# StepSecurity Maintained Actions

StepSecurity maintains a set of trusted GitHub Actions to reduce the risk of supply chain attacks that stem from compromised third-party actions, and to improve security and consistency across workflows.

{% hint style="info" %}
The current list of maintained actions can be found at <https://app.stepsecurity.io/github-action-advisor>

New action requests are fulfilled within 2 business days per action (e.g., 5 actions = 10 business days). Upstream changes from the original action repository are incorporated within 30 days of release.
{% endhint %}

We onboard StepSecurity Maintained Actions based on requests from our enterprise customers who typically ask us to onboard actions that:

* Have been abandoned by original maintainers
* Have single maintainers
* Receive low security scores (based on [OpenSSF Scorecard](https://github.com/ossf/scorecard))
* Present high security risks due to credential access requirements

### Our Secure Maintenance Process

1. **Rigorous Onboarding**: Every action undergoes a thorough manual secure code review before being onboarded as a StepSecurity Maintained Action
2. **Strict Access Control**: All action repositories are created in the StepSecurity organization with write access strictly limited to our engineering team
3. **Robust Branch Protection**:
   * Requires cryptographically signed commits
   * Mandates approval from a reviewer other than the PR creator
   * Enforces security tool status checks before merging, such as:
     * CodeQL
     * Dependency Review
     * OpenSSF Scorecard
     * GuardDog
4. **Tag Protection**: By default, no tags can be created or changed. We use just-in-time access to create tags during the release process
5. **Secure Release Process**:
   * For Node actions: The dist folder is built from scratch and validated within a GitHub Actions workflow
   * For Docker actions: New images are built and pushed to StepSecurity's GitHub container registry
6. **Release Safeguards**:
   * Uses environment-based approvals to require explicit verification before release
   * Utilizes ephemeral GitHub Actions tokens instead of persistent bot accounts
7. **Industry Best Practices**:
   * Follows Open Source Security Foundation Scorecard recommendations
   * Pins dependencies in GitHub Actions workflows to specific versions
   * Implements minimal `GITHUB_TOKEN` permissions
   * Utilizes CodeQL and Dependabot
8. **Proactive Vulnerability Management**: Continuously monitors for security vulnerabilities in dependencies with a defined SLA for patches
   * Critical vulnerabilities (CVSS 9.0 and higher): 2 days
   * High-risk vulnerabilities (CVSS 7.0 and higher): 30 days
   * Moderate-risk vulnerabilities (CVSS 4.0 to 6.9): 90 days
   * Low-risk vulnerabilities (CVSS under 4.0): 180 days
9. **Upstream Coordination**: Monitors for upstream changes and incorporates them through the same rigorous review and release process described above. Upstream changes from the original action repository are incorporated within **30** days of release.
10. **Comprehensive Testing**:
    * Implements integration tests for all actions
    * Tests run automatically before updating dependencies or merging from upstream
    * Ensures reliability and consistent behavior across updates
11. **Runtime Security Monitoring**:
    * Runs actions with StepSecurity Harden Runner to observe and analyze network traffic
    * Monitors runtime behavior for anomalies or unexpected activities
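As an added illustration (not StepSecurity's own release workflow), the following GitHub Actions workflow shows how steps 5, 6, 7 and 11 above can be expressed for a Node action: a `release` environment gates the job behind reviewer approval, the job's `GITHUB_TOKEN` carries only the permissions it needs, the `dist` folder is rebuilt from source and compared with the committed copy, and the tag is pushed with the ephemeral token rather than a bot account. The `<commit-sha>` pins, the `npm run build` script and the `release` environment name are placeholders and assumptions for this example.

```yaml
name: Release (example workflow, not StepSecurity's own)

on:
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag to create, e.g. v1.2.3"
        required: true

# Default to no permissions; each job grants only what it needs.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    # Environment-based approval: configure required reviewers on the
    # "release" environment so a human must approve before this job runs.
    environment: release
    permissions:
      contents: write   # needed only to push the release tag
    steps:
      # Harden Runner observes egress during the release (step 11).
      # Replace <commit-sha> with the full commit SHA of the pinned version.
      - uses: step-security/harden-runner@<commit-sha>  # vX.Y.Z
        with:
          egress-policy: audit

      - uses: actions/checkout@<commit-sha>  # vX.Y.Z

      - uses: actions/setup-node@<commit-sha>  # vX.Y.Z
        with:
          node-version: 20

      # Rebuild dist/ from scratch; "build" is assumed to be the package's
      # build script (e.g. ncc/esbuild bundling of the action entry point).
      - name: Build dist from source
        run: |
          npm ci
          npm run build

      # Fail the release if the committed dist/ does not match a fresh build.
      - name: Verify committed dist matches the fresh build
        run: |
          if [ -n "$(git status --porcelain dist/)" ]; then
            echo "dist/ is not reproducible from source:"
            git --no-pager diff dist/
            exit 1
          fi

      # The ephemeral GITHUB_TOKEN left by actions/checkout pushes the tag;
      # no persistent bot account or PAT is involved.
      - name: Create and push release tag
        env:
          TAG: ${{ inputs.tag }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag -a "$TAG" -m "Release $TAG"
          git push origin "refs/tags/$TAG"
```

With tag protection enabled as in step 4, the final push only succeeds during the just-in-time access window used for releases; outside that window the job fails closed.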

### Real-World Security Benefits

**Case Study Comparisons:**

* **tj-actions/changed-files**: A compromise occurred when a [persistent bot account](https://github.com/tj-actions/changed-files/issues/2464#issuecomment-2727130040) with repository access was exploited to update tags. StepSecurity actions eliminate this risk by avoiding persistent credentials and requiring environment-based approvals for releases.
* **reviewdog actions**: Security was compromised due to [overly permissive access control](https://github.com/reviewdog/reviewdog/issues/2079) where contributors who submitted to `reviewdog/action-*` repositories were automatically invited to the reviewdog/actions-maintainer team, which had write access to these repositories. StepSecurity restricts access exclusively to our dedicated maintenance team.

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
