Getting Started with Secure Repo

Step 1: Navigate to Secure Repo

Step 2: Enter Your GitHub Repository

Click on the "Enter Your GitHub Repository" field.
Type or paste the URL of your GitHub repository.

If you don’t have repositories with workflows, you can fork and experiment with this vulnerable repository

Screenshot of StepSecurity’s GitHub Actions Security Secure Repo, allowing users to analyze and secure their GitHub repositories. The interface features an input field labeled “Enter Your GitHub Repository”, followed by a disabled “Analyze Repository” button and a “Create Pull Request” button in purple.

Step 3: Analyze the Repository

Click the "Analyze Repository" button.
Secure Repo will scan your repository and suggest security improvements.

You must be a contributor to this repository to Preview Changes / Create a Pull Request.

Check if you're listed as a contributor by visiting: https://github.com/OWNER/REPO/graphs/contributors Example: https://github.com/step-security/harden-runner/graphs/contributors

Step 4: Preview the Changes

Click "Preview Changes" to review the security enhancements.

Step 5: Review commit message

Review the commit message generated by Secure Repo.
Click "Preview Changes" again to proceed.

Screenshot of StepSecurity’s Commit Message dialog box for securing GitHub Actions workflows. The dialog prompts the user to provide a remediation commit message, with a pre-filled message: ”[StepSecurity] ci: Harden GitHub Actions”, signed off by StepSecurity Bot bot@stepsecurity.io. Below the message input field, a “Preview Changes” button is highlighted in purple. The background contains security recommendations related to GitHub Action tags and Docker tags, emphasizing the importance of pinning actions to full-length commit SHAs to mitigate security risks.

Step 6: Review Read-Only Preview

Click on the "read-only preview" to review the proposed changes before creating a pull request

Screenshot of StepSecurity’s GitHub Actions Security Orchestration interface displaying a repository analysis. The repository URL is partially blurred in the input field, with an “Analyze Repository” button next to it. A green notification banner states that a read-only preview of security best practices has been created, instructing the user to review changes and click “Create Pull Request” to apply them.

Step 7: Inspect the Code Changes

Ensure the proposed changes align with your repository’s security need

Screenshot of a GitHub pull request diff view showing changes to the .github/workflows/toc-tou.yml file. The interface indicates 1 file changed with +13 additions and -3 deletions. A section of the YAML workflow file is displayed, highlighting modifications to GitHub Actions security settings. • Removed: uses: actions/checkout@v4 • Added: • A new step named “Harden the runner” using step-security/harden-runner@v2.10.4 with an egress policy set to audit outbound calls. • The actions/checkout step now uses a pinned commit SHA (@11bd719...) for improved security.

Step 8: Create a Pull Request

Click "Create Pull Request".
Confirm the pull request details and click "Create Pull Request" again.

Screenshot of StepSecurity’s GitHub Actions Security Secure Repo , displaying an option to create a pull request for security best practices. The repository URL input field is partially blurred, with an “Analyze Repository” button next to it. A green notification banner confirms that a read-only preview of security best practices has been created.

Step 9: Final Confirmation

Secure Repo will generate a confirmation message.
Click the provided link to view your pull request on GitHub.

Screenshot of StepSecurity’s GitHub Actions Security Secure Repo message after securing a repository. The screen displays a congratulatory message: “You are awesome [blurred name] for prioritizing security!” Below, a notification confirms that a pull request has been created with a clickable link labeled “PR-2.”

Step 10: Merge the Pull Request

Once you've reviewed the changes, click the "Merge Pull Request" button to apply the fixes to your repository.

Screenshot of a GitHub pull request review page showing a StepSecurity commit titled ”[StepSecurity] Apply security best practices,” signed off by StepSecurity Bot (bot@stepsecurity.io). The commit is verified with a green label. Below, a merge request panel confirms that “This branch has no conflicts with the base branch,” allowing for automatic merging.

Step 11: Verify Security Fixes

After merging, confirm that the security fixes have been successfully applied by viewing the updated repository.
You can also re-analyze the repository in StepSecurity to verify the changes.

Screenshot of a merged GitHub pull request titled ”[StepSecurity] Apply security best practices #1.” The pull request (PR) was merged into the repository from the step-security-bot branch. The interface shows 1 commit, 29 files changed, and 0 checks. A comment from step-security-bot provides a summary, stating that the PR was created by StepSecurity at the request of a user (blurred name) to incorporate security enhancements. The message instructs the user to tag the requestor in case of any questions. A section titled “Security Fixes” follows, though its content is not fully visible.

PreviousGetting Started with Secure Workflow NextGetting Started with Harden Runner

Last updated 10 months ago

Was this helpful?

hashtagStep 1: Navigate to Secure Repoarrow-up-right

hashtagStep 2: Enter Your GitHub Repository

hashtagStep 3: Analyze the Repository

hashtagStep 4: Preview the Changes

hashtagStep 5: Review commit message

hashtagStep 6: Review Read-Only Preview

hashtagStep 7: Inspect the Code Changes

hashtagStep 8: Create a Pull Request

hashtagStep 9: Final Confirmation

hashtagStep 10: Merge the Pull Request

hashtagStep 11: Verify Security Fixes