Background
Coveo is a market leader in AI-powered search, recommendations and generative experiences that enables enterprises like Dell, United Airlines, SAP, Zoom, and Salesforce to offer relevant experiences across workplace, website, commerce and customer service use cases. Its SaaS-native, multi-tenant platform brings personalization to digital points of experience.
At Coveo, over 200 developers utilize GitHub Actions for continuous integration. They primarily use self-hosted ephemeral runners, with a few GitHub-hosted runners across more than 300 GitHub repositories.
The Challenge
Before transitioning its CI jobs to GitHub Actions, Coveo's security team identified an opportunity to strengthen its security strategy around third-party Actions. While GitHub Actions deliver powerful automation, they also bring complex security challenges. Coveo prioritized network and runtime security observability for Actions runners so it could proactively detect threats such as tampering with software artifacts during the build to inject a backdoor, or exfiltration of sensitive source code and secrets to unauthorized servers, ensuring robust protection of its software supply chain.
In response to their security goals, Coveo implemented a policy to allow only trusted and vetted Actions within their workflows. While this approach strengthened their security posture, the team sought to further enhance their capabilities with an effective anomaly detection solution. Recognizing that existing security solutions, such as Cloud-Native Application Protection Platforms (CNAPP) and traditional Intrusion Detection Systems (IDS), did not adequately address these specific challenges, Coveo set out to proactively bridge this gap.
“Limiting our developers to only internal solutions was neither practical nor efficient, yet relying on one-time reviews and pinned digests proved too resource-intensive. We needed a solution that could secure our workflows while maintaining the agility and flexibility our developers depend on. StepSecurity offered that balance.”
— Jean-Philippe Lachance, Staff Security Specialist, R&D, Coveo
Coveo also required a solution with an intuitive design to support their diverse development teams. Not all developers were GitHub experts, so a user-friendly interface and clear guidance were essential to ensure adoption and effective use of the tool without steep learning curves or extensive hand-holding.
Finally, Coveo needed a solution to guide the implementation of GitHub Actions security best practices across their workflows to scale their security efforts further. They aimed to gain deeper visibility into where artifacts and dependencies were being downloaded from, providing a clearer understanding of their software supply chain. Additionally, manually reviewing third-party Actions proved to be a resource-intensive challenge, prompting the need for automated scoring and dynamic analysis to assess and manage the security of these Actions effectively.
“StepSecurity provides the security capabilities we needed to safeguard our workflows. This isn’t just theoretical—there have been real-world incidents, including large botnets originating from runners, credential theft, and supply chain compromises like the XZ Utils backdoor. StepSecurity offered a solution where existing tools fell short, enabling us to protect our CI pipelines with confidence.”
— Cedric Brisson, SOC & DFIR Lead Analyst, Coveo
Solution: StepSecurity
Coveo turned to StepSecurity to address these challenges and scale their security posture across GitHub Actions workflows without burdening developers.
Securing GitHub Actions Workflows with StepSecurity Harden-Runner
To tackle the security challenges associated with GitHub Actions, Coveo integrated StepSecurity Harden-Runner into their runner image, bringing immediate, detailed security observability to all jobs running on their self-hosted runners without any code changes.
StepSecurity Harden-Runner establishes a baseline for each job, capturing outbound network traffic, processes, and file operations during the build. Deviations from this baseline trigger alerts, enabling Coveo’s security team to quickly detect and respond to potential threats, such as malicious dependencies or attempts to tamper with builds.
“While GitHub is great at what it does, the visibility it offers to security teams is somewhat limited when it comes to GitHub Actions. Being able to audit network events and credential access is essential for any SOC or Audit team. Thorough and deep logging is paramount in our rapidly evolving threat landscape as we have to block known threats and be able to retrospectively investigate those we don't know about yet.”
— Cedric Brisson, SOC & DFIR Lead Analyst, Coveo
With Harden-Runner in place, Coveo gained the ability to monitor outbound DNS, network, and HTTPS traffic. The solution also provides visibility into where artifacts and dependencies are being downloaded from, enabling greater oversight of the software supply chain.
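The baseline-and-deviation approach described above, as an added example that is not StepSecurity's or Coveo's code: a per-job baseline of outbound destinations is built from known-good runs, and a later run is checked against it so that an alert names the step and process behind a new destination rather than just "unknown outbound call". The event records, job names, hostnames and the field layout are constructed for the example and are not Harden-Runner's actual data format.

```python
"""Baseline-and-deviation detection for CI job egress (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressEvent:
    job: str       # workflow job name, the unit a baseline is built for
    step: str      # step or Action that issued the call
    process: str   # process that opened the connection
    host: str      # destination hostname (from DNS or TLS SNI)
    port: int


# Constructed sample data: egress seen during two known-good runs of "build".
BASELINE_RUNS = [
    [EgressEvent("build", "actions/checkout", "git", "github.com", 443),
     EgressEvent("build", "setup-node", "node", "nodejs.org", 443),
     EgressEvent("build", "npm ci", "node", "registry.npmjs.org", 443)],
    [EgressEvent("build", "actions/checkout", "git", "github.com", 443),
     EgressEvent("build", "setup-node", "node", "nodejs.org", 443),
     EgressEvent("build", "npm ci", "node", "registry.npmjs.org", 443)],
]

# Constructed sample data: a later run in which a dependency's install
# script contacts a host never seen in the baseline.
SUSPECT_RUN = [
    EgressEvent("build", "actions/checkout", "git", "github.com", 443),
    EgressEvent("build", "setup-node", "node", "nodejs.org", 443),
    EgressEvent("build", "npm ci", "node", "registry.npmjs.org", 443),
    EgressEvent("build", "npm ci", "node", "collector.example.net", 443),
]


def build_baseline(runs):
    """Map each job name to the set of (host, port) pairs seen in trusted runs."""
    baseline = defaultdict(set)
    for run in runs:
        for ev in run:
            baseline[ev.job].add((ev.host, ev.port))
    return baseline


def find_deviations(run, baseline):
    """Return the events whose destination is absent from the job's baseline.

    A job with no baseline yet has every destination flagged; a real system
    would treat its first runs as a learning phase instead.
    """
    return [ev for ev in run
            if (ev.host, ev.port) not in baseline.get(ev.job, set())]


def format_alert(ev):
    """Render one deviation with the step and process responsible."""
    return (f"job={ev.job} step={ev.step!r} process={ev.process} "
            f"new destination {ev.host}:{ev.port}")


if __name__ == "__main__":
    base = build_baseline(BASELINE_RUNS)
    for event in find_deviations(SUSPECT_RUN, base):
        print(format_alert(event))
```

Keying the baseline on the job rather than on the whole workflow keeps it tight: a destination that is normal for a deploy job is still anomalous in a unit-test job.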
“Before StepSecurity, detecting the origin of a suspicious outbound network connection was challenging with traditional CNAPPs or IDS solutions, as we’d only see a general alert. StepSecurity gives us complete visibility into which specific Action triggered a connection and even lets us drill down into host processes tied to that Action. Now, we have a clear and actionable picture of every network connection our runners make, and we can respond with confidence.”
— Jean-Philippe Lachance, Staff Security Specialist, R&D, Coveo
Scaling GitHub Actions Security Best Practices with StepSecurity
To support Coveo's goal of guiding the implementation of GitHub Actions security best practices and scaling their security efforts, StepSecurity provided a comprehensive solution. StepSecurity detects and flags security misconfigurations in GitHub Actions workflows, such as overprivileged token permissions, unpinned Actions, and risky third-party Actions.
Moreover, StepSecurity goes beyond simple detection by offering automated remediation through high-precision fix recommendations. As an example, StepSecurity leverages detailed insights from Harden-Runner, including analyzing GitHub API calls made during a job to suggest the minimum necessary token permissions.
StepSecurity further enhanced security by providing a comprehensive score for third-party Actions based on static analysis. This scoring evaluates key security attributes, offering quick insights into the trustworthiness of an Action. In addition, StepSecurity uses dynamic analysis to observe and report outbound calls made by third-party Actions, shedding light on their behavior and potential risks. This combined approach allows Coveo to understand the security posture of third-party Actions more thoroughly, eliminating the need for labor-intensive manual reviews and facilitating confident, informed decisions about their usage.
These capabilities helped streamline the process of hardening workflows and reduced the manual effort required from the developers, enabling faster response times and consistent adherence to best practices.
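Two of the misconfigurations named above, unpinned Actions and overprivileged GITHUB_TOKEN permissions, checked by a small scanner. This is an added example and not StepSecurity's scanner; it works on the workflow text with regular expressions so it runs without a YAML library, where a production tool would parse the YAML. Both workflows are constructed: the first is a deliberately weak "before", the second its hardened counterpart, and the 40-hex digests in the hardened one are placeholders rather than real commits.

```python
"""Scanner for unpinned Actions and overprivileged token permissions (added example)."""
import re

# Constructed "before": mutable refs and a blanket write-all token.
WEAK_WORKFLOW = """\
name: build
on: [push, pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - run: make
"""

# Constructed "after": least-privilege token and digest-pinned Actions
# (the digests are placeholders, not real commits).
HARDENED_WORKFLOW = """\
name: build
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: some-org/some-action@89abcdef0123456789abcdef0123456789abcdef # v1.2.0
      - run: make
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERMISSIONS_RE = re.compile(r"^permissions:\s*(.*)$")  # column 0: top-level only
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(text):
    """Return 'owner/repo@ref' values whose ref is not a full commit SHA.

    Tags and branches are mutable: a force-pushed or compromised tag changes
    what the workflow executes without any change to the workflow file.
    Local actions (./path) and docker:// references are skipped.
    """
    unpinned = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def check_token_permissions(text):
    """Return a finding for the top-level permissions block, or None.

    No block at all means GITHUB_TOKEN gets the repository's default scopes,
    which depend on a repository setting and can be read/write; 'write-all'
    grants every scope explicitly. An explicit scoped block is accepted here.
    """
    for line in text.splitlines():
        m = PERMISSIONS_RE.match(line)
        if m:
            value = m.group(1).strip()
            if value == "write-all":
                return "top-level permissions: write-all grants every token scope"
            return None
    return "no top-level permissions block; GITHUB_TOKEN falls back to repository default"


def scan(text):
    """Collect all findings for one workflow file's contents."""
    findings = [f"unpinned action: {ref}" for ref in find_unpinned_actions(text)]
    perm = check_token_permissions(text)
    if perm:
        findings.append(perm)
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, scan(wf) or "no findings")
```

Job-level `permissions:` blocks override the top-level one and are not checked here; a fuller scanner would walk each job and flag any scope set to `write` that the job's API calls do not need.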
“Working with the StepSecurity team, we’ve crafted a developer experience that truly adds value, bringing security improvements right to our developers’ fingertips. The Harden-Runner Action delivers immediate insights into our workflows and suggests best practices from day one. When StepSecurity automatically opens pull requests with recommended remediations, it makes the security process seamless: our developers can simply review and merge, and their workflows are instantly more secure.”
— Jean-Philippe Lachance, Staff Security Specialist, R&D, Coveo
Summary
Coveo enhanced the security of its GitHub Actions workflows by integrating StepSecurity, gaining deep observability and automated protection against potential threats. StepSecurity enabled Coveo to detect security misconfigurations, monitor outbound traffic from its runners, and assess the security posture of third-party Actions through automated scoring and dynamic analysis, scaling its security efforts without burdening developers.
“StepSecurity has been transformative in advancing Coveo’s security posture. This platform goes far beyond checking boxes; it’s about enabling smarter decisions and driving operational efficiency. With StepSecurity, we’re equipped to take our CI/CD security to the next level.”
— Jean-Philippe Lachance, Staff Security Specialist, R&D, Coveo