{"id":13841937,"url":"https://github.com/step-security/secure-repo","last_synced_at":"2026-01-17T01:20:36.654Z","repository":{"id":36958374,"uuid":"416141899","full_name":"step-security/secure-repo","owner":"step-security","description":"Orchestrate GitHub Actions Security","archived":false,"fork":false,"pushed_at":"2026-01-13T04:45:51.000Z","size":18272,"stargazers_count":302,"open_issues_count":563,"forks_count":50,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-01-13T07:51:20.930Z","etag":null,"topics":["actions","github","github-actions","golang","security","security-tools","supply-chain-security","workflow"],"latest_commit_sha":null,"homepage":"https://app.stepsecurity.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/step-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-10-12T01:31:29.000Z","updated_at":"2026-01-12T04:21:11.000Z","dependencies_parsed_at":"2024-06-10T09:17:19.921Z","dependency_job_id":"341104f3-0da5-4690-aa01-806528debe7e","html_url":"https://github.com/step-security/secure-repo","commit_stats":{"total_commits":819,"total_committers":23,"mean_commits":"35.608695652173914","dds":0.6532356532356532,"last_synced_commit":"a21a27db7f4ffc5039c51d81c43fea838935cce6"},"previous_names":[],"tags_count":27,"template":false,"template_full_name":null,"purl":"pkg:github/step-security/secure-repo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/r
epositories/step-security%2Fsecure-repo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fsecure-repo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fsecure-repo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fsecure-repo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/step-security","download_url":"https://codeload.github.com/step-security/secure-repo/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fsecure-repo/sbom","scorecard":{"id":1239043,"data":{"date":"2025-10-15T16:40:49Z","repo":{"name":"github.com/step-security/secure-repo","commit":"48c05bac3ee824094e5177362e800d5bb4ae71cb"},"scorecard":{"version":"v5.1.1","commit":"cd152cb6742c5b8f2f3d2b5193b41d9c50905198"},"score":7.8,"checks":[{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge 
requests) are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#code-review"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dependency-update-tool"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":6,"reason":"8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Warn: jobLevel 'actions' permission set to 'write': .github/workflows/automatePR.yml:16","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32","Info: jobLevel 'contents' permission set to 'read': .github/workflows/int.yml:14","Info: jobLevel 'contents' permission set to 'read': .github/workflows/kb-test.yml:14","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/kbanalysis.yml:20","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:15","Info: jobLevel 'contents' permission set to 'read': 
.github/workflows/test.yml:16","Info: topLevel 'contents' permission set to 'read': .github/workflows/automatePR.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24","Info: topLevel 'contents' permission set to 'read': .github/workflows/int.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/kb-test.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/kbanalysis.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:10","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:11"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#token-permissions"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU Affero General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#license"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#cii-best-practices"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":7,"reason":"dependency not pinned by hash detected -- score normalized to 7","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/kbanalysis.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/step-security/secure-repo/kbanalysis.yml/main?enable=pin","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-multiple-images:1","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-multiple-images:22: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-multiple-images:24: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-multiple-images:26: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-not-pinned:16: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-not-pinned-as:16","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-not-pinned-as:22","Warn: pipCommand not pinned by hash: testfiles/dockerfiles/input/Dockerfile-not-pinned:36-38","Warn: pipCommand not pinned by hash: testfiles/dockerfiles/input/Dockerfile-not-pinned:36-38","Warn: pipCommand not pinned by hash: testfiles/dockerfiles/output/Dockerfile-not-pinned:36-38","Warn: 
pipCommand not pinned by hash: testfiles/dockerfiles/output/Dockerfile-not-pinned:36-38","Info:  18 out of  18 GitHub-owned GitHubAction dependencies pinned","Info:  22 out of  23 third-party GitHubAction dependencies pinned","Info:  17 out of  24 containerImage dependencies pinned","Info:   0 out of   4 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/int.yml:12"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#packaging"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":0,"reason":"49 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-7r3h-m5j6-3q42","Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: 
GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-4hjh-wcwx-xvwj","Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6","Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx","Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp","Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc","Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GHSA-hqxw-f8mx-cpmw","Warn: Project is vulnerable to: GO-2023-1699 / GHSA-232p-vwff-86mp","Warn: Project is vulnerable to: GO-2023-1700 / GHSA-33pg-m6jh-5237","Warn: Project is vulnerable to: GO-2025-3829 / GHSA-4vq8-7jfc-9cvp","Warn: Project is vulnerable to: GO-2023-1701 / GHSA-6wrf-mxfj-pf5p","Warn: Project is vulnerable to: GHSA-jq35-85cj-fj4p","Warn: Project is vulnerable to: GHSA-mq39-4gv4-mvpx","Warn: Project is vulnerable to: GO-2022-0985 / GHSA-rc4r-wh2q-q6c4","Warn: Project is vulnerable to: GO-2024-3005 / GHSA-v23v-6jw2-98fq","Warn: Project is vulnerable to: GO-2022-1107 / GHSA-vp35-85q5-9f25","Warn: Project is vulnerable to: GO-2024-2512 / GHSA-xw73-rw38-6vjc","Warn: Project is vulnerable to: GO-2025-3553 / GHSA-mh63-6h87-95cp","Warn: Project is vulnerable to: GO-2023-2379 / GHSA-7f9x-gw85-8grf","Warn: Project is vulnerable to: GO-2024-2632 / GHSA-hj3v-m684-v259","Warn: Project is vulnerable to: GO-2024-2454 / GHSA-pvcr-v8j8-j5q3","Warn: Project is vulnerable to: GO-2023-1859 / GHSA-rm8v-mxj3-5rmq","Warn: Project is vulnerable to: GO-2024-2494 / GHSA-4v98-7qmw-rqr8","Warn: Project is vulnerable to: GO-2024-2492 / GHSA-9p26-698r-w4hx","Warn: Project is vulnerable to: GHSA-gc89-7gcr-jxqc","Warn: Project is vulnerable to: GO-2024-2493 / GHSA-m3r6-h7wv-7xxv","Warn: Project is vulnerable to: GO-2024-2497 / GHSA-wr6v-9f75-vh2g","Warn: Project is vulnerable to: GO-2023-2402 / GHSA-45x7-px36-x8w8","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: 
GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2024-2961","Warn: Project is vulnerable to: GO-2023-1988 / GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2022-0969 / GHSA-69cg-p879-7622","Warn: Project is vulnerable to: GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2023-1571 / GHSA-vvpx-j8f3-3w6h","Warn: Project is vulnerable to: GO-2022-1144 / GHSA-xrjj-mj9h-534m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3488 / GHSA-6v2p-p543-phr9","Warn: Project is vulnerable to: GO-2024-2611 / GHSA-8r3f-844c-mc37","Warn: Project is vulnerable to: GO-2022-0603 / GHSA-hp87-p4gw-j4gq"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#sast"}},{"name":"CI-Tests","score":10,"reason":"9 out of 9 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 3 contributing companies or organizations -- score normalized to 
10","details":["Info: found contributions from: ait pune, step-security, stepsecurity"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#contributors"}}]},"last_synced_at":"2025-10-21T12:31:53.514Z","repository_id":36958374,"created_at":"2025-10-21T12:31:53.514Z","updated_at":"2025-10-21T12:31:53.514Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28491392,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T00:50:05.742Z","status":"ssl_error","status_checked_at":"2026-01-17T00:43:11.982Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","github","github-actions","golang","security","security-tools","supply-chain-security","workflow"],"created_at":"2024-08-04T17:01:24.488Z","updated_at":"2026-01-17T01:20:36.636Z","avatar_url":"https://github.com/step-security.png","language":"Go","funding_links":[],"categories":["github","security-tools","Workflow and runner hardening","Go"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\u003cimg src=\"images/banner1.png\" width=\"350\" /\u003e\u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n[![Maintained by 
stepsecurity.io](https://img.shields.io/badge/maintained%20by-stepsecurity.io-blueviolet)](https://stepsecurity.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=secure-repo)\n[![Go Report Card](https://goreportcard.com/badge/github.com/step-security/secure-repo)](https://goreportcard.com/report/github.com/step-security/secure-repo)\n[![codecov](https://codecov.io/gh/step-security/secure-repo/branch/main/graph/badge.svg?token=02ONA6U92A)](https://codecov.io/gh/step-security/secure-repo)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/step-security/secure-repo/badge)](https://api.securityscorecards.dev/projects/github.com/step-security/secure-repo)\n\n\u003c/div\u003e\n\n\u003cp align=\"center\"\u003e\nAutomatically apply security best practices in your GitHub repository\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"images/secure-repo-1.gif\" alt=\"Secure repo screenshot\" \u003e\n\u003c/p\u003e\n\n\u003ch3\u003e\n  \u003ca href=\"#catalog-of-fixes\"\u003eCatalog of Fixes\u003c/a\u003e \n   \u003cspan\u003e • \u003c/span\u003e\n  \u003ca href=\"#quickstart\"\u003eQuickstart\u003c/a\u003e\n   \u003cspan\u003e • \u003c/span\u003e\n  \u003ca href=\"#contributing\"\u003eContributing\u003c/a\u003e  \n\u003c/h3\u003e\n\n## Catalog of Fixes\n\n1. [Automatically set minimum GITHUB_TOKEN permissions](#1-automatically-set-minimum-github_token-permissions)\n2. [Add Harden-Runner GitHub Action to each job](#2-add-harden-runner-github-action-to-each-job)\n3. [Pin Actions to a full length commit SHA](#3-pin-actions-to-a-full-length-commit-sha)\n4. [Pin image tags to digests in Dockerfiles](#4-pin-image-tags-to-digests-in-dockerfiles)\n5. [Add or update Dependabot configuration](#5-add-or-update-dependabot-configuration)\n6. [Add CodeQL workflow (SAST)](#6-add-codeql-workflow-sast)\n7. [Add Dependency review workflow](#7-add-dependency-review-workflow)\n8. 
[Add OpenSSF Scorecard workflow](#8-add-openssf-scorecard-workflow)\n\n### 1. Automatically set minimum GITHUB_TOKEN permissions\n\n#### Why is this needed?\n\n- The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API\n- If the token is compromised, it can be abused to compromise your environment (e.g., to overwrite releases or source code). This compromise will also impact everyone using your software in their supply chain.\n- To limit the damage, [GitHub recommends setting minimum token permissions for the GITHUB_TOKEN](https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/).\n\n#### Before and After the fix\n\n**Pull request example**: https://github.com/nginxinc/kubernetes-ingress/pull/3134\n\nIn this pull request, minimum permissions are set automatically for the GITHUB_TOKEN.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/token-perm-example.png\" alt=\"Screenshot of token permissions set in a workflow\" width=\"600\" /\u003e\u003c/p\u003e\n\n#### How does Secure-Repo fix this issue?\n\n- Secure-Repo stores the permissions needed by different GitHub Actions in a [knowledge base](https://github.com/step-security/secure-repo/tree/main/knowledge-base/actions)\n- It looks up the permissions needed by each Action in your workflow and merges them into a single recommendation\n- If you are the owner of a GitHub Action, please [contribute to the knowledge base](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md)\n\n### 2. 
Add Harden-Runner GitHub Action to each job\n\n#### Why is this needed?\n\n[Harden-Runner GitHub Action](https://github.com/step-security/harden-runner) installs a security agent on the GitHub-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies.\n\n#### Before and After the fix\n\n**Pull request example**: https://github.com/python-attrs/attrs/pull/1034\n\nThis pull request adds the Harden Runner GitHub Action to the workflow file.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/harden-runner-example.png\" width=\"600\" alt=\"Screenshot of Harden-Runner GitHub Action added to a workflow\" /\u003e\u003c/p\u003e\n\n#### How does Secure-Repo fix this issue?\n\nSecure-Repo updates the YAML file and adds [Harden-Runner GitHub Action](https://github.com/step-security/harden-runner) as the first step to each job.\n\n### 3. Pin Actions to a full length commit SHA\n\n#### Why is this needed?\n\n- GitHub Action tags and Docker tags are mutable, which poses a security risk\n- If the tag changes you will not have a chance to review the change before it gets used\n- GitHub's Security Hardening for GitHub Actions guide [recommends pinning actions to full length commit for third party actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions).\n\n#### Before and After the fix\n\nBefore the fix, your workflow may look like this (use of `v1` and `latest` tags).\n\nAfter the fix, Secure-Repo pins each Action and docker image to an immutable checksum.\n\n**Pull request example**: https://github.com/electron/electron/pull/36343\n\nIn this pull request, the workflow file has the GitHub Actions tags pinned automatically to their full-length commit SHA.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/pin-example.png\" alt=\"Screenshot of Action pinned to commit SHA\" width=\"600\" /\u003e\u003c/p\u003e\n\n#### How does Secure-Repo fix this 
issue?\n\n- Secure-Repo automates the process of getting the commit SHA for each mutable Action version or Docker image tag\n- It does this by using GitHub and Docker registry APIs\n\n### 4. Pin image tags to digests in Dockerfiles\n\n#### Why is this needed?\n\n- Docker tags are mutable, so use digests in place of tags when pulling images\n- If the tag changes you will not have a chance to review the change before it gets used\n- OpenSSF Scorecard [recommends pinning image tags for Dockerfiles used in building and releasing your project](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies).\n\n#### Before and After the fix\n\nBefore the fix, your Dockerfile uses image:tag, e.g. `rust:latest`\n\nAfter the fix, Secure-Repo pins each docker image to an immutable checksum, e.g. `rust:latest@sha256:02a53e734724bef4a58d856c694f826aa9e7ea84353516b76d9a6d241e9da60e`.\n\n**Pull request example**: https://github.com/fleetdm/fleet/pull/10205\n\nIn this pull request, the Docker file has tags pinned automatically to their checksum.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/pin-docker-example.png\" alt=\"Screenshot of docker image pinned to checksum\" width=\"600\" /\u003e\u003c/p\u003e\n\n#### How does Secure-Repo fix this issue?\n\n- Secure-Repo automates the process of getting the checksum for each Docker image tag\n- It does this by using Docker registry APIs\n\n### 5. 
Add or update Dependabot configuration\n\n#### Why is this needed?\n\n- You enable Dependabot version updates by checking a `dependabot.yml` configuration file into your repository\n- Dependabot ensures that your repository automatically keeps up with the latest releases of the packages and applications it depends on\n\n#### Before and After the fix\n\nBefore the fix, you might not have a `dependabot.yml` file or it might not cover all ecosystems used in your project.\n\nAfter the fix, the `dependabot.yml` file is added or updated with configuration for all package ecosystems used in your project.\n\n**Pull request example**: https://github.com/muir/libschema/pull/31\n\nThis pull request updates the Dependabot configuration.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/dependabot-example.png\" width=\"600\" alt=\"Screenshot of Dependabot config updated\" /\u003e\u003c/p\u003e\n\n#### How does Secure-Repo fix this issue?\n\nSecure-Repo updates the `dependabot.yml` file to add missing ecosystems. For example, if the Dependabot configuration updates npm packages but not GitHub Actions, it is updated to add the GitHub Actions ecosystem.\n\n### 6. Add CodeQL workflow (SAST)\n\n#### Why is this needed?\n\n- Using Static Application Security Testing (SAST) tools can prevent known classes of bugs from being introduced in the codebase\n\n#### Before and After the fix\n\nBefore the fix, you do not have a CodeQL workflow.\n\nAfter the fix, a `codeql.yml` GitHub Actions workflow gets added to your project.\n\n**Pull request example**: https://github.com/rubygems/rubygems.org/pull/3314\n\nThis pull request adds CodeQL to the list of workflows.\n\n#### How does Secure-Repo fix this issue?\n\nSecure-Repo has a [workflow-templates](https://github.com/step-security/secure-repo/tree/main/workflow-templates) folder. This folder has the default CodeQL workflow, which gets added as part of the pull request. 
The placeholder for languages in the template gets replaced with languages for your GitHub repository.\n\n### 7. Add Dependency review workflow\n\n#### Why is this needed?\n\n- The Dependency review workflow scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities.\n- This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.\n\n#### Before and After the fix\n\nBefore the fix, you do not have a dependency review workflow.\n\nAfter the fix, a `depdendency-review.yml` GitHub Actions workflow gets added to your project.\n\n**Pull request example**: https://github.com/input-output-hk/catalyst-core/pull/286\n\nThis pull request adds GitHub's `actions/dependency-review-action` workflow to the list of workflows.\n\n#### How does Secure-Repo fix this issue?\n\nSecure-Repo has a [workflow-templates](https://github.com/step-security/secure-repo/tree/main/workflow-templates) folder. This folder has the default dependency review workflow, which gets added as part of the pull request.\n\n### 8. 
Add OpenSSF Scorecard workflow\n\n#### Why is this needed?\n\n- OpenSSF Scorecard is an automated tool that assesses a number of important heuristics (\"checks\") associated with software security and assigns each check a score of 0-10.\n- You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.\n\n#### Before and After the fix\n\nBefore the fix, you do not have an OpenSSF Scorecard workflow.\n\nAfter the fix, a `scorecards.yml` GitHub Actions workflow gets added to your project.\n\n**Pull request example**: https://github.com/microsoft/CLRInstrumentationEngine/pull/527\n\nThis pull request adds OpenSSF Scorecard to the list of workflows.\n\n#### How does Secure-Repo fix this issue?\n\nSecure-Repo has a [workflow-templates](https://github.com/step-security/secure-repo/tree/main/workflow-templates) folder. This folder has the default Scorecard workflow, which gets added as part of the pull request.\n\n## Quickstart\n\n### Hosted Instance: [app.stepsecurity.io/securerepo](https://app.stepsecurity.io/securerepo)\n\nTo secure your GitHub repo using a pull request:\n\n- Go to https://app.stepsecurity.io/securerepo and enter your public GitHub repository\n- Log in using your GitHub Account (no need to install any App or grant `write` access)\n- View recommendations and click `Create pull request.` Here is an example pull request: https://github.com/electron/electron/pull/36343.\n\n### Integration with OpenSSF Scorecard\n\n- Add [OpenSSF Scorecards](https://github.com/ossf/scorecard-action) starter workflow\n- View the Scorecard results in GitHub Code Scanning UI\n- Follow the remediation tip that points to https://app.stepsecurity.io\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"images/SecureWorkflowsIntegration.png\" alt=\"Secure repo Scorecard integration screenshot\" width=\"600\"\u003e\n\u003c/p\u003e\n\n### Self Hosted\n\nTo create an instance of Secure Workflows, deploy 
_cloudformation/ecr.yml_ and _cloudformation/resources.yml_ CloudFormation templates in your AWS account. You can take a look at _.github/workflows/release.yml_ for reference.\n\n## Contributing\n\nContributions are welcome!\n\nIf you are the owner of a GitHub Action, please contribute information about the use of GITHUB_TOKEN for your Action. This will enable the community to automatically calculate minimum token permissions for the GITHUB_TOKEN for their workflows. Check out the [Contributing Guide](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstep-security%2Fsecure-repo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstep-security%2Fsecure-repo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstep-security%2Fsecure-repo/lists"}
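The two workflow rewrites the README above describes, pinning `uses:` references to a full commit SHA (fix 3) and deriving a least-privilege `permissions:` set from a per-action knowledge base (fix 1), as an added Go example that is not secure-repo's own code. It assumes a constructed `Resolver` map standing in for the GitHub API lookup the real tool performs, a constructed three-entry knowledge base standing in for the project's `knowledge-base/actions` folder, and placeholder SHAs (runs of `a`, `b` and `1`) that are not the real commits of these actions. Lines that are already pinned, `docker://` images, local `./` actions and refs the resolver cannot answer are left untouched, and actions missing from the knowledge base are reported rather than silently dropped, because an under-scoped token breaks the job.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// usesRe captures the prefix, action slug (owner/repo[/path]) and ref of a `uses:`
// step. docker:// images and local ./ actions deliberately do not match.
var usesRe = regexp.MustCompile(`^(\s*-?\s*uses:\s*)([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)(\s*#.*)?$`)
var fullShaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Resolver maps "owner/repo@ref" to a full commit SHA. secure-repo gets this from
// the GitHub API; here it is a constructed map so the example runs offline.
type Resolver map[string]string

// Perms is one knowledge-base entry: GITHUB_TOKEN scope -> "read" or "write".
type Perms map[string]string

func ownerRepo(slug string) string {
	if p := strings.SplitN(slug, "/", 3); len(p) >= 2 {
		return p[0] + "/" + p[1]
	}
	return slug
}

// PinLine rewrites a step on a mutable tag or branch to the same action at a
// full-length commit SHA, keeping the readable ref as a trailing comment. Steps
// already on a SHA, docker:// images, local actions and refs the resolver cannot
// answer come back unchanged: a pinner must never guess a SHA.
func PinLine(line string, r Resolver) string {
	m := usesRe.FindStringSubmatch(line)
	if m == nil || fullShaRe.MatchString(m[3]) {
		return line
	}
	sha, ok := r[ownerRepo(m[2])+"@"+m[3]]
	if !ok {
		return line
	}
	return fmt.Sprintf("%s%s@%s # %s", m[1], m[2], sha, m[3])
}

// ExtractUses lists every `uses:` target in a workflow, in step order.
func ExtractUses(workflow string) []string {
	var out []string
	for _, l := range strings.Split(workflow, "\n") {
		l = strings.TrimPrefix(strings.TrimSpace(l), "- ")
		if !strings.HasPrefix(l, "uses:") {
			continue
		}
		if f := strings.Fields(strings.TrimPrefix(l, "uses:")); len(f) > 0 {
			out = append(out, f[0])
		}
	}
	return out
}

// MinPermissions unions the scopes of every action the knowledge base knows, with
// "write" beating "read" on the same scope. Unknown actions are returned separately:
// silently omitting them would under-scope the token and break the job.
func MinPermissions(uses []string, kb map[string]Perms) (Perms, []string) {
	perms := Perms{}
	var unknown []string
	for _, u := range uses {
		need, ok := kb[ownerRepo(strings.SplitN(u, "@", 2)[0])]
		if !ok {
			unknown = append(unknown, u)
			continue
		}
		for scope, level := range need {
			if level == "write" || perms[scope] == "" {
				perms[scope] = level
			}
		}
	}
	return perms, unknown
}

// SortedScopes returns the scope names in stable order so a rendered
// permissions block gives an identical pull request diff on every run.
func SortedScopes(p Perms) []string {
	scopes := make([]string, 0, len(p))
	for s := range p {
		scopes = append(scopes, s)
	}
	sort.Strings(scopes)
	return scopes
}

// Constructed sample inputs; the SHAs are placeholders, not these actions' real commits.
const sampleWorkflow = `    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/analyze@v3
      - uses: actions/upload-artifact@1111111111111111111111111111111111111111 # v4
      - uses: docker://alpine:3.19
`

var sampleResolver = Resolver{"actions/checkout@v4": strings.Repeat("a", 40), "github/codeql-action@v3": strings.Repeat("b", 40)}

var sampleKB = map[string]Perms{
	"actions/checkout":        {"contents": "read"},
	"github/codeql-action":    {"contents": "read", "security-events": "write"},
	"actions/upload-artifact": {},
}

func main() {
	for _, l := range strings.Split(sampleWorkflow, "\n") {
		fmt.Println(PinLine(l, sampleResolver))
	}
	perms, unknown := MinPermissions(ExtractUses(sampleWorkflow), sampleKB)
	fmt.Println("permissions:")
	for _, s := range SortedScopes(perms) {
		fmt.Printf("  %s: %s\n", s, perms[s])
	}
	fmt.Println("not in knowledge base:", unknown)
}
```

In production the `Resolver` would be filled from the GitHub API or `git ls-remote`, and the same line-oriented approach is what keeps the pull request diff limited to the `uses:` lines; the trailing `# v4` comment is what lets Dependabot keep bumping the pinned SHA (fix 5). Treating `docker://alpine:3.19` as unknown is this example's choice: images pulled by `uses:` need digest pinning (fix 4) rather than a GITHUB_TOKEN scope, so a real tool would route them to the Docker registry lookup instead.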