> For the complete documentation index, see [llms.txt](https://docs.stepsecurity.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.stepsecurity.io/github-actions/actions/stepsecurity-maintained-actions.md).

# StepSecurity Maintained Actions

StepSecurity maintains a set of trusted GitHub Actions to reduce risk from supply chain attacks due to compromise of third-party actions and enhance security and consistency across workflows.

<figure><img src="/files/BDIosBFK8HpY052JwiA5" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Read the announcement: [StepSecurity Maintained Actions Are Now Free for Public Repos](https://www.stepsecurity.io/blog/stepsecurity-maintained-actions-are-now-free-for-public-repos)
{% endhint %}

{% hint style="info" %}
The current list of maintained actions can be found at <https://app.stepsecurity.io/github-action-advisor>

New action requests are fulfilled within 2 business days per action (e.g., 5 actions = 10 business days). Upstream changes from the original action repository are incorporated within 30 days of release.
{% endhint %}

We onboard StepSecurity Maintained Actions based on requests from our enterprise customers who typically ask us to onboard actions that:

* Have been abandoned by original maintainers
* Have single maintainers
* Receive low security scores (based on [OpenSSF Scorecard](https://github.com/ossf/scorecard))
* Present high security risks due to credential access requirements

### Pricing and Access

* **Public repositories**: StepSecurity Maintained Actions are free to use. No subscription is required.
* **Private repositories**: Maintained actions include a subscription check and require a StepSecurity subscription. This funds the ongoing security maintenance, reviews, and vulnerability management.

Because maintained actions are drop-in replacements, switching is typically a one-line change in your workflow YAML: replace the original action reference with the StepSecurity equivalent.

{% hint style="info" %}
**Automated replacement for Enterprise tier:** Enterprise tier customers can replace third-party actions with StepSecurity Maintained equivalents across many repositories automatically using [Policy-Driven PRs](/github/orchestrate-security/policy-driven-prs.md#replace-third-party-actions-with-stepsecurity-maintained-actions).&#x20;
{% endhint %}

### Our Secure Maintenance Process

1. **Rigorous Onboarding**: Every action undergoes a thorough manual secure code review before being onboarded as a StepSecurity Maintained Action
2. **AI-Assisted Secure Code Review**: Before an action is released, we run an AI-assisted secure code review across the upstream source to surface vulnerable or risky code, then fix those issues as part of onboarding
3. **Strict Access Control**: All action repositories are created in the StepSecurity organization with write access strictly limited to our engineering team
4. **Robust Branch Protection**:
   * Requires cryptographically signed commits
   * Mandates approval from a reviewer other than the PR creator
   * Enforces security tool status checks before merging, such as:
     * CodeQL&#x20;
     * Dependency Review
     * OpenSSF Scorecard
     * GuardDog
5. **Tag Protection**: By default, no tags can be created or changed. We use just-in-time access to create tags during the release process
6. **Secure Release Process**:
   * For Node actions: The dist folder is built from scratch and validated within a GitHub Actions workflow
   * For Docker actions: New images are built and pushed to StepSecurity's GitHub container registry
7. **Release Safeguards**:
   * Uses environment-based approvals to require explicit verification before release
   * Utilizes ephemeral GitHub Actions tokens instead of persistent bot accounts
8. **Industry Best Practices**:
   * Follows Open Source Security Foundation Scorecard recommendations
   * Pins dependencies in GitHub Actions workflows to specific versions
   * Implements minimal GITHUB\_TOKEN  permissions
   * Utilizes CodeQL and Dependabot
9. **Proactive Vulnerability Management**: Continuously monitors for security vulnerabilities in dependencies with a defined SLA for patches
   * Critical vulnerabilities (CVSS 9.0 and higher): 2 days
   * High-risk vulnerabilities (CVSS 7.0 and higher): 30 days
   * Moderate-risk vulnerabilities (CVSS 4.0 to 6.9): 90 days
   * Low-risk vulnerabilities (CVSS under 4.0): 180 days
10. **Upstream Coordination**: Monitors for upstream changes and incorporates them using the same rigorous review and release process. Upstream changes from the original action repository are incorporated within **30** days of release.
11. **Comprehensive Testing**:
    * Implements integration tests for all actions
    * Tests run automatically before updating dependencies or merging from upstream
    * Ensures reliability and consistent behavior across updates
12. **Runtime Security Monitoring**:
    * Runs actions with StepSecurity Harden Runner to observe and analyze network traffic
    * Monitors runtime behavior for anomalies or unexpected activities

### Real-World Security Benefits

**Case Study Comparisons:**

* **tj-actions/changed-files**: A compromise occurred when a [persistent bot account](https://github.com/tj-actions/changed-files/issues/2464#issuecomment-2727130040) with repository access was exploited to update tags. StepSecurity actions eliminate this risk by avoiding persistent credentials and requiring environment-based approvals for releases.
* **reviewdog actions**: Security was compromised due to [overly permissive access control](https://github.com/reviewdog/reviewdog/issues/2079) where contributors who submitted to `reviewdog/action-*` repositories were automatically invited to the reviewdog/actions-maintainer team, which had write access to these repositories. StepSecurity restricts access exclusively to our dedicated maintenance team.

**Follow this interactive demo to see it in action:**

{% embed url="<https://app.storylane.io/share/v7tntzghtcr1>" %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.stepsecurity.io/github-actions/actions/stepsecurity-maintained-actions.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
