step-security · stepsecurity-app · Dec 2, 2025
diff --git a/.github/workflows/Hiero.yml b/.github/workflows/Hiero.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@rc-20-int
+        uses: step-security/harden-runner@b458cf61e24e167c05a441dec5234b240974af45 # rc-20-int
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/LargeMatrixWorkflow.yml b/.github/workflows/LargeMatrixWorkflow.yml
@@ -10,21 +10,25 @@ on:
   pull_request:
 
 
+permissions: {}
+
 jobs:
   generate-jobs:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
     name: Generate Jobs
     runs-on: ubuntu-latest
     strategy:
       matrix:
         job_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20]
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc-20-int
+        uses: step-security/harden-runner@b458cf61e24e167c05a441dec5234b240974af45 # rc-20-int
         with:
           egress-policy: audit
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Sleep for 3 minutes on push
         if: github.event_name == 'push'

diff --git a/.github/workflows/LargeMatrixWorkflow2.yml b/.github/workflows/LargeMatrixWorkflow2.yml
@@ -9,20 +9,26 @@ on:
         default: '100' # Default value as a string
   pull_request:
 
+permissions: {}
+
 jobs:
   setup-job:
+    permissions:
+      contents: read
     name: Setup Job
     runs-on: ubuntu-24.04-arm
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc-20-int
+        uses: step-security/harden-runner@b458cf61e24e167c05a441dec5234b240974af45 # rc-20-int
         with:
           egress-policy: audit
 
       - name: Sleep for 60 seconds
         run: sleep 60
 
   generate-jobs:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
     name: Generate Jobs
     needs: setup-job
     runs-on: ubuntu-latest
@@ -31,12 +37,12 @@ jobs:
         job_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20]
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc-20-int
+        uses: step-security/harden-runner@b458cf61e24e167c05a441dec5234b240974af45 # rc-20-int
         with:
           egress-policy: audit
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Make a curl request
         run: curl https://google.com

diff --git a/.github/workflows/agent-tracer-block.yml b/.github/workflows/agent-tracer-block.yml
@@ -7,7 +7,12 @@ jobs:
     if: always()
     runs-on: ARMLinuxRunner
     steps:
-      - uses: h0x0er/harden-runner@int
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
+      - uses: h0x0er/harden-runner@0d80ddb713b0355047ffbd4af2aabdca3cdef5da # int
         with:
          egress-policy: block
          agent-env: int-pull

diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml
@@ -6,15 +6,19 @@ on:
 # permissions:
 #   contents: read
 
+permissions: {}
+
 jobs:
   overwrite:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
     if: always()
     runs-on: ARMLinuxRunner
     steps:
-      - uses: step-security/harden-runner@rc
+      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # rc
         with:
           egress-policy: audit
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: echo overwrite
         run: echo "## Overwritten" >> README.md
@@ -23,17 +27,19 @@ jobs:
         run: echo "# Replaced" >> README2.md; mv README2.md README.md
 
   egress-test:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
     if: always()
     runs-on: ARMLinuxRunner
     steps:
-      - uses: step-security/harden-runner@rc
+      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # rc
         with:
           egress-policy: block
           disable-sudo: true
           allowed-endpoints: |
             www.google.com:443
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - run: curl https://www.google.com
       - run: curl https://microsoft.com
diff --git a/.github/workflows/broadcast-ip.yml b/.github/workflows/broadcast-ip.yml
@@ -3,12 +3,16 @@ name: Broadcast IP Test
 on:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   broadcast-test-hr-latest:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
 
-      - uses: step-security/harden-runner@rc
+      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # rc
         with:
           egress-policy: block
           allowed-endpoints: >

diff --git a/.github/workflows/buildkit.yml b/.github/workflows/buildkit.yml
@@ -7,6 +7,8 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+permissions: {}
+
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
@@ -16,28 +18,28 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@int-sh
+      uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh
       with:
         egress-policy: audit
 
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       with:
           buildkitd-flags: --debug
 
     - name: Log in to the Container registry
-      uses: docker/login-action@v3
+      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
       with:
         registry: ${{ env.REGISTRY }}
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Extract metadata (tags, labels) for Docker
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
       with:
         images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
@@ -50,7 +52,7 @@ jobs:
         EOF
 
     - name: Build and push Docker image
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
       with:
         context: .
         push: true

diff --git a/.github/workflows/bulk-requests.yml b/.github/workflows/bulk-requests.yml
@@ -8,7 +8,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-      - uses: rohan-stepsecurity/harden-runner@int
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
+      - uses: rohan-stepsecurity/harden-runner@c118b4b2af1f1935b62f3f065df3d5ffdbd11a13 # int
         with:
          egress-policy: audit
 

diff --git a/.github/workflows/bulk.yml b/.github/workflows/bulk.yml
@@ -3,12 +3,16 @@ name: Bulk API
 on:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   bulk-request:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
     runs-on: ubuntu-latest
     steps:
 
-      - uses: step-security/harden-runner@rc
+      - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # rc
         with:
          egress-policy: block
          allowed-endpoints: >
@@ -118,9 +122,9 @@ jobs:
 
 
       - run: sleep 5
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: '1.21'
       - name: Run Extended Domain Check

diff --git a/.github/workflows/config-change-test.yml b/.github/workflows/config-change-test.yml
@@ -2,12 +2,16 @@ name: Config change test
 on: 
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   test-host-outbound:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -18,7 +22,7 @@ jobs:
       - run: cat /etc/systemd/resolved.conf
       - run: cat /etc/resolv.conf
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Run outbound calls from host
         run: |
@@ -32,10 +36,12 @@ jobs:
           done
 
   test-docker-outbound:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -51,7 +57,7 @@ jobs:
       - run: cat /run/systemd/resolve/resolv.conf
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Run outbound calls from within Docker container
         continue-on-error: true
@@ -84,10 +90,12 @@ jobs:
       - run: cat /etc/resolv.conf
       - run: cat /run/systemd/resolve/resolv.conf
   test-docker-build-outbound:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
     runs-on: ubuntu-24.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -103,7 +111,7 @@ jobs:
       - run: cat /etc/resolv.conf
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Build Docker image and test outbound calls during build
         continue-on-error: true
@@ -133,15 +141,22 @@ jobs:
       - run: cat /etc/resolv.conf
       - run: cat /run/systemd/resolve/resolv.conf
   test-long-running-docker:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
     runs-on: ubuntu-latest
     steps:
 
 
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - run: cat /etc/resolv.conf
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Run long-running Docker container with outbound calls
         continue-on-error: true

diff --git a/.github/workflows/container-test-job.yml b/.github/workflows/container-test-job.yml
@@ -1,8 +1,12 @@
 name: CI
 on:
   workflow_dispatch:
+permissions: {}
+
 jobs:
   container-test-job:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     container:
       image: node:18

diff --git a/.github/workflows/cvdupdate.yml b/.github/workflows/cvdupdate.yml
@@ -4,15 +4,19 @@ on:
   workflow_dispatch:
 
 
+permissions: {}
+
 jobs:
 
   build:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
     runs-on: ubuntu-latest
     #runs-on: [self-hosted, ec2]
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@rc
+      uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # rc
       with:
         egress-policy: audit
         allowed-endpoints: >
@@ -25,7 +29,7 @@ jobs:
           pypi.org:443
           registry-1.docker.io:443
 
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
     - name: Build the Docker image
       run: docker build . --file Dockerfile