GitHub Actions In Use
Available for Enterprise Tier only
To get insights into the GitHub Actions used in your repositories, navigate to the Actions section in the StepSecurity dashboard. Here, you can find:
The name of each Action.
The Action Security Score.
The Repositories using that particular Action.

Exploring GitHub Actions Insights
Viewing Action Details
Click on a specific Action (e.g., actions/checkout) to open its details page. You will see three tabs:
Repositories Tab
Displays the repositories using the selected Action.
Lists associated workflows.
Shows the SHA and tag used in each repository.
Displays the age of the last used tag or SHA.
If a tag has not been updated recently, it’s recommended to upgrade it.
You can automate this process using Dependabot.

Security Score Tab
Displays the Security Score of the Action.
The score is calculated using industry best practices, including OpenSSF Scorecard checks and the Secure Software Publishing Guide.

Network Behavior Tab
Shows all outbound network calls made by the Action during execution.

How Action Scores are Calculated
Each GitHub Action is assigned a Security Score on a 0–10 scale. The score reflects how closely the Action aligns with industry best practices for secure software development and maintenance.
Scores are derived from multiple components, each normalized to a 0–10 range, and combined into a final score depending on whether the Action is public or private.
Score Components
Each component contributes a score between 0 and 10.
Component         | Source                        | What it measures
License           | GitHub API                    | 10 if the action has a license, 0 if "No License"
Popularity        | GitHub Code Search            | Based on how many open-source projects use the action
Branch Protection | Scorecard                     | Measures repository branch protection settings
Maintained        | Scorecard (or internal check) | How recently the action was updated
Security Policy   | Scorecard                     | Whether the repo has a security policy
Vulnerabilities   | Scorecard (or OSV scan)       | Known vulnerabilities in dependencies
Popularity Score
Open-source projects using the action | Score
More than 1000                        | 10
More than 500                         | 7
More than 200                         | 5
200 or fewer                          | 0
Maintained Score (for internal/private actions)
Node.js Runtime Check
If the Action uses Node.js 16 or lower, the score is 0.
Commit Recency
Time since last commit | Score
30 days or less        | 10
90 days or less        | 8
180 days or less       | 6
365 days or less       | 4
730 days or less       | 2
More than 730 days     | 0
Vulnerabilities Score (for internal/private actions)
The score is calculated using an OSV scan of the Action’s dependencies.
Known vulnerabilities found | Score
0                           | 10
1–2                         | 7
3–5                         | 4
More than 5                 | 0
If no dependencies are found to scan, the score defaults to 10.
Branch Protection Score
Derived from OpenSSF Scorecard results and reflects whether the Action’s repository enforces recommended branch protection settings.
Final Score Calculation
Public Actions (6 components)
Private or Internal Actions (3 components)
The final score is rounded to the nearest whole number, resulting in a value between 0 and 10.
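The bucket tables above, implemented as scoring functions so the thresholds can be checked against a concrete action. This is an added illustration, not StepSecurity's code; the final-score combiner assumes a plain average of the component scores, because the page states only that each component is normalized to 0–10 and the result is rounded to the nearest whole number.

```python
import math
from typing import Dict, Optional

def license_score(has_license: bool) -> int:
    """License component: 10 with a license, 0 for "No License"."""
    return 10 if has_license else 0

def popularity_score(dependents: int) -> int:
    """Popularity buckets: number of open-source projects using the action."""
    if dependents > 1000:
        return 10
    if dependents > 500:
        return 7
    if dependents > 200:
        return 5
    return 0

def maintained_score(days_since_commit: int, node_major: Optional[int] = None) -> int:
    """Maintained component for private actions: a Node.js 16 or lower
    runtime forces 0, otherwise the commit-recency buckets apply."""
    if node_major is not None and node_major <= 16:
        return 0
    for limit, score in ((30, 10), (90, 8), (180, 6), (365, 4), (730, 2)):
        if days_since_commit <= limit:
            return score
    return 0

def vulnerabilities_score(known_vulns: Optional[int]) -> int:
    """OSV findings in dependencies; None means nothing to scan (defaults to 10)."""
    if known_vulns is None or known_vulns == 0:
        return 10
    if known_vulns <= 2:
        return 7
    if known_vulns <= 5:
        return 4
    return 0

def final_score(components: Dict[str, int]) -> int:
    """Combine component scores into the 0-10 final score.
    ASSUMPTION: a plain mean of the components; the page does not give
    the weighting, only that the result is rounded to a whole number."""
    for name, value in components.items():
        if not 0 <= value <= 10:
            raise ValueError(f"{name} score {value} is outside 0-10")
    avg = sum(components.values()) / len(components)
    return int(math.floor(avg + 0.5))  # round half up, unlike built-in round()
```

Pass the three private-action components (maintained, vulnerabilities, branch protection) or all six public-action components to final_score.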
Managing Low-Scoring Actions
Actions with low security scores should be replaced or updated.
StepSecurity provides maintained alternatives for some actions.
If an action has a maintained version, you will see a "Maintained action available" label.

Clicking on the "Maintained action available" label will take you to the StepSecurity-maintained action, where you can see the difference between the StepSecurity-maintained action and the low-scoring action.
Requesting a Maintained Action
Click on an action with a low score.

If it does not have a maintained version, you can request one.
Click on "Request maintained action".

Enter your email and submit the request.
