StepSecurity Actions Security
GitHub App
StepSecurity Actions Security
GitHub App
π‘οΈ What is StepSecurity?
StepSecurity is a robust security platform specifically designed to enhance the security of GitHub Actions. It safeguards the following layers:
- Action Runners
- GitHub Action Workflow Files
- Third-party GitHub Actions
GitHub Actions execute untrusted code in a privileged environment. StepSecurity's App is essential for those concerned about:
- Theft of CI/CD credentials, which can compromise your cloud infrastructure.
- Tampering of release builds, leading to supply chain attacks.
- Risk of 3rd party GitHub Actions, leading to potential security vulnerabilities in your CI/CD pipeline.
π Trusted by Industry Leaders
Harden-Runner, a flagship solution from StepSecurity, safeguards over 15,000 open-source projects and enterprises, including industry giants like Microsoft, Google, and Kubernetes.
π Permission Requirements
| Permission | Access | Feature |
|---|---|---|
| Metadata | Read | Default permission for all GitHub Apps; mandatory and cannot be opted out of. |
| Actions | Read | Harden Runner insights (listing workflows across repositories). |
| Pull requests | Read | Getting pull request information to create checks, as part of the GitHub Checks feature. |
| Secrets | Read | Listing GitHub Actions repository secrets. Returns secret metadata only (name, created/updated dates, and when the secret was last rotated); not secret values. |
| Organization secrets | Read | Listing GitHub Actions organization secrets. Metadata only (name, created/updated dates, and when the secret was last rotated); not secret values. |
| Checks | Read & Write | GitHub Checks feature: cool-down period and GitHub Actions checks. |
π Why These Permissions?
The secrets: read and organization_secrets: read permissions provide access only to metadata about secrets. StepSecurity does not access the actual secret values. These permissions enable the App to:
- Identify secrets that have not been rotated for a long time.
- Enhance security insights without compromising sensitive data.
Additionally, as outlined in the official GitHub API documentation, these permissions return only:
- The name of the secret.
- When it was created.
- When it was last updated.
π Commitment to Security
StepSecurity is built with a security-first mindset, ensuring that it never accesses customer code or secret values. By focusing on metadata insights, it strengthens security without compromising user privacy.
π Support
Need help? Our support team is here to assist you with any questions or security concerns.
π§ Email: support@stepsecurity.io
Developer
StepSecurity Actions Security is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
Report abuse