StepSecurity
ResourcesCompanyPricingInstall StepSecurity AppLogin
  • Introduction
  • Getting Started
    • Quickstart (Community Tier)
      • Getting Started with Secure Workflow
      • Getting Started with Secure Repo
      • Getting Started with Harden Runner
    • Quickstart (Enterprise Tier)
  • Guides
    • How to enable network and runtime monitoring (Harden-Runner) for runners
    • How to restrict network connections to explicitly allowed endpoints
    • How do I authenticate with the StepSecurity app
    • How should I improve the security of third-party actions in my organization
    • How should I reduce the number of Harden-Runner anomalous endpoint alerts
    • How can developers see and fix StepSecurity findings without security’s help?
  • Overview
  • Harden-Runner
    • Workflow Runs
    • All Destinations
    • Detections
    • GitHub Checks
    • Suppression Rules
    • Policy Store
    • Self-Hosted Runners
    • Runbooks
      • Anomalous Outbound Network Calls
      • How to Determine Minimum Token Permissions
  • Orchestrate Security
    • Policy Driven PRs
    • Secure Workflow
    • Secure Repo
    • Pull Requests
  • Run Policies
    • Policies
    • Policy Evaluations
  • Artifact Monitor
  • Actions Secret
  • Actions
    • GitHub Actions In Use
    • Reusable Workflows
    • GitHub Actions Score
    • StepSecurity Maintained Actions
  • Settings
    • Notifications
    • Self-Hosted Runners
    • API Key
    • GitHub Checks
    • Control Evaluation
  • Admin Console
    • Resources
    • S3 Integration
    • Members
    • Security & Auth
      • Setting Up Google SSO
      • Setting Up Okta SSO
      • Setting Up Microsoft Entra (Azure AD)
    • Audit Logs
  • Partnerships
    • RunsOn
  • Who's Using Harden-Runner?
  • Enterprise Readiness
Powered by GitBook
On this page
  • Our Secure Maintenance Process
  • Real-World Security Benefits
  • Exploring StepSecurity Maintained Actions

Was this helpful?

Export as PDF
  1. Actions

StepSecurity Maintained Actions

PreviousGitHub Actions ScoreNextSettings

Last updated 22 days ago

Was this helpful?

StepSecurity maintains a set of trusted GitHub Actions to reduce risk from supply chain attacks due to compromise of third-party actions and enhance security and consistency across workflows.

We onboard StepSecurity Maintained Actions based on requests from our enterprise customers who typically ask us to onboard actions that:

  • Have been abandoned by original maintainers

  • Have single maintainers

  • Receive low security scores (based on )

  • Present high security risks due to credential access requirements

Our Secure Maintenance Process

  1. Rigorous Onboarding: Every action undergoes a thorough manual secure code review before being onboarded as a StepSecurity Maintained Action

  2. Strict Access Control: All action repositories are created in the StepSecurity organization with write access strictly limited to our engineering team

  3. Robust Branch Protection:

    • Requires cryptographically signed commits

    • Mandates approval from a reviewer other than the PR creator

    • Enforces security tool status checks before merging, such as:

      • CodeQL

      • Dependency Review

      • OpenSSF Scorecard

      • GuardDog

  4. Tag Protection: By default, no tags can be created or changed. We use just-in-time access to create tags during the release process

  5. Secure Release Process:

    • For Node actions: The dist folder is built from scratch and validated within a GitHub Actions workflow

    • For Docker actions: New images are built and pushed to StepSecurity's GitHub container registry

  6. Release Safeguards:

    • Uses environment-based approvals to require explicit verification before release

    • Utilizes ephemeral GitHub Actions tokens instead of persistent bot accounts

  7. Industry Best Practices:

    • Follows Open Source Security Foundation Scorecard recommendations

    • Pins dependencies in GitHub Actions workflows to specific versions

    • Implements minimal GITHUB_TOKEN permissions

    • Utilizes CodeQL and Dependabot

  8. Proactive Vulnerability Management: Continuously monitors for security vulnerabilities in dependencies with a defined SLA for patches

    • High-risk vulnerabilities (CVSS 7.0 and higher): 30 days

    • Moderate-risk vulnerabilities (CVSS 4.0 to 6.9): 90 days

    • Low-risk vulnerabilities (CVSS under 4.0): 180 days

  9. Upstream Coordination: Monitors for upstream changes and incorporates them using the same rigorous review and release process

  10. Comprehensive Testing:

    • Implements integration tests for all actions

    • Tests run automatically before updating dependencies or merging from upstream

    • Ensures reliability and consistent behavior across updates

  11. Runtime Security Monitoring:

    • Runs actions with StepSecurity Harden Runner to observe and analyze network traffic

    • Monitors runtime behavior for anomalies or unexpected activities

Real-World Security Benefits

Case Study Comparisons:

Exploring StepSecurity Maintained Actions

  • Go to the Actions section and select StepSecurity Actions.

  • A list of StepSecurity-maintained actions will be displayed.

  • Click on any maintained action (e.g step-security/action-semantic-pull-request)

  • You will be redirected to the GitHub Actions Advisor, where you can compare the security score of StepSecurity-maintained action with the original action.

tj-actions/changed-files: A compromise occurred when a with repository access was exploited to update tags. StepSecurity actions eliminate this risk by avoiding persistent credentials and requiring environment-based approvals for releases.

reviewdog actions: Security was compromised due to where contributors who submitted to reviewdog/action-* repositories were automatically invited to the reviewdog/actions-maintainer team, which had write access to these repositories. StepSecurity restricts access exclusively to our dedicated maintenance team.

StepSecurity Actions
OpenSSF Scorecard
persistent bot account
overly permissive access control
StepSecurity Actions