Case Study

How Kolsetu Secures Elba’s AI Pipelines Against Supply Chain Attacks with StepSecurity

Kolsetu deployed StepSecurity to harden Elba’s CI/CD pipelines—giving regulated enterprise customers the auditable, evidenced security posture they demand.

Runners: GitHub-Hosted

Background

Elba, built by Kolsetu GmbH, is an AI-powered agentic workforce platform purpose-built for regulated enterprises. Elba enables businesses to deploy voice, messaging, and multi-channel AI agents that handle real-time customer interactions, compliance-sensitive workflows, and enterprise automation at scale.

Elba runs across multiple cloud providers and regions, serving enterprise customers in healthcare, insurance, financial services, and the public sector, industries where the standards for security, data residency, and compliance are high and non-negotiable. The engineering team relies on GitHub Actions as the backbone of its CI/CD pipeline, spanning code quality, security scanning, container builds, and deployments to multi-cloud, multi-region infrastructure.

Challenge

CI/CD pipelines are where code, secrets, credentials, third-party actions, and deployment logic all converge, which makes them a high-value target. For Kolsetu, the stakes are especially high: Elba is deployed in regulated industries where a security incident is not just an engineering problem but a compliance and customer trust problem. Enterprise customers in these sectors conduct deep vendor due diligence and ask hard questions about how software is built and whether the development environment itself could be an attack vector.

The team needed to address several specific risks without slowing down engineering velocity:

  • Mutable action tags: Referencing third-party GitHub Actions by a tag such as @v4 or @latest is convenient but dangerous. A tag is a movable pointer: whoever controls the action's repository, including an attacker who has compromised a maintainer's account, can silently point it at malicious code, and every downstream workflow that references the tag runs that code on its next run.
  • Unmonitored outbound network calls: GitHub-hosted runners allow unrestricted outbound traffic, so any workflow step, including a third-party action, can send build secrets or cloud credentials to an external host, and nothing in GitHub Actions raises an alert by default.
  • Dependency and licence risk: With a large JavaScript, TypeScript, and Python codebase, newly introduced packages can carry known vulnerabilities or incompatible licences that create security and legal exposure in regulated enterprise deployments.
  • No centralised visibility: Without a dedicated tool, spotting anomalous CI behaviour, such as a step that suddenly contacts a host it never contacted before, across dozens of workflow runs per day is essentially impossible.

Solution

Kolsetu chose StepSecurity for its ease of adoption, runtime visibility, and ability to enforce security best practices by default, without requiring each engineer to apply them manually. The team deployed Harden-Runner (the step-security/harden-runner action) as the opening step of every GitHub Actions job in the repository, so that every build, scan, and deployment run produces a consistent audit trail of all outbound network activity.

StepSecurity now plays a central role in Kolsetu’s CI/CD security strategy. The platform has given the team:

  • Runtime egress monitoring across every workflow run: a full audit trail of all outbound network calls, attributed to the step and the process that made them, in real time.
  • Pinning of all third-party actions to full commit SHAs. A commit SHA cannot be moved, so even if a maintainer's account is compromised and a tag is silently redirected, workflows keep running the reviewed commit rather than tampered code.
  • Automated dependency and licence review on every pull request, enforcing a licence allowlist aligned with ISO 27001 requirements and blocking restrictive licences that would create legal exposure in regulated deployments.
  • Daily vulnerability scanning with a hard gate: a critical CVE in any production dependency stops the pipeline before it can reach a production deployment.
  • Multi-language static analysis via CodeQL Advanced, covering GitHub Actions workflow YAML, the JavaScript/TypeScript frontend, and the Python backend, catching expression injection and other unsafe uses of untrusted input in workflow files.
  • Continuous OpenSSF Scorecard publication, with results surfaced directly in GitHub's code scanning dashboard as an independently verifiable, third-party assessment of supply chain security posture.
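The two per-job invariants described above, SHA pinning of every `uses:` reference and Harden-Runner as the first step of every job, are the kind of thing a reviewer can check mechanically. The script below is an added example, not StepSecurity's or Kolsetu's own tooling: a small line-based audit of workflow YAML that flags unpinned references and jobs that do not open with step-security/harden-runner. The two embedded workflows are constructed for this example (they are not Elba's), and the 40-hex commit SHAs in the hardened version are placeholders, not real commits. The `egress-policy`, `allowed-endpoints`, `fail-on-severity` and `allow-licenses` inputs are real inputs of the actions shown, but the endpoint and licence lists are illustrative assumptions.

```python
"""Added example (not StepSecurity's or Kolsetu's code): a line-based audit of
GitHub Actions workflow YAML for two controls: every `uses:` pinned to a full
commit SHA, and harden-runner as the first step of every job. Assumes
conventional 2-space YAML indentation; it is not a full YAML parser."""
import re
from typing import Dict, List, Optional, Tuple

HARDEN_RUNNER = "step-security/harden-runner"
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
JOBS_RE = re.compile(r"^jobs:\s*$")
JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")  # job id at 2-space indent
STEPS_RE = re.compile(r"^\s*steps:\s*$")
ITEM_RE = re.compile(r"^(\s*)-\s")  # start of a YAML list item


def is_sha_pinned(uses: str) -> bool:
    """True when the ref after '@' is a 40-hex commit SHA. Local actions
    (./path) and docker:// images are not resolved from a git tag, so they
    are out of scope here and pass."""
    if uses.startswith("./") or uses.startswith("docker://"):
        return True
    _, _, ref = uses.partition("@")
    return bool(SHA_RE.match(ref))


def audit_workflow(text: str) -> Dict[str, List]:
    """Return unpinned `uses:` refs as (line, ref) and the ids of jobs whose
    first step is not harden-runner."""
    unpinned: List[Tuple[int, str]] = []
    first_step: Dict[str, Optional[str]] = {}  # job id -> ref of its first step
    in_jobs = in_steps = False
    job, step_indent, step_count = "", None, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if JOBS_RE.match(line):
            in_jobs = True
            continue
        job_match = JOB_RE.match(line)
        if in_jobs and job_match:
            job, in_steps, step_indent, step_count = job_match.group(1), False, None, 0
            continue
        if in_jobs and STEPS_RE.match(line):
            in_steps, first_step[job] = True, None
            continue
        item = ITEM_RE.match(line)
        if in_steps and item:  # count top-level step items only, not nested lists
            indent = len(item.group(1))
            step_indent = indent if step_indent is None else step_indent
            if indent == step_indent:
                step_count += 1
        uses = USES_RE.match(line)
        if uses:
            ref = uses.group(1)
            if step_count == 1 and first_step.get(job) is None:
                first_step[job] = ref  # the `uses:` of this job's first step
            if not is_sha_pinned(ref):
                unpinned.append((lineno, ref))
    # Only the first step can observe every later step's egress, so each job
    # that has steps must open with harden-runner.
    missing = [j for j, ref in first_step.items()
               if not (ref or "").startswith(HARDEN_RUNNER + "@")]
    return {"unpinned": unpinned, "missing_harden_runner": missing}


# Constructed sample workflows, not Elba's. The 40-hex SHAs are placeholders,
# not real commits; a real pin is the commit a reviewed tag resolved to.
BEFORE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci && npm test
"""

AFTER_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0000000000000000000000000000000000000000 # placeholder
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@1111111111111111111111111111111111111111 # placeholder
      - uses: actions/dependency-review-action@3333333333333333333333333333333333333333 # placeholder
        with:
          fail-on-severity: critical
          allow-licenses: MIT,Apache-2.0,BSD-3-Clause
      - uses: actions/setup-node@2222222222222222222222222222222222222222 # placeholder
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for label, workflow in (("before", BEFORE_WORKFLOW), ("after", AFTER_WORKFLOW)):
        print(label, audit_workflow(workflow))
```

The "before" workflow yields two unpinned references and one job without Harden-Runner; the "after" workflow yields none of either, and additionally shows the pull request dependency review gate (critical severity, licence allowlist) from the list above. Pinning by SHA only pays off if the pins are kept current, so in practice the SHA-plus-version-comment form is maintained by a tool such as Dependabot or Renovate that bumps the SHA and the comment together.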
The combination of SHA pinning, runtime hardening, and automated dependency review means Kolsetu’s security posture does not depend on individual engineers remembering to apply best practices. It is enforced at the pipeline level, consistently, across every run. When security teams at enterprise customers ask how Kolsetu protects its software supply chain, the team can give specific, evidenced answers—Scorecard results, dependency review audit trails, daily vulnerability gates—that compliance teams and security auditors can actually evaluate.

“StepSecurity keeps us on top of supply chain attacks and pipeline security. When you’re shipping AI systems into regulated industries, that visibility and control isn’t optional—it’s the baseline your customers expect.”

— Virendra Singh Bhalothia, CTO, Kolsetu
