zizmor can find many common security issues in typical GitHub Actions CI/CD setups.
https://github.com/zizmorcore/zizmor
https://github.com/zizmorcore/zizmor-pre-commit
zizmor comes with audit rules, and you use a configuration file, zizmor.yml.
So I just ran the hook here on a new branch, and below is the output. No config file is being used for this:
```
run zizmor...............................................................Failed
- hook id: zizmor
- exit code: 14
INFO zizmor: skipping impostor-commit: can't run without a GitHub API token
INFO zizmor: skipping ref-confusion: can't run without a GitHub API token
INFO zizmor: skipping known-vulnerable-actions: can't run without a GitHub API token
INFO zizmor: skipping forbidden-uses: audit not configured
INFO zizmor: skipping stale-action-refs: can't run without a GitHub API token
INFO audit: zizmor: 🌈 completed .github/workflows/build.yml
INFO audit: zizmor: 🌈 completed .github/workflows/coverage.yml
INFO audit: zizmor: 🌈 completed .github/workflows/labeler.yml
INFO audit: zizmor: 🌈 completed .github/workflows/lint.yml
INFO audit: zizmor: 🌈 completed .github/workflows/oss-fuzz.yml
INFO audit: zizmor: 🌈 completed .github/workflows/release.yml
INFO audit: zizmor: 🌈 completed .github/workflows/super-linter.yml
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/build.yml:33:9
|
33 | - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
| _________-
34 | | uses: actions/checkout@v4
| |_________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/build.yml:48:9
|
48 | - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
| _________-
49 | | uses: actions/checkout@v4
| |_________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
help[template-injection]: code injection via template expansion
--> .github/workflows/build.yml:37:9
|
37 | - name: Compiler version
| ---------------------- help: this step
38 | run: ${{ env.CC }} --version
| ---------------------------- help: env.CC may expand into attacker-controllable code
|
= note: audit confidence → High
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/coverage.yml:18:9
|
18 | - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
| _________-
19 | | uses: actions/checkout@v4
| |_________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/coverage.yml:6:3
|
6 | / coverage:
7 | | name: Coverage
... |
40 | | path: coverage/
41 | | retention-days: 3
| | -
| |____________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> .github/workflows/labeler.yml:3:1
|
3 | / on:
4 | | - pull_request_target
| |_______________________^ pull_request_target is almost always used insecurely
|
= note: audit confidence → Medium
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/lint.yml:14:9
|
14 | - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
| _________-
15 | | uses: actions/checkout@v4
| |_________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/lint.yml:32:9
|
32 | - uses: actions/checkout@v4
| ------------------------- does not set persist-credentials: false
|
= note: audit confidence → Low
error[unpinned-uses]: unpinned action reference
--> .github/workflows/lint.yml:33:9
|
33 | - uses: ls-lint/action@v2.3.1
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/oss-fuzz.yml:12:9
|
12 | uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/oss-fuzz.yml:17:9
|
17 | uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/release.yml:21:9
|
21 | - name: "Checkout ${{ github.ref_name }} ( ${{ github.sha }} )"
| _________-
22 | | uses: actions/checkout@v4
| |_________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
error[unpinned-uses]: unpinned action reference
--> .github/workflows/release.yml:41:9
|
41 | uses: softprops/action-gh-release@v2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/super-linter.yml:17:9
|
17 | - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
| _________-
18 | | uses: actions/checkout@v4
19 | | with:
20 | | # Full git history is needed to get a proper list of changed files within `super-linter`
21 | | fetch-depth: 0
| |________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
error[unpinned-uses]: unpinned action reference
--> .github/workflows/super-linter.yml:23:9
|
23 | uses: super-linter/super-linter/slim@v7.4.0
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
20 findings (5 suppressed): 0 unknown, 0 informational, 1 low, 8 medium, 6 high
```
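As an added example (not part of the issue, and not code from the zizmor project or this repository), here is a workflow that addresses each finding class in the output above: `artipacked` (checkout without `persist-credentials: false`), `template-injection` (`${{ env.CC }}` expanded into a `run:` script), `excessive-permissions` (no `permissions:` block), `dangerous-triggers` (`pull_request_target`) and `unpinned-uses` (tag or branch refs instead of commit hashes). The workflow name, the `CC: gcc` value and the release job shape are assumptions for illustration; the 40-zero commit SHAs are placeholders that must be replaced with the real SHA of the tag you want to pin.

```yaml
# Added example: a hardened workflow for the finding classes zizmor reported above.
# Not from the issue or the zizmor project. SHAs below are placeholders.
name: build

on:
  push:
    branches: [main]
  # dangerous-triggers: pull_request runs with a read-only token in the PR's own
  # context. Keep pull_request_target only when a job truly needs a write-scoped
  # token for fork PRs, and then never check out or execute PR-controlled code.
  pull_request:

# excessive-permissions: an explicit, minimal default for every job in the file.
permissions:
  contents: read

env:
  CC: gcc   # assumed value; in the original it is whatever sets env.CC

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        # unpinned-uses: pin to a full commit SHA and keep the human-readable
        # tag as a trailing comment so upgrades remain reviewable.
        uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          # artipacked: do not leave the job token in .git/config, where a later
          # upload-artifact step could ship it along with the tree.
          persist-credentials: false

      - name: Compiler version
        # template-injection: the original was
        #   run: ${{ env.CC }} --version
        # which splices the expression into the script text before the shell
        # runs it. Reading $CC from the environment keeps it as data, not code.
        run: |
          "$CC" --version

  release:
    if: startsWith(github.ref, 'refs/tags/')
    needs: build
    runs-on: ubuntu-latest
    # Only this job needs to write; it overrides the read-only workflow default.
    permissions:
      contents: write
    steps:
      - name: "Checkout ${{ github.ref_name }} ( ${{ github.sha }} )"
        uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false
          # A full history (fetch-depth: 0) is compatible with persist-credentials: false.
          fetch-depth: 0
      - uses: softprops/action-gh-release@0000000000000000000000000000000000000000 # v2 (placeholder SHA)
```

Running `zizmor .github/workflows/` against a file in this shape should clear the `artipacked`, `template-injection`, `excessive-permissions` and `dangerous-triggers` findings outright; `unpinned-uses` clears once the placeholder SHAs are replaced with real commit hashes. The API-token-gated audits (`impostor-commit`, `ref-confusion`, `known-vulnerable-actions`, `stale-action-refs`) were skipped in the run above and still need a `GH_TOKEN` to execute.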