GitHub Issues and PRs
To use this setting, install the StepSecurity App.
The GitHub Issues and Pull Requests setting allows you to automate security remediation across your repositories by either creating GitHub Issues to track vulnerabilities or automatically generating Pull Requests to fix them.
With this setting, you can configure how StepSecurity responds when security misconfigurations or vulnerabilities are detected in your workflows or repositories.
Choose how StepSecurity should remediate the vulnerabilities:
GitHub Issues: Automatically creates GitHub Issues to track and discuss detected security vulnerabilities.
Pull Requests: Automatically generates PRs that fix security issues (e.g., hardening actions, updating tags).
You can also edit the PR template to customize the content of the pull requests.
These controls enable automatic detection and remediation of specific risks:
Harden GitHub-Hosted Runner: Ensures Harden-Runner is installed on GitHub-hosted runners to:
Prevent exfiltration of credentials
Monitor the build process
Detect compromised dependencies
Pin Actions to Full-Length Commit SHA: GitHub Action tags and Docker tags are mutable, which poses a security risk. GitHub’s Security Hardening Guide recommends pinning actions to full-length commit SHAs for better security.
You can exempt specific actions using the Exempted Actions input (e.g., actions/checkout@v3 or actions/*).
Restrict GitHub Token Permissions: GitHub Actions workflows have read/write permissions by default, which can pose a security risk. It is recommended to restrict permissions to the minimum required.
Enable GitHub Advanced Security Alerts: Provides additional security alerts alongside GitHub Issues, helping to identify and address vulnerabilities more effectively.
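To make the three workflow controls above concrete, here is an added example (not StepSecurity's own code) of a small line-based audit: it flags actions that are not pinned to a full-length commit SHA, honours exemption patterns of the same shape as the Exempted Actions input (actions/checkout@v3 or actions/*), and checks whether a Harden-Runner step and a top-level permissions block are present. The workflow text is constructed for the example.

```python
import fnmatch
import re

# Constructed sample workflow: two tag-pinned actions, one SHA-pinned Harden-Runner
# step, and no top-level permissions block.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567
      - uses: actions/checkout@v3
      - uses: docker/login-action@v2
      - run: make
"""

# Matches 'uses: owner/repo@ref' step lines; local (./path) and docker:// actions have no '@'
# and are skipped. Assumed shape of the inputs, not StepSecurity's parser.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
HARDEN_RUNNER = "step-security/harden-runner"


def is_exempt(action, ref, exempted):
    """An exemption is either an exact 'owner/repo@ref' or a glob such as 'actions/*'."""
    full = f"{action}@{ref}"
    return any(fnmatch.fnmatch(full, e) or fnmatch.fnmatch(action, e) for e in exempted)


def audit_workflow(text, exempted=()):
    """Report findings for the three workflow controls: pinning, runner hardening, permissions."""
    unpinned, hardened = [], False
    lines = text.splitlines()
    for line in lines:
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action == HARDEN_RUNNER:
            hardened = True
        if not FULL_SHA_RE.match(ref) and not is_exempt(action, ref, exempted):
            unpinned.append(f"{action}@{ref}")
    # A column-0 'permissions:' key narrows the default GITHUB_TOKEN grant for every job.
    has_permissions = any(re.match(r"^permissions:", ln) for ln in lines)
    return {"unpinned": unpinned, "harden_runner": hardened, "token_permissions_set": has_permissions}


if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW, exempted=("actions/*",)))
```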
Specify which repositories should use this configuration by selecting them from the list.
You can search for repositories and apply the configuration individually by checking the corresponding box under Configuration Applied.