GitHub Cloud is hosted by GitHub whereas GitHub Server is self-hosted by the customer
Public repositories are visible to everyone on the internet and typically host open-source code. Private repositories are only accessible to specific users and typically host proprietary code
GitHub-hosted runners are managed by GitHub and run in GitHub's environment. Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and scales self-hosted runners for GitHub Actions in the customer's environment
Support Channels to engage with the StepSecurity team
Harden-Runner can block traffic to remote endpoints that have not been explicitly authorized. This stops attackers from stealing credentials and sensitive data
Harden-Runner monitors the behavior of build tools and dependencies. It flags deviations from the baseline.
CI/CD jobs typically don't overwrite source code, so a source code overwrite is a potential indicator of compromise. Malicious source code overwrites have caused major supply chain security breaches in the past.
Sudo allows a user to run commands as root or as another user. Harden-Runner can disable sudo access in CI/CD
For each GitHub Actions workflow run, Harden-Runner monitors run-time network, file, and process events and makes runtime insights available via the StepSecurity Web App.
Harden-Runner can send important runtime CI/CD events to Slack and email workflow execution logs.
StepSecurity wait-for-secrets allows project owners to implement multi-factor authentication (MFA) in their release workflows
The platform indexes all GitHub Actions workflows across the GitHub account and provides an organizational view of all third-party GitHub Actions in use
Discover if you are relying on unmaintained GitHub Actions in your environment
Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release
Evaluate the security posture of all third-party GitHub Actions in use objectively, based on OpenSSF Scorecard
The platform indexes metadata of all GitHub Actions secrets across the GitHub account and provides an organizational view. The platform does not have access to secrets itself.
Discover old secrets in use that have not been rotated
Discover secrets that are not being used by any GitHub Actions workflows
The GITHUB_TOKEN is an automatically generated secret used to make authenticated calls to the GitHub API. The platform can set least-privilege permissions for the token
Detect release workflows that are using long-lived privileged secrets. These workflows could use OIDC, which helps eliminate such privileged secrets
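As an added illustration of the two checks described above (actions not pinned to a full-length commit SHA, and workflows with no top-level permissions block), the following script scans a workflow file with plain regex matching. It is example code written for this page, not StepSecurity's implementation; the workflow text and the 40-hex SHA in it are constructed placeholders.

```python
import re

# Constructed sample workflow for this example (not a real project file).
# The 40-hex value below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches step-level "uses:" and job-level "uses:" (reusable workflows).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def find_unpinned_actions(workflow_text):
    """Return [(line_no, ref)] for remote actions whose @ref is not a full SHA.

    Tags and branches (v4, main) are mutable: the code behind them can change
    after review. Only a 40-hex commit SHA is an immutable reference.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1).strip("\"'")
        # Local composite actions and container images are not marketplace
        # references, so SHA pinning does not apply to them here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


def has_top_level_permissions(workflow_text):
    """True if the workflow restricts GITHUB_TOKEN at the top level."""
    return any(re.match(r"^permissions:", l) for l in workflow_text.splitlines())
```

Running it against the sample reports the two mutable references (`actions/checkout@v4`, `some-org/some-action@main`) and the missing `permissions:` block; the SHA-pinned, local and container steps pass.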