GitHub Checks

This is a new feature. If you installed the StepSecurity Actions Security GitHub App before January 10th, 2025, you will need to accept two new permissions to enable GitHub Checks:

pull_requests: read
checks: write

These permissions are required for StepSecurity App to write checks within GitHub.

This feature integrates Harden-Runner insights into the GitHub Checks UI, providing developers with immediate feedback on outbound network activity.

With this integration, developers no longer need to rely on email or Slack notifications or visit the StepSecurity dashboard to monitor anomalous network calls.

How It Works

To enable GitHub Check for your repositories, follow the instructions provided in this guide

Pull Request Creation:

When a pull request is created, the StepSecurity Harden Runner Check will display the network monitoring status for all associated workflow runs.

List of GitHub Checks including StepSecurity Harden-Runner check

Completion of Workflow Runs:

Once all workflow runs linked to the pull request are completed, the status check will indicate either Pass or Fail:

✅ Pass: No anomalous outbound calls detected.

❌ Fail: At least one anomalous outbound call detected.

Clicking the Details link next to the check provides:

A list of monitored workflow runs.
Links to insights pages for each run.
If the check has failed, a list of anomalous outbound calls detected.

StepSecurity Harden-Runner Check showing the report

Approving a Failed StepSecurity GitHub Check

This guide explains how to approve a failed StepSecurity GitHub check when an alert is triggered due to unexpected network calls from CI/CD runners.

Step 1: Navigate to the Pull Request

Open the Pull Request (PR) that contains the failed StepSecurity check.

StepSecurity Harden-Runner Check failing in a PR

Step 2: Click on the Failed Check

Locate the StepSecurity Harden-Runner check under the failed checks section.
Click on the failed check to view more details.

Step 3: Review the Failure Details and Approve

The check failure page will display details about unexpected network calls detected from the Harden-Runner.
Identify the endpoint and the workflow that triggered the alert.
If you want to approve the check run, click the approval link provided in the failure details.

Step 4: Approve the Check Run

On the approval page, review the detected outbound network calls.
Click “Approve” to confirm that you are aware of the anomalous call.

Step 5: Verify Approval Status

Return to the check run status tab in GitHub.
You will now see that the check has been approved by your GitHub username.

Step 6: Confirm the StepSecurity Check Passed

After approval, the StepSecurity check should now be successful.
The PR is now ready for merging.

StepSecurity Harden-Runner check successful

View past GitHub Checks

This guide walks you through how to view past GitHub Actions workflow checks using StepSecurity Harden-Runner

Step 1: Navigate to the GitHub Checks Section

Open StepSecurity and go to the Harden Runner section.
Click on GitHub Checks to view a list of all past workflow runs in your organization.

Step 2: View a Specific Check

Locate the workflow check you want to inspect.
Click View Check next to it.

Step 3: Review Check Details

On the Check details page, look for any security alerts or anomalous network activity.
If necessary, approve the Check or take additional security actions.

Step 4: Apply Filters to Find Specific Checks

You can refine the list of checks by applying filters:

Filter by Conclusion (Success or Failure)

Click the Conclusion dropdown.
Select:
- Success to view successful runs.
- Failure to see failed checks.
- All to view everything.

StepSecurity GitHub Checks page showing different conclusions

Filter by Repository

Click the Select Repository dropdown.
Choose a specific repository to view only its checks.

StepSecurity GitHub Checks page showing all the repositories

PreviousDetections NextSuppression Rules

Last updated 2 months ago

Was this helpful?