# Getting Started with Secure Repo

#### Step 1: Navigate to [Secure Repo](https://app.stepsecurity.io/secure-repo)

#### Step 2: Enter Your GitHub Repository

* Click on the **"Enter Your GitHub Repository"** field.
* Type or paste the URL of your GitHub repository.

{% hint style="info" %}
If you don’t have a repository with workflows, you can fork and experiment with this [vulnerable repository](https://github.com/step-security/github-actions-goat).
{% endhint %}

<figure><img src="https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-02-12/821f73df-8302-45b2-b13f-a9b90630993a/ascreenshot.jpeg?tl_px=0,0&#x26;br_px=2266,1538&#x26;force_format=jpeg&#x26;q=100&#x26;width=1120.0&#x26;wat=1&#x26;wat_opacity=1&#x26;wat_gravity=northwest&#x26;wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png&#x26;wat_pad=472,115" alt="Screenshot of StepSecurity’s GitHub Actions Security Secure Repo, allowing users to analyze and secure their GitHub repositories. The interface features an input field labeled “Enter Your GitHub Repository”, followed by a disabled “Analyze Repository” button and a “Create Pull Request” button in purple."><figcaption><p>StepSecurity Secure Repo Page</p></figcaption></figure>

#### Step 3: Analyze the Repository

* Click the **"Analyze Repository"** button.
* Secure Repo will scan your repository and suggest security improvements.

<figure><img src="https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-02-12/d31a27d6-7e6c-4998-a38c-1babb80c0779/user_cropped_screenshot.jpeg?tl_px=0,0&#x26;br_px=2266,1538&#x26;force_format=jpeg&#x26;q=100&#x26;width=1120.0&#x26;wat=1&#x26;wat_opacity=1&#x26;wat_gravity=northwest&#x26;wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png&#x26;wat_pad=697,108" alt="Screenshot of StepSecurity’s GitHub Actions Security Secure Repo, allowing users to analyze and secure their GitHub repositories. The interface features an input field labeled “Enter Your GitHub Repository”, followed by a disabled “Analyze Repository” button and a “Create Pull Request” button in purple."><figcaption><p>StepSecurity Secure Repo Page</p></figcaption></figure>

{% hint style="warning" %}
You must be a contributor to this repository to Preview Changes / Create a Pull Request.

**Check if you're listed as a contributor by visiting:**\
`https://github.com/OWNER/REPO/graphs/contributors`\
*Example:* <https://github.com/step-security/harden-runner/graphs/contributors>
{% endhint %}

#### Step 4: Preview the Changes

* Click **"Preview Changes"** to review the security enhancements.

#### Step 5: Review the Commit Message

* Review the commit message generated by Secure Repo.
* Click **"Preview Changes"** again to proceed.

<figure><img src="https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-02-12/f869f895-6943-4a88-87cd-7b8c7eb73d50/user_cropped_screenshot.jpeg?tl_px=300,518&#x26;br_px=2266,1617&#x26;force_format=jpeg&#x26;q=100&#x26;width=1120.0&#x26;wat=1&#x26;wat_opacity=1&#x26;wat_gravity=northwest&#x26;wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png&#x26;wat_pad=666,277" alt="Screenshot of StepSecurity’s Commit Message dialog box for securing GitHub Actions workflows. The dialog prompts the user to provide a remediation commit message, with a pre-filled message: ”[StepSecurity] ci: Harden GitHub Actions”, signed off by StepSecurity Bot bot@stepsecurity.io. Below the message input field, a “Preview Changes” button is highlighted in purple. The background contains security recommendations related to GitHub Action tags and Docker tags, emphasizing the importance of pinning actions to full-length commit SHAs to mitigate security risks."><figcaption><p>StepSecurity Secure Repo Page</p></figcaption></figure>

#### Step 6: Review Read-Only Preview

* Click on the "**read-only preview**" to review the proposed changes before creating a pull request.

<figure><img src="https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-02-12/2ed30cda-cad5-42b8-b9b6-d79e4063676c/user_cropped_screenshot.jpeg?tl_px=0,0&#x26;br_px=1965,1098&#x26;force_format=jpeg&#x26;q=100&#x26;width=1120.0&#x26;wat=1&#x26;wat_opacity=1&#x26;wat_gravity=northwest&#x26;wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png&#x26;wat_pad=439,236" alt="Screenshot of StepSecurity’s GitHub Actions Security Orchestration interface displaying a repository analysis. The repository URL is partially blurred in the input field, with an “Analyze Repository” button next to it. A green notification banner states that a read-only preview of security best practices has been created, instructing the user to review changes and click “Create Pull Request” to apply them."><figcaption><p>StepSecurity Secure Repo Page</p></figcaption></figure>

#### Step 7: Inspect the Code Changes

* Ensure the proposed changes align with your repository’s security needs.

<figure><img src="https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-02-12/2d52a24f-7da1-4b6c-87d7-bc828a0675ec/ascreenshot.jpeg?tl_px=300,224&#x26;br_px=2266,1323&#x26;force_format=jpeg&#x26;q=100&#x26;width=1120.0&#x26;wat=1&#x26;wat_opacity=1&#x26;wat_gravity=northwest&#x26;wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png&#x26;wat_pad=101,526" alt="Screenshot of a GitHub pull request diff view showing changes to the .github/workflows/toc-tou.yml file. The interface indicates 1 file changed with +13 additions and -3 deletions. A section of the YAML workflow file is displayed, highlighting modifications to GitHub Actions security settings. Removed: uses: actions/checkout@v4. Added: a new step named “Harden the runner” using step-security/harden-runner@v2.10.4 with an egress policy set to audit outbound calls, and the actions/checkout step now uses a pinned commit SHA (@11bd719...) for improved security."><figcaption><p>Preview of changes in GitHub</p></figcaption></figure>

#### Step 8: Create a Pull Request

1. Click **"Create Pull Request"**.
2. Confirm the pull request details and click **"Create Pull Request"** again.

<figure><img src="https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-02-12/5250603b-733a-4d8d-b469-c9869db5db21/user_cropped_screenshot.jpeg?tl_px=300,0&#x26;br_px=2266,1098&#x26;force_format=jpeg&#x26;q=100&#x26;width=1120.0&#x26;wat=1&#x26;wat_opacity=1&#x26;wat_gravity=northwest&#x26;wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png&#x26;wat_pad=925,137" alt="Screenshot of StepSecurity’s GitHub Actions Security Secure Repo , displaying an option to create a pull request for security best practices. The repository URL input field is partially blurred, with an “Analyze Repository” button next to it. A green notification banner confirms that a read-only preview of security best practices has been created."><figcaption><p>StepSecurity Secure Repo Page</p></figcaption></figure>

#### Step 9: Final Confirmation

* Secure Repo will generate a confirmation message.
* Click the provided link to view your pull request on GitHub.

<figure><img src="https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-02-12/85f7f064-1225-4472-9164-f9fd4eb3c1dc/user_cropped_screenshot.jpeg?tl_px=300,0&#x26;br_px=2266,1098&#x26;force_format=jpeg&#x26;q=100&#x26;width=1120.0&#x26;wat=1&#x26;wat_opacity=1&#x26;wat_gravity=northwest&#x26;wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png&#x26;wat_pad=709,736" alt="Screenshot of StepSecurity’s GitHub Actions Security Secure Repo message after securing a repository. The screen displays a congratulatory message: “You are awesome [blurred name] for prioritizing security!” Below, a notification confirms that a pull request has been created with a clickable link labeled “PR-2.” "><figcaption><p>StepSecurity Secure Repo Page</p></figcaption></figure>

#### Step 10: Merge the Pull Request

* Once you've reviewed the changes, click the "Merge Pull Request" button to apply the fixes to your repository.

<figure><img src="https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-01-27/bb59495d-db96-4bad-97e6-4a9cdf5086da/ascreenshot.jpeg?tl_px=0,498&#x26;br_px=1965,1597&#x26;force_format=jpeg&#x26;q=100&#x26;width=1120.0&#x26;wat=1&#x26;wat_opacity=1&#x26;wat_gravity=northwest&#x26;wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png&#x26;wat_pad=242,532" alt="Screenshot of a GitHub pull request review page showing a StepSecurity commit titled ”[StepSecurity] Apply security best practices,” signed off by StepSecurity Bot (bot@stepsecurity.io). The commit is verified with a green label. Below, a merge request panel confirms that “This branch has no conflicts with the base branch,” allowing for automatic merging."><figcaption><p>GitHub PR created by StepSecurity Repo</p></figcaption></figure>

#### Step 11: Verify Security Fixes

* After merging, confirm that the security fixes have been successfully applied by viewing the updated repository.
* You can also re-analyze the repository in StepSecurity to verify the changes.
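The two fixes shown in the Step 7 diff (every `uses:` reference pinned to a full-length commit SHA, and a `step-security/harden-runner` step with an egress policy added at the top of the job) can also be verified locally once the pull request is merged, which complements the re-analysis in Step 11. The script below is an added example written for this page; it is not StepSecurity's code and does not call the Secure Repo service. It uses only the Python standard library, and the two workflow snippets it checks are constructed inline: the "before" mirrors the unpinned `actions/checkout@v4` pattern from the diff, and the "after" uses all-zero placeholder SHAs (not real commits) where a merged PR would carry the actual pinned SHAs.

```python
import re

# Matches a `uses:` line, whether it is the first key of a step (`- uses:`)
# or follows a `- name:` line. Captures the action reference up to a space,
# quote or comment marker.
USES_RE = re.compile(r'''^\s*-?\s*uses:\s*["']?([^\s"'#]+)''')
# A full-length Git commit SHA: exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
EGRESS_RE = re.compile(r"^\s*egress-policy:\s*([A-Za-z]+)")


def find_unpinned_actions(workflow_text):
    """Return [(line_no, ref), ...] for every action reference that is not
    pinned to a 40-hex commit SHA. Local (./...) and docker:// references are
    skipped because they are not versioned by a commit SHA."""
    unpinned = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _action, _sep, version = ref.partition("@")
        if not FULL_SHA_RE.fullmatch(version):
            unpinned.append((line_no, ref))
    return unpinned


def harden_runner_egress_policy(workflow_text):
    """Return the egress-policy value configured for the harden-runner step,
    or None if no step-security/harden-runner step is present. Simplification:
    the first egress-policy key after the harden-runner line is taken."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if m and m.group(1).startswith("step-security/harden-runner@"):
            for later in lines[i + 1:]:
                e = EGRESS_RE.match(later)
                if e:
                    return e.group(1)
            return None
    return None


def audit_workflow(workflow_text):
    """Summarise the two checks as a dict suitable for a CI gate."""
    unpinned = find_unpinned_actions(workflow_text)
    policy = harden_runner_egress_policy(workflow_text)
    return {
        "unpinned": unpinned,
        "harden_runner_egress_policy": policy,
        "passes": not unpinned and policy is not None,
    }


# Constructed sample: the unhardened workflow, as in the diff's removed lines.
BEFORE = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm test
"""

# Constructed sample: the hardened workflow. The SHAs are placeholders, not
# real commits; a merged Secure Repo PR carries the actual pinned SHAs.
PLACEHOLDER_SHA = "0" * 40
AFTER = f"""\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner
        uses: step-security/harden-runner@{PLACEHOLDER_SHA} # v2.10.4 (placeholder SHA)
        with:
          egress-policy: audit
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4 (placeholder SHA)
      - uses: actions/setup-node@{PLACEHOLDER_SHA} # v4 (placeholder SHA)
        with:
          node-version: 20
      - run: npm test
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(text))
```

Run it against the real file with `audit_workflow(open(".github/workflows/ci.yml").read())`; a non-empty `unpinned` list after the merge means a `uses:` line was missed, and `harden_runner_egress_policy` returning `None` means the "Harden the runner" step from the preview did not land.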

<figure><img src="https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-01-28/8481e744-a0cb-48f1-a8e8-3c608f41c647/user_cropped_screenshot.jpeg?tl_px=0,210&#x26;br_px=1528,1065&#x26;force_format=jpeg&#x26;q=100&#x26;width=1120.0&#x26;wat=1&#x26;wat_opacity=1&#x26;wat_gravity=northwest&#x26;wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png&#x26;wat_pad=69,-56" alt="Screenshot of a merged GitHub pull request titled ”[StepSecurity] Apply security best practices #1.” The pull request (PR) was merged into the repository from the step-security-bot branch. The interface shows 1 commit, 29 files changed, and 0 checks.  A comment from step-security-bot provides a summary, stating that the PR was created by StepSecurity at the request of a user (blurred name) to incorporate security enhancements. The message instructs the user to tag the requestor in case of any questions. A section titled “Security Fixes” follows, though its content is not fully visible."><figcaption><p>GitHub PR created by StepSecurity Repo</p></figcaption></figure>
