Secure Workflow
The Secure Workflow feature in StepSecurity hardens GitHub Actions workflows by applying established best practices. With a single click it restricts the workflow's token permissions, adds runtime monitoring of the runner, and pins third-party actions, so users do not have to work out the YAML changes by hand.
Key Features
Restrict permissions for GITHUB_TOKEN to follow the principle of least privilege, so a compromised step cannot use the token for more than the job needs.
Add StepSecurity's Harden-Runner security agent, which monitors the GitHub-hosted runner and records (or, in block mode, restricts) its outbound network traffic.
Pin all GitHub Actions to full-length commit SHAs, so that a tag or branch that is moved or compromised cannot silently change the code the workflow runs.
How to Secure Your GitHub Actions Workflow
Step 1: Access the StepSecurity Dashboard
Visit StepSecurity Secure Workflow or navigate to “Secure Workflow” under the Orchestrate Security section in your StepSecurity dashboard.
Step 2: Paste Your Workflow File
Copy your GitHub Actions workflow file and paste it into the editor on the StepSecurity tool interface.

Step 3: Click on the “Secure Workflow” Button
Click the “Secure Workflow” button.
The tool will automatically enhance the security of your workflow by applying recommended settings:
Restrict permissions for GITHUB_TOKEN.
Add Harden-Runner for the GitHub-hosted runner.
Pin actions to full-length commit SHAs.

Step 4: Review and Apply the Suggested Changes
The tool will show a diff view of your original workflow versus the secure version.
Key enhancements include:
Adjusted permissions to follow the principle of least privilege.
Integration of the StepSecurity Harden-Runner as the first step of each job, with its egress policy set to audit, which logs outbound connections without blocking them.
Pinning all GitHub Actions to full-length commit SHAs for better security.

Step 5: Save and Commit the Changes
After reviewing the diff, copy the secure workflow provided by the platform.
Apply the updated workflow manually to your repository by pasting it over the original file under .github/workflows. Before committing, check that each pinned SHA belongs to the release you intended, and commit the change through a pull request so the hardened workflow runs once before it replaces the original.
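The script below is an added example, not part of this page and not StepSecurity's own code. It holds a constructed before/after pair that follows the three changes described in the steps above and checks a workflow file for each of them, so the same check can run locally (for instance in a pre-commit hook or a CI job) on every workflow in a repository. The commit SHAs in the hardened sample are placeholders rather than real pins, the function names are this example's own, and the `contents: read` permission value is the example's choice of least-privilege default; `egress-policy: audit` is the Harden-Runner input that selects the audit mode the page refers to.

```python
import re

# Constructed sample (not from the page): a typical unhardened workflow.
ORIGINAL = """\
name: build
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test
"""

# Constructed sample of the same workflow after the three changes. The 40-hex
# SHAs are placeholders, NOT real commits: use the SHA of the release you
# actually want and keep its tag as a trailing comment for later updates.
HARDENED = """\
name: build
on: [push, pull_request]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          egress-policy: audit
      - uses: actions/checkout@1111111111111111111111111111111111111111 # placeholder SHA
      - uses: actions/setup-node@2222222222222222222222222222222222222222 # placeholder SHA
        with:
          node-version: 20
      - run: npm ci && npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)


def unpinned_actions(workflow: str) -> list[str]:
    """Return every `uses:` reference whose ref is not a full-length commit SHA.

    Tags and branches (v4, main) are mutable, so whoever controls the action's
    repository can point them at different code. Local actions (./...) and
    docker:// images are skipped because SHA pinning does not apply to them.
    """
    unpinned = []
    for ref in USES_RE.findall(workflow):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.rpartition("@")
        if not FULL_SHA_RE.fullmatch(version):
            unpinned.append(ref)
    return unpinned


def has_top_level_permissions(workflow: str) -> bool:
    """True if the workflow sets a default `permissions:` block for GITHUB_TOKEN.

    Without one the token gets the repository's default permissions, which are
    usually broader than a CI job needs. Job-level blocks may still narrow it.
    """
    return TOP_LEVEL_PERMISSIONS_RE.search(workflow) is not None


def first_step_blocks(workflow: str):
    """Yield the text of the first step under every `steps:` list.

    An indentation-based scan is used instead of a YAML library so the check
    has no dependencies; it assumes the usual block-style step lists.
    """
    lines = workflow.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip() == "steps:":
            j = i + 1
            while j < len(lines) and not lines[j].strip():
                j += 1
            if j < len(lines) and lines[j].lstrip().startswith("- "):
                indent = len(lines[j]) - len(lines[j].lstrip())
                block = [lines[j]]
                k = j + 1
                # Lines indented deeper than the first "- " belong to that step.
                while k < len(lines):
                    line = lines[k]
                    if line.strip() and len(line) - len(line.lstrip()) <= indent:
                        break
                    block.append(line)
                    k += 1
                yield "\n".join(block)
                i = k
                continue
        i += 1


def jobs_missing_harden_runner(workflow: str) -> int:
    """Count steps lists whose first step is not step-security/harden-runner.

    Harden-Runner has to run first to observe the egress of every later step.
    """
    return sum(
        1 for block in first_step_blocks(workflow)
        if "uses: step-security/harden-runner@" not in block
    )


def audit(workflow: str) -> dict:
    """Summarise the three checks for one workflow file."""
    return {
        "top_level_permissions": has_top_level_permissions(workflow),
        "jobs_without_harden_runner": jobs_missing_harden_runner(workflow),
        "unpinned_actions": unpinned_actions(workflow),
    }


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(label, audit(text))
```

Running the script reports the two mutable tags, the missing permissions block and the missing Harden-Runner step for the original sample, and a clean result for the hardened one. The scan is deliberately simple: it recognises the block-style step lists GitHub workflows normally use, and a workflow written in flow style would need a real YAML parser.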