Orchestrate Security


Last updated 2 months ago


The Orchestrate Security section in StepSecurity allows you to analyze your GitHub Actions workflows against security best practices and automatically fix security gaps through automation.

You can use Secure Workflow to fix security issues in a single workflow and Secure Repo to apply fixes across all workflows in a repository.

Once these fixes are applied and merged, they will enforce the following security enhancements:

Restrict Permissions for GITHUB_TOKEN

The GITHUB_TOKEN is an automatically generated secret that grants authenticated access to the GitHub API.

To minimize security risks, StepSecurity enforces the principle of least privilege, restricting token access to only the necessary scopes. This reduces the risk of privilege escalation and unauthorized access.

Add stepsecurity/harden-runner

The Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies.

This ensures that workflows are protected against supply chain attacks and unauthorized data leaks.

Pin Actions to a Full-length Commit SHA

Pinning GitHub Actions to a full-length commit SHA ensures that workflows remain immutable and protected from upstream modifications.

This prevents the risk of a compromised action repository introducing security vulnerabilities. Users should verify that the SHA comes from the official action repository rather than a fork.

StepSecurity also supports pinning to immutable Actions, adding an extra layer of protection to your workflows.

Pin Image Tags to Digests in Dockerfiles

To prevent unauthorized updates and potential supply chain attacks, container images referenced in Dockerfiles are pinned to a specific image digest rather than a mutable tag.

This ensures that images remain consistent and are not silently updated with unverified changes.
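As an added illustration (not code from the StepSecurity docs or product), the Python script below embeds a constructed "before" workflow and the same workflow with the four fixes above applied, and implements a simplified line-based audit for each: a top-level GITHUB_TOKEN permissions block, a harden-runner step, full-length SHA pins, and digest-pinned FROM lines in a Dockerfile. The action name `step-security/harden-runner` and the placeholder SHAs are assumptions; a real pin must be copied from the official action repository.

```python
import re

# Constructed 'before' workflow (not from the StepSecurity docs): mutable tag, default token scopes.
UNHARDENED = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Same workflow with the fixes applied. The 40-hex SHAs are PLACEHOLDERS, not real commits.
HARDENED = """\
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000 # vX.Y.Z
        with:
          egress-policy: audit
      - uses: actions/checkout@1111111111111111111111111111111111111111 # vX.Y.Z
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)@([^\s#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.M | re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def audit_workflow(text: str) -> list[str]:
    """Line-based check of one workflow file; returns findings, empty when all checks pass."""
    findings = []
    if not re.search(r"^permissions:", text, re.M):  # simplified: looks for a top-level block only
        findings.append("no top-level permissions block: GITHUB_TOKEN keeps default scopes")
    uses = USES_RE.findall(text)
    if not any(name.endswith("/harden-runner") for name, _ in uses):
        findings.append("harden-runner not added: no egress monitoring on the runner")
    for name, ref in uses:
        if not SHA_RE.match(ref):
            findings.append(f"{name}@{ref}: mutable ref, not a full-length commit SHA")
    return findings

def audit_dockerfile(text: str) -> list[str]:
    """Return FROM images not pinned to a sha256 digest; build-stage aliases and scratch are skipped."""
    matches = FROM_RE.findall(text)
    aliases = {alias for _, alias in matches if alias}
    return [img for img, _ in matches
            if img not in aliases and img.lower() != "scratch" and not DIGEST_RE.search(img)]
```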

Update Dependabot Configuration

StepSecurity automates the discovery of languages and technologies (e.g., Golang, GitHub Actions, etc.) used in repositories, enabling Dependabot to proactively upgrade dependencies with the latest security patches and improvements.

This automation helps reduce the risk of vulnerabilities caused by outdated third-party libraries.

Add CodeQL Workflow (SAST Tool)

Static Application Security Testing (SAST) scans source code during development to detect security vulnerabilities early in the software development lifecycle.

By proactively identifying potential weaknesses, you can remediate issues before deployment.

Add Dependency Review Workflow

The Dependency Review Workflow scans package version changes in pull requests to detect vulnerabilities introduced by new dependencies.

This provides visibility into potential security risks before merging a PR, helping you maintain a secure software supply chain.

Add OpenSSF Scorecard Workflow

OpenSSF Scorecard evaluates repository security based on multiple heuristics and assigns a security score from 0 to 10.

This helps users understand areas for improvement and strengthen their security posture. Additionally, repositories can display a Scorecard badge to showcase security best practices.

Update Pre-commit Configuration

Pre-commit hooks enforce security by scanning code before it is committed.

This helps detect hardcoded secrets, enforce code quality, and prevent security vulnerabilities at an early stage.
