# GitHub Actions Advisor

{% hint style="warning" %}
Available for **Enterprise** Tier only
{% endhint %}

We perform a holistic evaluation of Actions using Static Analysis, AI Analysis, and Runtime Analysis to provide a complete view of their risk profile.

{% hint style="info" %}
Note: GitHub Actions security scores are graded by **OpenSSF ScoreCard**
{% endhint %}

### How to Check an Actions Security Score

* Navigate to the Actions section and select `GitHub Actions Advisor`
* Enter the name of an action (e.g., TimonVS/pr-labeler-action) to view its security score.
* You can also browse a list of Actions maintained by StepSecurity

<figure><img src="/files/vo2tRE8ySwDtYb93kQ0O" alt=""><figcaption><p>GitHub Actions Advisor</p></figcaption></figure>

* This will open the GitHub Actions Advisor, which provides a breakdown of the GitHub Actions security score. The scores are calculated using Static Analysis.

<figure><img src="/files/RlxV7VXDhYEDyOcnJpzA" alt=""><figcaption></figcaption></figure>

* The following details are displayed for each Action:

| Security Score Details   | Remarks                                                                                                                                                                                                       |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Score                    | The action's security score. The highest rating is 10.                                                                                                                                                        |
| License                  | Verifies the presence of a published license in standard locations. A clear license is crucial for security reviews, audits, and mitigating legal risks for users.                                            |
| Maintained               | Project activity is assessed based on recent commits and issue engagement. Active maintenance is crucial for ongoing security and functionality.                                                              |
| Vulnerabilities          | Dependencies are monitored for vulnerabilities and updated periodically to address identified issues promptly.                                                                                                |
| Branch protection        | Checks if default and release branches are protected using GitHub’s branch protection or repository rules. Ensures defined workflows, such as required reviews or status checks, are enforced before merging. |
| Manual code review       | Verifies that code changes are reviewed by at least one person other than the author. This practice enhances code quality and security through additional oversight.                                          |
| Secure publishing        | Verifies that secure deployment practices are in place, including deployment review, reproducible builds, and generation of SBOM and provenance.                                                              |
| Signed commits           | All code contributions are made with signed commits, enforced through branch protection to ensure code authenticity and integrity.                                                                            |
| Automated security tools | Verifies the use of automated tools like SAST, SCA, and security scorecards on each change and periodically. Checks if responses are triaged promptly to maintain security standards.                         |
| Popular                  | Checks if the action is widely used by other open source projects. Higher usage can indicate community trust and more thorough vetting.                                                                       |
| Security policy          | Verifies the presence of a SECURITY.md file in standard locations. This policy provides secure reporting methods, ensuring responsible disclosure.                                                            |

* Scroll down in the GitHub Actions Advisor to see all outbound network calls made by the action. This section displays the results of the Action’s runtime analysis.

<figure><img src="/files/mVmSeXe0zCsU5cMY81Wl" alt=""><figcaption></figcaption></figure>

* On the second tab, you can view the AI Analysis of the Action, including the Action Summary, AI Security Score, security findings, and recommendations.

<figure><img src="/files/5mjNLML5H7m0QdINzl00" alt=""><figcaption></figcaption></figure>

### Composite Actions

Some GitHub Actions act as composite (parent) actions, meaning they include other GitHub Actions within their own action.yml. These composite actions make it easier to reuse complex logic but also introduce additional dependencies that can affect overall security.

When you open a composite action in the GitHub Actions Advisor, you’ll see a Composite Action Details section like this:

* **Effective Score** — Displays the combined score that factors in both the composite action and all internal actions it uses
* **Pinnable** — Indicates whether the composite action can be pinned, based on whether all internal actions are pinned to specific SHAs
* **Action Scores** — Lists each GitHub Action used inside the composite action, along with its individual security score

<figure><img src="/files/uIYyZJQY6WwCT5HerWfb" alt=""><figcaption><p>GitHub Actions Advisor</p></figcaption></figure>
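The following is an added example, not StepSecurity's code or the Advisor's implementation, showing how the three Composite Action Details fields can be derived from a composite `action.yml`: it extracts the internal `uses:` references, reports each one as pinned only when its ref is a full 40-character commit SHA, and marks the composite as pinnable only when every internal action is pinned. The `action.yml`, the commit SHA and the per-action scores are constructed placeholders, and the aggregation used for the effective score (the minimum of the parent and internal scores) is an assumption, since the page does not state the Advisor's actual formula.

```python
import re
from typing import NamedTuple

# Constructed action.yml for a hypothetical composite action (illustration only,
# not a real project). The SHA below is a made-up placeholder, not a real commit.
COMPOSITE_ACTION_YML = """\
name: 'example-composite'
description: 'Constructed composite action used to illustrate pin checks'
runs:
  using: 'composite'
  steps:
    - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
    - uses: actions/setup-node@v4
    - uses: ./.github/actions/local-helper
    - uses: docker://alpine:3.19
    - name: Build
      run: echo "building"
      shell: bash
"""

# A full 40-hex-character commit SHA is the only immutable reference form;
# tags and branches can be moved after the fact.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses:" entries, with or without the list dash, quoted or unquoted,
# and stops at whitespace or a trailing "# comment".
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")


class ActionRef(NamedTuple):
    repo: str     # owner/repo[/subpath]
    ref: str      # whatever follows "@" (tag, branch, or SHA); "" if absent
    pinned: bool  # True only when ref is a full commit SHA


def parse_internal_actions(action_yml: str) -> list[ActionRef]:
    """Extract GitHub-hosted action references from a composite action.yml.

    Local actions ("./path") live in the same repository, and "docker://"
    images are not GitHub actions, so both are skipped here.
    """
    refs: list[ActionRef] = []
    for line in action_yml.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        repo, _, ref = target.partition("@")
        refs.append(ActionRef(repo, ref, bool(FULL_SHA_RE.match(ref))))
    return refs


def is_pinnable(refs: list[ActionRef]) -> bool:
    """Pinnable in the Advisor's sense: every internal action is pinned to a SHA."""
    return all(r.pinned for r in refs)


def effective_score(parent_score: float, internal_scores: dict[str, float]) -> float:
    """Aggregate the parent's score with its internal actions' scores.

    Assumption: the Advisor's real aggregation formula is not documented on the
    page; this example uses the weakest link (the minimum score), a conservative
    reading of "factors in both the composite action and all internal actions".
    """
    return min([parent_score, *internal_scores.values()])


def composite_details(action_yml: str, parent_score: float,
                      internal_scores: dict[str, float]) -> dict:
    """Build the three fields shown in the Composite Action Details section."""
    refs = parse_internal_actions(action_yml)
    return {
        "effective_score": effective_score(parent_score, internal_scores),
        "pinnable": is_pinnable(refs),
        "action_scores": {
            r.repo: {"score": internal_scores.get(r.repo), "ref": r.ref, "pinned": r.pinned}
            for r in refs
        },
    }


if __name__ == "__main__":
    # Constructed scores for the internal actions (not real Advisor output).
    details = composite_details(COMPOSITE_ACTION_YML, 8.5,
                                {"actions/checkout": 9.0, "actions/setup-node": 7.0})
    print(details)
```

In the constructed input, `actions/setup-node@v4` is a mutable tag, so the composite is reported as not pinnable even though the checkout step is pinned; this is the situation the Pinnable field is meant to surface, because pinning the parent to a SHA does not freeze what its unpinned children resolve to.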


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stepsecurity.io/actions/github-actions-advisor.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
