Introduction
StepSecurity's Orchestration platform serves as a gatekeeper of GitHub repositories, identifying missing security tools and gaps in CI/CD pipeline best practices. By providing developers with a curated list of recommendations, it empowers them to make the choices that fit their projects' needs. They can then leverage the platform to create a pull request, seamlessly integrating the necessary tools and best practices into their repository.
Today, we have hit an important milestone, reaching over 500 open-source projects that have used our platform to improve their security posture. It's a journey worth celebrating, with each step marking our collective progress toward more secure open-source projects.
A Rapid Journey of Growth
On April 6th, we celebrated the adoption of our platform by 300 open-source projects. Just two months later, on June 8th, we were thrilled to announce that the number had risen to 400. In a mere month, that number has increased from 400 to over 500 projects, signifying the increasing trust in and need for effective security practices in the developer community.
StepSecurity Platform in Action
To illustrate how the StepSecurity platform integrates into developers' workflows, we've prepared a video tutorial. The video shows how developers navigate and use the platform and, most importantly, how it saves them time and reduces complexity.
Curious to see it for yourself? Feel free to give our platform a try at app.stepsecurity.io/securerepo. Note that you'll need to log in using your GitHub account, but rest assured, our platform doesn't ask for any permissions or personal data. We access public data only to ensure that only past contributors can create a pull request in a project.
Five organizations that have used our platform stand out for their extensive usage: Apache, NodeSecure, Google, Microsoft Azure, and Eclipse. These are our top users in terms of engagement and use, underscoring their high trust in the StepSecurity platform.
You can also browse the pull requests created by the top 50 of the 500 open-source projects that have benefited from our platform at app.stepsecurity.io/securerepo/trending.
The Strength Behind Our Platform
What makes StepSecurity's platform so effective? The answer lies in its ability to integrate various tools and the hardening aspects it offers for the CI/CD pipelines.
We seamlessly enable the following:
- StepSecurity Harden-Runner GitHub Action for CI/CD Runtime Security
- Static Application Security Testing (SAST) tool
- Software Composition Analysis (SCA) tool
- OpenSSF Scorecard
- Dependabot configuration for dependency and CI/CD tool updates
When it comes to hardening aspects of the CI/CD pipelines, our platform ensures:
- Setting least-privilege permissions for GitHub Actions tokens
- Pinning GitHub Actions
- Pinning Docker images
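As an added example (not StepSecurity's code), the following script checks a workflow file for two of the hardening gaps listed above: a missing top-level `permissions:` block and `uses:` references that are not pinned to a full commit SHA. It scans the YAML with regular expressions so it runs without extra dependencies; the sample workflows are constructed, and the 40-character SHA in the hardened sample is a placeholder, not the real commit of any release.

```python
import re

# A pinned action reference ends in a full 40-hex-digit commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Captures the reference after `uses:`; stops before any trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A top-level (column 0) permissions block overrides the broad default grant.
PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)


def unpinned_actions(workflow: str) -> list[str]:
    """Return every `uses:` reference not pinned to a full commit SHA.
    Local (./path) and docker:// references are out of scope here."""
    findings = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_top_level_permissions(workflow: str) -> bool:
    """True if the workflow restricts the token with a top-level permissions block."""
    return bool(PERMISSIONS_RE.search(workflow))


# Constructed sample: a typical workflow before hardening (tag refs, no permissions).
WEAK_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
"""

# Constructed sample after hardening. The SHA below is a PLACEHOLDER, not a real
# commit; in practice pin to the SHA published on the action's release page.
HARDENED_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
"""
```

Running `unpinned_actions` and `has_top_level_permissions` on the two samples flags both tag-referenced actions and the missing permissions block in the weak workflow, and reports the hardened one as clean.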
To represent this visually, the diagram below provides a high-level view of the integrations and hardening measures undertaken across these 500+ projects.
Conclusion
We are immensely grateful to all the developers and projects that have used our platform and contributed to this milestone.
As of now, StepSecurity's capabilities work for both public and private repositories. Harden-Runner works seamlessly on GitHub-Hosted, Actions Runner Controller (ARC), and self-hosted Virtual Machine (VM) Runners for contextualized insight into network and file events and control over network egress traffic. If you're curious to try it out, you can start with our free trial!