GitHub Actions In Use

To get insights into the GitHub Actions used in your repositories, navigate to the Actions section in the StepSecurity dashboard. Here, you can find:

• The name of each Action.

• The Action Security Score.

• The Repositories using that particular Action.

Exploring GitHub Actions Insights

• Viewing Action Details

• How Action Scores are Calculated

• Managing Low Scoring Actions

• Requesting a Maintained Action

Viewing Action Details

Click on a specific Action (e.g., actions/checkout) to open its details page. You will see four tabs:

Repositories Tab

• Displays the repositories using the selected Action.

• Lists associated workflows.

• Shows the SHA and tag used in each repository.

• Displays the age of the last used tag or SHA.

  • If a tag has not been updated recently, it’s recommended to upgrade it.

  • You can automate this process using Dependabot.

Security Score Tab

• Displays the Security Score of the Action.

• The score is calculated using industry best practices, including OpenSSF Scorecard checks and the Secure Software Publishing Guide.

AI Analysis

• Displays the AI-powered security assessment of the selected Action.

• The AI Analysis evaluates the Action’s source code, workflow configuration, token usage, and supply chain risk patterns to identify potential security issues. This analysis is powered by StepSecurity’s vertical supply chain security AI agent, which is trained on past real-world supply chain incidents and common CI/CD attack patterns. By leveraging historical breach data and known exploitation techniques, the AI agent is able to detect subtle risk indicators that traditional rule-based scanners may miss.

• It generates the AI Security Score and provides detailed security findings with severity levels and remediation guidance.

• For Actions that do not yet have AI Analysis available, you can request an analysis directly from the Action details page.

Network Behavior Tab

• Shows all outbound network calls made by the Action during execution.

How Action Scores are Calculated

Each GitHub Action is assigned a Security Score on a 0–10 scale. The score reflects how closely the Action aligns with industry best practices for secure software development and maintenance.

Scores are derived from multiple components, each normalized to a 0–10 range, and combined into a final score depending on whether the Action is public or private.

Score Components

Each component contributes a score between 0 and 10.

Popularity Score

Maintained Score (for internal/private actions)

• Node.js Runtime Check

  • If the Action uses Node.js 16 or lower, the score is 0.

• Commit Recency

Vulnerabilities Score (for internal/private actions)

The score is calculated using an OSV scan of the Action’s dependencies.

If no dependencies are found to scan, the score defaults to 10.

Branch Protection Score

Derived from OpenSSF Scorecard results and reflects whether the Action’s repository enforces recommended branch protection settings.

Final Score Calculation

• Public Actions (6 components)

• Private or Internal Actions (3 components)

The final score is rounded to the nearest whole number, resulting in a value between 0 and 10.

Managing Low-Scoring Actions

• Actions with low security scores should be replaced or updated.

• StepSecurity provides maintained alternatives for some actions.

• If an action has a maintained version, you will see a Maintained action available label.

• Clicking on the Maintained action available label will take you to the StepSecurity-maintained action, where you can see the difference between the StepSecurity-maintained action and the low-scoring action.

Requesting a Maintained Action

• Click on an action with a low score.

• If it does not have a maintained version, you can request one.

• Click on Request maintained action .

• Enter your email and submit the request.