.png)
Enterprise
Enterprise
How Neon Secures Its CI/CD Pipelines with StepSecurity
Neon rolled out StepSecurity’s enterprise solution to harden CI/CD pipelines—without compromising developer velocity.
GitHub Actions Security ROI Calculator
Assess your current security posture and discover time savings with StepSecurity
Third-party actions review process
Do you have a formal process to review and approve third-party GitHub Actions before they're used in your workflows?
Know why its important?
Action version pinning
Do you pin third-party GitHub Actions to specific commit SHAs instead of using mutable tags?
Know why its important?
Runner Monitoring & Security
Do you have monitoring and security controls implemented for your GitHub Actions runners?
Know why its important?
Incident Response Readiness
If a third-party action (like tj-actions) gets compromised, are you prepared for incident response? Can you immediately block that action from being used?
Know why its important?
STEPSECURITY CAPABILITIES
RISKS
Real-World Risk: Marketplace Vulnerabilities
Without a formal approval process, developers can use any action from the 25,000+ actions in the GitHub Marketplace. Many of these actions may be:
- Abandoned - No longer maintained or updated
- Malicious - Designed to steal secrets or compromise workflows
- Poorly secured - Don't follow security best practices
Case Study: ReviewDog Action Compromise
The popular ReviewDog action was compromised because anyone could get write access to the action. This weakness allowed attackers to inject malicious code that could access secrets and compromise CI/CD pipelines across thousands of repositories using this action.
️ Real-World Risk: Tag Hijacking Attacks
Using mutable tags instead of pinned commit SHAs leaves your workflows vulnerable to tag hijacking attacks where malicious actors change what code the tag points to.
Case Study: tj-actions Compromise
In 2024, the tj-actions organization was compromised. Attackers modified popular action tags to point to malicious commits instead of the original code. Organizations using these actions with mutable tags (like @v1 or @main) automatically pulled the malicious code, resulting in CI/CD credential theft across hundreds of repositories. Companies that pinned to specific commit SHAs were protected.
Real-World Risk: Blind Spot in Security
Most organizations have comprehensive monitoring for desktops, laptops, and production systems, but CI/CD runners are often a blind spot. This creates an unmonitored attack vector.
Case Study: Codecov Incident
In the Codecov supply chain attack, attackers gained access to CI/CD environments and exfiltrated credentials for months without detection. The breach went unnoticed because organizations had monitoring for their production systems but not for their CI/CD runners. This resulted in thousands of compromised developer credentials and access tokens.
Real-World Risk: Incident Response Chaos
Without incident response capabilities, organizations scramble when supply chain attacks occur, often taking days or weeks to identify and remediate compromised workflows.
Case Study: tj-actions Response Crisis
When the tj-actions compromise was discovered, development and security teams across hundreds of companies scrambled to:
- Find all instances of compromised workflows in their repositories
- Identify which secrets may have been exposed
- Determine the scope of potential credential theft
Companies without proper incident response capabilities took weeks to assess their exposure, during which time attackers continued to have access to compromised credentials.
.png)
