GitHub Actions In Use

To get insights into the GitHub Actions used in your repositories, navigate to the Actions section in the StepSecurity dashboard. Here, you can find:

  • The name of each Action.

  • The Action Security Score.

  • The Repositories using that particular Action.

StepSecurity Actions page showing GitHub Actions in Use

Exploring GitHub Actions Insights

Viewing Action Details

  • Click on a specific action, such as actions/checkout.

  • This will open the GitHub Actions Advisor, which provides a breakdown of the GitHub Actions security score.

The GitHub Actions Security Score is calculated using industry best practices such as the OpenSSF Scorecard and the secure software publishing guide.

StepSecurity GitHub Action Advisor

  • Scroll down in the GitHub Actions Advisor to see all outbound network calls made by the action.

StepSecurity GitHub Action Advisor

Checking Repository Usage

  • The dashboard also allows you to view the number of repositories using each action.

StepSecurity Actions page showing GitHub Actions in Use

  • Click on the repository count to access a detailed list of:

    • The repositories using the action.

    • The associated workflows.

    • The SHA and tag for each repository.

    • The age of the last used tag/SHA. If the tag hasn’t been updated in a while, it is recommended to upgrade it; you can automate this process using Dependabot.

  • You can also explore reusable workflows and see where they are being used. Hover over a workflow to find out which other workflows depend on it.

StepSecurity Actions page showing GitHub Action details
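As an added example (not from the StepSecurity docs), the following Dependabot configuration keeps the actions referenced in a repository's workflows updated, shown alongside an excerpt of a workflow step pinned to a full commit SHA. The file paths are the standard GitHub locations; the commit SHA is a placeholder, not a real value.

```yaml
# .github/dependabot.yml (added example, not from the StepSecurity docs)
# Dependabot scans .github/workflows/*.yml for "uses:" references and opens
# pull requests when a newer tag or commit of an action is available.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"            # workflows are discovered under .github/workflows
    schedule:
      interval: "weekly"
---
# .github/workflows/ci.yml (excerpt, added example)
# Pinning to a full commit SHA means the resolved code cannot change under a
# moving tag; Dependabot updates both the SHA and the trailing version comment.
steps:
  - uses: actions/checkout@<full-commit-sha-placeholder>  # vX.Y.Z (tag the SHA was taken from)
```

With this in place, an action whose tag/SHA age shows as stale in the dashboard will already have an open Dependabot pull request, so the upgrade is a review-and-merge step rather than a manual edit.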

Managing Low-Scoring Actions

  • Actions with low security scores should be replaced or updated.

  • StepSecurity provides maintained alternatives for some actions.

  • If an action has a maintained version, you will see a Maintained action available label.

StepSecurity Actions page showing GitHub Actions in Use

  • Clicking on the Maintained action available label will take you to the StepSecurity-maintained action, where you can see the difference between the StepSecurity-maintained action and the low-scoring action.

Requesting a Maintained Action

  • Click on an action with a low score.

StepSecurity Actions page showing GitHub Actions in Use

  • If it does not have a maintained version, you can request one.

  • Click on Request maintained action.

GitHub Actions Advisor

  • Enter your email and submit the request.

GitHub Actions Advisor
