StepSecurity Actions Security
GitHub App
StepSecurity Actions Security
GitHub App
Introduction
GitHub Actions execute untrusted code in a privileged environment. StepSecurity Actions Security App can help if you are worried about the following:
- Theft of CI/CD credentials compromising your cloud infrastructure
- Tampering of release builds leading to supply chain attacks
Features:
For more details, check out https://www.stepsecurity.io
GitHub Actions Runtime Security
Protect against SolarWinds and Codecov-style attacks, whether in GitHub-hosted or self-hosted Actions Runner Controller (ARC) environments.
- Security Observability: Gain insight into network and file events associated with each job step
- Runtime Security Policies: Set runtime policies right in the workflow file based on security observablity
- Real-Time Enforcement: Synchronous monitoring, filtering, and enforcement during the workflow run based on policies
Manage risk from third-party GitHub Actions
Discover and manage third-party GitHub Actions being used across your organization
- Discover: Discover all third-party GitHub Actions across your GitHub organization
- Govern: Review and enforce the use of third-party GitHub Actions
- Standardize: Standardize GitHub Actions across all workflows
Manage GitHub Actions secrets
Handle your GitHub Actions secrets with the same caution as cloud secrets
- Efficient Analysis: Quickly analyze GitHub Actions secrets across your organization for a secure
- Maintain Secret Hygiene: Uncover non-rotated and unused secrets
- Restrict GITHUB_TOKEN: Audit and set least privileged GitHub token permissions
Permission requirements
This App only needs actions: read
, secrets: read
and organization_secrets: read
permissions on your repositories.
secrets: read
and organization_secrets: read
only give access to the metadata about the secrets. It does not give access to the actual secret.
We use this to show secrets that have not been rotated for a long time.
https://docs.stepsecurity.io/review-github-actions-secrets/review-secrets
As you can see from this GitHub API documentation, it only returns the name of the secret, when it was created, and when it was last updated.
https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#list-repository-secrets
We have designed our App to not have access to customer code or secrets.
Support
If you have any problems or questions about this App, please email info@stepsecurity.io.
Developer
StepSecurity Actions Security is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
Report abuse