# Getting Started with Secure Workflow

#### **Step 1: Navigate to [Secure Workflow](https://app.stepsecurity.io/secure-workflow) in Your Browser**

#### **Step 2: Paste Your Workflow File**

* Copy your GitHub Actions workflow file and paste it into the editor on the StepSecurity tool interface.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FX26sivFLMK37fZozo11u%2FHow%20to%20Apply%20Security%20Best%20Practices%20in%20GitHub%20-%20Step%201.png?alt=media&#x26;token=7a4e23e9-0b69-443d-8e2a-8cf57070dd82" alt="StepSecurity Secure Workflow Page"><figcaption><p>StepSecurity Secure Workflow Page</p></figcaption></figure>

#### **Step 3: Click on the “Secure Workflow” Button**

* Click the **“Secure Workflow”** button.
* The tool will automatically enhance the security of your workflow by applying recommended settings:
  * Restrict permissions for `GITHUB_TOKEN`.
  * Add [Harden-Runner](https://docs.stepsecurity.io/harden-runner) for the GitHub-hosted runner.
  * Pin actions to full-length commit SHAs.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2F9xx7XKyMA05QSf4aaB9b%2FHow%20to%20Apply%20Security%20Best%20Practices%20in%20GitHub%20-%20Step%203.png?alt=media&#x26;token=37b56d9a-372c-45ba-8b51-8787dec11089" alt="StepSecurity Secure Workflow Page showing the Secure Workflow button"><figcaption><p>StepSecurity Secure Workflow Page</p></figcaption></figure>

#### **Step 4: Review and Apply the Suggested Changes**

* The tool will show a diff view of your original workflow versus the secure version.
* Key enhancements include:
  * Adjusted permissions to follow the principle of least privilege.
  * Integration of the StepSecurity Harden-Runner with an audit egress policy.
  * Pinning all GitHub Actions to specific commit SHAs for better security.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FRICxVKzj84ikOgV3T9Pu%2FHow%20to%20Apply%20Security%20Best%20Practices%20in%20GitHub%20-%20Step%205.png?alt=media&#x26;token=194e7429-4142-4472-b6fe-2523d4cbc55a" alt="StepSecurity Secure Workflow Page showing the difference in changes in the workflow file"><figcaption><p>StepSecurity Secure Workflow Page</p></figcaption></figure>

#### **Step 5: Save and Commit the Changes**

* After reviewing the updates, copy the secure workflow provided by the platform.
* Apply the updated workflow manually to your repository by pasting it into the appropriate file in your project.
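
To confirm that the committed file carries the three changes listed in Steps 3 and 4, a check like the following can run locally or in CI. It is an added example, not StepSecurity's code: the regex-based parsing, the `audit_workflow` name and both sample workflows are assumptions, and the 40-character SHA is a constructed placeholder, not a real commit.

```python
import re

# "uses: owner/repo[/path]@ref" in a step or a reusable-workflow call
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"[0-9a-fA-F]{40}")

def audit_workflow(text):
    """Return findings for the three hardening items; [] means all are present."""
    findings = []
    # GITHUB_TOKEN: expect an explicit permissions block (workflow or job level)
    if not re.search(r"^\s*permissions:", text, re.MULTILINE):
        findings.append("no explicit permissions block for GITHUB_TOKEN")
    has_harden_runner = False
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images carry no commit ref
        name, _, version = ref.partition("@")
        if name.lower() == "step-security/harden-runner":
            has_harden_runner = True
        if not FULL_SHA_RE.fullmatch(version):
            findings.append(f"{name}@{version} is not pinned to a full-length commit SHA")
    if not has_harden_runner:
        findings.append("no step-security/harden-runner step")
    return findings

# Constructed sample workflows, not taken from the page
BEFORE = """\
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
SHA = "0123456789abcdef0123456789abcdef01234567"  # placeholder, not a real commit
AFTER = f"""\
on: push
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@{SHA}
        with:
          egress-policy: audit
      - uses: actions/checkout@{SHA}
"""

if __name__ == "__main__":
    print(audit_workflow(BEFORE), audit_workflow(AFTER))
```

The permissions check only tests for presence, so a block such as `permissions: write-all` would still pass; the granted scopes need a manual look against what each job actually does.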

