StepSecurity Actions Security

Introduction

GitHub Actions execute untrusted code in a privileged environment. StepSecurity Actions Security App can help if you are worried about the following:

For more details, check out https://www.stepsecurity.io

Protect against SolarWinds and Codecov-style attacks, whether in GitHub-hosted or self-hosted Actions Runner Controller (ARC) environments.

Security Observability: Gain insight into network and file events associated with each job step
Runtime Security Policies: Set runtime policies right in the workflow file based on security observablity
Real-Time Enforcement: Synchronous monitoring, filtering, and enforcement during the workflow run based on policies

Discover and manage third-party GitHub Actions being used across your organization

Discover: Discover all third-party GitHub Actions across your GitHub organization
Govern: Review and enforce the use of third-party GitHub Actions
Standardize: Standardize GitHub Actions across all workflows

Handle your GitHub Actions secrets with the same caution as cloud secrets

Efficient Analysis: Quickly analyze GitHub Actions secrets across your organization for a secure
Maintain Secret Hygiene: Uncover non-rotated and unused secrets
Restrict GITHUB_TOKEN: Audit and set least privileged GitHub token permissions

This App only needs actions: read, secrets: read and organization_secrets: read permissions on your repositories.

secrets: read and organization_secrets: read only give access to the metadata about the secrets. It does not give access to the actual secret.

As you can see from this GitHub API documentation, it only returns the name of the secret, when it was created, and when it was last updated.
https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#list-repository-secrets

We have designed our App to not have access to customer code or secrets.

If you have any problems or questions about this App, please email info@stepsecurity.io.