Policy Driven PRs
Available for Enterprise Tier only
This allows you to automate security remediation across your repositories by either creating GitHub Issues to track vulnerabilities or automatically generating Pull Requests to fix them.
With this setting, you can configure how StepSecurity responds when security misconfigurations or vulnerabilities are detected in your workflows or repositories.

You can also edit the PR template to customize it as needed by clicking “Edit PR template”.

We recommend keeping the placeholder below unchanged so that actual security fixes are displayed correctly:
## Security Fixes
{{STEPSECURITY_SECURITY_FIXES}}
Remediation Options
Choose how StepSecurity should remediate the vulnerabilities:
Pull Requests: Automatically generates PRs that fix security issues (e.g., hardening actions, updating tags).
GitHub Issues: Automatically creates GitHub Issues to track and discuss detected security vulnerabilities.
Controls
These controls enable automatic detection and remediation of specific risks:
Harden GitHub-Hosted Runner: Ensures Harden-Runner is installed on GitHub-hosted runners to:
Prevent exfiltration of credentials
Monitor the build process
Detect compromised dependencies
Pin Actions to Full-Length Commit SHA: GitHub Action tags and Docker tags are mutable, which poses a security risk. GitHub’s Security Hardening Guide recommends pinning actions to full-length commit SHAs for better security.
You can exempt specific actions using the Exempted Actions input (e.g., actions/checkout@v3 or actions/*).
Restrict GitHub Token Permissions: GitHub Actions workflows have read/write permissions by default, which can pose a security risk. It is recommended to restrict permissions to the minimum required.
Pin image tags to digests in Dockerfiles: Docker tags are mutable, so use digests in place of tags when pulling images.
Replace third-party actions with StepSecurity-maintained actions: Use secure, audited GitHub Actions maintained by StepSecurity to reduce supply chain risks.
Update Dependabot configuration: With Dependabot version updates enabled, Dependabot raises a pull request to update the manifest to the latest dependency version whenever it identifies an outdated dependency.
Update the pre-commit configuration: Pre-commit hooks are useful for enforcing code quality, code formatting, and detecting security vulnerabilities.
Add GitHub Actions from the Workflows Templates: Add workflows that are part of the organization's recommended set and were previously missing from the repository.
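As an added example (not StepSecurity's own code), the following Python checker applies the “Pin Actions to Full-Length Commit SHA” and “Restrict GitHub Token Permissions” checks to a workflow file and honours an exemption list in the same form as the Exempted Actions input (actions/checkout@v3 or actions/*). The sample workflow and its 40-hex SHA are constructed, and the line-based matching is an assumption that stands in for a real YAML parser.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample workflow (not from the page); the 40-hex SHA is illustrative only.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/some-action@main
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full-length commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def is_exempt(ref, exemptions):
    """Exemptions are an exact ref (actions/checkout@v3) or a repo wildcard (actions/*)."""
    name = ref.rsplit("@", 1)[0]
    return any(fnmatchcase(ref, p) or fnmatchcase(name, p) for p in exemptions)

def find_unpinned_actions(workflow, exemptions=()):
    """Return 'uses:' refs that are not pinned to a full-length commit SHA."""
    unpinned = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith(("./", "docker://")):
            continue  # local actions and Docker images are out of scope here
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if SHA_RE.match(version) or is_exempt(ref, exemptions):
            continue
        unpinned.append(ref)
    return unpinned

def has_top_level_permissions(workflow):
    """True when the workflow declares a top-level (column 0) permissions: key."""
    return any(l.startswith("permissions:") for l in workflow.splitlines())

def has_harden_runner(workflow):
    """True when any step uses step-security/harden-runner."""
    return any("step-security/harden-runner" in l for l in workflow.splitlines())
```

A missing top-level permissions block means the workflow inherits the default token permissions, so it should be reported alongside any unpinned refs.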
Repository Selection
You can specify which repositories should use this configuration by selecting them individually from the list, or by applying it to All Repositories.
If you select All Repositories, the configuration will apply organization-wide. However, you can still set up repository-level configurations to override the organization-level settings for specific repositories.

Setting Up Repository-Level Configuration
To create a repository-specific configuration that overrides the organization-wide policy:
Step 1: Click the three dots next to the repository you want to configure.

Step 2: Click “Configure repository settings”.

Step 3: Enable “Use repository-level configuration” and customize the settings for that repository as needed.

Repositories with custom configurations will display a “Uses Repo Config” tag next to their name.
