StepSecurity Platform

Network & Infrastructure Security for CI/CD Runners

Compromised workflows, dependencies, and build tools typically make outbound calls to exfiltrate credentials, or may tamper source code, dependencies, or artifacts during the build.

StepSecurity offers a network and runtime security solution for GitHub-hosted and self-hosted environments. This is a purpose built platform based on the learnings from past CI/CD security attacks (e.g., the SolarWinds and Codecov incidents). Our platform monitors process, file, and network activity to detect poisoned workflows and compromised dependencies. It has the following capabilities: Provide contextualized runtime security insights correlated with each step of the workflow. Block egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4) to prevent exfiltration of code and CI/CD credentials. Detect if source code is being tampered during the build process to inject a backdoor Use baselines to detect deviations from the expected runtime behavior.

Harden-Runner detected the tj-actions supply chain incident.

Governance of third-party GitHub Actions

The current enterprise environment faces several challenges regarding the use of third-party GitHub Actions: Lack of Maintenance and Security Controls: Many third-party Actions are not regularly maintained and often fall short of implementing fundamental security best practices, such as branch protection, the utilization of security tools, and the updating of vulnerable dependencies.

Dilemma for Security Teams: Confronted with third-party Actions, security teams in enterprises usually have two choices: Approve an Action deemed high-risk, thereby accepting the associated risks. Reject the Action, leading to potential conflict with developers and decreased productivity. Unfortunately, neither option aligns well with the needs of an enterprise.

StepSecurity offers a novel solution, 'StepSecurity Maintained Actions,' to address these challenges. This solution is tailored for StepSecurity's enterprise clients, streamlining the management and maintenance of third-party GitHub Actions.

Key Features of StepSecurity Maintained Actions:

GitHub Actions Security Score: StepSecurity automatically calculates a score for each GitHub Action based on criteria like use of appropriate license, popularity, vulnerable dependencies, branch protection, use of security tools etc.

Managed and Maintained Third-Party Actions: For our enterprise customers, StepSecurity takes on the responsibility of managing and maintaining third-party Actions. If a customer wishes to onboard a third-party Action not sourced from GitHub or other well-known organizations, StepSecurity will fork the Action. We then apply rigorous security best practices and ensure the Action remains in good standing.

Secure and Reliable for Developers: Developers can confidently use StepSecurity Maintained Actions, assured of their safety and reliability. These Actions meet high security standards, significantly reducing risks.

Benefits for Enterprise Customers:

Enhanced Security: StepSecurity Maintained Actions adhere to stringent security criteria, offering a tangible and measurable improvement in security. This reduces the risk associated with using third-party Actions.

Time Efficiency for Security Teams: By offloading the tasks of reviewing, forking, and maintaining Actions to StepSecurity, security teams can realize substantial time savings. This shift allows security teams to focus on other critical aspects of their role, enhancing overall productivity and security posture within the enterprise.

Orchestrate GitHub Actions Security Best Practices

GitHub recommends security best practices for GitHub Actions in their documentation but does not provide automated checks for them. This makes it hard to know if the best practices are being followed across multiple repositories. StepSecurity automates the status of each of these checks and shows the results in an easy to use dashboard.

Addressing security misconfigurations in GitHub Actions can be laborious for Security and DevOps teams. They aim for developers to adopt uniform, standardized workflows across various repositories yet find it challenging to streamline this process efficiently.

StepSecurity offers a solution with its automated pull request feature. This tool specifically targets misconfigurations in GitHub Actions, facilitating the adoption of standard workflows across different repositories effortlessly. Over 850 open-source projects have benefited from this automation, applying security best practices with ease.