GitHub Actions Score

Last updated 2 months ago

This page helps you assess the security score of any GitHub Action used in your workflows.

Note: GitHub Actions security scores are graded by OpenSSF Scorecard.

How to Check an Action's Security Score

  • Navigate to the Actions section and select GitHub Actions Score

  • Enter the name of an action (e.g., google-github-actions/auth) to view its security score.

  • This will open the GitHub Actions Advisor, which provides a breakdown of the GitHub Actions security score

  • The following details are displayed for each Action:

| Security Score Details | Remarks |
| --- | --- |
| Score | The action's overall security score. The highest rating is 10. |
| License | Verifies the presence of a published license in standard locations. A clear license is needed for security reviews and audits, and limits legal risk for users. |
| Maintained | Project activity is assessed from recent commits and issue engagement. Active maintenance is needed for ongoing security fixes and functionality. |
| Vulnerabilities | Checks whether the action or its dependencies carry known, unfixed vulnerabilities (Scorecard queries the OSV database). A well-maintained action updates dependencies promptly to address identified issues. |
| Branch protection | Checks whether the default and release branches are protected by GitHub branch protection or repository rules, so that required reviews or status checks are enforced before merging. |
| Manual code review | Verifies that code changes are reviewed by at least one person other than the author before merging, adding independent oversight of what goes into the action. |
| Secure publishing | Verifies that secure release practices are in place: deployment review, reproducible builds, and generation of an SBOM and provenance. |
| Signed commits | Checks that code contributions are made with signed commits, with signing enforced through branch protection, so that the authorship and integrity of each commit can be verified. |
| Automated security tools | Verifies that automated tools such as SAST, SCA and security scorecards run on each change and periodically, and that their findings are triaged promptly. |
| Popular | Checks whether the action is widely used by other open source projects. Wider usage can indicate community trust and more eyes on the code, but it is not a substitute for the checks above. |
| Security policy | Verifies the presence of a SECURITY.md file in standard locations, giving researchers a reporting channel for responsible disclosure. |

  • Scroll down in the GitHub Actions Advisor to see all outbound network calls made by the action.
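The procedure above is a per-action lookup, so the first step in practice is knowing which `owner/repo` names to enter. The script below is an added example, not code from this page or from StepSecurity: it extracts every `uses:` reference from a workflow file, reduces each to the `owner/repo` you would type into GitHub Actions Score (dropping the sub-directory of monorepo actions and skipping local `./` and `docker://` steps, which have no repository to score), records whether the step is pinned to a full commit SHA, and then compares each repository against a minimum score. The workflow text, the action names (`acme/...`), the placeholder SHA and the score values are all constructed for the example; the 7.0 threshold is an arbitrary policy choice, not a StepSecurity default.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (fictional actions, not real repositories).
# It mixes a tag-pinned action, a SHA-pinned one, a local action, a docker://
# step and a monorepo action that lives in a sub-directory.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: acme/setup-tool@v4
      - uses: acme/build-action@0123456789abcdef0123456789abcdef01234567
        with:
          egress-policy: audit
      - uses: 'acme/deploy-action@v2'
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - name: monorepo subdirectory action
        uses: acme/tools/.github/actions/lint@v1.2.3
"""

# Matches the value of a `uses:` key, with or without quotes, ignoring comments.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
# A full 40-hex-character commit SHA; tags and branches do not match this.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class ActionRef:
    repo: str           # owner/repo, the name entered into GitHub Actions Score
    ref: str            # tag, branch or commit SHA after the '@'
    pinned_to_sha: bool


def parse_action_refs(workflow_text):
    """Return the scorable GitHub-hosted actions referenced by a workflow."""
    refs = []
    for raw in USES_RE.findall(workflow_text):
        if raw.startswith("./") or raw.startswith("docker://"):
            continue  # local and container actions have no GitHub repo to score
        if "@" not in raw:
            continue  # malformed reference; GitHub requires an explicit ref
        path, ref = raw.rsplit("@", 1)
        parts = path.split("/")
        if len(parts) < 2:
            continue
        repo = "/".join(parts[:2])  # monorepo actions are scored on the repo
        refs.append(ActionRef(repo, ref, bool(SHA_RE.match(ref))))
    return refs


def evaluate(refs, scores, minimum=7.0):
    """Compare each referenced repo against a score table (0-10 scale).

    `scores` maps owner/repo to a score; repos missing from the table are
    reported as 'unknown' so they cannot silently pass the policy.
    """
    findings = []
    for r in refs:
        score = scores.get(r.repo)
        if score is None:
            status = "unknown"
        elif score < minimum:
            status = "below_minimum"
        else:
            status = "ok"
        findings.append({
            "repo": r.repo,
            "ref": r.ref,
            "score": score,
            "status": status,
            "pinned_to_sha": r.pinned_to_sha,
        })
    return findings


# Constructed score table for the fictional actions above (not real scores).
SAMPLE_SCORES = {
    "acme/setup-tool": 8.4,
    "acme/build-action": 9.1,
    "acme/deploy-action": 5.2,
}

if __name__ == "__main__":
    for f in evaluate(parse_action_refs(SAMPLE_WORKFLOW), SAMPLE_SCORES):
        pin = "sha" if f["pinned_to_sha"] else "tag/branch"
        print(f"{f['repo']:24} score={f['score']!s:5} pin={pin:10} {f['status']}")
```

Repos reported as `unknown` are the ones to look up in GitHub Actions Advisor next; `below_minimum` ones warrant a closer look at which rows of the table above are failing before the action is kept in the workflow.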
