
Secure Repo Just Got Better: New Features for GitHub Actions Security Best Practices

The updates include support for pinning GitHub’s New Immutable Actions, exemptions for pinning specific GitHub Actions, and configuring preferences to use across multiple repositories.
Ashish Kurmi

February 25, 2025


Introduction

StepSecurity’s Secure Repo feature has been helping developers secure their GitHub Actions workflows by automatically generating pull requests that apply security best practices. Over 2,000 open-source projects and several StepSecurity enterprise customers have already leveraged this capability to strengthen their CI/CD security.

We’ve been listening to feedback from our users, and today, we’re excited to announce new enhancements that make Secure Repo even more powerful and customizable! These features are available across both community and enterprise tiers.

Support for pinning GitHub’s New Immutable Actions

GitHub recently introduced immutable actions, where action authors can publish versions that are inherently immutable. For these actions, pinning by commit SHA is no longer required—instead, developers can safely pin to a semantic version (e.g., v1.2.3) without worrying about unexpected updates.

With this enhancement in Secure Repo, when users enable “Pin to Immutable Actions,” the system will:

• Pin regular actions to their full commit SHA for security.

• Pin immutable actions to their latest published semantic version (vX.Y.Z), ensuring security while improving maintainability.

This new capability ensures that developers get the best of both worlds—security for regular actions and ease of management for immutable ones.

Granular Control Over Action Pinning

We’ve introduced exemptions for pinning GitHub Actions, allowing users to:

• Exclude specific actions from being pinned (e.g., actions/checkout).

• Exclude actions from an entire organization (e.g., actions/*).

This flexibility lets developers follow best practices while still exempting GitHub Actions they trust from pinning.
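As an added example, not StepSecurity's code and not part of the original post, here is a small Python rewriter that applies the two pinning rules and the exclusion patterns described above to a workflow file: regular actions are rewritten to a full commit SHA (with the corresponding tag left as a comment), immutable actions are rewritten to their latest semantic version, and any action matching an exclusion glob such as `actions/checkout` or `actions/*` is left alone. The sample workflow, the `LATEST_SHA` and `IMMUTABLE_ACTIONS` lookup tables, the placeholder SHAs and the `example-org/...` action names are all constructed for the example; a real tool would resolve them through the GitHub API.

```python
import fnmatch
import re

# Constructed lookup tables (placeholder SHAs and versions, not real commits
# or releases). A real tool would resolve these from GitHub release metadata.
LATEST_SHA = {  # regular actions: name -> (full commit SHA, tag it corresponds to)
    "actions/checkout": ("1" * 40, "v4.2.2"),
    "actions/setup-node": ("2" * 40, "v4.1.0"),
    "example-org/lint-action": ("3" * 40, "v2.0.1"),
}
IMMUTABLE_ACTIONS = {  # immutable actions: name -> latest published semantic version
    "example-org/immutable-action": "v1.2.3",
}

USES_RE = re.compile(r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<ref>[^\s#]+)(?P<rest>.*)$")
SHA_RE = re.compile(r"[0-9a-f]{40}")


def is_excluded(name, exclude):
    """True if an owner/repo name matches any exclusion glob (actions/* or actions/checkout)."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in exclude)


def pin_reference(ref, exclude):
    """Return (new_ref, version_comment) for one `uses:` value.

    version_comment is the tag a SHA pin corresponds to, so the rewrite can
    leave a human-readable hint next to the hash; it is None otherwise.
    """
    # Local and docker references have no marketplace release to pin to.
    if ref.startswith("./") or ref.startswith("docker://") or "@" not in ref:
        return ref, None
    action, version = ref.rsplit("@", 1)
    name = "/".join(action.split("/")[:2])  # owner/repo, dropping any sub-path
    if is_excluded(name, exclude) or SHA_RE.fullmatch(version):
        return ref, None  # exempted, or already pinned to a full SHA
    if name in IMMUTABLE_ACTIONS:
        return f"{action}@{IMMUTABLE_ACTIONS[name]}", None
    if name in LATEST_SHA:
        sha, tag = LATEST_SHA[name]
        return f"{action}@{sha}", tag
    return ref, None  # unknown action: leave untouched rather than guess


def pin_workflow(text, exclude=()):
    """Rewrite every `uses:` line of a workflow file according to the rules above."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            out.append(line)
            continue
        new_ref, tag = pin_reference(m["ref"], exclude)
        # A fresh SHA pin replaces any old trailing comment with the tag it maps to.
        rest = f" # {tag}" if tag else m["rest"]
        out.append(f"{m['prefix']}{new_ref}{rest}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample workflow, not taken from the page.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: example-org/immutable-action@v1
      - uses: example-org/lint-action@3333333333333333333333333333333333333333 # v2.0.0
      - uses: ./.github/actions/local
      - run: npm test
"""

if __name__ == "__main__":
    print(pin_workflow(WORKFLOW, exclude=["actions/checkout"]))
```

Running the block pins `actions/setup-node` to its SHA, rewrites the immutable action to `v1.2.3`, and leaves `actions/checkout` (exempted), the already SHA-pinned lint action and the local action untouched. Unknown actions are deliberately left as they are: a pinning tool that guesses a SHA it cannot verify would defeat the purpose of pinning.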

User settings to pin to immutable Actions and exclude Actions from pinning

Persistent Best Practice Selection

Users can now configure their preferences once in their User Settings. This means no more repeatedly selecting security fixes every time a pull request is created—your chosen best practices will be applied automatically.

How It Works

1. Go to User Settings in Secure Repo: https://app.stepsecurity.io/github/user-settings

2. Select which best practices you want to apply.

3. Configure the Pull request title, commit message, and description.

Once set up, these preferences will automatically apply when Secure Repo analyzes a new repository, making the process more seamless and efficient.

User settings to customize StepSecurity-generated pull requests

A Smoother, More Secure Developer Experience

These enhancements make it easier than ever for developers to enforce security best practices across their repositories with minimal effort. By setting their preferences once, teams can now ensure consistency and compliance without additional manual work.

Try out the new Secure Repo settings today and take control of your GitHub Actions security!
