GitHub Checks

PreviousDetections NextSuppression Rules

Last updated 1 month ago

Was this helpful?

GitHub Checks

This is a new feature. If you installed the StepSecurity Actions Security GitHub App before January 10th, 2025, you will need to accept two new permissions to enable GitHub Checks:

pull_requests: read
checks: write

These permissions are required for StepSecurity App to write checks within GitHub.

This feature integrates Harden-Runner insights into the GitHub Checks UI, providing developers with immediate feedback on outbound network activity.

With this integration, developers no longer need to rely on email or Slack notifications or visit the StepSecurity dashboard to monitor anomalous network calls.

How It Works

To enable GitHub Check for your repositories, follow the instructions provided in this

Pull Request Creation:

When a pull request is created, the StepSecurity Harden Runner Check will display the network monitoring status for all associated workflow runs.

Completion of Workflow Runs:

Once all workflow runs linked to the pull request are completed, the status check will indicate either Pass or Fail:

✅ Pass: No anomalous outbound calls detected.

❌ Fail: At least one anomalous outbound call detected.

Clicking the Details link next to the check provides:

A list of monitored workflow runs.
Links to insights pages for each run.
If the check has failed, a list of anomalous outbound calls detected.

Approving a Failed StepSecurity GitHub Check

This guide explains how to approve a failed StepSecurity GitHub check when an alert is triggered due to unexpected network calls from CI/CD runners.

Step 1: Navigate to the Pull Request

Open the Pull Request (PR) that contains the failed StepSecurity check.

Step 2: Click on the Failed Check

Locate the StepSecurity Harden-Runner check under the failed checks section.
Click on the failed check to view more details.

Step 3: Review the Failure Details and Approve

The check failure page will display details about unexpected network calls detected from the Harden-Runner.
Identify the endpoint and the workflow that triggered the alert.
If you want to approve the check run, click the approval link provided in the failure details.

Step 4: Approve the Check Run

On the approval page, review the detected outbound network calls.
Click “Approve” to confirm that you are aware of the anomalous call.

Step 5: Verify Approval Status

Return to the check run status tab in GitHub.
You will now see that the check has been approved by your GitHub username.

Step 6: Confirm the StepSecurity Check Passed

After approval, the StepSecurity check should now be successful.
The PR is now ready for merging.

View past GitHub Checks

This guide walks you through how to view past GitHub Actions workflow checks using StepSecurity Harden-Runner

Step 1: Navigate to the GitHub Checks Section

Open StepSecurity and go to the Harden Runner section.
Click on GitHub Checks to view a list of all past workflow runs in your organization.

Step 2: View a Specific Check

Locate the workflow check you want to inspect.
Click View Check next to it.

Step 3: Review Check Details

On the Check details page, look for any security alerts or anomalous network activity.
If necessary, approve the Check or take additional security actions.