StepSecurity
ResourcesCompanyPricingInstall StepSecurity AppLogin
  • Introduction
  • Getting Started
    • Quickstart (Community Tier)
      • Getting Started with Secure Workflow
      • Getting Started with Secure Repo
      • Getting Started with Harden Runner
    • Quickstart (Enterprise Tier)
  • Guides
    • How to enable network and runtime monitoring (Harden-Runner) for runners
    • How to restrict network connections to explicitly allowed endpoints
    • How do I authenticate with the StepSecurity app
    • How should I improve the security of third-party actions in my organization
    • How should I reduce the number of Harden-Runner anomalous endpoint alerts
    • How can developers see and fix StepSecurity findings without security’s help?
  • Overview
  • Harden-Runner
    • Workflow Runs
    • All Destinations
    • Detections
    • GitHub Checks
    • Suppression Rules
    • Policy Store
    • Self-Hosted Runners
    • Runbooks
      • Anomalous Outbound Network Calls
      • How to Determine Minimum Token Permissions
  • Orchestrate Security
    • Policy Driven PRs
    • Secure Workflow
    • Secure Repo
    • Pull Requests
  • Run Policies
    • Policies
    • Policy Evaluations
  • Artifact Monitor
  • Actions Secret
  • Actions
    • GitHub Actions In Use
    • Reusable Workflows
    • GitHub Actions Score
    • StepSecurity Maintained Actions
  • Settings
    • Notifications
    • Self-Hosted Runners
    • API Key
    • GitHub Checks
    • Control Evaluation
  • Admin Console
    • Resources
    • S3 Integration
    • Members
    • Security & Auth
      • Setting Up Google SSO
      • Setting Up Okta SSO
      • Setting Up Microsoft Entra (Azure AD)
    • Audit Logs
  • Partnerships
    • RunsOn
  • Who's Using Harden-Runner?
  • Enterprise Readiness
Powered by GitBook
On this page

Was this helpful?

Export as PDF

Run Policies

PreviousPull RequestsNextPolicies

Last updated 16 days ago

Was this helpful?

This feature is currently available for early access. If you installed the before May 1st, 2025, you will need to accept a new permission to enable Workflow Run policies:

  • actions: write

This permissions is required for StepSecurity Advanced App to cancel GitHub workflow runs.

Available for Enterprise Tier only

Workflow Run Policies allow you to enforce security controls by blocking GitHub Actions workflow runs that violate organization-defined policies. This is particularly useful for preventing misconfigurations and supply chain attacks in your CI/CD pipelines.

How It Works

When a workflow run violates a policy, the run is automatically blocked. You can define policies such as:

  • Automatically block compromised GitHub Actions, preventing them from executing in your workflows

  • Whether secrets can be used on non-default branches

  • Which GitHub Actions are permitted, including internal/private actions

  • Which runner labels are allowed or disallowed

Below are the supported policy types and example runs where the policy enforcement blocked workflow execution:

Policy Type
Description
Example Blocked Run
Workflow File

Blocks runs of compromised GitHub Actions

Prevents unauthorized access to Secrets

Blocks runs if a third-party or internal action is not on the allowed list.

Blocks runs if the runner label is not in an allowed list.

When a workflow run is blocked, you will see this message in the workflow run:

The run was canceled by @stepsecurity-app[bot].

Compliant workflow runs continue without any impact—everything runs as expected.

Use this interactive demo to learn how to set up an Actions policy in your organization:

StepSecurity Advanced App
Run
Workflow
Run
Workflow
Run
Workflow
Run
Workflow
Compromised Actions Policy
Secret Exfiltration Policy
Actions Policy
Runner Label Policy