# GitHub Actions In Use

{% hint style="warning" %}
Available for **Enterprise** Tier only
{% endhint %}

To get insights into the GitHub Actions used in your repositories, navigate to the `Actions` section in the StepSecurity dashboard. Here, you can find:

* The name of each Action.
* The Action Security Score.
* The Repositories using that particular Action.

![StepSecurity Actions page showing GitHub Actions in Use](https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-03-03/8ebd38bf-aae4-4345-9353-dd8271724841/ascreenshot.jpeg?tl_px=127,89\&br_px=2880,1628\&force_format=jpeg\&q=100\&width=1120.0)

## Exploring GitHub Actions Insights

* [Viewing Action Details](#viewing-action-details)
* [How Action Scores are Calculated](#how-action-scores-are-calculated)
* [Managing Low-Scoring Actions](#managing-low-scoring-actions)
* [Requesting a Maintained Action](#requesting-a-maintained-action)

### Viewing Action Details

Click on a specific Action (e.g., actions/checkout) to open its details page. You will see four tabs:

#### Repositories Tab

* Displays the repositories using the selected Action.
* Lists associated workflows.
* Shows the SHA and tag used in each repository.
* Displays the age of the last used tag or SHA.
  * If a tag has not been updated recently, it’s recommended to upgrade it.
  * You can automate this process using Dependabot.
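The SHA/tag information the Repositories tab shows can be reproduced from a repository's own workflow files. The Python below is an added example, not StepSecurity's or GitHub's code: it extracts every `uses:` reference from a workflow and classifies how the Action is pinned (immutable commit SHA, version tag, branch, or local path), which is what decides whether "age of the tag" matters. The sample workflow, its 40-character SHA and the `example-org` names are constructed placeholders.

```python
"""Extract `uses:` references from a GitHub Actions workflow and classify
how each Action is pinned. Added example, not StepSecurity's own code.
The sample workflow below is constructed; its SHA and org are placeholders."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Matches `- uses: owner/repo@ref` (optionally quoted) and keeps a trailing
# `# vX.Y.Z` comment, which Dependabot leaves next to a SHA pin.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<spec>[^\s'\"#]+)['\"]?\s*(?:#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_TAG_RE = re.compile(r"v?\d+(?:\.\d+)*")


def classify_ref(ref: Optional[str]) -> str:
    """Name the kind of ref an Action is pinned to."""
    if not ref:
        return "unpinned"   # no @ref at all: resolves to the default branch
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"        # immutable commit
    if VERSION_TAG_RE.fullmatch(ref):
        return "tag"        # mutable: the maintainer can move the tag
    return "branch"         # mutable and follows every new commit


def parse_uses(workflow_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per `uses:` line: action, ref, pin kind, tag comment."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group("spec"), m.group("comment")
        if spec.startswith("./"):
            refs.append({"action": spec, "ref": None, "pin": "local", "tag_comment": None})
            continue
        if spec.startswith("docker://"):
            refs.append({"action": spec, "ref": None, "pin": "docker", "tag_comment": None})
            continue
        action, _, ref = spec.partition("@")
        refs.append({"action": action, "ref": ref or None,
                     "pin": classify_ref(ref), "tag_comment": comment})
    return refs


def summarize(refs: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count Actions per pin kind, e.g. {'sha': 1, 'tag': 1, ...}."""
    return dict(Counter(r["pin"] for r in refs))


# Constructed sample workflow; the SHA and example-org names are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: example-org/example-action@main
      - uses: ./.github/actions/local-step
      - name: build
        run: make
"""

if __name__ == "__main__":
    for r in parse_uses(SAMPLE_WORKFLOW):
        print(f"{r['pin']:9} {r['action']}@{r['ref']}  {r['tag_comment'] or ''}")
    print(summarize(parse_uses(SAMPLE_WORKFLOW)))
```

Only the `sha` pin identifies one exact commit; tags and branches are mutable references, which is why the tab reports how old the tag or SHA in use is. Dependabot's `github-actions` package ecosystem updates both kinds of pin and records the matching tag in the trailing comment that the parser above keeps, so the tag stays visible even when the workflow is pinned to a SHA. The regex also matches job-level `uses:` lines for reusable workflows, since the leading `-` is optional.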

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FDQ6AcRexNjo5AMWYXL5V%2FScreenshot%202026-02-13%20at%2008.22.37.png?alt=media&#x26;token=6129231f-79d8-43f2-81a2-1deee1268de9" alt=""><figcaption></figcaption></figure>

#### Security Score Tab

* Displays the Security Score of the Action.
* The score is calculated using industry best practices, including OpenSSF Scorecard checks and the Secure Software Publishing Guide.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FlFLF1o68BxUFK5yosJcs%2FScreenshot%202026-02-13%20at%2008.24.22.png?alt=media&#x26;token=8892bf23-343c-42fe-950e-67fcc3ef02b1" alt=""><figcaption></figcaption></figure>

#### AI Analysis

* Displays the AI-powered security assessment of the selected Action.
* The AI Analysis evaluates the Action’s source code, workflow configuration, token usage, and supply chain risk patterns to identify potential security issues.\
  This analysis is powered by StepSecurity’s vertical supply chain security AI agent, which is trained on past real-world supply chain incidents and common CI/CD attack patterns. By leveraging historical breach data and known exploitation techniques, the AI agent is able to detect subtle risk indicators that traditional rule-based scanners may miss.
* It generates the AI Security Score and provides detailed security findings with severity levels and remediation guidance.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FbRW6KbDf76EQ0PJ1CHxo%2FScreenshot%202026-02-13%20at%2008.34.44.png?alt=media&#x26;token=a95d2473-7673-4a8f-a8d9-8b87c7d3bcf3" alt=""><figcaption></figcaption></figure>

* For Actions that do not yet have AI Analysis available, you can request an analysis directly from the Action details page.

{% hint style="info" %}
**Note**: Each user is limited to 10 AI Analysis requests per day.
{% endhint %}

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FSQ72hseUifoks7UXGgpL%2FScreenshot%202026-02-13%20at%2008.39.06.png?alt=media&#x26;token=10fb28b7-4619-43c8-8ca0-9b82f1bf0df3" alt=""><figcaption></figcaption></figure>

#### Network Behavior Tab

* Shows all outbound network calls made by the Action during execution.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FXEViSnV9No6oq5a8xb4X%2FScreenshot%202026-02-13%20at%2008.35.21.png?alt=media&#x26;token=cf4ddd3f-9b1f-4a08-aedd-fd568091987b" alt=""><figcaption></figcaption></figure>

### How Action Scores are Calculated

Each GitHub Action is assigned a Security Score on a 0–10 scale. The score reflects how closely the Action aligns with industry best practices for secure software development and maintenance.

Scores are derived from multiple components, each normalized to a 0–10 range, and combined into a final score depending on whether the Action is public or private.

#### Score Components

Each component contributes a score between 0 and 10.

| Component         | Source                        | Description                                                                                                                       |
| ----------------- | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
| License           | GitHub API                    | 10 for permissive OSS licenses like MIT or Apache 2.0, lower for restrictive licenses like AGPL, and 0 if no license is specified |
| Popularity        | GitHub Code Search            | Based on how many open-source projects use the action                                                                             |
| Branch Protection | Scorecard                     | Measures repository branch protection settings                                                                                    |
| Maintained        | Scorecard (or internal check) | How recently the action was updated                                                                                               |
| Security Policy   | Scorecard                     | Whether repo has a security policy                                                                                                |
| Vulnerabilities   | Scorecard (or OSV scan)       | Known vulnerabilities in dependencies                                                                                             |

**Popularity Score**

| Open-source projects using the action | Score |
| ------------------------------------- | ----- |
| More than 1000                        | 10    |
| More than 500                         | 7     |
| More than 200                         | 5     |
| 200 or fewer                          | 0     |

**Maintained Score (for internal/private actions)**

* Node.js Runtime Check
  * If the Action uses Node.js 16 or lower, the score is 0.
* Commit Recency

| Time since last commit | Score |
| ---------------------- | ----- |
| 30 days or less        | 10    |
| 90 days or less        | 8     |
| 180 days or less       | 6     |
| 365 days or less       | 4     |
| 730 days or less       | 2     |
| More than 730 days     | 0     |

***

**Vulnerabilities Score (for internal/private actions)**

The score is calculated using an OSV scan of the Action’s dependencies.

| Known vulnerabilities | Score |
| --------------------- | ----- |
| 0                     | 10    |
| 1–2                   | 7     |
| 3–5                   | 4     |
| More than 5           | 0     |

If no dependencies are found to scan, the score defaults to 10.

**Branch Protection Score**

Derived from OpenSSF Scorecard results and reflects whether the Action’s repository enforces recommended branch protection settings.

**Final Score Calculation**

* Public Actions (6 components)

{% code overflow="wrap" %}

```
(License + Popularity + BranchProtection + Maintained + SecurityPolicy + Vulnerabilities) / 6
```

{% endcode %}

* Private or Internal Actions (3 components)

```
(Maintained + Vulnerabilities + BranchProtection) / 3
```

The final score is rounded to the nearest whole number, resulting in a value between 0 and 10.
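The scoring rules above, carried through in code. This is an added example, not StepSecurity's own implementation: the component thresholds and the public/private averaging come from this page, while the `ActionFacts` input shape, the `LICENSE_SCORES` values for restrictive licenses, the default of 5 for licenses the page does not name, and rounding halves upward are assumptions made for the illustration.

```python
"""Reference implementation of the Security Score rules described above.
Added example, not StepSecurity's own code: thresholds come from the page;
the input shape, LICENSE_SCORES and half-up rounding are assumptions."""
import math
from dataclasses import dataclass
from typing import List, Optional

# Assumed: the page only says permissive licenses score 10, restrictive ones
# (e.g. AGPL) score lower, and a missing license scores 0. Exact values are not published.
LICENSE_SCORES = {"MIT": 10, "Apache-2.0": 10, "BSD-3-Clause": 10, "AGPL-3.0": 4}
DEFAULT_LICENSE_SCORE = 5  # assumed for licenses not in the table above


@dataclass
class ActionFacts:
    """Inputs one Action needs for scoring (assumed shape)."""
    public: bool
    license: Optional[str]       # SPDX id from the GitHub API, None if absent
    dependents: int              # open-source projects using the action (code search)
    node_major: Optional[int]    # Node.js runtime major version; None for non-JS actions
    days_since_commit: int       # age of the most recent commit
    vuln_count: Optional[int]    # OSV findings in dependencies; None = nothing to scan
    branch_protection: int       # 0-10, from Scorecard
    security_policy: int         # 0-10, from Scorecard


def license_score(spdx: Optional[str]) -> int:
    if spdx is None:
        return 0
    return LICENSE_SCORES.get(spdx, DEFAULT_LICENSE_SCORE)


def popularity_score(dependents: int) -> int:
    # Thresholds are strict "more than", so exactly 1000 dependents scores 7.
    if dependents > 1000:
        return 10
    if dependents > 500:
        return 7
    if dependents > 200:
        return 5
    return 0


def maintained_score(node_major: Optional[int], days_since_commit: int) -> int:
    # Runtime check first: Node.js 16 or lower scores 0 regardless of recency.
    if node_major is not None and node_major <= 16:
        return 0
    for limit_days, score in ((30, 10), (90, 8), (180, 6), (365, 4), (730, 2)):
        if days_since_commit <= limit_days:
            return score
    return 0


def vulnerabilities_score(vuln_count: Optional[int]) -> int:
    if vuln_count is None or vuln_count == 0:  # nothing to scan, or no findings
        return 10
    if vuln_count <= 2:
        return 7
    if vuln_count <= 5:
        return 4
    return 0


def components(f: ActionFacts) -> List[int]:
    """The components that feed the average: six for public, three for private."""
    maintained = maintained_score(f.node_major, f.days_since_commit)
    vulns = vulnerabilities_score(f.vuln_count)
    if f.public:
        return [license_score(f.license), popularity_score(f.dependents),
                f.branch_protection, maintained, f.security_policy, vulns]
    return [maintained, vulns, f.branch_protection]


def final_score(f: ActionFacts) -> int:
    parts = components(f)
    average = sum(parts) / len(parts)
    # "Rounded to the nearest whole number"; halves round up here (assumption).
    return math.floor(average + 0.5)


if __name__ == "__main__":
    public = ActionFacts(True, "MIT", 1200, 20, 20, 0, 7, 10)
    private = ActionFacts(False, None, 0, 16, 5, 3, 5, 0)
    print("public :", components(public), "->", final_score(public))    # 57/6 = 9.5 -> 10
    print("private:", components(private), "->", final_score(private))  # 9/3 = 3
```

The two sample inputs show the edge cases worth checking: a private Action on Node.js 16 gets a Maintained score of 0 even with a commit five days old, and a public Action whose six components average exactly 9.5 depends on the rounding rule, which the page does not spell out for halves.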

### Managing Low-Scoring Actions

* Actions with low security scores should be replaced or updated.
* StepSecurity provides maintained alternatives for some actions.
* If an action has a maintained version, you will see a `Maintained action available` label.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FK0JJrkB2BV6SXHnastNj%2FRequesting%20Maintained%20Action%20in%20GitHub%20Actions%20-%20Step%2012.png?alt=media&#x26;token=7cb6b341-7466-4eee-baf3-343850db03ef" alt=""><figcaption><p>StepSecurity Actions page showing GitHub Actions in Use</p></figcaption></figure>

* Clicking on the `Maintained action available` label will take you to the StepSecurity-maintained action, where you can see the difference between the StepSecurity-maintained action and the low-scoring action.

### Requesting a Maintained Action

* Click on an action with a **low score**.

![StepSecurity Actions page showing GitHub Actions in Use](https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-03-03/e48140a1-d547-4d22-96b1-1a330f9f2352/ascreenshot.jpeg?tl_px=0,179\&br_px=2752,1718\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=279,348)

* If it does not have a maintained version, you can request one.
* Click on `Request maintained action`.

![GitHub Actions Advisor](https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-03-03/4df01b00-116c-4320-9a48-1df15530d28f/ascreenshot.jpeg?tl_px=255,0\&br_px=3008,1538\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=922,241)

* Enter your email and submit the request.

![GitHub Actions Advisor](https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-03-03/cfdf34d9-6f5e-412b-9ccb-890e6218b508/ascreenshot.jpeg?tl_px=255,179\&br_px=3008,1718\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=629,299)

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stepsecurity.io/actions/github-actions-in-use.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
