# Orchestrate Security

Orchestrate Security analyzes your GitHub Actions workflows against security best practices and automatically fixes the gaps it finds. You choose the scope (a single workflow, a full repository, or your entire organization) and StepSecurity handles the remediation.

### Tools

| Tool                                                                                     | Scope                         | Description                                                                                                      |
| ---------------------------------------------------------------------------------------- | ----------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| [Secure Workflow](https://docs.stepsecurity.io/orchestrate-security/secure-workflow)     | Single workflow               | Paste a workflow file and get a hardened version back instantly                                                  |
| [Secure Repo](https://docs.stepsecurity.io/orchestrate-security/secure-repo)             | All workflows in a repository | Analyze an entire repo and generate a single PR with all fixes                                                   |
| [Policy-Driven PRs](https://docs.stepsecurity.io/orchestrate-security/policy-driven-prs) | Organization-wide             | Define policies centrally, get automated PRs or Issues across all selected repositories *(Enterprise Tier only)* |

### What Gets Fixed

Across all three tools, StepSecurity can apply the following security enhancements to your workflows and repositories:

* Restrict `GITHUB_TOKEN` permissions to least privilege
* Add [Harden-Runner](https://docs.stepsecurity.io/harden-runner) for runtime security monitoring
* Pin GitHub Actions to full-length commit SHAs
* Pin Docker image tags to immutable digests
* Update or create [Dependabot](https://docs.github.com/en/code-security/dependabot) configuration
* Add [CodeQL](https://codeql.github.com/) static analysis (SAST)
* Add [Dependency Review](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) for PR-level vulnerability scanning
* Add [OpenSSF Scorecard](https://securityscorecards.dev/) for security posture scoring
* Update [pre-commit](https://pre-commit.com/) hook configuration

For details on each enhancement — including what the fixes look like, exemption options, and configuration — see the individual tool pages above.
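To make the enhancements in the list concrete, here is an added example (not StepSecurity's code, and not how its tools are implemented) that scans a GitHub Actions workflow for the first four gaps above and emits a hardened copy: it adds a read-only top-level `permissions` block, inserts a Harden-Runner step as the first step of each job, rewrites action refs to full-length commit SHAs, and pins a container image to a digest. The workflow, the tag-to-SHA map and the image digest are constructed placeholders; a real pinning tool resolves them from the GitHub API and the registry, and the script parses YAML with line-level regexes rather than a full YAML parser.

```python
import re

# Constructed sample workflow (not from the page) showing the gaps the tools fix:
# no permissions block, no Harden-Runner, tag-pinned actions, tag-pinned image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:20
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test
"""

# Hypothetical tag -> commit SHA map. The SHAs are placeholders; a real tool
# resolves each tag through the GitHub API before pinning.
PIN_MAP = {
    "actions/checkout@v4": "0123456789abcdef0123456789abcdef01234567",
    "actions/setup-node@v4": "89abcdef0123456789abcdef0123456789abcdef",
    "step-security/harden-runner@v2": "fedcba9876543210fedcba9876543210fedcba98",
}
# Placeholder image digest; a real tool reads it from the registry manifest.
DIGEST_MAP = {"node:20": "sha256:" + "ab" * 32}

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo[/path]@ref`, with an optional trailing `# comment`
USES_RE = re.compile(r"^(\s*-?\s*uses:\s*)([\w.-]+/[\w./-]+)@([^\s#]+)\s*(#.*)?$")
IMAGE_RE = re.compile(r"^(\s*image:\s*)(\S+)\s*$")


def find_gaps(workflow: str) -> list[str]:
    """Return one human-readable finding per gap in the workflow text."""
    lines = workflow.splitlines()
    gaps = []
    if not any(re.match(r"^permissions:", l) for l in lines):
        gaps.append("no top-level permissions block: GITHUB_TOKEN keeps its default scope")
    if not any("step-security/harden-runner@" in l for l in lines):
        gaps.append("no Harden-Runner step: runner egress is not monitored")
    for line in lines:
        m = USES_RE.match(line)
        if m and not FULL_SHA.match(m.group(3)):
            gaps.append(f"action {m.group(2)}@{m.group(3)} is pinned to a mutable ref, not a commit SHA")
        m = IMAGE_RE.match(line)
        if m and "@sha256:" not in m.group(2):
            gaps.append(f"image {m.group(2)} uses a mutable tag, not an immutable digest")
    return gaps


def harden(workflow: str) -> str:
    """Apply the four fixes and return the hardened workflow text."""
    lines = workflow.splitlines()
    has_permissions = any(re.match(r"^permissions:", l) for l in lines)
    has_runner = any("step-security/harden-runner@" in l for l in lines)
    out = []
    for i, line in enumerate(lines):
        # 1. Least-privilege token: a read-only block before `jobs:` applies to every job.
        if line.startswith("jobs:") and not has_permissions:
            out.extend(["permissions:", "  contents: read", ""])
        out.append(line)
        # 2. Harden-Runner as the first step of each job; indentation copied from the next line.
        if re.match(r"^\s*steps:\s*$", line) and not has_runner and i + 1 < len(lines):
            indent = re.match(r"^\s*", lines[i + 1]).group(0)
            out.extend([f"{indent}- uses: step-security/harden-runner@v2",
                        f"{indent}  with:",
                        f"{indent}    egress-policy: audit"])
    pinned = []
    for line in out:
        # 3. Actions: replace the tag with its SHA and keep the tag as a comment for readability.
        m = USES_RE.match(line)
        if m and not FULL_SHA.match(m.group(3)):
            key = f"{m.group(2)}@{m.group(3)}"
            if key in PIN_MAP:
                line = f"{m.group(1)}{m.group(2)}@{PIN_MAP[key]} # {m.group(3)}"
        # 4. Container images: append the immutable digest.
        m = IMAGE_RE.match(line)
        if m and "@sha256:" not in m.group(2) and m.group(2) in DIGEST_MAP:
            line = f"{m.group(1)}{m.group(2)}@{DIGEST_MAP[m.group(2)]}"
        pinned.append(line)
    return "\n".join(pinned) + "\n"


if __name__ == "__main__":
    for gap in find_gaps(SAMPLE_WORKFLOW):
        print("-", gap)
    print(harden(SAMPLE_WORKFLOW))
```

Running the script lists five findings for the sample and then prints a workflow on which `find_gaps` reports nothing. The `egress-policy: audit` input is Harden-Runner's real audit mode; switching to `block` once the observed endpoints are known is a policy decision for the repository owner, which is why the example leaves it in audit.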

{% hint style="info" %}
Not every tool applies every enhancement. [Secure Workflow](https://docs.stepsecurity.io/orchestrate-security/secure-workflow) focuses on workflow-level fixes (permissions, Harden-Runner, SHA pinning), while [Secure Repo](https://docs.stepsecurity.io/orchestrate-security/secure-repo) and [Policy-Driven PRs](https://docs.stepsecurity.io/orchestrate-security/policy-driven-prs) cover the full set, including Dependabot, CodeQL, and Scorecard.
{% endhint %}

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stepsecurity.io/orchestrate-security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language. The response contains a direct answer to the question along with relevant excerpts and their sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
