Case Study

How Neon Secures Its CI/CD Pipelines with StepSecurity

Neon rolled out StepSecurity’s enterprise solution to harden CI/CD pipelines—without compromising developer velocity.

Runners: Self-Hosted & GitHub-Hosted

Background

Neon is a Series B startup building a serverless Postgres platform for modern development workflows. The product combines the power of Postgres with features like autoscaling and branching to support fast iteration. As a cloud-native database company, Neon places a strong emphasis on security, with both its architecture and internal practices designed to support secure development at scale. The company is compliant with SOC 2 Type II, ISO 27001/27701, and HIPAA, and is currently preparing for PCI-DSS.

Challenge

CI/CD environments are complex and often difficult to secure—especially when workflows can be edited or extended by many contributors. Despite having strong policies and controls in place, Neon faced a visibility gap when it came to GitHub Actions runtime behavior, particularly regarding network activity and the potential for abuse. Detecting certain classes of misconfigurations or attacks remained a challenge, even with existing security measures.

We were concerned about the lack of visibility into what our GitHub Actions were doing at runtime—particularly in terms of network activity and potential abuse.

— Busra Kugler, Lead Security Engineer at Neon

Neon initially relied on access controls, best practices, and developer education to reduce workflow-related risks. While effective to an extent, this approach lacked enforcement. More restrictive alternatives—like isolating workflows or locking down repositories—would have introduced friction for engineering teams, slowing down development.

Solution

Neon chose StepSecurity to address the visibility and enforcement gaps in its CI/CD pipeline. StepSecurity’s focus on GitHub Actions security, especially around outbound network monitoring and enforcement, aligned closely with Neon’s needs. The platform provided runtime insights that were previously unavailable and helped enforce security guardrails without impacting developer velocity.

StepSecurity provided a level of runtime insight and control that we hadn’t seen elsewhere. Their focus on GitHub Actions security, especially around outbound network monitoring and enforcement, aligned well with our needs.

— Busra Kugler, Lead Security Engineer at Neon

Neon has rolled out StepSecurity across most of its repositories, prioritizing those that handle infrastructure and production workflows. The platform now plays a central role in the company’s CI/CD security strategy. The security team monitors and triages alerts as part of daily operations and uses the insights from StepSecurity to continuously improve pipeline hardening.

StepSecurity has filled a critical gap in Neon’s CI/CD security stack. It gave the team visibility into what their GitHub Actions runners are actually doing—not just what they’re configured to do. Neon now has:

Network-level protection on runners, with automatic detection of unexpected outbound traffic

Enforcement of least privilege at the network layer, reducing the risk of data exfiltration or lateral movement

Early alerts on potentially unsafe workflows or misconfigurations

A practical way to harden pipelines without slowing teams down or relying solely on policy and review

A clearer understanding of runner behavior across all environments, from infrastructure to app-level repositories
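The audit-then-enforce egress control described above, expressed as a GitHub Actions workflow using StepSecurity's Harden-Runner action. This is an added illustration, not code from the page or from Neon; the workflow name, the job, and the allowed endpoints are constructed assumptions rather than Neon's actual configuration.

```yaml
name: build
on: [push, pull_request]

permissions:
  contents: read        # least-privilege token scope for the job below

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Harden-Runner must be the first step so it can observe every
      # outbound connection the rest of the job makes.
      # Rollout in two phases:
      #   1. egress-policy: audit  -> record all egress, block nothing; use
      #      this first to learn the job's real network footprint.
      #   2. egress-policy: block  -> allow only the reviewed endpoints;
      #      anything else is denied and surfaces as an alert.
      # Pinning the action to a full-length commit SHA instead of @v2 is
      # the stronger supply-chain posture.
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          # Constructed example list: what a Node build typically needs.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

A connection attempt from the build to any host not listed (for example, a compromised dependency phoning home) is blocked at the network layer rather than merely logged.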

StepSecurity has filled a critical gap in our CI/CD security stack. It gave us visibility into what our GitHub Actions runners are actually doing, not just what they’re configured to do. StepSecurity is now an integral part of how Neon secures its CI/CD pipelines.

— Busra Kugler, Lead Security Engineer at Neon
