Enterprise customer credentials

Enterprise customers receive their credentials to access to the Step Enterprise artifacts (Enterprise release, Docker images and Helm Chart) from the Step support upon request.

Main point of contact for any issue related to access request is support@exense.ch.

Nexus and Docker private repository

Nexus access

Step Enterprise artifacts are now published to our Nexus in the ‘distribution’ repository.

The Enterprise repository can be accessed via https, preferably using a Web browser at https://nexus-enterprise.exense.ch/#browse/browse:distribution:step-enterprise and the provided credentials.

Docker private repository access

Docker private repository hosting the Step images can be setup using the below command, using the same credentials as for the Nexus repository:

docker login docker.exense.ch -u YOUR_USERNAME -p YOUR_PASSWORD

Then you can pull the images locally using below command (example for Step version 3.27.0):

docker pull docker.exense.ch/step-enterprise/controller:3.27.0-java-21
docker pull docker.exense.ch/step-enterprise/agent:3.27.0-java-21
docker pull docker.exense.ch/step-enterprise/agent:3.27.0-dotnet-8

Along with Step 27, Exense also provides a basic Agent runtime image containing Java 21 and NodeJS 20 on debian-12-slim OS (used as default Agent runtime image in the corresponding Helm Chart), as per below:

docker.exense.ch/step-enterprise/base:21-debian-12-slim

Also, an Agent runtime image containing the most used browsers, their associated drivers and Java 21 on debian-12-slim OS has been published at:

docker.exense.ch/step-enterprise/browsers:1.0.4-java-21

References:

License request

The Step Enterprise licenses are provided directly by email to the customer.

Proactive Docker Vulnerability Management Strategy

SBOM (Software Bill of Materials)

For transparency and security compliance, we publish SBOM files for Step Docker images in CycloneDX format. These files provide a complete inventory of all software components included in the Docker images.

SBOM files are available alongside the distribution files on the Exense Nexus repository.

Regular Scanning

We perform a monthly vulnerability scan of the current stable Docker image using Docker Scout to identify any new security issues promptly.

Release-Driven Security Checks

Before every new release of Step, we conduct a full security scan to ensure that no vulnerabilities slip into production.

Rapid Remediation for High-Risk Issues

For vulnerabilities classified as High or Critical and for which a fix exists, we commit to delivering a bugfix release within 14 days of detection for the current stable version.

Risk Assessment Process

Although scans are automated, every flagged vulnerability is manually reviewed by our security team. This manual assessment takes into account the specific context and usage of each dependency within Step.

Support for Older Versions

We back-port critical Step bug fixes for up to three versions prior to the current stable release.

However, for vulnerabilities and as part of the standard subscription, we’re currently not able to offer this service for older versions of Step but only for the current stable one.

Known false positive vulnerability alerts

For the Sikuli plugin, the Sikuli ide jar is included in the distribution so that it can be transferred to the agent solely for the execution of sikuli keywords. This jar is not part of the Step runtime and does not cause any actual security vulnerability. These are the false positive alerts that might be triggered by your scanner.

• commons-compress@1.19
• netty-codec@4.1.45.Final
• log4j@1.2.17
• commons-collections@3.2.1
• commons-beanutils@1.9.2
• commons-io@2.8.0

Note This embedded sikuli jar will be removed with future major distribution to avoid these false positive alerts. Users of the Sikulix plugin will still have the possibility to copy the required jar on their controller installation.