Getting Started with Secure Workflow

Step 1: Navigate to Secure Workflow on your browser

Step 2: Paste Your Workflow File

• Copy your GitHub Actions workflow file and paste it into the editor on the StepSecurity tool interface.

Step 3: Click on the “Secure Workflow” Button

• Click the “Secure Workflow” button.

• The tool will automatically enhance the security of your workflow by applying recommended settings:

  • Restrict permissions for [[GITHUB_TOKEN]].

  • Add Harden-Runner for the GitHub-hosted runner.

  • Pin actions to full-length commit SHAs.

Step 4: Review and Apply the Suggested Changes

• The tool will show a diff view of your original workflow versus the secure version.

• Key enhancements include:

  • Adjusted permissions to follow the principle of least privilege.

  • Integration of the StepSecurity Harden Runner with an audit egress policy.

  • Pinning all GitHub Actions to specific commit SHAs for better security

Step 5: Save and Commit the Changes

• After reviewing the updates, copy the secure workflow provided by the platform.

• Apply the updated workflow manually to your repository by pasting it into the appropriate file in your project.