miroapp-dev · stepsecurity-app · Jan 26, 2026
diff --git a/.github/workflows/AddLabel.yaml b/.github/workflows/AddLabel.yaml
@@ -31,6 +31,11 @@ jobs:
     needs: solutionPublisherDetail
     if: ${{ github.actor != 'dependabot[bot]' && needs.solutionPublisherDetail.outputs.solutionPublisherId != '' && !contains(fromJson(vars.INTERNAL_PUBLISHERS),needs.solutionPublisherDetail.outputs.solutionPublisherId) }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - name: Generate a token
         id: generate_token
         uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9

diff --git a/.github/workflows/IssueComment.yml b/.github/workflows/IssueComment.yml
@@ -14,6 +14,11 @@ jobs:
     permissions:
       issues: write
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+      with:
+        egress-policy: audit
+
     - name: Generate a token
       id: generate_token
       uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9

diff --git a/.github/workflows/ScanSecrets.yaml b/.github/workflows/ScanSecrets.yaml
@@ -7,6 +7,11 @@ jobs:
   Scan_Secrets_in_commit:
     runs-on: ubuntu-latest
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+      with:
+        egress-policy: audit
+
     - name: Checkout code
       uses: actions/checkout@v4
       with:

diff --git a/.github/workflows/addComment.yaml b/.github/workflows/addComment.yaml
@@ -18,6 +18,11 @@ jobs:
   comment:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - name: Generate a token
         id: generate_token
         uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9

diff --git a/.github/workflows/addCommentOnPackagedPR.yaml b/.github/workflows/addCommentOnPackagedPR.yaml
@@ -16,6 +16,11 @@ jobs:
       pull-requests: write
       contents: write
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+      with:
+        egress-policy: audit
+
     - uses: actions/github-script@29423367f079522048aa7c63f671593b0556ffd5
       id: addComment
       with:

diff --git a/.github/workflows/addCommentToRemindUpdatingTemplateVersion.yml b/.github/workflows/addCommentToRemindUpdatingTemplateVersion.yml
@@ -13,6 +13,11 @@ jobs:
     outputs:
       hasAutoDetectionComment: ${{ steps.job1.outputs.hasAutoDetectionComment }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - name: Find Comment
         uses: peter-evans/find-comment@v3
         id: fc

diff --git a/.github/workflows/addLabelOnPr.yaml b/.github/workflows/addLabelOnPr.yaml
@@ -16,6 +16,11 @@ jobs:
     if: ${{ !github.event.pull_request.head.repo.fork }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - name: Generate a token
         id: generate_token
         uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9

diff --git a/.github/workflows/allowedWorkflowRun.yaml b/.github/workflows/allowedWorkflowRun.yaml
@@ -18,6 +18,11 @@ jobs:
     outputs:
       isWorkflowRunAllowed: ${{ steps.getWorkflowRunAllowedStatus.outputs.isWorkflowRunAllowed }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - name: Is Current User Allowed
         shell: pwsh
         id: getWorkflowRunAllowedStatus

diff --git a/.github/workflows/arm-ttk-validations.yaml b/.github/workflows/arm-ttk-validations.yaml
@@ -18,6 +18,11 @@ jobs:
       mainTemplateChanged: ${{ steps.step1.outputs.mainTemplateChanged }}
       createUiChanged: ${{ steps.step1.outputs.createUiChanged }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 10

diff --git a/.github/workflows/checkAutomatedPR.yaml b/.github/workflows/checkAutomatedPR.yaml
@@ -16,6 +16,11 @@ jobs:
     outputs:
       isAutomatedPR: ${{ steps.ValidateAutomatedPR.outputs.isAutomatedPR }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - shell: pwsh
         id: ValidateAutomatedPR
         run: |

diff --git a/.github/workflows/checkPRContentChange.yaml b/.github/workflows/checkPRContentChange.yaml
@@ -26,6 +26,11 @@ jobs:
     outputs:
       hasContentPackageChange: ${{ steps.changesInPR.outputs.hasContentPackageChange }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           fetch-depth: 2

diff --git a/.github/workflows/checkSkipPackagingInfo.yaml b/.github/workflows/checkSkipPackagingInfo.yaml
@@ -22,6 +22,11 @@ jobs:
     outputs:
       isPackagingRequired: ${{ steps.getPackagingSkipStatus.outputs.isPackagingRequired }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           fetch-depth: 2

