Getting Started with Secure Repo


Last updated 1 month ago

Step 1: Navigate to the Secure Repo page

Step 2: Enter Your GitHub Repository

  • Click on the "Enter Your GitHub Repository" field.

  • Type or paste the URL of your GitHub repository.

If you don’t have repositories with workflows, you can fork and experiment with this vulnerable repository.

Step 3: Analyze the Repository

  • Click the "Analyze Repository" button.

  • Secure Repo will scan your repository and suggest security improvements.

You must be a contributor to this repository to Preview Changes / Create a Pull Request.

Step 4: Preview the Changes

  • Click "Preview Changes" to review the security enhancements.

Step 5: Review the Commit Message

  • Review the commit message generated by Secure Repo.

  • Click "Preview Changes" again to proceed.

Step 6: Review the Read-Only Preview

  • Click on the "read-only preview" to review the proposed changes before creating a pull request.

Step 7: Inspect the Code Changes

  • Ensure the proposed changes align with your repository’s security needs.

Step 8: Create a Pull Request

  1. Click "Create Pull Request".

  2. Confirm the pull request details and click "Create Pull Request" again.

Step 9: Final Confirmation

  • Secure Repo will generate a confirmation message.

  • Click the provided link to view your pull request on GitHub.

Step 10: Merge the Pull Request

  • Once you've reviewed the changes, click the "Merge Pull Request" button to apply the fixes to your repository.

Step 11: Verify Security Fixes

  • After merging, confirm that the security fixes have been successfully applied by viewing the updated repository.

  • You can also re-analyze the repository in StepSecurity to verify the changes.

Check if you're listed as a contributor by visiting https://github.com/OWNER/REPO/graphs/contributors (example: https://github.com/step-security/harden-runner/graphs/contributors).

Screenshots on this page (described):

  • The Secure Repo page, with the "Enter Your GitHub Repository" field, the "Analyze Repository" button and the "Create Pull Request" button.

  • The Commit Message dialog, pre-filled with "[StepSecurity] ci: Harden GitHub Actions" and signed off by StepSecurity Bot (bot@stepsecurity.io), with the "Preview Changes" button; the background shows recommendations about pinning GitHub Action tags and Docker tags to full-length commit SHAs.

  • The green banner confirming that a read-only preview of security best practices has been created, instructing you to review the changes and click "Create Pull Request" to apply them.

  • The GitHub pull request diff for .github/workflows/toc-tou.yml (1 file changed, +13/-3): a new "Harden the runner" step using step-security/harden-runner@v2.10.4 with an egress policy set to audit outbound calls, and the actions/checkout step pinned to a full-length commit SHA (@11bd719...) instead of @v4.

  • The confirmation message "You are awesome [name] for prioritizing security!" with a link to the created pull request (e.g. "PR-2").

  • The pull request review page: commit "[StepSecurity] Apply security best practices", signed off by StepSecurity Bot and marked verified, with "This branch has no conflicts with the base branch".

  • The merged pull request "[StepSecurity] Apply security best practices #1" from the step-security-bot branch: 1 commit, 29 files changed, with a summary comment from step-security-bot (asking you to tag the requestor with any questions) and a "Security Fixes" section.
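As an added example (not StepSecurity's own code), a local check for the two fixes the pull request on this page applies, useful for Step 11: every third-party action pinned to a full-length commit SHA, and a Harden-Runner step with an egress policy. The before/after workflows and their 40-hex SHAs are constructed placeholders, not real commits.

```python
import re

# Constructed sample workflow as it looks before Secure Repo's PR: floating tag, no Harden-Runner step.
BEFORE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# Constructed "after" sample, modelled on the PR diff described on this page.
# The 40-hex SHAs are placeholders, not the real commits for these releases.
AFTER = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner
        uses: step-security/harden-runner@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v2.10.4
        with:
          egress-policy: audit
      - uses: actions/checkout@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb # v4
      - run: make test
"""

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(workflow_text):
    """Return every `uses:` reference that is not pinned to a full-length commit SHA.
    Local actions (./path) and docker:// images are skipped; SHA pinning does not apply to them."""
    found = []
    for ref in USES.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            found.append(ref)
    return found

def harden_runner_audit_present(workflow_text):
    """True when a step-security/harden-runner step with an egress-policy (audit or block) is present."""
    has_step = "step-security/harden-runner@" in workflow_text
    has_policy = re.search(r"egress-policy:\s*(audit|block)", workflow_text) is not None
    return has_step and has_policy
```

Run `unpinned_actions` and `harden_runner_audit_present` over each file under .github/workflows/ after merging to confirm the fixes landed; an empty unpinned list and a True result is what the merged PR should produce.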