Orchestrate Options

The Orchestrate Options sub-page is where you choose which security controls StepSecurity applies when it orchestrates a repository on your behalf. Each option is an independent toggle, and the controls you enable here are the changes StepSecurity will include in the pull request it opens.

How it works

When you orchestrate a repository, StepSecurity reads your enabled Orchestrate Options and only makes the changes that are turned on. Toggle controls off if you want to skip them, or on if you want them included.

Some options have additional configuration (for example, lists of exempted Actions). Expand the option in the UI to see and edit those settings.

Available controls

The available controls cover several categories of GitHub Actions hardening:

  • Token and permissions hardening, such as restricting permissions for GITHUB_TOKEN

  • Runtime security, such as adding step-security/harden-runner to monitor and block unexpected runtime behavior

  • Supply chain pinning, such as pinning Actions to a full-length commit SHA (with optional exemptions and an Immutable Actions mode), and pinning image tags to digests in Dockerfiles

  • Dependency hygiene, such as updating Dependabot configuration and adding the Dependency review workflow

  • Security scanning, such as adding the CodeQL workflow and OpenSSF Scorecard workflow

  • Organizational workflow rollout, such as adding GitHub Actions workflows from your organization's recommended set

  • Pre-commit configuration updates

The full list and the exact wording of each toggle are visible on the Orchestrate Options sub-page itself. Hover over any option to see what it changes.

If you are not sure where to start, leave the defaults on. The defaults reflect the controls StepSecurity recommends for most repositories.

For repositories where a specific control would cause friction, turn off only that control rather than disabling orchestration entirely. For example, if you maintain a curated allowlist of Actions that should not be pinned to a SHA, add them to the Exempted Actions list under Pin Actions to a full-length commit SHA instead of turning the option off.
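As an added illustration of what three of the controls above change in a workflow file (restricting GITHUB_TOKEN permissions, adding harden-runner, and SHA pinning with an exemption list), here is a small check script written for this page, not StepSecurity's own code. The sample workflows, the 40-hex placeholder SHA and the exact-name matching for exemptions are assumptions made for the example.

```python
import re
# Constructed sample (not from the page). The 40-hex value is a placeholder,
# not a real commit. BEFORE is the state an orchestration PR would tighten.
SHA = "0123456789abcdef0123456789abcdef01234567"
BEFORE = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@{SHA}
"""
# AFTER is the same workflow with the three controls checked below applied.
AFTER = f"""\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@{SHA}
        with:
          egress-policy: audit
      - uses: actions/checkout@{SHA}
      - uses: actions/setup-node@{SHA}
"""
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:", re.MULTILINE)

def check_workflow(text, exempt=()):
    """Return missing controls; `exempt` lists action names (owner/repo) allowed to stay on a tag."""
    findings = []
    if not TOP_LEVEL_PERMISSIONS.search(text):
        findings.append("no top-level permissions block; GITHUB_TOKEN keeps default scope")
    harden_runner_present = False
    for ref in USES.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local and docker:// references carry no commit SHA to pin
        name, _, version = ref.partition("@")
        harden_runner_present |= name == "step-security/harden-runner"
        if name not in exempt and not FULL_SHA.match(version):
            findings.append(f"{ref}: not pinned to a full-length commit SHA")
    if not harden_runner_present:
        findings.append("step-security/harden-runner step is missing")
    return findings
```

Running `check_workflow(BEFORE)` reports the unpinned checkout, the missing permissions block and the missing harden-runner step, while `check_workflow(AFTER)` returns no findings; passing `exempt=("actions/checkout",)` suppresses the pinning finding the way the Exempted Actions list does.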
