StepSecurity Actions Security

GitHub App

πŸ›‘οΈ What is StepSecurity?

StepSecurity is a robust security platform specifically designed to enhance the security of GitHub Actions. It safeguards the following layers:

  • Action Runners
  • GitHub Action Workflow Files
  • Third-party GitHub Actions

GitHub Actions execute untrusted code in a privileged environment. StepSecurity's App is essential for those concerned about:

  1. Theft of CI/CD credentials, which can compromise your cloud infrastructure.
  2. Tampering with release builds, leading to supply chain attacks.
  3. Risks from third-party GitHub Actions, which can introduce security vulnerabilities into your CI/CD pipeline.

🚀 Trusted by Industry Leaders

Harden-Runner, a flagship solution from StepSecurity, safeguards over 5,000 open-source projects and enterprises, including industry giants like Microsoft, Google, and Kubernetes.


🔑 Permission Requirements

The StepSecurity App requires minimal permissions to operate securely. It only needs the following read-only permissions on your repositories:

  • actions: read
  • secrets: read
  • organization_secrets: read

📌 Why These Permissions?

The secrets: read and organization_secrets: read permissions provide access only to metadata about secrets. StepSecurity does not access the actual secret values. These permissions enable the App to:

  • Identify secrets that have not been rotated for a long time.
  • Enhance security insights without compromising sensitive data.

Additionally, as outlined in the official GitHub API documentation, these permissions return only:

  • The name of the secret.
  • When it was created.
  • When it was last updated.
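The kind of rotation check this metadata allows, as an added example (not StepSecurity's code): it reads a constructed response shaped like GitHub's "List repository secrets" API output and flags secrets whose last update is older than a threshold. The 90-day threshold, the secret names and the function names are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a "List repository secrets" response.
# Only name, created_at and updated_at are present; no secret value is returned.
SAMPLE_RESPONSE = json.dumps({
    "total_count": 3,
    "secrets": [
        {"name": "AWS_DEPLOY_KEY", "created_at": "2021-03-02T10:14:04Z",
         "updated_at": "2021-03-02T10:14:04Z"},
        {"name": "NPM_TOKEN", "created_at": "2022-06-11T08:00:00Z",
         "updated_at": "2024-05-20T09:30:00Z"},
        {"name": "SLACK_WEBHOOK", "created_at": "2023-01-15T12:00:00Z",
         "updated_at": "2023-09-01T12:00:00Z"},
    ],
})

MAX_AGE = timedelta(days=90)  # assumed rotation policy, not a StepSecurity default


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_secrets(response_body, now, max_age=MAX_AGE):
    """Return (name, age_in_days, never_rotated) for overdue secrets, oldest first."""
    findings = []
    for secret in json.loads(response_body).get("secrets", []):
        created = parse_ts(secret["created_at"])
        updated = parse_ts(secret["updated_at"])
        age = now - updated
        if age > max_age:
            # updated_at == created_at means the value was never replaced.
            findings.append((secret["name"], age.days, updated == created))
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    as_of = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for reproducible output
    for name, days, never in stale_secrets(SAMPLE_RESPONSE, as_of):
        note = "never rotated since creation" if never else "rotated before, now overdue"
        print(f"{name}: last updated {days} days ago ({note})")
```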

🔒 Commitment to Security

StepSecurity is built with a security-first mindset, ensuring that it never accesses customer code or secret values. By focusing on metadata insights, it strengthens security without compromising user privacy.


📞 Support

Need help? Our support team is here to assist you with any questions or security concerns.

📧 Email: support@stepsecurity.io

StepSecurity Actions Security is provided by a third party and is governed by separate terms of service, privacy policy, and support documentation.
