StepSecurity Maintained Actions

StepSecurity maintains a set of trusted GitHub Actions to reduce risk from supply chain attacks due to compromise of third-party actions and enhance security and consistency across workflows.

We onboard StepSecurity Maintained Actions based on requests from our enterprise customers who typically ask us to onboard actions that:

• Have been abandoned by original maintainers

• Have single maintainers

• Receive low security scores (based on OpenSSF Scorecard)

• Present high security risks due to credential access requirements

Our Secure Maintenance Process

1. Rigorous Onboarding: Every action undergoes a thorough manual secure code review before being onboarded as a StepSecurity Maintained Action

2. Strict Access Control: All action repositories are created in the StepSecurity organization with write access strictly limited to our engineering team

3. Robust Branch Protection:

   • Requires cryptographically signed commits

   • Mandates approval from a reviewer other than the PR creator

   • Enforces security tool status checks before merging, such as:

     • CodeQL

     • Dependency Review

     • OpenSSF Scorecard

     • GuardDog

4. Tag Protection: By default, no tags can be created or changed. We use just-in-time access to create tags during the release process

5. Secure Release Process:

   • For Node actions: The dist folder is built from scratch and validated within a GitHub Actions workflow

   • For Docker actions: New images are built and pushed to StepSecurity's GitHub container registry

6. Release Safeguards:

   • Uses environment-based approvals to require explicit verification before release

   • Utilizes ephemeral GitHub Actions tokens instead of persistent bot accounts

7. Industry Best Practices:

   • Follows Open Source Security Foundation Scorecard recommendations

   • Pins dependencies in GitHub Actions workflows to specific versions

   • Implements minimal GITHUB_TOKEN permissions

   • Utilizes CodeQL and Dependabot

8. Proactive Vulnerability Management: Continuously monitors for security vulnerabilities in dependencies with a defined SLA for patches

   • High-risk vulnerabilities (CVSS 7.0 and higher): 30 days

   • Moderate-risk vulnerabilities (CVSS 4.0 to 6.9): 90 days

   • Low-risk vulnerabilities (CVSS under 4.0): 180 days

9. Upstream Coordination: Monitors for upstream changes and incorporates them using the same rigorous review and release process

10. Comprehensive Testing:

    • Implements integration tests for all actions

    • Tests run automatically before updating dependencies or merging from upstream

    • Ensures reliability and consistent behavior across updates

11. Runtime Security Monitoring:

    • Runs actions with StepSecurity Harden Runner to observe and analyze network traffic

    • Monitors runtime behavior for anomalies or unexpected activities

Real-World Security Benefits

Case Study Comparisons:

• tj-actions/changed-files: A compromise occurred when a persistent bot account with repository access was exploited to update tags. StepSecurity actions eliminate this risk by avoiding persistent credentials and requiring environment-based approvals for releases.

• reviewdog actions: Security was compromised due to overly permissive access control where contributors who submitted to reviewdog/action-* repositories were automatically invited to the reviewdog/actions-maintainer team, which had write access to these repositories. StepSecurity restricts access exclusively to our dedicated maintenance team.

Exploring StepSecurity Maintained Actions

• Go to the Actions section and select StepSecurity Actions.

• A list of StepSecurity-maintained actions will be displayed.

• Click on any maintained action (e.g step-security/action-semantic-pull-request)

• You will be redirected to the GitHub Actions Advisor, where you can compare the security score of StepSecurity-maintained action with the original action.