StepSecurity
Getting Started with Secure Workflow


Last updated 2 months ago


Step 1: Open the StepSecurity Secure Workflow page in your browser

Step 2: Paste Your Workflow File

  • Copy your GitHub Actions workflow file and paste it into the editor on the StepSecurity tool interface.

Step 3: Click on the “Secure Workflow” Button

  • Click the “Secure Workflow” button.

  • The tool will automatically enhance the security of your workflow by applying recommended settings:

    • Restrict permissions for `GITHUB_TOKEN`.

    • Pin actions to full-length commit SHAs (a tag such as `v4` can be moved to point at different code; a commit SHA cannot).

Step 4: Review and Apply the Suggested Changes

  • The tool will show a diff view of your original workflow versus the secure version.

  • Key enhancements include:

    • Adjusted permissions to follow the principle of least privilege.

    • Integration of the StepSecurity Harden-Runner with an audit egress policy (`egress-policy: audit`), which records the job's outbound network calls without blocking them.

    • Pinning all GitHub Actions to specific commit SHAs for better security.

Step 5: Save and Commit the Changes

  • After reviewing the updates, copy the secure workflow provided by the platform.

  • Apply the updated workflow manually to your repository by pasting it into the appropriate file in your project.

Add Harden-Runner for the GitHub-hosted runner.
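What the diff from Step 4 looks like in practice, as an added illustration that is not taken from the StepSecurity docs or from the tool's output: a minimal Node.js CI workflow before and after the three changes (least-privilege `GITHUB_TOKEN`, Harden-Runner in audit mode, SHA pinning). The workflow, job name and version tags are assumptions, and the 40-character SHAs are zero-filled placeholders; Secure Workflow substitutes the real commit SHA for each tag when it pins.

```yaml
# BEFORE (constructed example): mutable tag references, no explicit token
# permissions, and no runtime monitoring of the job.
name: ci
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test

---
# AFTER (constructed example of the hardened form):
#  1. a top-level `permissions` block restricts GITHUB_TOKEN to read-only
#     repository contents for every job;
#  2. Harden-Runner is the first step of the job, with egress-policy: audit,
#     so nothing is blocked yet but every outbound call is recorded;
#  3. every action is pinned to a full-length commit SHA, with the tag kept
#     as a trailing comment for readability. The SHAs below are zero-filled
#     placeholders (assumption); the tool writes the real commit for each tag.
name: ci
on: [push, pull_request]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          egress-policy: audit
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          node-version: 20
      - run: npm ci && npm test
```

Two things to check after committing. If a step later needs more than read access (for example `pull-requests: write` to post a comment), grant it in that job's own `permissions` block rather than widening the top-level one, so the other jobs keep the read-only token. And once a few runs have been audited, the destinations Harden-Runner recorded are the allowlist you need to switch from `egress-policy: audit` to `egress-policy: block`; do not switch to `block` before auditing, or the first build that reaches an unlisted endpoint fails.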
