How should I improve the security of third-party actions in my organization?
Assess the Security of Your GitHub Actions
Before you can improve the security of the Actions you use, you need to know how they score.
Start this interactive demo to assess the security score of your GitHub Actions:
Handling Low-Scoring Actions
If an Action has a low score, you can either:
Replace it with a maintained alternative (if one exists), or
Submit a request for a maintained version if none is currently available.
Start this interactive demo to see how to replace an Action with a low score:
Enforce Safer Defaults Across Your Organization
Replace Third-Party Actions with Maintained Alternatives
You can use Policy Based PRs to replace all the third-party actions in your organization with StepSecurity-maintained actions.
Follow this interactive walkthrough to see how it works:
Enforce Usage Policies with Workflow Run Policies
Allowed Actions Policy
Use the Allowed Actions Workflow Run Policy to define and enforce a list of approved GitHub Actions that can run in your organization.
Follow this interactive walkthrough to see how it works:
Compromised Actions Policy
Use the Compromised Actions Workflow Run Policy to prevent known compromised Actions from executing within your workflows. This ensures that if an Action is found to be vulnerable or malicious, it is blocked immediately across your organization.
Follow this interactive walkthrough to see how it works:
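The two policies above amount to an allowlist check and a denylist check over every `uses:` reference in a workflow. As an added illustration (not StepSecurity's code and not how its Workflow Run Policies are implemented), the following script scans a workflow file for `uses:` lines, flags any action that is on a compromised list, any action that is not on the approved list, and, as a weaker warning, any approved action that is referenced by a tag or branch rather than a full commit SHA. The sample workflow, the action names under `example-org/`, and the 40-character SHA are all constructed placeholders.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample workflow; the example-org actions and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: example-org/deploy-helper@main
      - uses: example-org/compromised-action@v1
      - uses: ./.github/actions/local-step
      - run: npm test
"""

# Hypothetical policy lists standing in for an organization's approved and blocked actions.
ALLOWED_ACTIONS = {"actions/checkout", "actions/setup-node"}
COMPROMISED_ACTIONS = {"example-org/compromised-action"}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" at step or job level, with or without quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


class Finding(NamedTuple):
    line: int
    action: str
    ref: Optional[str]
    reason: str  # "compromised", "not-allowed" or "unpinned"


def parse_uses(action_ref: str):
    """Split 'owner/repo[/path]@ref' into ('owner/repo', ref); ref is None if absent."""
    if "@" in action_ref:
        name, ref = action_ref.rsplit("@", 1)
    else:
        name, ref = action_ref, None
    repo = "/".join(name.split("/")[:2])
    return repo, ref


def check_workflow(text: str, allowed, compromised) -> List[Finding]:
    """Return policy findings for every third-party action referenced in a workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action_ref = m.group(1)
        # Local actions and container images are outside the scope of this check.
        if action_ref.startswith("./") or action_ref.startswith("docker://"):
            continue
        repo, ref = parse_uses(action_ref)
        if repo in compromised:
            findings.append(Finding(lineno, repo, ref, "compromised"))
        elif repo not in allowed:
            findings.append(Finding(lineno, repo, ref, "not-allowed"))
        elif ref is None or not SHA_RE.match(ref):
            findings.append(Finding(lineno, repo, ref, "unpinned"))
    return findings


def should_block(findings: List[Finding]) -> bool:
    """A compromised or unapproved action blocks the run; unpinned refs only warn."""
    return any(f.reason in ("compromised", "not-allowed") for f in findings)


if __name__ == "__main__":
    results = check_workflow(SAMPLE_WORKFLOW, ALLOWED_ACTIONS, COMPROMISED_ACTIONS)
    for f in results:
        print(f"line {f.line}: {f.action}@{f.ref} -> {f.reason}")
    print("block run:", should_block(results))
```

Run against the embedded sample, the script reports the checkout step as unpinned, the deploy helper as not allowed, and the compromised action as blocked; the SHA-pinned setup-node step and the local action produce no findings. A real enforcement point would evaluate these lists at workflow start and fail the run when `should_block` is true.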