Secure Workflow

The Secure Workflow feature in StepSecurity helps improve the security of GitHub Actions workflows by applying industry best practices. With a single click, users can harden their workflow configurations, restrict unnecessary permissions, and enhance security without manually modifying YAML files.

Key Features

  • Restrict permissions for GITHUB_TOKEN to follow the principle of least privilege.

  • Add StepSecurity's Harden-Runner security agent for monitoring and controlling the GitHub-hosted runner.

  • Pin all GitHub Actions to full-length commit SHAs to prevent supply chain attacks.

How to Secure Your GitHub Actions Workflow

Step 1: Access the StepSecurity Dashboard

  • Visit StepSecurity Secure Workflow or navigate to “Secure Workflow” under the Orchestrate Security section in your StepSecurity dashboard.

Step 2: Paste Your Workflow File

  • Copy your GitHub Actions workflow file and paste it into the editor on the StepSecurity tool interface.


Step 3: Click on the “Secure Workflow” Button

  • Click the “Secure Workflow” button.

  • The tool will automatically enhance the security of your workflow by applying recommended settings:

    • Restrict permissions for GITHUB_TOKEN.

    • Add Harden-Runner for the GitHub-hosted runner.

    • Pin actions to full-length commit SHAs.


Step 4: Review and Apply the Suggested Changes

  • The tool will show a diff view of your original workflow versus the secure version.

  • Key enhancements include:

    • Adjusted permissions to follow the principle of least privilege.

    • Integration of the StepSecurity Harden Runner with an audit egress policy.

    • Pinning all GitHub Actions to full-length commit SHAs for better security.
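The three changes listed under Key Features and in the diff view above can be seen side by side in a small added example. It is not StepSecurity's code or output: both workflow texts are constructed samples, the 40-character SHAs are placeholders (a real pin is the full commit SHA of the action release you reviewed), and the check_workflow function is a text-based checker written here to confirm that a workflow carries a top-level permissions block, a step-security/harden-runner step, and SHA-pinned action references.

```python
import re

# Constructed sample (not from the page): a typical unhardened workflow.
UNHARDENED = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci && npm test
"""

# Constructed sample: the same workflow after the three hardening measures.
# The SHAs below are placeholders; replace each with the full commit SHA of
# the action version you reviewed.
HARDENED = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          egress-policy: audit
      - uses: actions/checkout@1111111111111111111111111111111111111111 # placeholder SHA
      - uses: actions/setup-node@2222222222222222222222222222222222222222 # placeholder SHA
      - run: npm ci && npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PIN_RE = re.compile(r"@[0-9a-f]{40}$")


def check_workflow(text: str) -> dict:
    """Report which of the three hardening measures a workflow text satisfies.

    Deliberately line-based so it needs no YAML parser. It checks for
    - a top-level (column-0) permissions: block,
    - a step-security/harden-runner step,
    - every external action reference pinned to a 40-hex commit SHA.
    """
    lines = text.splitlines()
    has_permissions = any(line.startswith("permissions:") for line in lines)
    uses_refs = [m.group(1) for line in lines if (m := USES_RE.match(line))]
    has_harden_runner = any(ref.startswith("step-security/harden-runner@") for ref in uses_refs)
    # Local actions (./path) and docker:// references are not SHA-pinnable; skip them.
    external = [ref for ref in uses_refs if not ref.startswith(("./", "docker://"))]
    unpinned = [ref for ref in external if not SHA_PIN_RE.search(ref)]
    return {
        "restricted_permissions": has_permissions,
        "harden_runner": has_harden_runner,
        "all_actions_sha_pinned": not unpinned,
        "unpinned_actions": unpinned,
    }


if __name__ == "__main__":
    for label, text in (("before", UNHARDENED), ("after", HARDENED)):
        print(label, check_workflow(text))
```

Running the script shows the unhardened sample failing all three checks (with actions/checkout@v4 and actions/setup-node@v4 reported as unpinned) and the hardened sample passing; the same checks are a quick sanity test on the workflow you copy out of the diff view before committing it.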


Step 5: Save and Commit the Changes

  • After reviewing the updates, copy the secure workflow provided by the platform.

  • Apply the updated workflow manually to your repository by pasting it into the appropriate file in your project.
