GitHub Checks

This is a new feature. If you installed the StepSecurity Actions Security GitHub App before January 10th, 2025, you will need to accept two new permissions to enable GitHub Checks:

  • pull_requests: read

  • checks: write

These permissions are required for the StepSecurity App to write checks in GitHub.

This feature integrates Harden-Runner insights into the GitHub Checks UI, providing developers with immediate feedback on outbound network activity.

With this integration, developers no longer need to rely on email or Slack notifications or visit the StepSecurity dashboard to monitor anomalous network calls.

How It Works

To enable GitHub Checks for your repositories, follow the instructions provided in this guide.

  1. Pull Request Creation:

When a pull request is created, the StepSecurity Harden Runner Check will display the network monitoring status for all associated workflow runs.

List of GitHub Checks including StepSecurity Harden-Runner check
  2. Completion of Workflow Runs:

Once all workflow runs linked to the pull request are completed, the status check will indicate either Pass or Fail:

✅ Pass: No anomalous outbound calls detected.

❌ Fail: At least one anomalous outbound call detected.

  3. Clicking the Details link next to the check provides:

  • A list of monitored workflow runs.

  • Links to insights pages for each run.

  • If the check has failed, a list of anomalous outbound calls detected.

StepSecurity Harden-Runner Check showing the report
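The pass/fail logic described in the three steps above, modelled as an added example (this is not StepSecurity's code). The payload field names follow the GitHub REST API for check runs, which is what the checks: write permission grants; the OutboundCall and WorkflowRun types, the insights URLs and the call data are all constructed for illustration.

```python
# Added illustration of the Harden-Runner check logic; not StepSecurity's code.
# Payload keys follow the GitHub REST check-runs API; telemetry types, URLs and calls are constructed.
from dataclasses import dataclass, field


@dataclass
class OutboundCall:
    destination: str   # host:port the job connected to
    process: str       # process that opened the connection
    anomalous: bool    # True when the destination is outside the run's allowed baseline


@dataclass
class WorkflowRun:
    run_id: int
    workflow: str
    completed: bool
    insights_url: str
    calls: list = field(default_factory=list)


def build_check_run(head_sha: str, runs: list, approved_by: str = None) -> dict:
    """Derive the single check-run payload for a PR head commit from its workflow runs."""
    payload = {"name": "StepSecurity Harden-Runner", "head_sha": head_sha}
    # While any linked run is still going, the check stays in progress with no conclusion.
    if not all(r.completed for r in runs):
        done = sum(r.completed for r in runs)
        payload["status"] = "in_progress"
        payload["output"] = {"title": "Monitoring network activity", "summary": f"{done}/{len(runs)} runs done"}
        return payload
    anomalous = [(r, c) for r in runs for c in r.calls if c.anomalous]
    lines = [f"- {r.workflow} (run {r.run_id}): {r.insights_url}" for r in runs]
    if anomalous:
        lines.append("Anomalous outbound calls:")
        lines += [f"- {c.process} -> {c.destination} ({r.workflow})" for r, c in anomalous]
    payload["status"] = "completed"
    if not anomalous:
        payload["conclusion"], title = "success", "No anomalous outbound calls detected"
    elif approved_by:
        # A reviewer explicitly accepted the flagged calls; record who did so.
        payload["conclusion"], title = "success", f"Approved by @{approved_by}"
    else:
        payload["conclusion"], title = "failure", f"{len(anomalous)} anomalous outbound call(s) detected"
    payload["output"] = {"title": title, "summary": title, "text": "\n".join(lines)}
    return payload


# Constructed sample: two completed runs for one PR, one with an unexpected destination.
SAMPLE_RUNS = [
    WorkflowRun(101, "build", True, "https://app.example/insights/101",
                [OutboundCall("github.com:443", "git", False)]),
    WorkflowRun(102, "test", True, "https://app.example/insights/102",
                [OutboundCall("api.npmjs.org:443", "npm", False),
                 OutboundCall("203.0.113.7:8080", "node", True)]),
]
```

Calling build_check_run("<sha>", SAMPLE_RUNS) yields a failure conclusion whose text lists the node process reaching 203.0.113.7:8080; passing approved_by flips it to success with the approver recorded in the title.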

Approving a Failed StepSecurity GitHub Check

This guide explains how to approve a failed StepSecurity GitHub check when an alert is triggered due to unexpected network calls from CI/CD runners.

Step 1: Navigate to the Pull Request

  • Open the Pull Request (PR) that contains the failed StepSecurity check.

StepSecurity Harden-Runner Check failing in a PR

Step 2: Click on the Failed Check

  • Locate the StepSecurity Harden-Runner check under the failed checks section.

  • Click on the failed check to view more details.

StepSecurity Harden-Runner Check failing in a PR

Step 3: Review the Failure Details and Approve

  • The check failure page will display details about the unexpected network calls detected by Harden-Runner.

  • Identify the endpoint and the workflow that triggered the alert.

  • If you want to approve the check run, click the approval link provided in the failure details.

StepSecurity Harden-Runner failed check

Step 4: Approve the Check Run

  • On the approval page, review the detected outbound network calls.

  • Click “Approve” to confirm that you are aware of the anomalous call.

StepSecurity Insights page

Step 5: Verify Approval Status

  • Return to the check run status tab in GitHub.

  • You will now see that the check has been approved by your GitHub username.

StepSecurity Harden-Runner check

Step 6: Confirm the StepSecurity Check Passed

  • After approval, the StepSecurity check should now be successful.

  • The PR is now ready for merging.

StepSecurity Harden-Runner check successful

View past GitHub Checks

This guide walks you through how to view past GitHub Actions workflow checks using StepSecurity Harden-Runner.

Step 1: Navigate to the GitHub Checks Section

  • Open StepSecurity and go to the Harden Runner section.

  • Click on GitHub Checks to view a list of all past workflow runs in your organization.

StepSecurity GitHub Checks page

Step 2: View a Specific Check

  • Locate the workflow check you want to inspect.

  • Click View Check next to it.

StepSecurity GitHub Checks page

Step 3: Review Check Details

  • On the Check details page, look for any security alerts or anomalous network activity.

  • If necessary, approve the Check or take additional security actions.

StepSecurity Harden-Runner check page

Step 4: Apply Filters to Find Specific Checks

You can refine the list of checks by applying filters:

  1. Filter by Conclusion (Success or Failure)

  • Click the Conclusion dropdown.

  • Select:

    • Success to view successful runs.

    • Failure to see failed checks.

    • All to view everything.

StepSecurity GitHub Checks page showing different conclusions

  2. Filter by Repository

  • Click the Select Repository dropdown.

  • Choose a specific repository to view only its checks.

StepSecurity GitHub Checks page showing all the repositories
