Secure Workflows is an open-source API to secure GitHub Actions workflow files.
The API takes in a GitHub Actions workflow file as an input and returns a transformed workflow file with the following changes:
- Minimum `GITHUB_TOKEN` permissions are set for each job
- The StepSecurity Harden Runner GitHub Action is added to each job
- Actions are pinned to a full-length commit SHA
To calculate minimum token permissions for a given workflow, and to set allowed endpoints for workflows, a knowledge base of GitHub Actions has been set up. The knowledge base records which `GITHUB_TOKEN` permissions each GitHub Action needs and which outbound calls it is expected to make.
The knowledge base enables you to:
- Automatically calculate minimum `GITHUB_TOKEN` permissions for your workflows.
- Restrict outbound traffic for your GitHub Actions workflows to allowed endpoints using the Harden Runner GitHub Action.
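The three transformations described above, worked end to end as an added example. This is illustration code written for this page, not the Secure Workflows implementation: it operates on a workflow already parsed into a dict (for instance with `yaml.safe_load`), the knowledge base and the sample workflow are constructed, the 40-hex commit SHAs in them are placeholders rather than real commits, and the Harden Runner inputs `egress-policy` and `allowed-endpoints` are assumed from that action's documented interface.

```python
"""Apply the Secure Workflows transformations to a parsed GitHub Actions workflow:
minimum GITHUB_TOKEN permissions per job, a Harden Runner step per job, and
actions pinned to full-length commit SHAs. Example code for this page, not the
StepSecurity implementation; KB, workflow and SHAs below are constructed."""
import copy
import json
import re

# Constructed knowledge base: per action, tag -> commit SHA, the GITHUB_TOKEN
# scopes it needs, and the hosts it talks to. The SHAs are fake placeholders.
KB = {
    "actions/checkout": {"tags": {"v3": "a" * 40},
                         "permissions": {"contents": "read"},
                         "endpoints": ["github.com:443"]},
    "actions/setup-node": {"tags": {"v3": "b" * 40}, "permissions": {},
                           "endpoints": ["github.com:443", "nodejs.org:443",
                                         "registry.npmjs.org:443"]},
    "softprops/action-gh-release": {"tags": {"v1": "c" * 40},
                                    "permissions": {"contents": "write"},
                                    "endpoints": ["api.github.com:443",
                                                  "uploads.github.com:443"]},
    "step-security/harden-runner": {"tags": {"v2": "d" * 40},
                                    "permissions": {}, "endpoints": []},
}

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
RANK = {"none": 0, "read": 1, "write": 2}


def _repo(uses):
    """Repository part of a `uses:` ref; None for run: steps, local (./) and
    docker:// actions, none of which the knowledge base can describe."""
    if not uses or uses.startswith("./") or uses.startswith("docker://"):
        return None
    return uses.partition("@")[0]


def pin_uses(uses, kb=KB):
    """Pin `owner/repo@tag` to `owner/repo@<40-hex sha>` via the KB. Local and
    docker:// refs and refs that are already a full SHA come back unchanged.
    An unknown action or tag raises KeyError: silently keeping a mutable tag
    would defeat the purpose of pinning."""
    repo, ref = _repo(uses), uses.partition("@")[2]
    if repo is None or FULL_SHA.match(ref):
        return uses
    return f"{repo}@{kb[repo]['tags'][ref]}"


def minimum_permissions(job, kb=KB):
    """Union of the GITHUB_TOKEN scopes the job's actions need; for a scope
    wanted at both levels, write outranks read. An empty dict is how a
    workflow says 'no permissions at all'."""
    needed = {}
    for step in job.get("steps", []):
        repo = _repo(step.get("uses"))
        if repo is None:
            continue
        for scope, level in kb[repo]["permissions"].items():
            if RANK[level] > RANK.get(needed.get(scope), 0):
                needed[scope] = level
    return needed


def harden_runner_step(job, kb=KB):
    """Build the Harden Runner step. Egress is blocked to the KB's union of
    endpoints only when every step is a known action; a run: step or local
    action can reach hosts the KB knows nothing about, so such jobs get
    `audit` and the allow-list is a starting point, not a contract."""
    hosts, unknown_egress = set(), False
    for step in job.get("steps", []):
        repo = _repo(step.get("uses"))
        if repo is None:
            unknown_egress = True
            continue
        hosts.update(kb[repo]["endpoints"])
    return {"name": "Harden Runner",
            "uses": pin_uses("step-security/harden-runner@v2", kb),
            "with": {"egress-policy": "audit" if unknown_egress else "block",
                     "allowed-endpoints": "\n".join(sorted(hosts))}}


def secure_workflow(workflow, kb=KB):
    """Return a transformed copy of a parsed workflow; the input is untouched."""
    out = copy.deepcopy(workflow)
    for job in out.get("jobs", {}).values():
        job["permissions"] = minimum_permissions(job, kb)
        steps = [harden_runner_step(job, kb)] + job.get("steps", [])
        for step in steps:
            if "uses" in step:
                step["uses"] = pin_uses(step["uses"], kb)
        job["steps"] = steps
    return out


# Constructed sample workflow: a build job with a shell step and a release job.
SAMPLE = {"name": "release", "on": {"push": {"tags": ["v*"]}}, "jobs": {
    "build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v3"},
        {"uses": "actions/setup-node@v3", "with": {"node-version": 18}},
        {"run": "npm ci && npm test"}]},
    "publish": {"runs-on": "ubuntu-latest", "needs": "build", "steps": [
        {"uses": "actions/checkout@v3"},
        {"uses": "softprops/action-gh-release@v1"}]}}}

if __name__ == "__main__":
    print(json.dumps(secure_workflow(SAMPLE), indent=2))
```

Two practical notes. `publish` ends up with `contents: write` because the release action needs it, while `build` gets only `contents: read`; the job-level `permissions` key overrides whatever the repository default is, which is the point. When writing the result back with `yaml.safe_dump`, the original tag is lost from the pinned `uses:` value, so a real tool should also emit a trailing `# v3` comment next to the SHA so reviewers can still see which version is pinned.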
If you are the owner of a GitHub Action, please contribute to the knowledge base. This increases trust in your GitHub Action, so more developers will be comfortable using it, and it improves security for everyone's GitHub Actions workflows.
To try Secure Workflows, visit https://app.stepsecurity.io/