# StepSecurity Maintained Actions StepSecurity maintains a set of trusted GitHub Actions to reduce risk from supply chain attacks due to compromise of third-party actions and enhance security and consistency across workflows. {% hint style="info" %} The current list of maintained actions can be found at New action requests are fulfilled within 2 business days per action (e.g., 5 actions = 10 business days). Upstream changes from the original action repository are incorporated within 30 days of release. {% endhint %} We onboard StepSecurity Maintained Actions based on requests from our enterprise customers who typically ask us to onboard actions that: * Have been abandoned by original maintainers * Have single maintainers * Receive low security scores (based on [OpenSSF Scorecard](https://github.com/ossf/scorecard)) * Present high security risks due to credential access requirements ### Our Secure Maintenance Process 1. **Rigorous Onboarding**: Every action undergoes a thorough manual secure code review before being onboarded as a StepSecurity Maintained Action 2. **Strict Access Control**: All action repositories are created in the StepSecurity organization with write access strictly limited to our engineering team 3. **Robust Branch Protection**: * Requires cryptographically signed commits * Mandates approval from a reviewer other than the PR creator * Enforces security tool status checks before merging, such as: * CodeQL * Dependency Review * OpenSSF Scorecard * GuardDog 4. **Tag Protection**: By default, no tags can be created or changed. We use just-in-time access to create tags during the release process 5. **Secure Release Process**: * For Node actions: The dist folder is built from scratch and validated within a GitHub Actions workflow * For Docker actions: New images are built and pushed to StepSecurity's GitHub container registry 6. **Release Safeguards**: * Uses environment-based approvals to require explicit verification before release * Utilizes ephemeral GitHub Actions tokens instead of persistent bot accounts 7. **Industry Best Practices**: * Follows Open Source Security Foundation Scorecard recommendations * Pins dependencies in GitHub Actions workflows to specific versions * Implements minimal GITHUB\_TOKEN permissions * Utilizes CodeQL and Dependabot 8. **Proactive Vulnerability Management**: Continuously monitors for security vulnerabilities in dependencies with a defined SLA for patches * Critical vulnerabilities (CVSS 9.0 and higher): 2 days * High-risk vulnerabilities (CVSS 7.0 and higher): 30 days * Moderate-risk vulnerabilities (CVSS 4.0 to 6.9): 90 days * Low-risk vulnerabilities (CVSS under 4.0): 180 days 9. **Upstream Coordination**: Monitors for upstream changes and incorporates them using the same rigorous review and release process. Upstream changes from the original action repository are incorporated within **30** days of release. 10. **Comprehensive Testing**: * Implements integration tests for all actions * Tests run automatically before updating dependencies or merging from upstream * Ensures reliability and consistent behavior across updates 11. **Runtime Security Monitoring**: * Runs actions with StepSecurity Harden Runner to observe and analyze network traffic * Monitors runtime behavior for anomalies or unexpected activities ### Real-World Security Benefits **Case Study Comparisons:** * **tj-actions/changed-files**: A compromise occurred when a [persistent bot account](https://github.com/tj-actions/changed-files/issues/2464#issuecomment-2727130040) with repository access was exploited to update tags. StepSecurity actions eliminate this risk by avoiding persistent credentials and requiring environment-based approvals for releases. * **reviewdog actions**: Security was compromised due to [overly permissive access control](https://github.com/reviewdog/reviewdog/issues/2079) where contributors who submitted to `reviewdog/action-*` repositories were automatically invited to the reviewdog/actions-maintainer team, which had write access to these repositories. StepSecurity restricts access exclusively to our dedicated maintenance team.