Admin Experience
This guide is designed to help Admins successfully onboard with StepSecurity and secure their organization’s GitHub Actions workflows. You’ll learn how to install the required apps, enforce security policies, enable automated remediations, manage exceptions, and request maintained GitHub Actions.
Install the StepSecurity Apps
StepSecurity provides two GitHub Apps: Basic and Advanced. Both must be installed to unlock the full set of enterprise-grade features.
StepSecurity Basic App
Required to access Enterprise Tier features.
If already installed, you can skip this step.
StepSecurity Advanced App
Unlocks advanced functionality, including:
Analysis of private GitHub Actions
Automated creation of GitHub Issues and Pull Requests for misconfigurations (e.g., over-privileged GITHUB_TOKEN)
Integration with GitHub Advanced Security
Ability to enforce Workflow Run Policies to block policy-violating runs
Set Up Policy-Driven Pull Requests
After installing both apps, enable Policy-Driven PRs to automate security remediation across your repositories. This feature allows StepSecurity to:
Create GitHub Issues for policy violations
Automatically open Pull Requests to fix misconfigurations
👉 Learn how to set up Policy-Driven PRs →
Setting Up Harden Runner
StepSecurity's Harden-Runner adds runtime protections and telemetry to your GitHub Actions workflows. There are two supported setup paths based on the type of runner you're using:
GitHub-Hosted Runners: Add Harden-Runner to your workflow files using either the Secure Repo or Secure Workflow
Self-Hosted Runners: Admins should follow the deployment guide provided in the app to install Harden-Runner for:
Kubernetes-based environments using Actions Runner Controller (ARC)
Traditional VM- or bare-metal-based runners
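As an added illustration (not a workflow taken from the StepSecurity documentation or from the Harden-Runner project), the following workflow shows where the Harden-Runner step goes on a GitHub-hosted runner, and how a scoped `permissions:` block avoids the over-privileged GITHUB_TOKEN misconfiguration mentioned under the Advanced App. The job name, the npm commands and the endpoint list are assumptions chosen for this example; `egress-policy`, `allowed-endpoints` and `disable-sudo` are inputs of the `step-security/harden-runner` action itself.

```yaml
# Added example, not from the StepSecurity docs: a CI workflow that scopes the
# GITHUB_TOKEN down and runs Harden-Runner before any other step.
name: build

on:
  pull_request:
  push:
    branches: [main]

# Least-privilege token: "contents: read" is all a build-and-test job needs.
# Without this block the job inherits the repository's default token scope,
# which is the over-privileged GITHUB_TOKEN case the guide refers to.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Harden-Runner must be the first step so that the outbound traffic and
      # file writes of every later step (checkout, package install, tests)
      # are observed and, in block mode, enforced.
      - name: Harden the runner
        uses: step-security/harden-runner@v2   # pin to a full commit SHA in production
        with:
          # Start new repositories with "audit" (log outbound calls, block
          # nothing), review the telemetry, then switch to "block".
          egress-policy: block
          # Remove root escalation from the build steps.
          disable-sudo: true
          # Allow-list of host:port pairs; these three are an assumption for an
          # npm-based job, derived from what an audit run would show.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@v4

      - name: Install and test (assumed commands for this example)
        run: |
          npm ci
          npm test
```

Keeping `egress-policy: audit` for the first few runs is what produces a stable baseline: the recorded endpoints become the `allowed-endpoints` list, and only then does block mode stop unexpected outbound calls without breaking the build.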
Enable GitHub Checks
To minimize developer noise, GitHub Checks should be enabled only on repositories that have a stable baseline.
To enable GitHub Checks for your repositories, follow the instructions provided in this guide.
Set Up Workflow Run Policies
Workflow Run Policies allow you to enforce security controls by blocking GitHub Actions workflow runs that violate organization-defined policies.
👉 Learn how to set up Workflow Run Policies
Configure Suppression Rules
If harmless outbound calls (e.g., to www.google.com) are being flagged repeatedly, you can create Suppression Rules to silence false positives and reduce developer friction.
Suppression Rules allow you to:
Ignore specific outbound network calls from trusted domains
Reduce alert noise while maintaining visibility into new threats
👉 Learn how to configure Suppression Rules
Request a New StepSecurity Maintained Action
If your organization has enabled the Allowed Actions Workflow Policy, any new GitHub Action must first be reviewed and approved by an Admin before developers can use it.
When a developer attempts to use an Action that is not currently maintained by StepSecurity, you can request StepSecurity to create a maintained version of that Action.