Orchestrate Security
Orchestrate Security analyzes your GitHub Actions workflows against security best practices and automatically fixes the gaps it finds. You choose the scope (a single workflow, a full repository, or your entire organization) and StepSecurity handles the remediation.
Tools
All workflows in a repository: Analyze an entire repo and generate a single PR with all fixes
Organization-wide: Define policies centrally and get automated PRs or Issues across all selected repositories (Enterprise Tier only)
What Gets Fixed
Across all three tools, StepSecurity can apply the following security enhancements to your workflows and repositories:
Restrict GITHUB_TOKEN permissions to least privilege
Add Harden-Runner for runtime security monitoring
Pin GitHub Actions to full-length commit SHAs
Pin Docker image tags to immutable digests
Update or create Dependabot configuration
Add CodeQL static analysis (SAST)
Add Dependency Review for PR-level vulnerability scanning
Add OpenSSF Scorecard for security posture scoring
Update pre-commit hook configuration
For details on each enhancement — including what the fixes look like, exemption options, and configuration — see the individual tool pages above.
Not every tool applies every enhancement. Secure Workflow focuses on workflow-level fixes (permissions, Harden-Runner, SHA pinning), while Secure Repo and Policy-Driven PRs cover the full set, including Dependabot, CodeQL, and Scorecard.
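As an added illustration of what these workflow-level checks look for (not StepSecurity's code, and not its remediation logic), the script below audits two constructed workflow files for the gaps listed above: default GITHUB_TOKEN permissions, actions not pinned to a full-length commit SHA, container images not pinned to a digest, and no Harden-Runner step. The 40-hex SHA and the sha256 digest are placeholders, not real commits or images.

```python
import re
# Constructed placeholder, not a real commit SHA.
SHA = "0123456789abcdef0123456789abcdef01234567"

# Constructed workflow with the gaps the page lists: default GITHUB_TOKEN
# permissions, an unpinned action, an unpinned image and no Harden-Runner.
WEAK = """\
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:20
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@%s
""" % SHA

# The same workflow after the fixes; the digest is a constructed placeholder.
HARDENED = """\
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:20@%s
    steps:
      - uses: step-security/harden-runner@%s
      - uses: actions/checkout@%s
""" % ("sha256:" + "0" * 64, SHA, SHA)

USES_RE = re.compile(r"^\s*-\s*uses:\s*([^\s#]+)")
IMAGE_RE = re.compile(r"^\s*image:\s*([^\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return one finding per gap; an empty list means nothing to fix."""
    lines = text.splitlines()
    found = []
    if not any(l.startswith("permissions:") for l in lines):
        found.append("no top-level permissions: GITHUB_TOKEN keeps its default scope")
    for n, line in enumerate(lines, 1):
        if (m := USES_RE.match(line)) and not m.group(1).startswith("./"):
            version = m.group(1).partition("@")[2]  # part after '@', '' if missing
            if not (FULL_SHA.match(version) or version.startswith("sha256:")):
                found.append(f"line {n}: {m.group(1)} is not pinned to a full commit SHA")
        if (m := IMAGE_RE.match(line)) and "@sha256:" not in m.group(1):
            found.append(f"line {n}: image {m.group(1)} is not pinned to a digest")
    if "step-security/harden-runner@" not in text:
        found.append("no Harden-Runner step for runtime security monitoring")
    return found
```

Running `audit_workflow(WEAK)` reports four findings, one for each gap; `audit_workflow(HARDENED)` reports none.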