chore(sec): run zizmor in CI #6575
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Pull request overview
This PR adds the zizmor security scanning tool to the CodeQL workflow to detect insecure CI configurations in GitHub Actions workflows.
Key Changes
- Added a new zizmor job to the CodeQL workflow that runs the zizmorcore/zizmor-action (v0.3.0)
- Configured appropriate permissions for the security scanning job (security-events: write, contents: read, actions: read)
- Applied security best practices with persist-credentials: false on checkout
```
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with: { persist-credentials: false }
- name: Run zizmor
uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
```
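Review bot: the new job has no `timeout-minutes`, so a hung or slow scan would occupy a runner until GitHub's default limit; add something like `timeout-minutes: 10` next to `runs-on: ubuntu-latest`. The two `uses:` lines pinned to full commit SHAs with version comments, and `with: { persist-credentials: false }` on the checkout step, are the right pattern for a job that only needs to read the tree and upload results, and `security-events: write` is the minimum the SARIF upload needs.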
The indentation of the zizmor job properties is inconsistent with the rest of the file. The job name "zizmor" is correctly indented with 2 spaces, but the properties underneath (runs-on, permissions, steps) are indented with 6 spaces instead of 4 spaces. This should match the indentation pattern used in the "analyze" job above, where properties are indented with 4 spaces relative to the job name.
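The two hygiene properties the review overview points at (every `uses:` pinned to a full commit SHA, and `persist-credentials: false` on every `actions/checkout` step) are easy to check mechanically. The linter below is an added example and is not zizmor's code nor part of this repository; it is a deliberately small, dependency-free stand-in for those two audits. The sample workflow text, the rule names `unpinned-uses` and `persist-credentials`, and the step-splitting heuristic are all assumptions made for the example; the two pinned action references are the ones from the diff above.

```python
"""Minimal, dependency-free checker for two GitHub Actions hygiene rules:
  - every `uses:` reference is pinned to a full 40-hex commit SHA
  - every actions/checkout step sets persist-credentials: false
Added example, not zizmor's implementation; the workflow below is constructed."""
import re
from dataclasses import dataclass

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
# `- uses: x` or `uses: x`; the captured value stops before any `# version` comment
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
# accepts both `with: { persist-credentials: false }` and the multi-line form
PERSIST_FALSE_RE = re.compile(r"persist-credentials:\s*false")
# a YAML list item such as `- name: ...` or `- uses: ...`
STEP_START = re.compile(r"^(\s*)-\s+\S")


@dataclass
class Finding:
    line: int      # 1-based line of the offending step's first line
    rule: str      # hypothetical rule id, chosen for this example
    message: str


def split_steps(text):
    """Yield (line_no, block) for each YAML list item; the block runs until the
    next non-empty line whose indentation is at or left of the item's dash."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = STEP_START.match(lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group(1))
        block = [lines[i]]
        j = i + 1
        while j < len(lines):
            ln = lines[j]
            if ln.strip() and (len(ln) - len(ln.lstrip())) <= indent:
                break
            block.append(ln)
            j += 1
        yield i + 1, block
        i = j


def lint_workflow(text):
    """Return the list of Findings for one workflow file's text."""
    findings = []
    for line_no, block in split_steps(text):
        uses = next((m.group(1) for ln in block if (m := USES_RE.match(ln))), None)
        if uses is None or uses.startswith(("./", "docker://")):
            continue  # not a step, or a local/container action: out of scope here
        ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
        if not SHA_PIN.match(ref):
            findings.append(Finding(line_no, "unpinned-uses",
                                    f"{uses} is not pinned to a full commit SHA"))
        if uses.startswith("actions/checkout@") and \
                not any(PERSIST_FALSE_RE.search(ln) for ln in block):
            findings.append(Finding(line_no, "persist-credentials",
                                    "actions/checkout leaves the job token in .git/config; "
                                    "set persist-credentials: false"))
    return findings


# Constructed sample: the `good` job mirrors the PR's job, `sloppy` breaks both rules.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  good:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with: { persist-credentials: false }
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
  sloppy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        uses: example/build-action@main
        with:
          target: release
"""

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Run as a script it reports three findings, all in the `sloppy` job, and none for the job that follows the PR's pattern. The step splitter is indentation-based rather than a YAML parser, which is enough for workflow files in the usual layout; a real audit tool such as zizmor parses the YAML properly and covers many more rules.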
A tool to detect insecure CI configurations now and in the future.