Admin Experience

This guide is designed to help Admins successfully onboard with StepSecurity and secure their organization’s GitHub Actions workflows. You’ll learn how to install the required apps, enforce security policies, enable automated remediations, manage exceptions, and request maintained GitHub Actions.

Install the StepSecurity Apps

StepSecurity provides two GitHub Apps: Basic and Advanced. Both must be installed to unlock the full set of enterprise-grade features.

StepSecurity Basic App

StepSecurity Advanced App

  • Unlocks advanced functionality, including:

    • Analysis of private GitHub Actions

    • Automated creation of GitHub Issues and Pull Requests for misconfigurations (e.g., over-privileged GITHUB_TOKEN)

    • Integration with GitHub Advanced Security

    • Ability to enforce Workflow Run Policies to block policy-violating runs

Setup Policy-Driven Pull Requests

After installing both apps, enable Policy-Driven PRs to automate security remediation across your repositories. This feature allows StepSecurity to:

  • Create GitHub Issues for policy violations

  • Automatically open Pull Requests to fix misconfigurations

👉 Learn how to set up Policy-Driven PRs →

Setting Up Harden Runner

StepSecurity's Harden-Runner adds runtime protections and telemetry to your GitHub Actions workflows. There are two supported setup paths based on the type of runner you're using:

  • GitHub-Hosted Runners: Add Harden-Runner to your workflow files using either the Secure Repo or Secure Workflow

  • Self-Hosted Runners: Admins should follow the deployment guide provided in the app to install Harden-Runner for:

    • Kubernetes-based environments using Actions Runner Controller (ARC)

    • Traditional VM- or bare-metal-based runners
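As an added illustration (not taken from this page or from StepSecurity's own tooling), this is the shape of a GitHub-hosted workflow after Harden-Runner has been added as the first step, combined with a least-privilege GITHUB_TOKEN; the job contents and the allowed endpoints are assumed placeholders for this example.

```yaml
name: build
on: [push, pull_request]

# Least-privilege token for every job in this workflow. An over-privileged
# GITHUB_TOKEN (e.g. default write-all) is one of the misconfigurations the
# Advanced App raises Issues and Pull Requests for.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest   # GitHub-hosted runner path from the section above
    steps:
      # Harden-Runner must be the first step so every later step's
      # process and network activity is monitored.
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          # Start with "audit" to establish a stable baseline; move to
          # "block" once the observed outbound calls are understood.
          egress-policy: block
          # Assumed allow-list for this example; derive the real one from
          # the audit-mode insights for this workflow. Harmless endpoints
          # that keep getting flagged are a candidate for a Suppression Rule.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443
          disable-sudo: true

      # Tags are used here for readability; StepSecurity's Secure Repo /
      # Secure Workflow tooling pins these to full commit SHAs.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test
```

In block mode any outbound call not on the allow-list fails, so keep the workflow in audit mode until its baseline is stable, which is also the precondition the GitHub Checks section below sets for enabling checks.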

Enable GitHub Checks

To minimize developer noise, GitHub Checks should be enabled only on repositories that have a stable baseline.

To enable GitHub Checks for your repositories, follow the instructions provided in this guide.

Setup Workflow Run Policies

Workflow Run Policies allow you to enforce security controls by blocking GitHub Actions workflow runs that violate organization-defined policies.

👉 Learn how to set up Workflow Run Policies →

Configure Suppression Rules

If harmless outbound calls (e.g., to www.google.com) are being flagged repeatedly, you can create Suppression Rules to silence false positives and reduce developer friction.

Suppression Rules allow you to:

  • Ignore specific outbound network calls from trusted domains

  • Reduce alert noise while maintaining visibility into new threats

👉 Learn how to configure Suppression Rules →

Request a New StepSecurity Maintained Action

If your organization has enabled the Allowed Actions Workflow Policy, any new GitHub Action must first be reviewed and approved by an Admin before developers can use it.

When a developer attempts to use an Action that StepSecurity does not currently maintain, you can request that StepSecurity create a maintained version of that Action.

👉 Follow this guide to request a maintained Action →
