Code Repo SecurityEvery PR screened.
Every PR screened.
Every repo hardened.
Two engines guard your repos: GitHub Checks stop bad dependencies at review time, and Orchestrate Security fixes insecure configurations across thousands of repos with policy-driven pull requests, before any incident. And Apps & PATs governance shows exactly who can touch your code, whether human, app, or token.
Protects Code ReposPull request #482: bump dependencies3 StepSecurity checks ran on this PR
✓Compromised packagesNo known-compromised versions introduced
⏸Cooldown periodleft-pad-utils@4.0.0 published 6h ago, held until the 72h cooldown passes
✕Risky dependency changesaxios@1.12.4 flagged by StepSecurity threat intelligence. Merge blocked
Two engines, one goal
Catch what's incoming. Fix what's already there.
PR screening protects the next merge. Orchestration repairs the last thousand.
GitHub Checks
The gate on every merge
Native GitHub checks on every pull request. There is no new tool for developers to learn.
- Block PRs that pull in compromised package versions
- Enforce cooldown periods before new releases are adopted
- Screen every PR for risky dependency changes
- Findings developers can fix without security's help
- Posture controls like default branch protection, checked daily with guided fixes
Orchestrate SecurityOrchestrate Security docs ↗
Hardening at fleet scale
Define a policy once; StepSecurity opens the PRs that bring every repo up to it.
- Pin GitHub Actions to commit SHAs across all repos
- Replace risky third-party actions with drop-in StepSecurity Maintained Actions, shipped as PRs
- Set least-privilege token permissions automatically
- Roll out secure Dependabot configs org-wide
- Apply workflow and repo hardening from a policy, not a spreadsheet
This is prevention, not response: the fixes land before an attacker finds the gap. After tj-actions, teams with pinned SHAs weren't exploitable. Orchestration is how you get there across thousands of repos.
1 · Policy
pin actions to SHAs
pin actions to SHAs
2 · Scan
1,847 repos out of policy
1,847 repos out of policy
3 · PRs
1,847 fix PRs opened
1,847 fix PRs opened
4 · Done
merged & monitored
merged & monitored
Posture controls
AI agents push code. Branch protection decides what lands.
Coding agents open and push more changes than any human team ever did. Required reviews, blocked force pushes, and admin enforcement on the default branch are what stand between an agent's output and the branch that ships. StepSecurity checks every repo for these protections daily, shows exactly which piece is missing, and helps you fix it across the org.
Control: default branch should be protectedChecked daily on every repository
✕ Failedpayments-apiMissing: required pull request reviews; force pushes not blocked
✕ Failedweb-frontendMissing: admin enforcement, admins can bypass protections
✓ Passeddesign-systemRequired reviews, blocked force pushes, and admin enforcement enabled
Dependency intelligence, shared across the platform
"Are we affected?" is one query, not a war room.
The same dependency graph powers every surface: org-wide package search across repos, pull records from Secure Registry, and local installs from Dev Machine Guard. When the next npm attack lands, you search once and see repos, pipelines, and laptops together, including whether you were exposed in the past, via the historical dependency timeline.
Package search docs ↗Repos · package search CI & laptops · registry pull records Dev machines · local installs History · dependency timeline
npmPyPIMavenSeen in: PRs, default branch & dev machines
Packages included in this search: 1,845 known compromised versions, maintained by StepSecurity threat intelligence
2 results found
Pull RequestBump dependencies #214 · payments-api · detected in package-lock.json+ axios@1.12.4
Developer Machineeng-laptop-042.local · darwin · SN C02XK1ANJGH5axios@1.12.4
Access governance · Apps & PATs
Bad code isn't the only way in. Overprivileged access is the other.
Every GitHub App and personal access token with reach into your repos is an attack path, and most orgs can't list them. StepSecurity inventories all of them, shows what each can actually do, and flags the ones that are overprivileged, stale, or unused, so you can cut access before someone else uses it.
Apps & PATs docs ↗⚙ci-deploy-bot · GitHub Appwrite access to 214 repos · admin on 3Overprivileged
🔑PAT · j.doe (classic)full repo scope · last used 11 months agoStale
⚙legacy-linter · GitHub Appinstalled 2022 · zero API calls in 90 daysUnused
🔑PAT · release-automation (fine-grained)single repo · contents:write onlyScoped
“
StepSecurity enables us to scale security enforcement across thousands of repositories by automatically generating consistent, policy-driven pull requests. This ensures a uniform security baseline without adding manual overhead.
Lynn Tran
Manager, Product Security, Omnissa
From the Omnissa case study →Manager, Product Security, Omnissa
