Policies
Use this page to view and manage all workflow run policies created in your organization.
There are three policy types you can create:
- Runner Label Policy: prevent or monitor usage of specific runners
- Actions Policy: block specific GitHub Actions
- Secret Exfiltration Policy: ensure only certain branches have access to secrets
Runner Label Policy
Use this policy to block untrusted GitHub-hosted runners or to allow only specific self-hosted runners.
Step 1: Navigate to the Policies page
Go to your StepSecurity dashboard, then to Run Policies → Policies in the sidebar.
Step 2: Click “Create Policy”
Click the Create Policy button on the top right of the page.
Step 3: Fill in Policy Details
Policy Name – e.g., Do not allow GitHub-Hosted Runners
Policy Type – Select Runner Label Policy
Action – Choose between:
Enforce: Actively blocks disallowed runner labels
Dry Run: Sends notifications but does not block
Step 4: Specify Disallowed Runner Labels
Type in the runner labels you want to block (e.g., ubuntu-latest, macos-latest) and press Enter to add.
Step 5: Select Repositories
Choose whether to apply the policy to:
All current and future repositories (default), or
Select specific repositories manually
Step 6: Save the Policy
After configuring all settings, click Save to create the policy.
Actions Policy
Use this policy to enforce an allowlist of GitHub Actions. Any action not on the list is blocked (Enforce) or flagged (Dry Run).
Step 1: Select “Actions Policy” and the Actions to Allowlist
Add actions to the allowlist in one of three ways:
- Manually type and add actions (e.g., actions/checkout), or
- Use the All Actions (Used) tab to select from known usage: select one action and click "Add to Allowed List", then decide whether to allow all versions (default) or only specific commit versions, or
- Use the Repository Filter (optional): go to the By Repository (Used) tab, select a repository, and add the actions it uses.
Step 2: Click "Save"
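As an added illustration of what the Runner Label and Actions policies above express, and not StepSecurity's own code, the following Python evaluates a constructed workflow against a disallowed-label list and an action allowlist with optional commit pins, honouring the Enforce versus Dry Run distinction. The workflow, the `Policy` class, the `evaluate` function and the placeholder commit SHA are all assumptions made for the example.

```python
# Added illustration of the policy semantics on this page, not StepSecurity's code.
from dataclasses import dataclass, field

PINNED = "0" * 40  # placeholder commit SHA standing in for a real pinned version

# A workflow as it would look after YAML parsing (constructed sample input).
WORKFLOW = {
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [{"uses": "actions/checkout@v4"},
                      {"uses": "some-org/untrusted-action@main"}],
        },
        "deploy": {
            "runs-on": ["self-hosted", "linux"],
            "steps": [{"uses": f"actions/checkout@{PINNED}"}, {"run": "./deploy.sh"}],
        },
    }
}

@dataclass
class Policy:
    mode: str  # "enforce" or "dry-run", matching the Action choice in the dashboard
    disallowed_labels: set = field(default_factory=set)
    # action -> set of allowed refs; an empty set means all versions are allowed
    allowed_actions: dict = field(default_factory=dict)

def evaluate(workflow, policy):
    """Return (blocked, findings). Dry Run reports findings but never blocks."""
    findings = []
    for job_name, job in workflow["jobs"].items():
        labels = job.get("runs-on", [])
        labels = [labels] if isinstance(labels, str) else list(labels)
        for label in labels:
            if label in policy.disallowed_labels:
                findings.append(f"{job_name}: disallowed runner label {label}")
        for step in job.get("steps", []):
            uses = step.get("uses")
            if not uses:
                continue  # 'run' steps reference no action
            action, _, ref = uses.partition("@")
            allowed_refs = policy.allowed_actions.get(action)
            if allowed_refs is None:
                findings.append(f"{job_name}: action {action} is not in the allowlist")
            elif allowed_refs and ref not in allowed_refs:
                findings.append(f"{job_name}: {action}@{ref} is not an allowed version")
    blocked = policy.mode == "enforce" and bool(findings)
    return blocked, findings
```

With the sample workflow, an Enforce policy that disallows ubuntu-latest and allows only the pinned actions/checkout blocks the run with three findings, all in the build job; the same findings under Dry Run are reported without blocking.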
Secret Exfiltration Policy
Use this policy to ensure that only certain branches have access to secrets. This helps prevent accidental or malicious exposure of secrets, especially from untrusted branches such as those in pull requests from forks.
Step 1: Select “Secret Exfiltration Policy”
Step 2: Choose Target Repositories
Step 3: Save the Policy