain attacks detected by Harden-Runner

* [tj-actions/changed-files compromise](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) ([CVE-2025-30066](https://github.com/advisories/GHSA-mrrh-fwg8-r2c3))
* [axios npm compromise: the largest npm supply chain attack by download count](https://www.stepsecurity.io/blog/behind-the-scenes-how-stepsecurity-detected-and-helped-remediate-the-largest-npm-supply-chain-attack)
* [Bitwarden CLI hijacked on npm: credential stealer targets developers, GitHub Actions, and AI tools](https://www.stepsecurity.io/blog/bitwarden-cli-hijacked-on-npm-bun-staged-credential-stealer-targets-developers-github-actions-and-ai-tools)
* [Sha1-Hulud Supply Chain Attack in CNCF's Backstage Repository](https://www.stepsecurity.io/blog/how-harden-runner-detected-the-sha1-hulud-supply-chain-attack-in-cncfs-backstage-repository)
* [NX Build System compromise](https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware)
* [xygeni-action GitHub Action backdoored via tag poisoning](https://www.stepsecurity.io/blog/xygeni-action-compromised-c2-reverse-shell-backdoor-injected-via-tag-poisoning)

#### Customer case studies

* [How Omnissa Strengthened Its Software Supply Chain Security with StepSecurity](https://www.stepsecurity.io/case-studies/omnissa)
* [How Mercari Hardened Its Software Supply Chain with StepSecurity](https://www.stepsecurity.io/case-studies/mercari)
* [Chainguard Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/chainguard)
* [How XBOW Hardened Its Software Supply Chain with StepSecurity](https://www.stepsecurity.io/case-studies/xbow)
* [How Coveo Strengthened GitHub Actions Security with StepSecurity](https://www.stepsecurity.io/case-studies/coveo)

**See all case studies:** [View Customer Success Stories →](https://www.stepsecurity.io/case-studies)

**See every incident StepSecurity has caught in the wild:** [View All Incidents →](https://www.stepsecurity.io/incidents)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.stepsecurity.io/start-here/readme.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
