GitHub Actions Advisor

Available for Enterprise Tier only

This page helps you assess the security score of any GitHub Action used in your workflows.

Note: GitHub Actions security scores are graded by OpenSSF ScoreCard

How to Check an Actions Security Score

Navigate to the Actions section and select GitHub Actions Advisor
Enter the name of an action (e.g., google-github-actions/auth) to view its security score.
You can also browse a list of Actions maintained by StepSecurity

This will open the GitHub Actions Advisor, which provides a breakdown of the GitHub Actions security score

The following details are displayed for each Action:

Security Score Details

Remarks

Score

The actions security score. The highest rating is 10.

License

Verifies the presence of a published license in standard locations. A clear license is crucial for security reviews, audits, and mitigating legal risks for users.

Maintained

Project activity is assessed based on recent commits and issue engagement. Active maintenance is crucial for ongoing security and functionality.

Vulnerabilities

Dependencies are monitored for vulnerabilities and updated periodically to address identified issues promptly.

Branch protection

Checks if default and release branches are protected using GitHub’s branch protection or repository rules. Ensures defined workflows, such as required reviews or status checks, are enforced before merging.

Manual code review

Verifies that code changes are reviewed by at least one person other than the author. This practice enhances code quality and security through additional oversight.

Secure publishinng

Verifies that secure deployment practices are in place, including deployment review, reproducible builds, and generation of SBOM and provenance.

Signed commits

All code contributions are made with signed commits, enforced through branch protection to ensure code authenticity and integrity.

Automated security tools

Verifies the use of automated tools like SAST, SCA, and security scorecards on each change and periodically. Checks if responses are triaged promptly to maintain security standards.

Popular

Checks if the action is widely used by other open source projects. Higher usage can indicate community trust and more thorough vetting.

Security policy

Verifies the presence of a SECURITY.md file in standard locations. This policy provides secure reporting methods, ensuring responsible disclosure.

Scroll down in the GitHub Actions Advisor to see all outbound network calls made by the action.

Composite Actions

Some GitHub Actions act as composite (parent) actions, meaning they include other GitHub Actions within their own action.yml. These composite actions make it easier to reuse complex logic but also introduce additional dependencies that can affect overall security.

When you open a composite action in the GitHub Actions Advisor, you’ll see a Composite Action Details section like this:

Effective Score — Displays the combined score that factors in both the composite action and all internal actions it uses
Pinnable — Indicates whether the composite action can be pinned, based on whether all internal actions are pinned to specific SHAs
Action Scores — Lists each GitHub Action used inside the composite action, along with its individual security score

PreviousReusable Workflows NextStepSecurity Maintained Actions

Last updated 9 days ago

Was this helpful?