Getting Started with Secure Repo
Last updated
Was this helpful?
Last updated
Was this helpful?
Click on the "Enter Your GitHub Repository" field.
Type or paste the URL of your GitHub repository.
Click the "Analyze Repository" button.
Secure Repo will scan your repository and suggest security improvements.
You must be a contributor to this repository to Preview Changes / Create a Pull Request.
Click "Preview Changes" to review the security enhancements.
Review the commit message generated by Secure Repo.
Click "Preview Changes" again to proceed.
Click on the "read-only preview" to review the proposed changes before creating a pull request
Ensure the proposed changes align with your repository’s security need
Click "Create Pull Request".
Confirm the pull request details and click "Create Pull Request" again.
Secure Repo will generate a confirmation message.
Click the provided link to view your pull request on GitHub.
Once you've reviewed the changes, click the "Merge Pull Request" button to apply the fixes to your repository.
After merging, confirm that the security fixes have been successfully applied by viewing the updated repository.
You can also re-analyze the repository in StepSecurity to verify the changes.
Check if you're listed as a contributor by visiting:
https://github.com/OWNER/REPO/graphs/contributors
Example:
![Screenshot of StepSecurity’s Commit Message dialog box for securing GitHub Actions workflows. The dialog prompts the user to provide a remediation commit message, with a pre-filled message: ”[StepSecurity] ci: Harden GitHub Actions”, signed off by StepSecurity Bot bot@stepsecurity.io. Below the message input field, a “Preview Changes” button is highlighted in purple. The background contains security recommendations related to GitHub Action tags and Docker tags, emphasizing the importance of pinning actions to full-length commit SHAs to mitigate security risks.](https://docs.stepsecurity.io/~gitbook/image?url=https%3A%2F%2Fajeuwbhvhr.cloudimg.io%2Fcolony-recorder.s3.amazonaws.com%2Ffiles%2F2025-02-12%2Ff869f895-6943-4a88-87cd-7b8c7eb73d50%2Fuser_cropped_screenshot.jpeg%3Ftl_px%3D300%2C518%26br_px%3D2266%2C1617%26force_format%3Djpeg%26q%3D100%26width%3D1120.0%26wat%3D1%26wat_opacity%3D1%26wat_gravity%3Dnorthwest%26wat_url%3Dhttps%3A%2F%2Fcolony-recorder.s3.amazonaws.com%2Fimages%2Fwatermarks%2F8B5CF6_standard.png%26wat_pad%3D666%2C277&width=768&dpr=4&quality=100&sign=e9377a5d&sv=2)
![Screenshot of StepSecurity’s GitHub Actions Security Secure Repo message after securing a repository. The screen displays a congratulatory message: “You are awesome [blurred name] for prioritizing security!” Below, a notification confirms that a pull request has been created with a clickable link labeled “PR-2.”](https://docs.stepsecurity.io/~gitbook/image?url=https%3A%2F%2Fajeuwbhvhr.cloudimg.io%2Fcolony-recorder.s3.amazonaws.com%2Ffiles%2F2025-02-12%2F85f7f064-1225-4472-9164-f9fd4eb3c1dc%2Fuser_cropped_screenshot.jpeg%3Ftl_px%3D300%2C0%26br_px%3D2266%2C1098%26force_format%3Djpeg%26q%3D100%26width%3D1120.0%26wat%3D1%26wat_opacity%3D1%26wat_gravity%3Dnorthwest%26wat_url%3Dhttps%3A%2F%2Fcolony-recorder.s3.amazonaws.com%2Fimages%2Fwatermarks%2F8B5CF6_standard.png%26wat_pad%3D709%2C736&width=768&dpr=4&quality=100&sign=6fa13f12&sv=2)
![Screenshot of a GitHub pull request review page showing a StepSecurity commit titled ”[StepSecurity] Apply security best practices,” signed off by StepSecurity Bot (bot@stepsecurity.io). The commit is verified with a green label. Below, a merge request panel confirms that “This branch has no conflicts with the base branch,” allowing for automatic merging.](https://docs.stepsecurity.io/~gitbook/image?url=https%3A%2F%2Fajeuwbhvhr.cloudimg.io%2Fcolony-recorder.s3.amazonaws.com%2Ffiles%2F2025-01-27%2Fbb59495d-db96-4bad-97e6-4a9cdf5086da%2Fascreenshot.jpeg%3Ftl_px%3D0%2C498%26br_px%3D1965%2C1597%26force_format%3Djpeg%26q%3D100%26width%3D1120.0%26wat%3D1%26wat_opacity%3D1%26wat_gravity%3Dnorthwest%26wat_url%3Dhttps%3A%2F%2Fcolony-recorder.s3.amazonaws.com%2Fimages%2Fwatermarks%2F8B5CF6_standard.png%26wat_pad%3D242%2C532&width=768&dpr=4&quality=100&sign=481c4f68&sv=2)
![Screenshot of a merged GitHub pull request titled ”[StepSecurity] Apply security best practices #1.” The pull request (PR) was merged into the repository from the step-security-bot branch. The interface shows 1 commit, 29 files changed, and 0 checks. A comment from step-security-bot provides a summary, stating that the PR was created by StepSecurity at the request of a user (blurred name) to incorporate security enhancements. The message instructs the user to tag the requestor in case of any questions. A section titled “Security Fixes” follows, though its content is not fully visible.](https://docs.stepsecurity.io/~gitbook/image?url=https%3A%2F%2Fajeuwbhvhr.cloudimg.io%2Fcolony-recorder.s3.amazonaws.com%2Ffiles%2F2025-01-28%2F8481e744-a0cb-48f1-a8e8-3c608f41c647%2Fuser_cropped_screenshot.jpeg%3Ftl_px%3D0%2C210%26br_px%3D1528%2C1065%26force_format%3Djpeg%26q%3D100%26width%3D1120.0%26wat%3D1%26wat_opacity%3D1%26wat_gravity%3Dnorthwest%26wat_url%3Dhttps%3A%2F%2Fcolony-recorder.s3.amazonaws.com%2Fimages%2Fwatermarks%2F8B5CF6_standard.png%26wat_pad%3D69%2C-56&width=768&dpr=4&quality=100&sign=370a236d&sv=2)