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -37,6 +37,11 @@ jobs:
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
       uses: actions/checkout@v3
 

diff --git a/.github/workflows/content-validations.yaml b/.github/workflows/content-validations.yaml
@@ -18,6 +18,11 @@ jobs:
         GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
         SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
       steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - run: npm install -g npm@6.14.18;which npm;npm -v
       - name: npm install

diff --git a/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml b/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml
@@ -27,6 +27,11 @@ jobs:
     if: ${{ !github.event.pull_request.head.repo.fork }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - name: Generate a token
         id: generate_token
         uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9

diff --git a/.github/workflows/data-connector-validations.yaml b/.github/workflows/data-connector-validations.yaml
@@ -18,6 +18,11 @@ jobs:
         GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
         SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
       steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - run: npm install -g npm@6.14.18;which npm;npm -v
       - name: npm install

diff --git a/.github/workflows/detection-template-schema-validations.yaml b/.github/workflows/detection-template-schema-validations.yaml
@@ -14,6 +14,11 @@ jobs:
         dotnetSdkVersion: 3.1.401
         PRNUM: ${{ github.event.pull_request.number }}
       steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
         uses: actions/setup-dotnet@v4

diff --git a/.github/workflows/detection-validations.yaml b/.github/workflows/detection-validations.yaml
@@ -18,6 +18,11 @@ jobs:
         GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
         SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
       steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - run: npm install -g npm@6.14.18;which npm;npm -v
       - name: npm install

diff --git a/.github/workflows/documents-link-validation.yaml b/.github/workflows/documents-link-validation.yaml
@@ -18,6 +18,11 @@ jobs:
         GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
         SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
       steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - run: npm install -g npm@6.14.18;which npm;npm -v
       - name: npm install

diff --git a/.github/workflows/getSolutionName.yaml b/.github/workflows/getSolutionName.yaml
@@ -17,6 +17,11 @@ jobs:
     outputs:
       sName: "${{ steps.getSolutionName.outputs.solutionName }}"
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           fetch-depth: 2

diff --git a/.github/workflows/hyperlinkValidator.yaml b/.github/workflows/hyperlinkValidator.yaml
@@ -17,6 +17,11 @@ jobs:
     if: ${{ !github.event.pull_request.head.repo.fork && !contains(github.event.client_payload.pull_request.head.ref , 'dependabot/') && !contains(github.event.client_payload.pullRequestBranchName , 'dependabot/') }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - name: Generate a token
         id: generate_token
         uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9

diff --git a/.github/workflows/json-syntax-validation.yaml b/.github/workflows/json-syntax-validation.yaml
@@ -18,6 +18,11 @@ jobs:
         GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
         SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
       steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - run: npm install -g npm@6.14.18;which npm;npm -v
       - name: npm install

diff --git a/.github/workflows/kql-validations.yaml b/.github/workflows/kql-validations.yaml
@@ -14,6 +14,11 @@ jobs:
         dotnetSdkVersion: 6.0.x
         PRNUM: ${{ github.event.pull_request.number }}
       steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
         uses: actions/setup-dotnet@v4

diff --git a/.github/workflows/logo-validation.yaml b/.github/workflows/logo-validation.yaml
@@ -18,6 +18,11 @@ jobs:
         GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
         SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
       steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - run: npm install -g npm@6.14.18;which npm;npm -v
       - name: npm install

diff --git a/.github/workflows/neworexistingsolution.yaml b/.github/workflows/neworexistingsolution.yaml
@@ -29,6 +29,11 @@ jobs:
       solutionOfferId: "${{ steps.IdentifyNewOrExistingSolution.outputs.solutionOfferId }}"
       solutionPublisherId: "${{ steps.IdentifyNewOrExistingSolution.outputs.solutionPublisherId }}"
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           fetch-depth: 2

diff --git a/.github/workflows/non-ascii-validations.yaml b/.github/workflows/non-ascii-validations.yaml
@@ -14,6 +14,11 @@ jobs:
         buildConfiguration: Release
         dotnetSdkVersion: 3.1.401
       steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
         uses: actions/setup-dotnet@v4

diff --git a/.github/workflows/package-command.yaml b/.github/workflows/package-command.yaml
@@ -27,6 +27,11 @@ jobs:
       is-automated-pr: ${{ steps.checkAutomatedPR.outputs.isAutomatedPR }}
       package-created: ${{ steps.validateAndCreatePackage.outputs.isCreatePackage }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - name: Validate inputs
         run: |
           if [ -z "${{ env.BRANCH_NAME }}" ]; then

diff --git a/.github/workflows/playbook-validations.yaml b/.github/workflows/playbook-validations.yaml
@@ -18,6 +18,11 @@ jobs:
         GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
         SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
       steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - run: npm install -g npm@6.14.18;which npm;npm -v
       - name: npm install

diff --git a/.github/workflows/pullRequestStatus.yaml b/.github/workflows/pullRequestStatus.yaml
@@ -14,6 +14,11 @@ jobs:
     outputs:
         isPullRequestMerged: ${{ steps.getPullRequestStatus.outputs.isPullRequestMerged }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
+        with:
+          egress-policy: audit
+
       - name: Get Pull Request Status
         shell: pwsh
         id: getPullRequestStatus