StepSecurity
ResourcesCompanyPricingInstall StepSecurity AppLogin
  • Introduction
  • Getting Started
    • Quickstart (Community Tier)
      • Getting Started with Secure Workflow
      • Getting Started with Secure Repo
      • Getting Started with Harden Runner
    • Quickstart (Enterprise Tier)
  • Guides
    • How to enable network and runtime monitoring (Harden-Runner) for runners
    • How to restrict network connections to explicitly allowed endpoints
    • How do I authenticate with the StepSecurity app
    • How should I improve the security of third-party actions in my organization
    • How should I reduce the number of Harden-Runner anomalous endpoint alerts
    • How can developers see and fix StepSecurity findings without security’s help?
  • Overview
  • Harden-Runner
    • Workflow Runs
    • All Destinations
    • Detections
    • GitHub Checks
    • Suppression Rules
    • Policy Store
    • Self-Hosted Runners
    • Runbooks
      • Anomalous Outbound Network Calls
      • How to Determine Minimum Token Permissions
  • Orchestrate Security
    • Policy Driven PRs
    • Secure Workflow
    • Secure Repo
    • Pull Requests
  • Run Policies
    • Policies
    • Policy Evaluations
  • Artifact Monitor
  • Actions Secret
  • Actions
    • GitHub Actions In Use
    • Reusable Workflows
    • GitHub Actions Score
    • StepSecurity Maintained Actions
  • Settings
    • Notifications
    • Self-Hosted Runners
    • API Key
    • GitHub Checks
    • Control Evaluation
  • Admin Console
    • Resources
    • S3 Integration
    • Members
    • Security & Auth
      • Setting Up Google SSO
      • Setting Up Okta SSO
      • Setting Up Microsoft Entra (Azure AD)
    • Audit Logs
  • Partnerships
    • RunsOn
  • Who's Using Harden-Runner?
  • Enterprise Readiness
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. Harden-Runner

Policy Store

PreviousSuppression RulesNextSelf-Hosted Runners

Last updated 1 month ago

Was this helpful?

The policy store holds a collection of customized policies for your workflows, allowing you to easily manage and update policies in a single location.

Steps To Create and Use a Policy

Step 1: Navigate to the Policy Store

  • Open StepSecurity, then navigate to the Harden Runner section and click on Policy Store

StepSecurity Policy Store page

Step 2: Click "Create policy"

Step 3: Create a New Policy

  • Enter a policy name.

  • Configure the policy settings (e.g., allowed endpoints, telemetry settings).

  • Click Add Policy to save.

Step 4: Apply the Policy in Your Workflow

  • Remove any existing manual policy configurations.

  • Add the policy name under the Harden Runner step.

  • Ensure id-token: write permission is explicitly set in your workflow file. This permission is required to authenticate with the StepSecurity backend API and fetch the policy.

Here’s an example:

name: CI

on:
  pull_request:

permissions:
  contents: read
  id-token: write

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
      with:
        policy: Test-policy

Step 5: Verify the Integration

  • Run a test workflow to ensure the policy is applied correctly.

StepSecurity Policy Store page
StepSecurity Policy Store page
StepSecurity Policy Store page
StepSecurity Policy Store page
StepSecurity Policy Store page showing how to create a new policy