GitHub Issues and Alerts
Last updated
To use this setting, install the StepSecurity App.
The GitHub Issues and Alerts setting enables automatic issue creation when security or configuration problems are detected in your repositories.
You can specify the repositories where this setting should be applied and choose to enable GitHub Advanced Security Alerts for enhanced vulnerability detection and monitoring.
When enabled, this setting helps identify and mitigate potential security threats by automatically creating GitHub Issues for the following risks:
Pin Actions to Full-Length Commit SHA: GitHub Action tags and Docker tags are mutable, which poses a security risk. GitHub’s Security Hardening Guide recommends pinning actions to full-length commit SHAs for better security.
Harden GitHub-Hosted Runner: Ensures that Harden-Runner is installed on GitHub-hosted runners to prevent credential exfiltration, monitor build processes, and detect compromised dependencies.
Restrict GitHub Token Permissions: GitHub Actions workflows have read/write permissions by default, which can pose a security risk. It is recommended to restrict permissions to the minimum required.
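As an added example (not code from the page or from the StepSecurity product), the following Python checker flags the same three conditions in a workflow file: an action reference that is not a full-length commit SHA, a missing `permissions:` block, and no Harden-Runner step. The workflow text and the commit SHAs are constructed samples.

```python
import re

# Constructed sample workflow (not from the page): checkout uses a mutable
# tag, there is no permissions block, and no Harden-Runner step.
SAMPLE_WORKFLOW = """\
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""
# The same workflow with all three findings fixed (SHAs are constructed placeholders).
HARDENED_WORKFLOW = """\
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567
      - uses: actions/checkout@fedcba9876543210fedcba9876543210fedcba98
"""
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")

def check_workflow(text):
    """Return findings for the three risks above; an empty list means clean."""
    findings = []
    has_permissions = has_harden_runner = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if re.match(r"^\s*permissions:", line):
            has_permissions = True  # a top-level or job-level block both count
        if not (m := USES_LINE.match(line)):
            continue
        ref = m.group(1)
        if ref.startswith("step-security/harden-runner@"):
            has_harden_runner = True
        # Local (./path) and docker:// references carry no @ref to pin.
        if "@" in ref and not ref.startswith("./"):
            if not FULL_SHA.match(ref.rsplit("@", 1)[1]):
                findings.append(f"line {lineno}: {ref} is not pinned to a full-length commit SHA")
    if not has_permissions:
        findings.append("no permissions block: GITHUB_TOKEN keeps the default read/write permissions")
    if not has_harden_runner:
        findings.append("no step-security/harden-runner step on the GitHub-hosted runner")
    return findings
```

The checker is line-based and does not parse YAML, so it treats a job-level `permissions:` block the same as a top-level one; a full implementation would also confirm the Harden-Runner step is the first step of every job.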
The GitHub Advanced Security Alerts option provides additional security alerts alongside GitHub Issues, helping to identify and address vulnerabilities more effectively.