Skip to content

StepSecurity Actions Security

GitHub App

StepSecurity Actions Security

GitHub App

Introduction

GitHub Actions execute untrusted code in a privileged environment. StepSecurity Actions Security App can help if you are worried about the following:

  1. Theft of CI/CD credentials compromising your cloud infrastructure
  2. Tampering of release builds leading to supply chain attacks

Features:

For more details, check out https://www.stepsecurity.io

GitHub Actions Runtime Security

Protect against SolarWinds and Codecov-style attacks, whether in GitHub-hosted or self-hosted Actions Runner Controller (ARC) environments.

  • Security Observability: Gain insight into network and file events associated with each job step
  • Runtime Security Policies: Set runtime policies right in the workflow file based on security observablity
  • Real-Time Enforcement: Synchronous monitoring, filtering, and enforcement during the workflow run based on policies

Manage risk from third-party GitHub Actions

Discover and manage third-party GitHub Actions being used across your organization

  • Discover: Discover all third-party GitHub Actions across your GitHub organization
  • Govern: Review and enforce the use of third-party GitHub Actions
  • Standardize: Standardize GitHub Actions across all workflows

Manage GitHub Actions secrets

Handle your GitHub Actions secrets with the same caution as cloud secrets

  • Efficient Analysis: Quickly analyze GitHub Actions secrets across your organization for a secure
  • Maintain Secret Hygiene: Uncover non-rotated and unused secrets
  • Restrict GITHUB_TOKEN: Audit and set least privileged GitHub token permissions

Permission requirements

This App only needs actions: read, secrets: read and organization_secrets: read permissions on your repositories.

secrets: read and organization_secrets: read only give access to the metadata about the secrets. It does not give access to the actual secret.

We use this to show secrets that have not been rotated for a long time.
https://docs.stepsecurity.io/review-github-actions-secrets/review-secrets

As you can see from this GitHub API documentation, it only returns the name of the secret, when it was created, and when it was last updated.
https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#list-repository-secrets

We have designed our App to not have access to customer code or secrets.

Support

If you have any problems or questions about this App, please email info@stepsecurity.io.

Developer

StepSecurity Actions Security is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.

Report abuse