PricingInstall StepSecurity AppLogin

GitHub Checks

Available for Enterprise Tier Only

This is a new feature. If you installed the StepSecurity Actions Security GitHub App before January 10th, 2025, you will need to accept two new permissions to enable GitHub Checks:

  • pull_requests: read

  • checks: write

These permissions are required for StepSecurity App to write checks within GitHub.

GitHub Checks is a powerful feature that helps you monitor and improve the quality of your code by running automated checks on your repositories.

By enabling this feature, you can gain better insights into your code’s performance, security, and compliance directly within your GitHub workflow.

Types Of GitHub Checks

  • Harden Runner Baseline Check

  • StepSecurity Required Checks

  • StepSecurity Optional Checks

Harden Runner Baseline Check

This check integrates Harden-Runner insights into the GitHub Checks UI, providing developers with immediate feedback on outbound network activity.

With this integration, developers no longer need to rely on email or Slack notifications or visit the StepSecurity dashboard to monitor anomalous network calls.

StepSecurity Required Checks

These are blocking status checks. When enabled, a pull request cannot be merged until all Required Checks pass. Use this to bucket StepSecurity controls (e.g., the StepSecurity GitHub Check) into the “required” set so merges are blocked on them.

To ensure StepSecurity Required Checks work for your organization:

  • Go to your Organization Settings

  • Navigate to Code, planning and automation → Repository → RuleSets

  • Create a new ruleset

  • Enable the rule “Require status checks to pass” and include StepSecurity Required Checks in the list of required checks.

StepSecurity Optional Checks

These provide developers with security and quality insights without blocking pull requests. They surface issues for visibility but allow merges to proceed even if they fail.

How it Works

Step 1: Navigate to Configuration under GitHub Checks in your StepSecurity dashboard

Step 2: Select the Controls you want to enable and choose the check type (Required or Optional)

Step 3: Set the cooldown period (between 1–30 days). You can also define exemption packages if your team publishes packages that should not be subject to the cooldown

Step 4: Select the repositories you want this to apply to, then click Save Changes

Step 5: If a developer or bot opens a pull request that adds a package.json referencing a newly released npm package, the StepSecurity check will fail. This happens because the NPM Package Cooldown Check blocks new packages until they have been vetted by the community

Step 6: Click StepSecurity Required/Optional Checks

Step 7: You can see all the different checks that are available:

To view more information, click the failed NPM Package Cooldown Check.

Step 8: You can see the newly released package and the date it was released and also the time it will pass. After the 2-day cooldown period expires, the check automatically passes, and the PR can be merged safely - no manual intervention needed

Step 9: If it’s an emergency and the package must be merged immediately, open the StepSecurity dashboard and go to the recent GitHub check run

Step 10: Click "Approve All"

Step 11: The check will pass immediately

PreviousHow to Determine Minimum Token PermissionsNextConfiguration

Last updated

Was this helpful?