Admin Experience

This guide is designed to help Admins successfully onboard with StepSecurity and secure their organization’s GitHub Actions workflows. You’ll learn how to install the required apps, enforce security policies, enable automated remediations, manage exceptions, and request maintained GitHub Actions

Install the StepSecurity Apps

StepSecurity provides two GitHub Apps: Basic and Advanced. Both must be installed to unlock the full set of enterprise-grade features.

StepSecurity Basic App

Required to access Enterprise Tier features.
If already installed, you can skip this step.
Install the StepSecurity Basic App →

After installation, open the app and go to the Get Started section to set up and secure your CI/CD pipelines.

Setup Policy-Driven Pull Requests

Enable Policy-Driven PRs to automate security remediation across your repositories. This feature allows StepSecurity to:

Create GitHub Issues for policy violations
Automatically open Pull Requests to fix misconfigurations

👉 Learn how to set up Policy-Driven PRs →

Setting Up Harden Runner

StepSecurity's Harden-Runner adds runtime protections and telemetry to your GitHub Actions workflows. There are two supported setup paths based on the type of runner you're using:

GitHub-Hosted Runners: Add Harden-Runner to your workflow files using either the Secure Repo or Secure Workflow
Self-Hosted Runners: Admins should follow the deployment guide provided in the app to install Harden-Runner for:
- Kubernetes-based environments using Actions Runner Controller (ARC)
- Traditional VM- or bare-metal-based runners

Enable GitHub Checks

To minimize developer noise, GitHub Checks should be enabled only on repositories that have a stable baseline.

To enable GitHub Check for your repositories, follow the instructions provided in this guide

Setup Workflow Run Policies

Workflow Run Policies allow you to enforce security controls by blocking GitHub Actions workflow runs that violate organization-defined policies.

👉Learn how to set up Workflow Run policies

Configure Suppression Rules

If harmless outbound calls (e.g., to www.google.com) are being flagged repeatedly, you can create Suppression Rules to silence false positives and reduce developer friction.

Suppression Rules allow you to:

Ignore specific outbound network calls from trusted domains
Reduce alert noise while maintaining visibility into new threats

👉Learn how to configure Suppression Rules

Request a New StepSecurity Maintained Action

If your organization has enabled the Allowed Actions Workflow Policy, any new GitHub Action must first be reviewed and approved by an Admin before developers can use it.

When a developer attempts to use an Action that is not currently maintained by StepSecurity, you can request StepSecurity to create a maintained version of that Action.

👉 Follow this guide to request a maintained Action

PreviousStepSecurity Policies NextOverview

Last updated 13 days ago

Was this helpful?