GitHub Actions In Use

To get insights into the GitHub Actions used in your repositories, navigate to the Actions section in the StepSecurity dashboard. Here, you can find:

• The name of each Action.

• The Action Security Score.

• The Repositories using that particular Action.

Exploring GitHub Actions Insights

• Viewing Action Details

• Checking Repository Usage

• Managing Low Scoring Actions

• Requesting a Maintained Action

Viewing Action Details

• Click on a specific action, such as actions/checkout.

• This will open the GitHub Actions Advisor, which provides a breakdown of the GitHub Actions security score.

• Scroll down in the GitHub Actions Advisor to see all outbound network calls made by the action.

Checking Repository Usage

• The dashboard also allows you to view the number of repositories using each action.

• Click on the repository count to access a detailed list of:

  • The repositories using the action.

  • The associated workflows.

  • The SHA and tag for each repository.

  • The age of the last used tag/SHA(If the tag hasn’t been updated in a while, it is recommended to upgrade it. You can automate this process using Dependabot)

• You can also explore reusable workflows and see where they are being used. Hover over a workflow to find out which other workflows depend on it.

Managing Low-Scoring Actions

• Actions with low security scores should be replaced or updated.

• StepSecurity provides maintained alternatives for some actions.

• If an action has a maintained version, you will see a Maintained action available label.

• Clicking on the Maintained action available label will take you to the StepSecurity-maintained action, where you can see the difference between the StepSecurity-maintained action and the low-scoring action.

Requesting a Maintained Action

• Click on an action with a low score.

• If it does not have a maintained version, you can request one.

• Click on Request maintained action .

• Enter your email and submit the request.