step-security/secure-repo

Secure-Workflows

License: AGPL v3

Secure-Workflows is an open-source API that secures GitHub Actions workflows by automatically updating the workflow (YAML) files. To use Secure-Workflows, go to https://app.stepsecurity.io/

The API takes in a GitHub Actions workflow file as an input and returns a transformed workflow YAML file with the following changes:

  1. Minimum GITHUB_TOKEN permissions are set for each job
  2. Actions are pinned to a full length commit SHA
  3. Harden-Runner GitHub Action is added to each job

The GitHub Actions Hardening Guide recommends #1 and #2 as security best practices, and OSSF Scorecards recommends using SecureWorkflows to apply #1 and #2.

The Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies.

Secure-Workflows will be demoed at SupplyChainSecurityCon! The goal is to fix token permissions in the top 100 most critical open source projects by then.

GitHub Actions Security Knowledge Base

To calculate the minimum token permissions for a given workflow, a Knowledge Base of GitHub Actions has been set up. The knowledge base records, for each GitHub Action, which permissions it needs when it uses the GITHUB_TOKEN.

If you are the owner of a GitHub Action, please contribute to the knowledge base. This will increase trust in your GitHub Action, so more developers will be comfortable using it, and it will improve security for everyone's GitHub Actions workflows.

Try SecureWorkflows

To use SecureWorkflows, visit https://app.stepsecurity.io/

Secure workflow screenshot