# Orchestrate Options

The Orchestrate Options sub-page is where you choose which security controls StepSecurity applies when it orchestrates a repository on your behalf. Each option is an independent toggle, and the controls you enable here are the changes StepSecurity will include in the pull request it opens.

### How it works

When you orchestrate a repository, StepSecurity reads your enabled Orchestrate Options and only makes the changes that are turned on. Toggle controls off if you want to skip them, or on if you want them included.

Some options have additional configuration (for example, lists of exempted Actions). Expand the option in the UI to see and edit those settings.

### Available controls

The available controls cover several categories of GitHub Actions hardening:

* Token and permissions hardening, such as restricting permissions for `GITHUB_TOKEN`
* Runtime security, such as adding `step-security/harden-runner` to monitor and block unexpected runtime behavior
* Supply chain pinning, such as pinning Actions to a full-length commit SHA (with optional exemptions and an Immutable Actions mode), and pinning image tags to digests in Dockerfiles
* Dependency hygiene, such as updating Dependabot configuration and adding the Dependency review workflow
* Security scanning, such as adding the CodeQL workflow and OpenSSF Scorecard workflow
* Organizational workflow rollout, such as adding GitHub Actions workflows from your organization's recommended set
* Pre-commit configuration updates

The full list and exact wording of each toggle are visible on the Orchestrate Options sub-page itself. Hover over any option to see what it changes.

### Recommended starting point

If you are not sure where to start, leave the defaults on. The defaults reflect the controls StepSecurity recommends for most repositories.

For repositories where a specific control would cause friction, turn off only that control rather than disabling orchestration entirely. For example, if you maintain a curated allowlist of Actions that should not be pinned to a SHA, add them to the Exempted Actions list under Pin Actions to a full length commit SHA instead of turning the option off.
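
To see which references the pinning control would touch and which an exemption list would leave alone, the following audit script is an added example, not StepSecurity's code: it flags `uses:` references that are not pinned to a full-length commit SHA and, going slightly beyond the text, `docker://` steps without a digest. The glob-style exemption patterns, the `find_unpinned` name and the sample workflow are assumptions made for illustration.

```python
import re
from fnmatch import fnmatch

# A `uses:` key on a step or reusable-workflow job, value optionally quoted.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def find_unpinned(workflow_text, exempt=()):
    """Return (line_number, reference) for each `uses:` not pinned immutably."""
    # `exempt`: glob patterns matched against the part before `@` (hypothetical format).
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):          # local action, versioned with the repository
            continue
        if ref.startswith("docker://"):   # container step: immutable only with a digest
            if not DIGEST_RE.search(ref):
                findings.append((lineno, ref))
            continue
        name, _, version = ref.partition("@")
        if any(fnmatch(name, pattern) for pattern in exempt):
            continue
        if not FULL_SHA_RE.match(version):  # tag, branch, short SHA or no version
            findings.append((lineno, ref))
    return findings

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: my-org/internal-deploy@main
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
      - uses: "example-org/other@0123abc"
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE, exempt=["my-org/*"]):
        print(f"line {lineno}: {ref} is not pinned to an immutable reference")
```

With `my-org/*` exempted, the branch-tracking internal action is skipped while the tag, the short SHA and the undigested container image are still reported.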

