Getting Started with Secure Repo
Step 1: Navigate to Secure Repo
Step 2: Enter Your GitHub Repository
Click on the "Enter Your GitHub Repository" field.
Type or paste the URL of your GitHub repository.

Step 3: Analyze the Repository
Click the "Analyze Repository" button.
Secure Repo will scan your repository and suggest security improvements.

You must be a contributor to this repository to Preview Changes / Create a Pull Request.
Check if you're listed as a contributor by visiting:
https://github.com/OWNER/REPO/graphs/contributors
Example: https://github.com/step-security/harden-runner/graphs/contributors
Step 4: Preview the Changes
Click "Preview Changes" to review the security enhancements.
Step 5: Review the Commit Message
Review the commit message generated by Secure Repo.
Click "Preview Changes" again to proceed.
![Screenshot of StepSecurity’s Commit Message dialog box for securing GitHub Actions workflows. The dialog prompts the user to provide a remediation commit message, with a pre-filled message: ”[StepSecurity] ci: Harden GitHub Actions”, signed off by StepSecurity Bot bot@stepsecurity.io. Below the message input field, a “Preview Changes” button is highlighted in purple. The background contains security recommendations related to GitHub Action tags and Docker tags, emphasizing the importance of pinning actions to full-length commit SHAs to mitigate security risks.](https://docs.stepsecurity.io/~gitbook/image?url=https%3A%2F%2Fajeuwbhvhr.cloudimg.io%2Fcolony-recorder.s3.amazonaws.com%2Ffiles%2F2025-02-12%2Ff869f895-6943-4a88-87cd-7b8c7eb73d50%2Fuser_cropped_screenshot.jpeg%3Ftl_px%3D300%2C518%26br_px%3D2266%2C1617%26force_format%3Djpeg%26q%3D100%26width%3D1120.0%26wat%3D1%26wat_opacity%3D1%26wat_gravity%3Dnorthwest%26wat_url%3Dhttps%3A%2F%2Fcolony-recorder.s3.amazonaws.com%2Fimages%2Fwatermarks%2F8B5CF6_standard.png%26wat_pad%3D666%2C277&width=768&dpr=4&quality=100&sign=e9377a5d&sv=2)
Step 6: Review Read-Only Preview
Click on the "read-only preview" to review the proposed changes before creating a pull request.

Step 7: Inspect the Code Changes
Ensure the proposed changes align with your repository's security needs.

Step 8: Create a Pull Request
Click "Create Pull Request".
Confirm the pull request details and click "Create Pull Request" again.

Step 9: Final Confirmation
Secure Repo will generate a confirmation message.
Click the provided link to view your pull request on GitHub.
![Screenshot of StepSecurity’s GitHub Actions Security Secure Repo message after securing a repository. The screen displays a congratulatory message: “You are awesome [blurred name] for prioritizing security!” Below, a notification confirms that a pull request has been created with a clickable link labeled “PR-2.”](https://docs.stepsecurity.io/~gitbook/image?url=https%3A%2F%2Fajeuwbhvhr.cloudimg.io%2Fcolony-recorder.s3.amazonaws.com%2Ffiles%2F2025-02-12%2F85f7f064-1225-4472-9164-f9fd4eb3c1dc%2Fuser_cropped_screenshot.jpeg%3Ftl_px%3D300%2C0%26br_px%3D2266%2C1098%26force_format%3Djpeg%26q%3D100%26width%3D1120.0%26wat%3D1%26wat_opacity%3D1%26wat_gravity%3Dnorthwest%26wat_url%3Dhttps%3A%2F%2Fcolony-recorder.s3.amazonaws.com%2Fimages%2Fwatermarks%2F8B5CF6_standard.png%26wat_pad%3D709%2C736&width=768&dpr=4&quality=100&sign=6fa13f12&sv=2)
Step 10: Merge the Pull Request
Once you've reviewed the changes, click the "Merge Pull Request" button to apply the fixes to your repository.
![Screenshot of a GitHub pull request review page showing a StepSecurity commit titled ”[StepSecurity] Apply security best practices,” signed off by StepSecurity Bot (bot@stepsecurity.io). The commit is verified with a green label. Below, a merge request panel confirms that “This branch has no conflicts with the base branch,” allowing for automatic merging.](https://docs.stepsecurity.io/~gitbook/image?url=https%3A%2F%2Fajeuwbhvhr.cloudimg.io%2Fcolony-recorder.s3.amazonaws.com%2Ffiles%2F2025-01-27%2Fbb59495d-db96-4bad-97e6-4a9cdf5086da%2Fascreenshot.jpeg%3Ftl_px%3D0%2C498%26br_px%3D1965%2C1597%26force_format%3Djpeg%26q%3D100%26width%3D1120.0%26wat%3D1%26wat_opacity%3D1%26wat_gravity%3Dnorthwest%26wat_url%3Dhttps%3A%2F%2Fcolony-recorder.s3.amazonaws.com%2Fimages%2Fwatermarks%2F8B5CF6_standard.png%26wat_pad%3D242%2C532&width=768&dpr=4&quality=100&sign=481c4f68&sv=2)
Step 11: Verify Security Fixes
After merging, confirm that the security fixes have been successfully applied by viewing the updated repository.
You can also re-analyze the repository in StepSecurity to verify the changes.
![Screenshot of a merged GitHub pull request titled ”[StepSecurity] Apply security best practices #1.” The pull request (PR) was merged into the repository from the step-security-bot branch. The interface shows 1 commit, 29 files changed, and 0 checks. A comment from step-security-bot provides a summary, stating that the PR was created by StepSecurity at the request of a user (blurred name) to incorporate security enhancements. The message instructs the user to tag the requestor in case of any questions. A section titled “Security Fixes” follows, though its content is not fully visible.](https://docs.stepsecurity.io/~gitbook/image?url=https%3A%2F%2Fajeuwbhvhr.cloudimg.io%2Fcolony-recorder.s3.amazonaws.com%2Ffiles%2F2025-01-28%2F8481e744-a0cb-48f1-a8e8-3c608f41c647%2Fuser_cropped_screenshot.jpeg%3Ftl_px%3D0%2C210%26br_px%3D1528%2C1065%26force_format%3Djpeg%26q%3D100%26width%3D1120.0%26wat%3D1%26wat_opacity%3D1%26wat_gravity%3Dnorthwest%26wat_url%3Dhttps%3A%2F%2Fcolony-recorder.s3.amazonaws.com%2Fimages%2Fwatermarks%2F8B5CF6_standard.png%26wat_pad%3D69%2C-56&width=768&dpr=4&quality=100&sign=370a236d&sv=2)
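One way to check the result of Step 11 from the command line is to scan the merged workflow files for `uses:` references that are still not pinned to a full-length commit SHA (or, for Docker images, to a sha256 digest), which is the kind of change the Secure Repo pull request proposes. This is an added example, not Secure Repo's own code: it uses a line-based regex rather than a full YAML parser, treats local `./` actions as acceptable, and the SHAs and digest in the sample are constructed placeholders.

```python
import re

# Matches a `uses:` entry in a GitHub Actions workflow step (hypothetical helper, not Secure Repo's code).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')        # full-length commit SHA
DIGEST_RE = re.compile(r'@sha256:[0-9a-f]{64}$')   # immutable container image digest

def is_pinned(ref: str) -> bool:
    """True when the reference cannot silently change: a full commit SHA or an image digest."""
    if ref.startswith("./"):
        return True                          # local action lives in the same repo; nothing to pin
    if ref.startswith("docker://"):
        return bool(DIGEST_RE.search(ref))   # a tag like alpine:3.19 can be re-pushed; a digest cannot
    if "@" not in ref:
        return False                         # no version at all
    _, _, version = ref.rpartition("@")
    return bool(FULL_SHA_RE.match(version))  # tags and branches (v4, main) are mutable

def find_unpinned_uses(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for every `uses:` that is not pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings

# Constructed sample workflow, as it might look before the Secure Repo pull request is merged.
BEFORE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4.0.2
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-lint
"""

# Constructed placeholder SHAs and digest (not real commits or images) to build the "after" version.
SHA_A = "0123456789abcdef0123456789abcdef01234567"
SHA_B = "89abcdef0123456789abcdef0123456789abcdef"
DIGEST = "sha256:" + "0" * 64
AFTER = (BEFORE.replace("actions/checkout@v4", f"actions/checkout@{SHA_A} # v4")
               .replace("actions/setup-node@v4.0.2", f"actions/setup-node@{SHA_B} # v4.0.2")
               .replace("docker://alpine:3.19", f"docker://alpine@{DIGEST}"))

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, find_unpinned_uses(text))
```

Run it over the files under `.github/workflows/` after merging; an empty result for each file means every third-party action and image reference is pinned.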