§ Private Profile · Dover, DE, USA
StepSecurity is a company.
StepSecurity has raised $3.0M across 1 funding round.
Key people at StepSecurity.
StepSecurity offers a comprehensive platform designed to detect, prevent, and respond to software supply chain attacks across various development lifecycle stages. The company's core product provides end-to-end defense for AI agents, developer machines, npm packages, and CI/CD pipelines. Its technical approach includes visibility and control over AI agents and IDE extensions, detection of compromised npm packages, and real-time threat detection and response for GitHub Actions CI/CD pipelines through capabilities like Harden-Runner.
The company was founded by Varun Sharma, who serves as CEO, and Ashish Kurmi, the CTO. Both are seasoned security professionals with prior experience building hyper-scale security functions at companies like Microsoft, Uber, and Plaid. Their entrepreneurial insight stemmed from the critical security vulnerabilities exposed by incidents such as SolarWinds and Codecov, revealing a significant gap in CI/CD pipeline security that propelled them to establish StepSecurity a couple of years ago.
StepSecurity's product is utilized by enterprises worldwide, as well as by open-source communities seeking to secure their CI/CD pipelines. The company's mission is to build the premier CI/CD security platform, aiming to close critical software supply chain security gaps and provide complete protection throughout the software development lifecycle, thus fostering a more secure future for software delivery.
StepSecurity has raised $3.0M across 1 funding round. Most recently, it raised $3.0M Seed in April 2024.
| Date | Round | Lead Investors | Other Investors | Status |
|---|---|---|---|---|
| Apr 1, 2024 | $3M Seed | Michael Sutton | BLU Venture Investors, Costanoa Ventures, Decibel Partners, Paladin Capital Group, DeVC, Inner Loop Capital, SaaS Ventures | Announced |
StepSecurity's investors include Michael Sutton, Blu Venture Investors, Costanoa Ventures, Decibel Partners, Paladin Capital Group, DeVC, Inner Loop Capital, SaaS Ventures.
StepSecurity is a cybersecurity startup that builds a CI/CD security platform focused on securing GitHub Actions and software supply chains.[1][2][3] It serves developers, open-source communities, and enterprises by providing multi-layered protection through visibility, detection, response, and remediation of risks in CI/CD pipelines, addressing weaknesses such as over-privileged tokens and supply chain attacks.[3][4] The platform addresses the problems exposed by breaches such as SolarWinds and Codecov by enabling teams to baseline network behavior, block unauthorized traffic, vet third-party Actions, and apply one-click security fixes. Its growth is evidenced by recognitions such as the Linux Foundation's Secure Open Source Rewards, adoption by companies like Kapiche, and endorsements from CISOs at Coinbase, Zscaler, and others.[1][4][5]
StepSecurity was founded by Varun Sharma (CEO & Co-Founder) and Ashish Kurmi (CTO & Co-Founder), both veteran security leaders who previously drove CI/CD security initiatives at major companies including Microsoft, Uber, and Plaid.[1][2] The idea emerged around 2022 amid high-profile supply chain breaches like SolarWinds and Codecov, which highlighted the lack of dedicated CI/CD security tools; after consulting peers and finding no adequate solutions, they began building their product in the open, initially offering it for free to secure open-source developers' pipelines.[1][4] Early traction came swiftly through the open-source SecureWorkflows project, which automated CI/CD fixes for critical projects like Python, Ruby on Rails, and Babel, earning Linux Foundation recognition and integration with OpenSSF Scorecard.[4]
StepSecurity rides the surging wave of software supply chain security, fueled by escalating attacks on CI/CD pipelines; over-privileged GitHub tokens alone pose high risks, as noted by OpenSSF Scorecard, and incidents like Codecov enabled prolonged data exfiltration.[1][4][5] Timing is ideal amid 2020s breaches and regulatory pushes for secure open-source software (e.g., Linux Foundation SOS Rewards), positioning it to protect critical projects and enterprises adopting GitHub Actions at scale.[4] Market forces such as rising adoption of DevSecOps, AI-driven feedback platforms (e.g., the Kapiche case), and supply chain threats favor its specialized, open-source-rooted approach; it influences the ecosystem by hardening OSS pipelines, partnering with OpenSSF, and setting standards for Action vetting that reduce industry-wide risk.[3][4][5]
StepSecurity is poised for expansion by deepening GitHub integrations, scaling enterprise adoption (building on Coveo, Kapiche, and CISO endorsements), and extending beyond Actions to broader CI/CD environments amid persistent supply chain threats.[1][3][5] Trends like zero-trust pipelines, automated remediation, and OSS security mandates will propel growth, potentially evolving it into a full-spectrum release security leader. As pioneers who turned breach-driven urgency into open-source impact, StepSecurity exemplifies how targeted CI/CD defenses fortify the foundational pipelines powering modern software.