StepSecurity Platform Plans

Community
Best for open source repositories
Free
Unlimited Public Repositories
No Notifications
Get Started For Free
Team
Best for private repositories
$16/dev/month
For up to 100 Developers
Slack & Email Notifications
Start 30-Day Free trial
Enterprise
Best for enterprise
Custom
Volume Discount for 100+ Developers
Contact us
Community
Best for open source repositories
Free
Unlimited Public Repositories
No Notifications
Get Started For Free
Enterprise
Best for enterprise
custom
Private Repos & Self-Hosted Runners
Slack & Email Notifications
Start 30-Day Free trial

GitHub Environments

Community
GitHub Cloud account
Public repository
GitHub hosted Actions runner
Community support
Enterprise
GitHub Cloud & GitHub Enterprise Server accounts
Private & Public repositories
GitHub Hosted & Actions Runner Controller (ARC) runners
Priority support
Feature
Community
Enterprise
GitHub account

GitHub Cloud is hosted by GitHub whereas GitHub Server is self-hosted by the customer

GitHub Cloud
GitHub Cloud & GitHub Enterprise Server
Repository types

Public repositories are visible to everyone on the internet and typically host open-source code. Private repositories are only accessible to specific users and typically host proprietary code

Public
Private & Public
Actions Runner environments

GitHub-hosted runners are managed by GitHub and run in GitHub's environment. Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and scales self-hosted runners for GitHub Actions in customer's environment

GitHub-Hosted
GitHub-Hosted & Self-Hosted Runners
Support

Support Channels to engage with the StepSecurity team

Community
Priority

GitHub Actions Runtime Security

Community
Block network egress traffic with domain allowlist
Detect compromised packages, dependencies & build tools
Detect modification of source code
Disable sudo access
Runtime insights for Actions runs
Publish from GitHub Actions using multi-factor authentication (MFA)
Enterprise
Prevent secret & code exfiltration
Detect compromised build tools & dependencies
Detect modification of source code
Disable sudo access
Runtime insights for Actions runs
Publish from GitHub Actions using multi-factor authentication (MFA)
Slack & email notifications
HTTPS monitoring
API access
Detection summary
StepSecurity GitHub App
Feature
Community
Enterprise
Block network egress traffic with domain allowlist

Harden-Runner can block traffic to remote endpoints that have not been explicitly authorized. This stops attackers from stealing credentials and sensitive data

plan check icon
plan check icon
Detect compromised packages, dependencies & build tools

Harden-Runner monitors the behavior of build tools and dependencies. It flags deviations in baseline.

plan check icon
plan check icon
Detect modification of source code

CI/CD jobs typically don't overwrite source code, this is a potential indicator of compromise. Malicious source code overwrites have caused major supply chain security breaches in the past.

plan check icon
plan check icon
Disable sudo access

Sudo allows the user to delegate privileges to run commands as a root or another user. Harden-Runner can disable sudo access in CI/CD

plan check icon
plan check icon
Insights page for CI/CD runs

For each GitHub Actions workflow run, Harden-Runner monitors run-time network, file, and process events and makes runtime insights available via the StepSecurity Web App.

plan check icon
plan check icon
Publish from GitHub Actions using multi-factor authentication (MFA)

StepSecurity wait-for-secrets allows project owners to implement multi-factor authentication (MFA) in their release workflows

plan check icon
plan check icon
Notifications

Harden-Runner can send important runtime CI/CD events to Slack and email workflow execution logs.

plan check icon
HTTPS monitoring

Harden-Runner monitors and detects suspicious events for outbound HTTPS encrypted connections from Actions runners.

plan check icon
API access

Organizations can access Harden-Runner runtime insights and detections via APIs. This is useful for central monitoring and SIEM integrations.

plan check icon
Detection summary

Harden-Runner can send important runtime CI/CD events to Slack and email workflow execution logs.

plan check icon
StepSecurity GitHub App

StepSecurity GitHub App enables enterprises to use numerous CI/CD runtime and infrastructure features. You can learn more about the app here: https://github.com/apps/stepsecurity-actions-security

plan check icon

Third-party Actions Governance

Community
Enterprise
Use StepSecurity maintained Actions
Discover all third party GitHub Actions across GitHub organization
Discover in-use unmaintained Actions
Perform risk assessment on Actions
Feature
Community
Enterprise
Use StepSecurity Maintained Actions

StepSecurity maintained Actions provide secure alternatives for risky third-party Actions in use

plan check icon
Discover all third party GitHub Actions across GitHub organization

The platform indexes all GitHub Actions workflows across the GitHub account and provides an organizational view of all third-party GitHub Actions in use

plan check icon
Discover in-use unmaintained Actions

Discover if you are relying on unmaintained GitHub Actions in your environment

plan check icon
Perform risk assessment on Actions

StepSecurity provides a risk score for GitHub Actions based on runtime profile and Actions code analysis

plan check icon

GitHub Actions secrets management

Community
Enterprise
List GitHub Actions secrets metadata across GitHub organization
Discover secrets that have not been rotated
Discover ununsed secrets
Detect workflows with elevated GITHUB_TOKEN permissions
Detect deployment workflows that are not using OIDC
Feature
Community
Enterprise
List GitHub Actions secrets metadata across GitHub organization

The platform indexes metadata of all GitHub Actions secrets across the GitHub account and provides an organizational view. The platform does not have access to secrets itself.

plan check icon
Discover secrets that have not been rotated

Discover old secrets in use that have not been rotated

plan check icon
Discover ununsed secrets

Discover secrets that are not being used by any GitHub Actions workflows

plan check icon
Detect workflows with elevated GITHUB_TOKEN permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. The platform can set least privileged permissions for the token

plan check icon
Detect deployment workflows that are not using OIDC

Detect release workflows that are using long-lived privileged secrets. These workflows could use OIDC that can help eliminate these privileged secrets

plan check icon

Frequently Asked Questions

How do you count developers?

Steps to use StepSecurity with private repositories?

How can I terminate my subscriptions?

What is the best way to reach you?

Subscription Plans

Runtime CI/CD Security Using StepSecurity Harden-Runner

Community

Best for open source repositories
Free
Unlimited Repositories
Get Started for Free
Free Forever

Enterprise

Best for enterprise and private repositories
$
20
/ month
Per Developer
Get Started Today
7-Day Free Trial

Feature

Community

Enterprise

Supported Repository Types
Public
Private & Public
Prevent Secret and Code Exfiltration
Detect Compromised Build Tools & Dependencies
Detect Modification of Source Code
Disable sudo access
Insights page for CI/CD runs
Notifications
Slack & Email
Support
Community
Priority

Upcoming Solutions

GitHub Repository Posture Management

card icon
plan check icon
Policy Driven Secure GitHub Resource Creation
plan check icon
Track Governance Violations Against Industry Standards
plan check icon
Automated Remediations through Pull Requests

Get Early Beta Access ->

Frequently Asked Questions

How do you count developer seats?

Steps to use Harden Runner with private repositories?

How can I terminate my subscriptions?

What is the best way to reach you?

Upcoming
Useful Links
HomeWhy StepSecurityDocsPricingContact UsBook a DemoPrivacy PolicyTerms
Community