Linux Foundation Rewards StepSecurity’s Impact on CI/CD Pipeline Security Fixes for Critical Open Source Projects


Attacks targeting software supply chains have increased dramatically over the past several years. The Open Source Security Foundation (OpenSSF) Scorecard project rates over-privileged automated workflow tokens as a high-risk issue: if a CI/CD job runs with a token that has write access to the repository, any step that is compromised (for example a malicious or hijacked third-party action) can use that token to push malicious code into the project, and that code then ships in trusted software.
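To make the risk above concrete, here is an added example (not taken from the page or from StepSecurity's tooling) of the same GitHub Actions workflow before and after its token is restricted. The workflow, job names, and build commands are hypothetical; the `permissions:` keys are the standard GitHub Actions syntax. The two documents are shown together separated by `---` for comparison; in a repository each would be its own workflow file.

```yaml
# Added example, not from the original page. Repository contents, job names and
# the build commands (make test, ./scripts/publish.sh) are hypothetical.

# --- Before: over-privileged token ------------------------------------------
# There is no top-level `permissions:` block, so every job inherits the
# repository's default GITHUB_TOKEN scope. If that default is permissive,
# a compromised step in the `test` job holds a token that can write to the
# repository even though the job only needs to read it.
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
---
# --- After: least-privilege token -------------------------------------------
# A top-level `permissions: contents: read` makes the token read-only for every
# job by default. Only the job that actually has to write elevates, and only
# for the single scope it uses, so a compromised test step can no longer push.
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  release:
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write   # needed to publish the release; no other scope granted
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish.sh
```

The check to apply when reviewing a workflow is simple: the top-level block should grant the minimum (usually `contents: read`), and any job-level `permissions:` that widens it should name only the scopes that job demonstrably needs.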

StepSecurity's impact was recently recognized by the Linux Foundation for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.” Using SecureWorkflows, StepSecurity fixed projects selected from the OpenSSF’s list of critical open source projects, including Python, Gatsby, Ruby on Rails and Babel.

According to Varun Sharma, CEO of StepSecurity, who presented SecureWorkflows at the annual Linux Foundation Open Source Summit in Austin, Texas, “Fixing security problems at scale is hard and there is a huge opportunity to improve the security of software by automated one-click remediation.”

StepSecurity created SecureWorkflows in early 2022 to apply security fixes to CI/CD pipelines automatically, significantly reducing the developer time and effort required to apply hardened settings. SecureWorkflows is now also integrated with the OpenSSF’s Scorecard project.

This press release is also available on BusinessWire.