Configuration
Controls available for GitHub Checks
GitHub Checks can be customized by enabling specific controls. Each control can be set as either a Required Check (blocks the merge when it fails) or an Optional Check (non-blocking; provides insights only).
Currently, four controls are available:
NPM Package Compromised Updates
This control ensures that no pull request introduces or updates a dependency that is known to be compromised.
StepSecurity continuously monitors the npm ecosystem for emerging threats and maintains an internal database of compromised packages, updated in real time.
In many cases, this database is updated before an official CVE is published, meaning developers can block the use of a malicious package faster than traditional vulnerability scanners allow.
If a pull request uses a compromised package, the check fails and prevents the merge, eliminating a major attack vector and helping teams respond to incidents at the speed of the ecosystem.
NPM Package Cooldown
This control prevents the use of very recently published npm packages.
It flags any dependency version introduced or updated in the pull request that was published within the last 2 days (the default cooldown).
The cooldown period is configurable to align with your organization’s risk tolerance, giving flexibility based on how quickly your teams want to adopt new releases.
Most supply chain attacks are discovered within the first 24 hours of a malicious package being published, so this waiting period greatly reduces the risk of introducing unvetted dependencies.
If a pull request updates a package released yesterday, the check fails automatically. Once the package version has aged beyond the configured cooldown window, the check passes without requiring any manual intervention.
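The cooldown logic described above, as an added illustration that is not StepSecurity's own implementation: the registry publish timestamps, the pull request's dependency changes and the fixed clock are constructed sample data, and the version-to-timestamp map mirrors the shape of the "time" field in an npm registry package document.

```python
"""Added example: a minimal npm package cooldown check.

Flags every dependency version a pull request introduces or updates whose
publish time is younger than the configured cooldown window.
"""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the registry "time" map: package -> version -> publish timestamp.
REGISTRY_TIME = {
    "left-pad": {"1.3.0": "2018-04-02T12:00:00.000Z", "1.3.1": "2025-05-01T09:30:00.000Z"},
    "chalk": {"5.3.0": "2023-06-30T08:00:00.000Z"},
    "tiny-util": {"0.0.1": "2025-05-01T23:00:00.000Z"},
}

# Constructed stand-in for the dependency changes a PR makes to the manifest/lockfile.
PR_CHANGES = {"left-pad": "1.3.1", "chalk": "5.3.0", "tiny-util": "0.0.1"}

# Fixed "now" so the example is deterministic; a real check would use datetime.now(timezone.utc).
NOW = datetime(2025, 5, 2, 12, 0, tzinfo=timezone.utc)


def parse_registry_time(stamp):
    """Parse the registry's ISO 8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def cooldown_violations(changes, registry, now=NOW, cooldown_days=2):
    """Return {package: (version, age_in_hours)} for each changed version younger than the cooldown.

    A version the registry has no timestamp for is reported with age None and
    treated as a violation, since its age cannot be verified.
    """
    violations = {}
    window = timedelta(days=cooldown_days)
    for pkg, version in changes.items():
        stamp = registry.get(pkg, {}).get(version)
        if stamp is None:
            violations[pkg] = (version, None)
            continue
        age = now - parse_registry_time(stamp)
        if age < window:
            violations[pkg] = (version, round(age.total_seconds() / 3600, 1))
    return violations


def check_passes(changes, registry, now=NOW, cooldown_days=2):
    """True when no changed dependency version is inside the cooldown window."""
    return not cooldown_violations(changes, registry, now, cooldown_days)
```

With the default 2-day window the sample PR fails on left-pad and tiny-util; shrinking the window (or, in practice, waiting until the versions age past it) lets the same PR pass with no manual intervention.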
PWN Request
This control inspects GitHub Actions workflows for patterns that may allow a PWN Request vulnerability.
It detects insecure configurations, such as workflows triggered by pull_request_target that can be exploited through malicious pull requests from forks, and flags these risks before they can be used to execute unauthorized code in your CI environment.
Script Injection
This control scans GitHub Actions workflows for script injection vulnerabilities.
It flags workflows that use overly permissive triggers or unsanitized external inputs, and surfaces warnings or blocking checks so issues can be resolved before attackers exploit them.

Repository Configuration Section
You can configure check behavior on a per-repository basis:
Repository: Lists all repositories in your organization
Harden Runner Baseline: Enable/disable baseline checks for each repository
Required Checks: Enable/disable required check enforcement per repository
Optional Checks: Enable/disable optional checks per repository