# Secure Workflow

The Secure Workflow feature in StepSecurity helps improve the security of GitHub Actions workflows by applying industry best practices. With a single click, users can harden their workflow configurations, restrict unnecessary permissions, and enhance security without manually modifying YAML files.

### Key Features

* Restrict permissions for `GITHUB_TOKEN` to follow the principle of least privilege.
* Add StepSecurity's Harden-Runner security agent for monitoring and controlling the GitHub-hosted runner.
* Pin all GitHub Actions to full-length commit SHAs to prevent supply chain attacks.

### How to Secure Your GitHub Actions Workflow

#### Step 1: Access the StepSecurity Dashboard

* Visit [StepSecurity Secure Workflow](https://app.stepsecurity.io/secure-workflow) or navigate to “Secure Workflow” under the Orchestrate Security section in your StepSecurity dashboard.

#### Step 2: Paste Your Workflow File

* Copy your GitHub Actions workflow file and paste it into the editor on the StepSecurity tool interface.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FX26sivFLMK37fZozo11u%2FHow%20to%20Apply%20Security%20Best%20Practices%20in%20GitHub%20-%20Step%201.png?alt=media&#x26;token=7a4e23e9-0b69-443d-8e2a-8cf57070dd82" alt=""><figcaption><p>StepSecurity Secure Workflow Page</p></figcaption></figure>

#### Step 3: Click on the “Secure Workflow” Button

* Click the **“Secure Workflow”** button.
* The tool will automatically enhance the security of your workflow by applying recommended settings:
  * Restrict permissions for `GITHUB_TOKEN`.
  * Add [Harden-Runner](https://docs.stepsecurity.io/harden-runner) for the GitHub-hosted runner.
  * Pin actions to full-length commit SHAs.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2F9xx7XKyMA05QSf4aaB9b%2FHow%20to%20Apply%20Security%20Best%20Practices%20in%20GitHub%20-%20Step%203.png?alt=media&#x26;token=37b56d9a-372c-45ba-8b51-8787dec11089" alt=""><figcaption><p>StepSecurity Secure Workflow Page</p></figcaption></figure>

#### Step 4: Review and Apply the Suggested Changes

* The tool will show a diff view of your original workflow versus the secure version.
* Key enhancements include:
  * Adjusted permissions to follow the principle of least privilege.
  * Integration of the StepSecurity Harden Runner with an audit egress policy.
  * Pinning all GitHub Actions to specific commit SHAs for better security.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FRICxVKzj84ikOgV3T9Pu%2FHow%20to%20Apply%20Security%20Best%20Practices%20in%20GitHub%20-%20Step%205.png?alt=media&#x26;token=194e7429-4142-4472-b6fe-2523d4cbc55a" alt=""><figcaption><p>StepSecurity Secure Workflow Page</p></figcaption></figure>

#### Step 5: Save and Commit the Changes

* After reviewing the updates, copy the secure workflow provided by the platform.
* Apply the updated workflow manually to your repository by pasting it into the appropriate file in your project.
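A small check for the three properties the diff in Step 4 should show, as an added example that is not StepSecurity's code: both workflows are constructed samples, the commit SHA is an obvious placeholder, and the checker is regex-based (no YAML library) and looks for a workflow-level `permissions:` block, which is the checker's own assumption.

```python
import re

# Constructed sample workflow before hardening (not from the StepSecurity docs).
BEFORE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
"""
# Same workflow after the three changes. The SHA is an obvious placeholder;
# Secure Workflow substitutes the real full-length commit SHA for each tag.
FAKE_SHA = "0" * 40
AFTER = f"""\
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@{FAKE_SHA}
        with:
          egress-policy: audit
      - uses: actions/checkout@{FAKE_SHA} # v4
      - uses: actions/setup-node@{FAKE_SHA} # v4
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*(\S+)", re.MULTILINE)

def unpinned_uses(workflow):
    # `uses:` refs not pinned to a 40-hex SHA; local and docker refs have no SHA.
    return [ref for ref in USES_RE.findall(workflow)
            if not ref.startswith(("./", "docker://"))
            and not SHA_RE.match(ref.rpartition("@")[2])]

def has_top_level_permissions(workflow):
    # Assumption: the least-privilege block is the workflow-level key at column 0.
    return re.search(r"^permissions:", workflow, re.MULTILINE) is not None

def harden_runner_first(workflow):
    # Every `steps:` list must open with the step-security/harden-runner action.
    blocks = re.split(r"^[ \t]*steps:[ \t]*$", workflow, flags=re.MULTILINE)[1:]
    firsts = [USES_RE.search(b) for b in blocks]
    return bool(firsts) and all(
        m and m.group(1).startswith("step-security/harden-runner@") for m in firsts)
```

Run the three functions over the workflow you paste back into the repository to confirm the tool's diff was applied in full.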
