Orchestrating Security: StepSecurity's Impact on 400+ Repositories and Future Plans 🛡️

I posted in April about how StepSecurity's pull request feature had helped over 300 public repositories adopt secure development practices. In a couple of months since then, the number has crossed 400! 🎉

40 of these over 400 public repositories have over 1000 stars ⭐, showing the trust that important open-source projects place in us to secure their repositories. You can find the list of these projects here: https://app.stepsecurity.io/securerepo/trending  

Here are three examples of automated pull requests created by developers using our application security orchestration platform in the last couple of months:  

nuxt/nuxt has over 47K stars on GitHub and is an intuitive way to create production-grade full-stack web apps and websites with Vue. Daniel Roe, one of the maintainers of the project, used StepSecurity to

    a. Set least privileged GitHub Actions Token Permissions

    b. Pin Dependencies

    c. Add a dependency review workflow (for software composition analysis)

    d. Add OpenSSF Scorecard workflow

    ➡️ Automated pull request: https://github.com/nuxt/nuxt/pull/21328      

ampproject/amphtml has over 14K stars on GitHub and is the AMP web component framework. Daniel Rozenberg, one of the maintainers of the project, used StepSecurity to

    a. Add StepSecurity Harden Runner to the GitHub Actions workflows

    b. Pin Dependencies

    c. Update the Dependabot configuration file

    d. Add a Static Application Security Testing (SAST) workflow

    e. Add a dependency review workflow (for software composition analysis)

    ➡️ Automated pull request: https://github.com/ampproject/amphtml/pull/38759  

nodejs/undici has over 4,700 stars and is an HTTP/1.1 client written from scratch for Node.js. Rafael Gonzaga, one of the maintainers of the project and a member of the Node.js Security Working group, used StepSecurity to

    a. Set least Privileged GitHub Actions Token Permissions

    b. Pin Dependencies

    c. Update the Dependabot configuration file

    d. Add a Static Application Security Testing (SAST) workflow

    e. Add a dependency review workflow (for software composition analysis)

    ➡️ Automated pull request: https://github.com/nodejs/undici/pull/2130  

‍

On the Horizon: New Features and Support for private repositories 💡

Here's a sneak peek into what we're planning for the coming months:

🔒Expanding to Private Repositories: We're excited to announce that we are developing support for private repositories designed with the same user-friendly experience that our public repository users love. Soon, you will be able to analyze your private repositories and orchestrate your security tools using our platform. Sign up for the beta using our website here.

🛠️ Adding More Security Tools: We've heard your requests for more extensive security capabilities. We are actively integrating additional tools:

   a. Pre-commit hooks for linters and to detect secrets in code before they get pushed

   b. Linters in the CI/ CD pipeline

   c. Automation to transition from using long-lived CI/CD secrets to OIDC in GitHub Actions workflows

You can track the status of these features in our open-source project: https://github.com/step-security/secure-repo/issues  

Currently, we support the orchestration of CodeQL, Dependency review, and OpenSSF Scorecard workflows, which require GitHub Advanced Security in private repositories. Our vision is to provide you with more choices for your private repositories, so you can orchestrate tools you've already been using.

‍

Exciting Partnership Opportunities Ahead 🤝

As we continue our journey of orchestrating application security, we recognize the immense potential of collaborating with other industry players. Our vision is to create an ecosystem that optimizes DevSecOps and delivers our users the most comprehensive security solution.

Therefore, we’re opening our doors to strategic partnerships with other security vendors, especially those with a DevSecOps tool that is free for open source and can be integrated using a GitHub Actions workflow. We aim to create a harmonious blend of various security tools on our orchestration platform, giving our users the most robust and flexible security options.

If you're a security vendor with a tool that aligns with our mission, we would love to partner with you to offer it as part of our orchestration platform.  

‍

Conclusion ✅

StepSecurity significantly impacts secure development practices, having already aided over 400 public repositories in orchestrating their security tools and fortifying CI/CD pipelines. Our pull request feature has become a cornerstone for repositories aiming to bolster their security posture.

We urge you to experience the StepSecurity difference yourself. If you manage a public repository, you can try out StepSecurity today and see the difference our security orchestration can make in your CI/CD pipeline. If you have a private repository, we invite you to sign up for our beta program, which will offer the same seamless, security-focused experience for your private projects.