Secure Workflow


Last updated 2 months ago


The Secure Workflow feature in StepSecurity helps improve the security of GitHub Actions workflows by applying industry best practices. With a single click, users can harden their workflow configurations, restrict unnecessary permissions, and enhance security without manually modifying YAML files.

Key Features

  • Restrict permissions for GITHUB_TOKEN to follow the principle of least privilege.

  • Add StepSecurity's Harden-Runner security agent for monitoring and controlling the GitHub-hosted runner.

  • Pin all GitHub Actions to full-length commit SHAs to prevent supply chain attacks.

How to Secure Your GitHub Actions Workflow

Step 1: Access the StepSecurity Dashboard

  • Open “Secure Workflow” under the Orchestrate Security section in your StepSecurity dashboard.

Step 2: Paste Your Workflow File

  • Copy your GitHub Actions workflow file and paste it into the editor on the StepSecurity tool interface.

Step 3: Click on the “Secure Workflow” Button

  • Click the “Secure Workflow” button.

  • The tool will automatically enhance the security of your workflow by applying recommended settings:

    • Restrict permissions for GITHUB_TOKEN.

    • Pin actions to full-length commit SHAs.

Step 4: Review and Apply the Suggested Changes

  • The tool will show a diff view of your original workflow versus the secure version.

  • Key enhancements include:

    • Adjusted permissions to follow the principle of least privilege.

    • Integration of the StepSecurity Harden Runner with an audit egress policy.

    • Pinning all GitHub Actions to specific commit SHAs for better security.

Step 5: Save and Commit the Changes

  • After reviewing the updates, copy the secure workflow provided by the platform.

  • Apply the updated workflow manually to your repository by pasting it into the appropriate file in your project.
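As an added example (not StepSecurity's own code), the following Python script checks a workflow file for the three properties the Secure Workflow tool applies: a top-level `permissions:` block for GITHUB_TOKEN, a Harden-Runner step, and every action pinned to a full-length commit SHA. It reads the YAML line by line rather than with a full parser, and the sample workflows and the placeholder SHA are constructed for illustration.

```python
import re

# Constructed sample workflows (not from the page). PLACEHOLDER_SHA stands in
# for a real full-length commit SHA; it is not a real pinned commit.
PLACEHOLDER_SHA = "0" * 40
UNHARDENED = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
"""
HARDENED = f"""\
name: ci
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@{PLACEHOLDER_SHA}
        with:
          egress-policy: audit
      - uses: actions/checkout@{PLACEHOLDER_SHA}
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def check_workflow(text):
    """Return findings for the three Secure Workflow checks: a top-level
    permissions block, a Harden-Runner step, and full-length SHA pins."""
    findings = []
    lines = text.splitlines()
    # An unindented 'permissions:' key scopes GITHUB_TOKEN for the whole run.
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append("missing top-level permissions block for GITHUB_TOKEN")
    uses = [m.group(1) for ln in lines if (m := USES_RE.match(ln))]
    if not any(u.startswith("step-security/harden-runner@") for u in uses):
        findings.append("no step-security/harden-runner step")
    for ref in uses:
        if ref.startswith(("./", "docker://")):
            continue  # local and container actions are not SHA-pinned
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"{action} is not pinned to a commit SHA ({version or 'no ref'})")
    return findings
```

Running `check_workflow(UNHARDENED)` reports all three gaps, while `check_workflow(HARDENED)` returns no findings; a real YAML parser would be needed for quoted or multi-line `uses:` values.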
