GitHub Actions In Use

To get insights into the GitHub Actions used in your repositories, navigate to the Actions section in the StepSecurity dashboard. Here, you can find:

• The name of each Action.

• The Action Security Score.

• The Repositories using that particular Action.

Exploring GitHub Actions Insights

• Viewing Action Details

• Managing Low Scoring Actions

• Requesting a Maintained Action

Viewing Action Details

Click on a specific Action (e.g., actions/checkout) to open its details page. You will see three tabs:

Repositories Tab

• Displays the repositories using the selected Action.

• Lists associated workflows.

• Shows the SHA and tag used in each repository.

• Displays the age of the last used tag or SHA.

  • If a tag has not been updated recently, it’s recommended to upgrade it.

  • You can automate this process using Dependabot.

Security Score Tab

• Displays the Security Score of the Action.

• The score is calculated using industry best practices, including OpenSSF Scorecard checks and the Secure Software Publishing Guide.

Network Behavior Tab

• Shows all outbound network calls made by the Action during execution.

Managing Low-Scoring Actions

• Actions with low security scores should be replaced or updated.

• StepSecurity provides maintained alternatives for some actions.

• If an action has a maintained version, you will see a Maintained action available label.

• Clicking on the Maintained action available label will take you to the StepSecurity-maintained action, where you can see the difference between the StepSecurity-maintained action and the low-scoring action.

Requesting a Maintained Action

• Click on an action with a low score.

• If it does not have a maintained version, you can request one.

• Click on Request maintained action .

• Enter your email and submit the request.