StepSecurity

Computer and Network Security

Seattle, Washington - 12,337 followers

Secure your GitHub Actions with StepSecurity: Your Trusted CI/CD Security Partner

About

StepSecurity provides a comprehensive security platform for GitHub Actions. If you use GitHub Actions for CI/CD and are concerned about the security of your pipelines, the StepSecurity platform is for you. Over 3,000 open-source projects, including ones from the Cybersecurity and Infrastructure Security Agency (CISA), Google, Microsoft, Datadog, Kubernetes, Node, and Ruby, use StepSecurity to harden their CI/CD pipelines. Our enterprise tier is currently deployed at customers in the crypto, healthcare, and cybersecurity industries.

Website
https://www.stepsecurity.io
Industry
Computer and Network Security
Company size
11-50 employees
Headquarters
Seattle, Washington
Type
Privately held
Founded
2021

Posts

  • StepSecurity reposted this

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    Enterprise Case Study: Chainguard Secures GitHub Actions with StepSecurity

    Chainguard is building the safe source for open source. This requires sourcing the latest versions of open source software across myriad repositories and interacting with them via GitHub Actions. "Chainguard's approach to security is to lead by example and not check boxes for the sake of having checked the box." At StepSecurity, we're grateful to have Chainguard as an enterprise customer and proud to provide the secure foundation they need to use GitHub Actions at scale, through automation and comprehensive visibility. A big thank you to Evan Gibler, Staff Security Engineer at Chainguard, for taking the time to write this case study based on Chainguard's experience using StepSecurity at scale. I highly recommend reading this case study (link in the comments) to see how Chainguard thinks about CI/CD security and how they go about securing their pipelines at scale, especially in light of the recent tj-actions supply chain attack. It's full of practical insights from real-world experience.

    • Image: Testimonial from Evan Gibler, Staff Security Engineer, Chainguard
  • StepSecurity reposted this

    View Ashish Kurmi's profile

    Co-Founder & CTO, StepSecurity | Ex-Plaid | Ex-Uber | Ex-Microsoft

    Announcing: Policy-Driven Pull Requests for CI/CD Security

    The Challenge: In fast-paced enterprise environments, security policy deviations are inevitable, and manual remediation methods (emails, spreadsheets, and manual PRs) are slow and error-prone. The need to pin third-party GitHub Actions at scale after the recent tj-actions breach highlights these challenges.

    The Solution: StepSecurity's Policy-Driven Pull Requests automate and simplify remediation by opening GitHub Issues or Pull Requests whenever policy deviations occur.

    How It Works:
    1. Define security policies (pinned actions, minimal permissions, Harden-Runner).
    2. Continuous monitoring instantly detects deviations.
    3. Automated Issues and PRs are created directly in GitHub for immediate action.

    To learn more, check out the blog post in the comments.

  • StepSecurity reposted this

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    Thanks to everyone who joined our Community Office Hour and for the insightful questions! We provided an overview of the incident, how it was detected, and how one can recover from it. We also discussed several questions from the community and it was a very interactive session! You can find the recording here: https://lnkd.in/gY39JuNS

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    Community Office Hour: tj-actions/changed-files Security Incident

    We greatly appreciate the proactive engagement from the community following StepSecurity's recent disclosure of the critical security incident involving the tj-actions/changed-files GitHub Action. To support you in understanding this incident and recovering swiftly, we're hosting an Office Hour:

    Date: March 17, 2025, 10:00 AM Pacific Time (PT)

    During this session, we will:
    - Answer your questions about the incident.
    - Provide guidance on securing your repositories.
    - Help you implement the secure drop-in replacement Action (step-security/changed-files).

    Add the event to your calendar here: https://lnkd.in/g3mixRG7
  • StepSecurity reposted this

    View Ashish Kurmi's profile

    Co-Founder & CTO, StepSecurity | Ex-Plaid | Ex-Uber | Ex-Microsoft

    New Feature Alert: Detect Leaked Secrets from the tj-actions/changed-files Incident

    In response to the tj-actions/changed-files incident, StepSecurity implemented a new control in the StepSecurity dashboard to automatically detect whether credentials were leaked into the build log. The compromised tj-actions/changed-files action dumps secrets from memory and logs them in the build log in a double base64-encoded format. Looking through workflow runs manually to find such leaked secrets is cumbersome.

    How it works:
    1. Navigate to the new control on your StepSecurity Enterprise dashboard.
    2. Review workflow runs flagged for leaked secrets in the "Failed Runs" section.
    3. Confirm the leaked secrets in the build logs.
    4. Rotate leaked persistent credentials immediately. Delete the affected workflow run logs to prevent further exposure.

    If you are not an enterprise customer, you can take advantage of our self-service 14-day free trial to access this feature. The GitHub App installation link to start the free trial is in the comments.

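The post above describes the leak format (secrets written to the build log double base64-encoded) but not how to find it yourself. The scanner below is an added example, not StepSecurity's dashboard control or any code from the incident: it walks a saved build log, decodes every long base64-looking token through two layers, and reports those that come out as printable text. The log lines and the credential in it are constructed for the example; the `find_double_base64` and `encode_twice` names are this example's own.

```python
"""Scan a GitHub Actions build log for double-base64-encoded blobs.

Added example, not StepSecurity's code. The post above says the compromised
tj-actions/changed-files action wrote dumped secrets into the build log in a
double base64-encoded form; this scanner reports any token that decodes
cleanly through two base64 layers into printable text. Sample log lines are
constructed for the example.
"""
import base64
import binascii
import re
from typing import Optional

# A run of base64-alphabet characters long enough to be worth decoding.
# Short tokens (words, short hashes) would produce too many false positives.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _decode_layer(token: str) -> Optional[bytes]:
    """Decode one base64 layer, returning None if the token is not valid base64."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def _is_printable(data: bytes) -> bool:
    """Only printable ASCII payloads are reported; random bytes are noise."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def find_double_base64(log_text: str) -> list:
    """Return (line_number, decoded_payload) for every token that decodes twice.

    Single-layer base64 (common in normal logs) is ignored: the first decode
    must itself yield another base64 token, and the second must yield text.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in B64_TOKEN.finditer(line):
            outer = _decode_layer(match.group(0))
            if outer is None:
                continue
            try:
                inner_token = outer.decode("ascii").strip()
            except UnicodeDecodeError:
                continue
            if not B64_TOKEN.fullmatch(inner_token):
                continue
            inner = _decode_layer(inner_token)
            if inner is None or not _is_printable(inner):
                continue
            hits.append((lineno, inner.decode("ascii")))
    return hits


def encode_twice(secret: str) -> str:
    """Build a double-encoded sample the way the post describes the leak."""
    once = base64.b64encode(secret.encode()).decode()
    return base64.b64encode(once.encode()).decode()


# Constructed sample log (not a real run): line 2 carries a double-encoded
# credential, the others are ordinary build-log noise that must not be flagged.
SAMPLE_SECRET = "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_LOG = "\n".join([
    "Run tj-actions/changed-files@v45",
    "  " + encode_twice(SAMPLE_SECRET),
    "Resolved to commit 3dbe17c78367e7d60f00d78ae6781a35be47b4a1",
    "Cached payload: " + base64.b64encode(b"single-layer base64, not a leak").decode(),
])

if __name__ == "__main__":
    for lineno, payload in find_double_base64(SAMPLE_LOG):
        print(f"line {lineno}: possible leaked secret: {payload}")
```

Run it over logs downloaded from the affected runs; a hit means the credential on that line must be rotated, and, as the post says, the run log itself deleted. The two-layer requirement is what keeps the noise down: a commit SHA or a single base64 blob in a normal log decodes once to bytes or plain text and is dropped.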
  • StepSecurity reposted this

    View Ashish Kurmi's profile

    Co-Founder & CTO, StepSecurity | Ex-Plaid | Ex-Uber | Ex-Microsoft

    Secure Alternative Available Now: step-security/changed-files (Free for Everyone)

    StepSecurity was the first to discover and notify the community about a critical supply chain compromise affecting the widely used GitHub Action, tj-actions/changed-files (tracked as CVE-2025-30066). This incident impacts over 23,000 public repositories. We quickly identified this through our Harden-Runner anomaly detection capability, which flagged unexpected network connections during workflow runs.

    To support the community, StepSecurity has released a secure, drop-in replacement Action, freely available to everyone: https://lnkd.in/g8CAJX2S

    We strongly recommend replacing any usage of the compromised Action immediately:

        - uses: step-security/changed-files@v45

    Or use the specific commit hash:

        - uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1

    Recovery Steps:
    1. Immediately replace instances of tj-actions/changed-files.
    2. Review your public workflow logs for leaked secrets.
    3. Rotate any potentially compromised secrets.

    For full incident details, please refer to our blog post (link in the comments).

  • StepSecurity reposted this

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    Security Alert: tj-actions/changed-files GitHub Action Compromised

    StepSecurity Harden-Runner detected a critical security incident affecting tj-actions/changed-files, a GitHub Action used in 23,000+ repositories. Harden-Runner anomaly detection flagged an unexpected network connection, leading us to uncover a malicious compromise.

    What Happened?
    - Almost all tags of this Action were modified four hours ago, indicating a recent supply chain attack.
    - The compromised Action executes a Python script that dumps CI/CD secrets from the Runner Worker process.
    - The malicious behavior can be observed in Harden-Runner insights, showing the Action downloading and executing an unauthorized script (see the video).

    Immediate Action Required: Stop using tj-actions/changed-files immediately until further notice. We are continuing to monitor the situation and will provide updates as more details emerge. To stay up to date, please refer to our blog post (link in comments).

  • StepSecurity reposted this

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    StepSecurity Harden-Runner is helping secure the Ruby GitHub org!

    Let's take a moment to spotlight an awesome open-source project from the Ruby GitHub org that uses Harden-Runner in its publishing workflow. This project is securely publishing to RubyGems, and doing it the right way with:
    - OpenID Connect (OIDC) authentication: no static credentials!
    - Harden-Runner's network and runtime monitoring: full visibility into every outbound request.

    What does the network traffic look like?
    - Code checkout from GitHub
    - Dependencies pulled from GitHub & RubyGems
    - Secure publishing to RubyGems
    - sigstore usage for supply chain integrity
    No unexpected network calls: everything checks out!

    Why is this exciting?
    - Software supply chain attacks are on the rise; secure publishing matters more than ever!
    - Harden-Runner ensures workflows only talk to trusted endpoints, no surprises.
    - It ensures only expected processes interact with trusted endpoints, protecting the integrity of the published software.

    This is community-tier usage, meaning anyone can see these insights and learn from them! Check out the Harden-Runner insights in action (link in comments). Huge shoutout to the Ruby community for leading by example with secure CI/CD practices! Want to make sure your workflows are secure too? Try Harden-Runner today!

  • StepSecurity reposted this

    View Varun Sharma's profile

    Co-founder & CEO, StepSecurity (ex-Microsoft)

    StepSecurity Now Integrates with RunsOn for Secure, Cost-Effective CI/CD Pipelines!

    I'm thrilled to announce that StepSecurity's Harden-Runner now seamlessly integrates with RunsOn, the modern solution for self-hosting GitHub Actions runners on AWS at scale. This partnership combines StepSecurity's robust CI/CD security capabilities with RunsOn's optimized, cost-efficient runners. As software supply chain attacks continue to rise, this integration provides critical protection without disrupting developer workflows.

    Why choose RunsOn with StepSecurity?
    1. 10x cheaper than GitHub-hosted runners
    2. 30%+ faster performance
    3. 5x faster, unlimited caching with an S3-local bucket
    4. Full control within your AWS account
    5. Enhanced security with Harden-Runner's network restrictions and runtime monitoring

    Implementation is incredibly simple too! Just update your runner image to use the StepSecurity image, and you'll always have the latest Harden-Runner agent without manual updates or configuration hassles. This partnership represents our ongoing commitment to making CI/CD security accessible, effective, and developer friendly. Ready to strengthen your CI/CD security while optimizing costs? Check out our integration guide (in comments) for more details.
  • StepSecurity reposted this

    View Ashish Kurmi's profile

    Co-Founder & CTO, StepSecurity | Ex-Plaid | Ex-Uber | Ex-Microsoft

    Secure Repo Just Got Better!

    StepSecurity's Secure Repo has already helped 2,000+ open-source projects and several StepSecurity enterprise customers apply GitHub Actions security best practices automatically. Now, we're making it even more customizable and efficient with these new updates:
    - Pin to GitHub's New Immutable Actions: No need to pin by commit SHA if an action is immutable! Secure Repo will now pin immutable actions to their semantic version (e.g., v1.2.3) for easier maintenance.
    - Exempt Actions from Pinning: You can now exclude specific actions from being pinned, giving you more flexibility.
    - Save Your Security Settings: No more selecting best practices every time! Configure your preferences once in User Settings, and they'll apply automatically when analyzing new repos.

    With these updates, Secure Repo makes it even easier for developers to secure their CI/CD pipelines with minimal effort. For more details, check out the link in the comments.

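Three posts above turn on the same policy: the Policy-Driven Pull Requests post (pinned actions as a policy), the step-security/changed-files post (the `uses:` line pinned to a full commit hash with a version comment), and the Secure Repo post (exempting chosen actions from pinning). The checker below is an added example that implements that policy, not StepSecurity's Secure Repo, Policy-Driven Pull Requests, or any code of theirs: it reads a workflow file with a regex (no YAML library), reports every third-party `uses:` that is not a 40-hex commit SHA unless the action is on an exemption list, and separately reports any reference to tj-actions/changed-files. The workflow text, the exemption list, the `check_pinning` and `Finding` names, and the all-zero commit on the harden-runner line are this example's own assumptions; the step-security/changed-files commit is the one given in the post.

```python
"""Flag third-party GitHub Actions that are not pinned to a commit SHA.

Added example, not StepSecurity's Secure Repo or Policy-Driven Pull Requests
code. It applies the pinning policy those posts describe with a regex over the
workflow text (no YAML library needed), honours an exemption list, and reports
any reference to the tj-actions/changed-files action named in the incident
posts. The workflow below is constructed for the example; the harden-runner
commit in it is a zero placeholder, not a real SHA.
"""
import re
from dataclasses import dataclass

# `- uses: owner/repo[/path]@ref   # optional comment`
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(.*))?$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Action named in the incident posts on this page; every reference is reported
# regardless of ref, since the post says almost all of its tags were modified.
COMPROMISED = {"tj-actions/changed-files"}


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    reason: str


def check_pinning(workflow_text: str, exempt=frozenset()) -> list:
    """Return one Finding per `uses:` reference that violates the policy.

    Local actions (./path) and docker:// images are skipped: the former is
    versioned with the repo, the latter is pinned by image digest separately.
    Actions in `exempt` may keep a tag (the "exempt from pinning" case).
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        repo = "/".join(action.split("/")[:2])  # owner/repo, dropping any subpath
        if repo in COMPROMISED:
            findings.append(Finding(lineno, action, ref, "known compromised action; replace it"))
        elif repo in exempt:
            continue
        elif not ref:
            findings.append(Finding(lineno, action, ref, "missing @ref"))
        elif not FULL_SHA.match(ref):
            findings.append(Finding(lineno, action, ref, "mutable tag or branch; pin to a full commit SHA"))
    return findings


# Constructed workflow for the example. egress-policy is a real Harden-Runner
# input; the 40-zero commit is a placeholder so the line passes the SHA check.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1  # v45.0.1
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.20
      - uses: my-org/internal-action@main
"""

if __name__ == "__main__":
    for f in check_pinning(SAMPLE_WORKFLOW, exempt=frozenset({"actions/checkout"})):
        print(f"line {f.line}: {f.action}@{f.ref}: {f.reason}")
```

Pointed at `.github/workflows/*.yml` in a repository, the findings list is exactly what a policy-driven issue or pull request would carry: the line, the action, the mutable ref, and the reason. The compromised check runs before the exemption check on purpose, so exempting tj-actions/changed-files from pinning would not silence it.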