# Baseline

Baseline monitoring is the practice of establishing what normal external network calls your CI/CD workflows typically make, and then monitoring for deviations that might indicate a security breach.

At its core, it helps answer the question: *“Is this job making expected and safe outbound network calls?”*

### Baseline Status Categories

Each monitored resource, such as a job or repository, is evaluated for the predictability of its network activity. This evaluation helps uncover anomalies that could signal security issues.

Each resource can be in one of the following baseline states:

* Creating – The system is still collecting data to determine the resource’s baseline behavior.
* Stable – The resource’s network activity is predictable and consistent. A resource is considered stable once it has completed 100 runs without baseline changes.
* Unstable – The resource’s network activity is erratic and prone to triggering frequent alerts. If the baseline has changed within the last 50 runs, the resource is classified as unstable.

{% hint style="info" %}
**Note**: You can configure baseline thresholds based on either the [**number of runs**](https://docs.stepsecurity.io/admin-console/settings/anomaly-detection#run-based-detection) or the [**number of days**](https://docs.stepsecurity.io/admin-console/settings/anomaly-detection#time-based-detection).
{% endhint %}
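
The state rules above can be replayed over a job's run history to see when each status applies. This is an added example, not StepSecurity's implementation: the `JobBaseline` class, the `(host, port)` representation, and the sample hostnames are assumptions, as are seeding the baseline from the first run and treating 50 to 99 quiet runs after a change as Creating, a case the page does not name.

```python
from dataclasses import dataclass, field

STABLE_RUNS = 100      # page: Stable after 100 runs without baseline changes
UNSTABLE_WINDOW = 50   # page: Unstable if the baseline changed in the last 50 runs

@dataclass
class JobBaseline:  # hypothetical name, not a StepSecurity API
    endpoints: set = field(default_factory=set)  # (host, port) pairs seen so far
    runs: int = 0
    last_change_run: int = 0  # run number that last added a destination

    def observe(self, destinations):
        """Record one run; return destinations that deviate from the baseline."""
        self.runs += 1
        seen = set(destinations)
        if self.runs == 1:            # assumption: the first run seeds the baseline
            self.endpoints = seen
            return set()
        new = seen - self.endpoints
        if new:
            self.endpoints |= new
            self.last_change_run = self.runs
        return new

    def status(self):
        since_change = self.runs - self.last_change_run
        if since_change >= STABLE_RUNS:
            return "Stable"
        if self.runs >= STABLE_RUNS and since_change < UNSTABLE_WINDOW:
            return "Unstable"
        # Fewer than 100 runs, or 50-99 quiet runs after a change. The page does
        # not name the second case; treating it as Creating is an assumption.
        return "Creating"

def replay(job, run_history):
    """Feed runs in order; return [(run_number, new_destinations)] for deviations."""
    alerts = []
    for destinations in run_history:
        new = job.observe(destinations)
        if new:
            alerts.append((job.runs, sorted(new)))
    return alerts

# Constructed sample data: the usual destinations, and a run with one extra host.
NORMAL = [("github.com", 443), ("registry.npmjs.org", 443)]
ODD = NORMAL + [("unexpected.example.net", 443)]
```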

### Baseline Coverage at StepSecurity

StepSecurity applies baseline monitoring to four distinct resource types within your CI/CD environment:

#### Jobs

The Jobs tab provides detailed insights into individual workflow jobs and their external network destinations. You can:

* View each job’s Baseline Status (Stable, Unstable, Creating)
* See the Sample Size, which indicates how many runs were used to calculate the baseline. A minimum of 100 runs is required.
* Track Baseline Changes to know when and why the baseline last changed
* Access the underlying Workflow File, and jump directly to Workflow Runs or Log Samples for investigation
* Generate a [policy](https://docs.stepsecurity.io/policy-store#alternative-way-of-creating-policies) directly from the endpoints observed in a specific job, or export those endpoints to a text file for further analysis.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FaONZPY742hBjckU6YqPI%2FScreenshot%202025-10-08%20at%2000.55.24.png?alt=media&#x26;token=0c8a7c44-f056-41df-be6d-b965d8484719" alt=""><figcaption></figcaption></figure>

**Network Insights per Job**

For each destination contacted by a job, you can view:

* The domain/IP
* Port used (e.g., 443)
* Whether the destination is allowed
* First seen / Last contacted timestamps
* Total number of calls (if available)
* Links to workflow runs making those calls

#### Repositories

The Repositories tab aggregates baseline data across all jobs and workflows within a specific repository. It offers the same insights as the Jobs tab, but from a repository-wide perspective. This helps identify broader behavioral patterns and anomalies.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FN8uRioUbt3ItcWuxtgUw%2FScreenshot%202025-10-08%20at%2000.55.34.png?alt=media&#x26;token=2567bc3e-7ab3-4cc9-a1d2-a63b79bed6dd" alt=""><figcaption></figcaption></figure>

#### ARC Clusters

For environments that use ARC-managed self-hosted runners, the ARC Clusters view lets you monitor network behavior trends. You can see:

* Which destinations self-hosted runners are contacting
* Workflow runs that interacted with those destinations

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FjE8snPq6CPCzaGL25F5w%2FScreenshot%202025-10-08%20at%2000.56.00.png?alt=media&#x26;token=125bca2b-612e-44b2-ae99-fac610589d0a" alt=""><figcaption></figcaption></figure>

#### GitHub Organization

This view aggregates baseline data across all jobs and repositories in your GitHub organization. It enables organization-wide monitoring to detect systemic threats or changes.

You can:

* View all external destinations contacted by any job across the organization
* See job counts for each destination
* Drill into specific workflow runs using the Sample Workflow Runs option
* Detect organization-wide issues, such as unexpected domain access or behavioral shifts
* Generate policies directly from the endpoints observed in the organization

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FdBVS1lzTOFVf8K0yb4Gt%2FScreenshot%202025-10-08%20at%2000.58.48.png?alt=media&#x26;token=c1e70bf5-dedd-4946-aa94-a39a4f9914a2" alt=""><figcaption></figcaption></figure>

