GitHub Checks
GitHub Checks is a powerful feature that helps you monitor and improve the quality of your code by running automated checks on your repositories.
By enabling this feature, you can gain better insights into your code’s performance, security, and compliance directly within your GitHub workflow.
Types Of GitHub Checks
Harden Runner Baseline Check
StepSecurity Required Checks
StepSecurity Optional Checks
Harden Runner Baseline Check
This check integrates Harden-Runner insights into the GitHub Checks UI, providing developers with immediate feedback on outbound network activity.
With this integration, developers no longer need to rely on email or Slack notifications or visit the StepSecurity dashboard to monitor anomalous network calls.
StepSecurity Required Checks
These are blocking status checks. When enabled, a pull request cannot be merged until all Required Checks pass. Use this to bucket StepSecurity controls (e.g., the StepSecurity GitHub Check) into the “required” set so merges are blocked on them.
StepSecurity Optional Checks
These provide developers with security and quality insights without blocking pull requests. They surface issues for visibility but allow merges to proceed even if they fail.
How it Works
Step 1: Navigate to Configuration under GitHub Checks in your StepSecurity dashboard

Step 2: Select the Controls you want to enable and choose the check type (Required or Optional)

Step 3: For the npm package cooldown, configure the cooldown period (between 1–30 days)

Step 4: Select the repositories you want this to apply to, then click Save Changes

Step 5: If a developer or bot opens a pull request that adds a package.json referencing a newly released npm package, the StepSecurity check fails. This happens because the NPM Package Cooldown Check blocks new packages until they have been vetted by the community.

Step 6: Click StepSecurity Required/Optional Checks

Step 7: You can see all the different checks that are available:
To view more information, click the failed NPM Package Cooldown Check.

Step 8: You can see the newly released package, the date it was released, and the time at which the check will pass. After the 2-day cooldown period expires, the check passes automatically and the PR can be merged safely; no manual intervention is needed.

Step 9: If it’s an emergency and the package must be merged immediately, open the StepSecurity dashboard and go to the recent GitHub check run.

Step 10: Click "Approve All"

Step 11: The check will pass immediately
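The logic behind the cooldown check described in Steps 3 to 8, as an added illustration that is not StepSecurity's own implementation: it reads the dependencies in a package.json, looks up each resolved version's publish time in a constructed stand-in for the npm registry packument (the registry's real "time" map records a publish timestamp per version), and reports every dependency younger than the configured 1–30 day cooldown together with the moment the check would start passing. Package names, timestamps and the fixed clock are constructed sample data, and non-exact version ranges are assumed to resolve to the registry's "latest" tag (a simplification; a real check would consult the lockfile).

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: a PR adds these two dependencies (hypothetical package names).
PACKAGE_JSON = '{"name": "demo-app", "dependencies": {"left-pad-ish": "1.3.0", "old-stable-lib": "^2.0.0"}}'

# Constructed stand-in for registry packuments; "time" maps version -> publish timestamp.
REGISTRY = {
    "left-pad-ish": {"dist-tags": {"latest": "1.3.0"},
                     "time": {"1.2.0": "2024-05-01T00:00:00.000Z", "1.3.0": "2024-06-09T15:00:00.000Z"}},
    "old-stable-lib": {"dist-tags": {"latest": "2.4.1"},
                       "time": {"2.0.0": "2023-01-10T00:00:00.000Z", "2.4.1": "2024-03-02T00:00:00.000Z"}},
}

NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def resolve_version(spec, packument):
    """Exact pins are used as-is; any range spec is assumed to resolve to the
    registry's 'latest' tag (simplification: a real check would read the lockfile)."""
    if spec[:1].isdigit() and spec in packument["time"]:
        return spec
    return packument["dist-tags"]["latest"]


def evaluate_cooldown(package_json, registry, cooldown_days, now):
    """Return (name, version, published, passes_at) for every dependency whose
    resolved version is younger than cooldown_days. An empty list means the check passes."""
    if not 1 <= cooldown_days <= 30:
        raise ValueError("cooldown period must be between 1 and 30 days")
    deps = json.loads(package_json).get("dependencies", {})
    threshold = timedelta(days=cooldown_days)
    violations = []
    for name, spec in deps.items():
        packument = registry.get(name)
        if packument is None:
            continue  # not in the registry snapshot; out of scope for this check
        version = resolve_version(spec, packument)
        published = datetime.fromisoformat(packument["time"][version].replace("Z", "+00:00"))
        if now - published < threshold:
            violations.append((name, version, published, published + threshold))
    return violations


def check_conclusion(violations):
    """Map the result onto the status a check run would report."""
    return "failure" if violations else "success"


if __name__ == "__main__":
    found = evaluate_cooldown(PACKAGE_JSON, REGISTRY, 2, NOW)
    for name, version, published, passes_at in found:
        print(f"{name}@{version} published {published:%Y-%m-%d %H:%M} UTC; passes at {passes_at:%Y-%m-%d %H:%M} UTC")
    print("NPM Package Cooldown Check:", check_conclusion(found))
```

Re-running with a later clock (the `passes_at` value returned for the flagged package) yields no violations, which mirrors the automatic pass in Step 8.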
