In this tutorial you will add an SAST (Static application security testing) tool, a dependency review tool, and the OpenSSF Scorecard workflow to your repository.
-
Navigate to https://app.stepsecurity.io/securerepo. Enter your repository in the textbox and click on
Analyze Repository. You will see several recommendations for improving GitHub Actions Security for your repository. -
Keep the
Add CodeQL Workflow,Add Dependency Review Workflow, andAdd OpenSSF Scorecard Workflowchecked and un-check the rest of the recommendations for now. We will check them in future tutorials. -
Click on
Create Pull Requestbutton. You will see a pull request with three GitHub Actions workflows. -
Merge the pull request.
-
Next, you should see some issues in the
Securitytab of your repository. These issues have been created by these security tools. In the future, these tools will run periodically and find security issues in pull requests.
https://app.stepsecurity.io/securerepo has been used by over 500 public repositories to apply GitHub Actions Security best practices. You can browse pull requests for the Top 50 repositories at https://app.stepsecurity.io/securerepo/trending