We've been helping our customers secure their CI/CD pipelines with StepSecurity Maintained Actions and Policy Driven PRs for automated security fixes.
But there was one manual step remaining - replacing risky third-party Actions with StepSecurity's secure drop-in replacement actions required tedious, repo-by-repo updates.
Today, we're thrilled to announce that Policy Driven PRs now automate the replacement of third-party GitHub Actions with StepSecurity Maintained Actions across your entire organization.
Why This Matters
Before diving into how it works, let’s first look at what StepSecurity Maintained Actions are and why they’re a game-changer for securing your CI/CD pipelines.
What Are StepSecurity Maintained Actions?
StepSecurity Maintained Actions are a curated set of trusted GitHub Actions maintained by our security engineering team. They are designed to reduce the risk of supply chain attacks caused by compromised third-party actions, while also enhancing security, reliability, and consistency across workflows.
Why We Maintain These Actions
We onboard actions based on enterprise customer demand, especially when they:
- Have been abandoned by the original maintainers
- Are maintained by a single developer
- Receive low OpenSSF Scorecard security scores
- Require elevated permissions (like access to repository secrets), which could increase security risk
Case Study Comparisons
To understand the importance of these mitigations, let’s look at two recent real-world security incidents involving GitHub Actions:
- tj-actions/changed-files: A compromise occurred when a persistent bot account with repository access was exploited to update tags. StepSecurity actions eliminate this risk by avoiding persistent credentials and requiring environment-based approvals for releases.
- reviewdog actions: Security was compromised due to overly permissive access control: contributors who submitted to reviewdog/action-* repositories were automatically invited to the reviewdog/actions-maintainer team, which had write access to these repositories. StepSecurity restricts access exclusively to our dedicated maintenance team.
Automate Secure Replacements with Policy Driven PRs
Even when a secure StepSecurity Maintained Action exists, updating every workflow manually across all your repos is tedious and error-prone—especially if you manage dozens of them.
That’s why we’ve extended Policy Driven PRs to automate third-party Action replacements.
Benefits
- No more manual search and replace
- No more repetitive PRs per repository
- Enforce organization-wide security policies in minutes
How It Works
Here’s how to configure automated Action replacements:
Step 1: Navigate to your StepSecurity dashboard.

Step 2: Click the Orchestrate Security dropdown.

Step 3: Click "Policy Driven PRs".

Step 4: Click "Select Actions" to choose the third-party Actions you want replaced with StepSecurity Maintained Actions.

Step 5: You'll see a list of the third-party Actions currently used in your organization that have a secure, drop-in replacement maintained by StepSecurity.

Step 6: When the PR is created automatically, you can see that the Action has been replaced by a StepSecurity Maintained Action.

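To make the change in Step 6 concrete, here is an added example (not StepSecurity's code) of the rewrite such a PR applies to a workflow file: only the owner/repo part of a `uses:` reference is swapped, while the sub-path, the pinned ref and any trailing comment are preserved, and local or unmapped actions are left alone. The replacement mapping and the sample workflow are assumptions constructed for this illustration; the real list of replacements is the one the dashboard shows.

```python
import re
from typing import Dict, List, Tuple

# Assumed mapping for illustration; the real list comes from the dashboard (Step 5).
REPLACEMENTS: Dict[str, str] = {
    "tj-actions/changed-files": "step-security/changed-files",
    "reviewdog/action-setup": "step-security/action-setup",
}

# A `uses:` step line: prefix, owner/repo, optional sub-path, @ref, trailing
# text (spaces, comments). Local (./...) and docker:// actions never match.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<action>[\w.-]+/[\w.-]+)"
    r"(?P<subpath>/[^@\s#]*)?@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)

def replace_actions(workflow: str, mapping: Dict[str, str] = REPLACEMENTS
                    ) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Swap owner/repo of mapped actions; keep sub-path, @ref and comments.
    Returns the rewritten text and (line number, old, new) entries for the PR."""
    lookup = {k.lower(): v for k, v in mapping.items()}  # GitHub names are case-insensitive
    out, changes = [], []
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and m["action"].lower() in lookup:
            new = lookup[m["action"].lower()]
            line = f"{m['prefix']}{new}{m['subpath'] or ''}@{m['ref']}{m['rest']}"
            changes.append((lineno, m["action"], new))
        out.append(line)
    # splitlines() drops the final newline; restore it if the input had one.
    return "\n".join(out) + ("\n" if workflow.endswith("\n") else ""), changes

# Constructed sample workflow (not from the original post).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v44  # which files changed?
      - uses: ./.github/actions/local
      - name: lint
        uses: reviewdog/action-setup@v1
"""

if __name__ == "__main__":
    print(replace_actions(SAMPLE_WORKFLOW)[0], end="")
```

The pinned ref is carried over unchanged, so before merging such a PR confirm that the replacement action actually publishes that ref.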
Secure Actions at Scale
This enhancement makes it easier than ever to ensure your workflows use secure, audited Actions with minimal effort from your team.
🔒 This feature is currently available only to Enterprise tier users.
Start your 14-day free trial by installing the StepSecurity app.
🛡️ Already using StepSecurity Enterprise Tier? Log in to your dashboard to begin automating third-party Action replacements today.
🎙️ Join the Webinar
Join us live as we walk through how StepSecurity helps you reduce risk and save time by automating GitHub Actions governance. We’ll demo the new capabilities, share implementation tips, and answer your questions.