Personal Access Token

The Personal Access Token (PAT) sub-page lets you store the GitHub PAT that StepSecurity uses to orchestrate workflows on repositories you own. The PAT is what allows StepSecurity to read your repository, create a branch, and open a pull request with the security changes you have configured under Orchestrate Options.

When you need a PAT

You need to configure a PAT if you want to orchestrate private repositories from User Settings. For organization-wide remediation on private repositories without a PAT, Enterprise users can use Policy-Driven Pull Request instead.

Configuring a PAT

  • Open User Settings and select Personal Access Token

  • Confirm your Email is correct

  • Enter a PAT Name to help you identify the token later

  • Paste your token into the Personal Access Token (PAT) field

  • Click Update PAT

StepSecurity recommends using a fine-grained Personal Access Token from GitHub. Grant it the following permissions:

  • Contents: Read and Write

  • Pull Requests: Read and Write

  • Workflows: Read and Write

These are the minimum permissions needed for StepSecurity to read your repository, create a branch with the security changes, and open the pull request. The Workflows permission is required because GitHub rejects pushes that modify files under .github/workflows unless the token has it. Because the token acts as your GitHub account, restrict its repository access to only the repositories you intend to orchestrate and give it an expiration date rather than leaving it valid indefinitely.
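Before pasting a token into a third-party service it is worth confirming that it is actually a fine-grained token and that it can reach the repository you intend to orchestrate. The following pre-flight script is an added example, not StepSecurity's own tooling; it assumes curl is installed, that the token is exported as GITHUB_TOKEN, and that OWNER/REPO is one of the repositories selected when the token was created. It probes read access only, since write access cannot be verified without writing.

```shell
#!/bin/sh
# Pre-flight check for a GitHub PAT before storing it in StepSecurity.
# Added example (not StepSecurity's code). Assumes curl is available and that
# GITHUB_TOKEN holds the token. The token is only ever passed to curl as a
# header and is never printed.

API="https://api.github.com"

# Classify a token by its prefix: fine-grained PATs start with github_pat_,
# classic PATs with ghp_. Anything else is not a personal access token
# (for example ghs_ is a GitHub App installation token).
pat_kind() {
  case "$1" in
    github_pat_*) echo fine-grained ;;
    ghp_*)        echo classic ;;
    *)            echo other ;;
  esac
}

# Return the HTTP status code for a GET on one REST API path using $GITHUB_TOKEN.
gh_status() {
  curl -sS -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $GITHUB_TOKEN" \
    -H "Accept: application/vnd.github+json" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    "$API$1"
}

# Probe one repository (OWNER/REPO). Exit status 0 means the token is
# fine-grained and every read probe returned 200.
#   404 on /repos/OWNER/REPO      : repo was not selected for this token
#   403                           : a required permission is missing
#   404 on the workflows path     : also happens when the repo has no
#                                   .github/workflows directory yet
pat_probe() {
  repo="$1"
  kind=$(pat_kind "$GITHUB_TOKEN")
  if [ "$kind" != "fine-grained" ]; then
    echo "token is $kind; a fine-grained token (github_pat_...) is expected"
    return 1
  fi
  fail=0
  for path in "/repos/$repo" \
              "/repos/$repo/pulls?per_page=1" \
              "/repos/$repo/contents/.github/workflows"; do
    code=$(gh_status "$path")
    echo "$code  GET $path"
    [ "$code" = "200" ] || fail=1
  done
  return $fail
}

# Usage: GITHUB_TOKEN=github_pat_... sh pat_check.sh OWNER/REPO
if [ -n "${1:-}" ]; then
  pat_probe "$1"
fi
```

A classic token (ghp_) will be rejected by the prefix check even though it would work; the script is deliberately strict because a classic token with the repo scope grants far more than the three permissions listed above.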

Removing a PAT

To remove the stored PAT, open the Personal Access Token sub-page and click Remove PAT. StepSecurity will no longer be able to orchestrate workflows on your behalf until you store a new PAT. Removing the token here only deletes StepSecurity's copy; the token itself remains valid at GitHub, so if you no longer need it, also revoke it under your GitHub Developer settings.
