Linux Foundation Rewards StepSecurity’s Impact on CI/CD Pipeline Security Fixes for Critical Open Source Projects

  • SecureWorkflows was used to update CI/CD pipelines for 10 critical Open Source Security Foundation (OpenSSF) projects, including Python, Gatsby, Ruby on Rails, and Babel, so that each project’s automated workflow tokens follow the principle of least privilege.

SEATTLE -- Security attacks targeting software supply chains have increased dramatically over the past several years. According to the Open Source Security Foundation (OpenSSF) Scorecard project, over-privileged automated workflow tokens are a high-risk issue because an attacker who obtains a compromised token with write access can push malicious code into the project. Over-privileged GitHub tokens can therefore lead to serious security incidents in which bad actors plant malicious code in trusted software.
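As an added illustration (not code from this release or from StepSecurity), the following GitHub Actions workflow shows the over-privileged token setting next to the least-privilege form that the OpenSSF Scorecard Token-Permissions check looks for; the repository, job names and the make/gh commands are hypothetical.

```yaml
# Added example: the automatic GITHUB_TOKEN before and after least privilege.
# Repository, jobs and commands are hypothetical placeholders.

# --- Before: every job gets a token that can write to the repository ---
name: ci-before
on: [push, pull_request]
permissions: write-all        # over-privileged: any compromised step can push code
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
---
# --- After: read-only by default, write scope only where a job needs it ---
name: ci-after
on: [push, pull_request]
permissions:
  contents: read              # workflow-wide default; all unlisted scopes become "none"
jobs:
  build:
    runs-on: ubuntu-latest     # inherits the read-only token
    steps:
      - uses: actions/checkout@v4   # Scorecard also prefers pinning actions to a commit SHA
      - run: make test
  release:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write         # escalated for this job only, to publish the release
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "v$(date +%Y%m%d)" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

The job-level `permissions` block overrides the workflow-level one only for that job, so a compromised dependency in `build` still cannot push commits or create releases.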

StepSecurity’s impact was recently recognized by the Linux Foundation for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.” Using SecureWorkflows, StepSecurity fixed projects selected from the OpenSSF’s list of critical open source projects, including Python, Gatsby, Ruby on Rails, and Babel.

According to Varun Sharma, CEO of StepSecurity, who presented SecureWorkflows at the annual Linux Foundation Open Source Summit in Austin, Texas, “Fixing security problems at scale is hard and there is a huge opportunity to improve the security of software by automated one-click remediation.”

StepSecurity created SecureWorkflows in early 2022 to enable automatic security updates to CI/CD pipelines and significantly reduce the amount of developer time and effort required to apply security settings. Additionally, SecureWorkflows is now integrated with the OpenSSF’s Scorecard project.

About StepSecurity

Founded by security software veterans, StepSecurity’s mission is to empower open-source communities and enterprises to produce software with confidence. The company offers a multipoint, end-to-end platform for securing software release and distribution pipelines and is partnering with the Open Source Security Foundation (OpenSSF) to help open-source project maintainers remediate critical software supply chain security issues.

Learn more at