ResourcesCompanyPricing Install StepSecurity App Login

Introduction
Getting Started
- Quickstart (Community Tier)
- Quickstart (Enterprise Tier)
Overview
Harden-Runner
Orchestrate Security
Run Policies
- Policies
- Policy Evaluations
Artifact Monitor
Actions Secret
Actions
Settings
Admin Console
Partnerships
- RunsOn
Who's Using Harden-Runner?
Enterprise Readiness

Powered by GitBook

On this page

Was this helpful?

Getting Started

Quickstart (Community Tier)

Getting Started with Secure Repo

PreviousGetting Started with Secure Workflow NextGetting Started with Harden Runner

Last updated 1 month ago

Was this helpful?

Step 1: Navigate to

Step 2: Enter Your GitHub Repository

Click on the "Enter Your GitHub Repository" field.
Type or paste the URL of your GitHub repository.

If you don’t have repositories with workflows, you can fork and experiment with this

Step 3: Analyze the Repository

Click the "Analyze Repository" button.
Secure Repo will scan your repository and suggest security improvements.

You must be a contributor to this repository to Preview Changes / Create a Pull Request.

Step 4: Preview the Changes

Click "Preview Changes" to review the security enhancements.

Step 5: Review commit message

Review the commit message generated by Secure Repo.
Click "Preview Changes" again to proceed.

Step 6: Review Read-Only Preview

Click on the "read-only preview" to review the proposed changes before creating a pull request

Step 7: Inspect the Code Changes

Ensure the proposed changes align with your repository’s security need

Step 8: Create a Pull Request

Click "Create Pull Request".
Confirm the pull request details and click "Create Pull Request" again.

Step 9: Final Confirmation

Secure Repo will generate a confirmation message.
Click the provided link to view your pull request on GitHub.

Step 10: Merge the Pull Request

Once you've reviewed the changes, click the "Merge Pull Request" button to apply the fixes to your repository.

Step 11: Verify Security Fixes

After merging, confirm that the security fixes have been successfully applied by viewing the updated repository.
You can also re-analyze the repository in StepSecurity to verify the changes.

Check if you're listed as a contributor by visiting: https://github.com/OWNER/REPO/graphs/contributors Example:

https://github.com/step-security/harden-runner/graphs/contributors

vulnerable repository

Screenshot of StepSecurity’s GitHub Actions Security Secure Repo, allowing users to analyze and secure their GitHub repositories. The interface features an input field labeled “Enter Your GitHub Repository”, followed by a disabled “Analyze Repository” button and a “Create Pull Request” button in purple.

Screenshot of StepSecurity’s GitHub Actions Security Orchestration interface displaying a repository analysis. The repository URL is partially blurred in the input field, with an “Analyze Repository” button next to it. A green notification banner states that a read-only preview of security best practices has been created, instructing the user to review changes and click “Create Pull Request” to apply them.

Screenshot of StepSecurity’s Commit Message dialog box for securing GitHub Actions workflows. The dialog prompts the user to provide a remediation commit message, with a pre-filled message: ”[StepSecurity] ci: Harden GitHub Actions”, signed off by StepSecurity Bot bot@stepsecurity.io. Below the message input field, a “Preview Changes” button is highlighted in purple. The background contains security recommendations related to GitHub Action tags and Docker tags, emphasizing the importance of pinning actions to full-length commit SHAs to mitigate security risks.

Screenshot of StepSecurity’s GitHub Actions Security Secure Repo , displaying an option to create a pull request for security best practices. The repository URL input field is partially blurred, with an “Analyze Repository” button next to it. A green notification banner confirms that a read-only preview of security best practices has been created.

Screenshot of StepSecurity’s GitHub Actions Security Secure Repo, allowing users to analyze and secure their GitHub repositories. The interface features an input field labeled “Enter Your GitHub Repository”, followed by a disabled “Analyze Repository” button and a “Create Pull Request” button in purple.

Screenshot of a GitHub pull request diff view showing changes to the .github/workflows/toc-tou.yml file. The interface indicates 1 file changed with +13 additions and -3 deletions. A section of the YAML workflow file is displayed, highlighting modifications to GitHub Actions security settings. • Removed: uses: actions/checkout@v4 • Added: • A new step named “Harden the runner” using step-security/harden-runner@v2.10.4 with an egress policy set to audit outbound calls. • The actions/checkout step now uses a pinned commit SHA (@11bd719...) for improved security.

Screenshot of StepSecurity’s GitHub Actions Security Secure Repo message after securing a repository. The screen displays a congratulatory message: “You are awesome [blurred name] for prioritizing security!” Below, a notification confirms that a pull request has been created with a clickable link labeled “PR-2.”

Screenshot of a merged GitHub pull request titled ”[StepSecurity] Apply security best practices #1.” The pull request (PR) was merged into the repository from the step-security-bot branch. The interface shows 1 commit, 29 files changed, and 0 checks. A comment from step-security-bot provides a summary, stating that the PR was created by StepSecurity at the request of a user (blurred name) to incorporate security enhancements. The message instructs the user to tag the requestor in case of any questions. A section titled “Security Fixes” follows, though its content is not fully visible.

Screenshot of a GitHub pull request review page showing a StepSecurity commit titled ”[StepSecurity] Apply security best practices,” signed off by StepSecurity Bot (bot@stepsecurity.io). The commit is verified with a green label. Below, a merge request panel confirms that “This branch has no conflicts with the base branch,” allowing for automatic merging.