GitHub Actions In Use

To get insights into the GitHub Actions used in your repositories, navigate to the Actions section in the StepSecurity dashboard. Here, you can find:

• The name of each Action.

• The Action Security Score.

• The Repositories using that particular Action.

Exploring GitHub Actions Insights

• Viewing Action Details

• How Action Scores are Calculated

• Managing Low Scoring Actions

• Requesting a Maintained Action

Viewing Action Details

Click on a specific Action (e.g., actions/checkout) to open its details page. You will see three tabs:

Repositories Tab

• Displays the repositories using the selected Action.

• Lists associated workflows.

• Shows the SHA and tag used in each repository.

• Displays the age of the last used tag or SHA.

  • If a tag has not been updated recently, it’s recommended to upgrade it.

  • You can automate this process using Dependabot.

Security Score Tab

• Displays the Security Score of the Action.

• The score is calculated using industry best practices, including OpenSSF Scorecard checks and the Secure Software Publishing Guide.

Network Behavior Tab

• Shows all outbound network calls made by the Action during execution.

How Action Scores are Calculated

Each GitHub Action is assigned a Security Score on a 0–10 scale. The score reflects how closely the Action aligns with industry best practices for secure software development and maintenance.

Scores are derived from multiple components, each normalized to a 0–10 range, and combined into a final score depending on whether the Action is public or private.

Score Components

Each component contributes a score between 0 and 10.

Popularity Score

Maintained Score (for internal/private actions)

• Node.js Runtime Check

  • If the Action uses Node.js 16 or lower, the score is 0.

• Commit Recency

Vulnerabilities Score (for internal/private actions)

The score is calculated using an OSV scan of the Action’s dependencies.

If no dependencies are found to scan, the score defaults to 10.

Branch Protection Score

Derived from OpenSSF Scorecard results and reflects whether the Action’s repository enforces recommended branch protection settings.

Final Score Calculation

• Public Actions (6 components)

• Private or Internal Actions (3 components)

The final score is rounded to the nearest whole number, resulting in a value between 0 and 10.

Managing Low-Scoring Actions

• Actions with low security scores should be replaced or updated.

• StepSecurity provides maintained alternatives for some actions.

• If an action has a maintained version, you will see a Maintained action available label.

• Clicking on the Maintained action available label will take you to the StepSecurity-maintained action, where you can see the difference between the StepSecurity-maintained action and the low-scoring action.

Requesting a Maintained Action

• Click on an action with a low score.

• If it does not have a maintained version, you can request one.

• Click on Request maintained action .

• Enter your email and submit the request.