GitHub Cloud is hosted by GitHub whereas GitHub Server is self-hosted by the customer
Public repositories are visible to everyone on the internet and typically host open-source code. Private repositories are only accessible to specific users and typically host proprietary code
GitHub-hosted runners are managed by GitHub and run in GitHub's environment. Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and scales self-hosted runners for GitHub Actions in customer's environment
Support Channels to engage with the StepSecurity team
Harden-Runner can block traffic to remote endpoints that have not been explicitly authorized. This stops attackers from stealing credentials and sensitive data
Harden-Runner monitors the behavior of build tools and dependencies. It flags deviations in baseline.
CI/CD jobs typically don't overwrite source code, this is a potential indicator of compromise. Malicious source code overwrites have caused major supply chain security breaches in the past.
Sudo allows the user to delegate privileges to run commands as a root or another user. Harden-Runner can disable sudo access in CI/CD
For each GitHub Actions workflow run, Harden-Runner monitors run-time network, file, and process events and makes runtime insights available via the StepSecurity Web App.
StepSecurity wait-for-secrets allows project owners to implement multi-factor authentication (MFA) in their release workflows
Harden-Runner can send important runtime CI/CD events to Slack and email workflow execution logs.
Harden-Runner monitors and detects suspicious events for outbound HTTPS encrypted connections from Actions runners.
Organizations can access Harden-Runner runtime insights and detections via APIs. This is useful for central monitoring and SIEM integrations.
Harden-Runner can send important runtime CI/CD events to Slack and email workflow execution logs.
StepSecurity GitHub App enables enterprises to use numerous CI/CD runtime and infrastructure features. You can learn more about the app here: https://github.com/apps/stepsecurity-actions-security
StepSecurity maintained Actions provide secure alternatives for risky third-party Actions in use
The platform indexes all GitHub Actions workflows across the GitHub account and provides an organizational view of all third-party GitHub Actions in use
Discover if you are relying on unmaintained GitHub Actions in your environment
StepSecurity provides a risk score for GitHub Actions based on runtime profile and Actions code analysis
The platform indexes metadata of all GitHub Actions secrets across the GitHub account and provides an organizational view. The platform does not have access to secrets itself.
Discover old secrets in use that have not been rotated
Discover secrets that are not being used by any GitHub Actions workflows
The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. The platform can set least privileged permissions for the token
Detect release workflows that are using long-lived privileged secrets. These workflows could use OIDC that can help eliminate these privileged secrets
