StepSecurity Maintained Actions
StepSecurity maintains a set of trusted GitHub Actions to reduce the supply chain risk of a compromised third-party action and to enhance security and consistency across workflows.
We onboard StepSecurity Maintained Actions based on requests from our enterprise customers, who typically ask us to onboard actions that:
Have been abandoned by original maintainers
Have single maintainers
Receive low security scores (based on )
Present high security risks due to credential access requirements
Rigorous Onboarding: Every action undergoes a thorough manual secure code review before being onboarded as a StepSecurity Maintained Action
Strict Access Control: All action repositories are created in the StepSecurity organization with write access strictly limited to our engineering team
Robust Branch Protection:
Requires cryptographically signed commits
Mandates approval from a reviewer other than the PR creator
Enforces security tool status checks before merging
Secure Release Process:
For Node actions: The dist folder is built from scratch and validated within a GitHub Actions workflow
For Docker actions: New images are built and pushed to StepSecurity's GitHub container registry
Release Safeguards:
Uses environment-based approvals to require explicit verification before release
Utilizes ephemeral GitHub Actions tokens instead of persistent bot accounts
Industry Best Practices:
Follows Open Source Security Foundation Scorecard recommendations
Pins dependencies in GitHub Actions workflows to specific versions
Implements minimal GITHUB_TOKEN permissions
Utilizes CodeQL and Dependabot
Proactive Vulnerability Management: Continuously monitors for security vulnerabilities in dependencies, with a defined SLA for patches:
High-risk vulnerabilities (CVSS 7.0 and higher): 30 days
Moderate-risk vulnerabilities (CVSS 4.0 to 6.9): 90 days
Low-risk vulnerabilities (CVSS under 4.0): 180 days
Upstream Coordination: Monitors for upstream changes and incorporates them using the same rigorous review and release process
Comprehensive Testing:
Implements integration tests for all actions
Tests run automatically before updating dependencies or merging from upstream
Ensures reliability and consistent behavior across updates
Runtime Security Monitoring:
Runs actions with StepSecurity Harden Runner to observe and analyze network traffic
Monitors runtime behavior for anomalies or unexpected activities
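The release safeguards and best practices listed above can be expressed as a single GitHub Actions workflow. The following is an added illustration and is not StepSecurity's own workflow: it pins every action by commit SHA (the `<full-commit-sha>` values are placeholders to be replaced with the full SHA of the reviewed tag), grants the job token only the permissions each job needs, runs under Harden Runner with an egress allow-list (the `allowed-endpoints` list is an assumption for a Node action), rebuilds the `dist` folder from source and fails if it differs from what was committed, and gates the release step behind a `release` environment whose protection rules require a human approval. The release is created with the ephemeral `GITHUB_TOKEN` rather than a personal access token.

```yaml
# Added example, not the project's own workflow. Commit SHAs are placeholders.
name: release

on:
  push:
    tags: ["v*"]

# Least privilege: the default token is read-only; jobs raise only what they need.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Harden Runner: observe and restrict outbound network traffic of the job.
      - uses: step-security/harden-runner@<full-commit-sha>   # pinned by SHA, not by tag
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@<full-commit-sha>              # pinned by SHA

      - uses: actions/setup-node@<full-commit-sha>            # pinned by SHA
        with:
          node-version: 20

      # Rebuild dist/ from scratch and fail if the committed dist/ differs
      # (modified or untracked files both fail the check).
      - name: Rebuild and validate dist
        run: |
          rm -rf dist
          npm ci
          npm run build
          test -z "$(git status --porcelain -- dist)"

  release:
    needs: build
    runs-on: ubuntu-latest
    # Deployment protection rules on this environment require a reviewer's
    # explicit approval before the job is allowed to run.
    environment: release
    permissions:
      contents: write                   # needed only here, to create the release
    steps:
      - uses: actions/checkout@<full-commit-sha>              # pinned by SHA

      # Ephemeral GITHUB_TOKEN instead of a PAT stored as a repository secret.
      - name: Publish release
        run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

The `dist` validation is the interesting part: a reviewer approves source, not build output, so the workflow only trusts a `dist` folder it can reproduce itself. The environment approval and the read-only default token are what a release workflow needs so that a compromised dependency in the build job cannot publish on its own.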
Viewing StepSecurity Maintained Actions:
Go to the Actions section and select StepSecurity Actions.
A list of StepSecurity-maintained actions will be displayed.
Click on any maintained action (e.g., step-security/action-semantic-pull-request).
You will be redirected to the GitHub Actions Advisor, where you can compare the security score of the StepSecurity-maintained action with that of the original action.
Case Study Comparisons:
tj-actions/changed-files: A compromise occurred when a personal access token (PAT) with repository access was exploited to update tags. StepSecurity actions eliminate this risk by avoiding persistent credentials and requiring environment-based approvals for releases.
reviewdog actions: Security was compromised due to an access-control misconfiguration where contributors who submitted to reviewdog/action-* repositories were automatically invited to the reviewdog/actions-maintainer team, which had write access to these repositories. StepSecurity restricts access exclusively to our dedicated maintenance team.