Develop a zizmor GitHub Action #69
Comments
First draft of such a workflow (based on the ESLint one):

```yaml
name: "Scan workflows"
on:
  pull_request:
    branches:
      - "**"
    paths:
      # Run for changes to *any* workflow file
      - ".github/workflows/*.yml"
  push:
    branches:
      - main
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      # required for all workflows
      security-events: write
      # only required for workflows in private repositories
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install zizmor
        run: cargo install zizmor
      - name: Scan workflows
        run: |
          zizmor --format=sarif . | tee workflow-scan.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: workflow-scan.sarif
```

Also see #71
Thanks for the issue @ncoghlan! Completely agreed -- ideally there'd be an action hosted within this repo itself so people could do:

```yaml
- uses: woodruffw/zizmor/action@tag
  with: ...
```

...and get SARIF, etc. integration right out of the box 🙂
Related request: #89.
Leaving this open since I still want to build a full-fledged action for zizmor, but the docs now include an example annotated workflow based on the one @ncoghlan and @colindean

Please note that code scanning is only available for public repositories or for organizations with GitHub Enterprise Cloud.

What does a user see when they cannot use code scanning but try to use the tools that upload the SARIF file to GH?

For us, we'd like to have an action that will simply fail PRs, etc. if there are security issues. So maybe having two Actions or two "modes" makes sense: one to perform code scanning and one to gate changes.

I believe you can configure this with GitHub's advanced security feature: you can set a required check for no alerts raised by all security tools, or by a specific tool like

(With that being said, this is what the standalone action will do -- it'll optionally integrate with advanced security via SARIF, but by default it'll just spit out a render and fail if there are any errors.)

@tobiastornros would you be interested in sending a PR adding that as a note to the docs? I'd greatly appreciate it!

Done. See #121
I've tried out the example but the compilation of zizmor is slow and it would be nice to have it precompiled. In lieu of the security checks (which are an additional cost on enterprise cloud too) you can use a custom matcher and get the info as annotations.

My workflow's steps:

```yaml
- uses: actions/checkout@v4
  with:
    ref: ${{ github.sha }}
    # optimize fetching for big repos
    sparse-checkout: |
      .github/actions
      .github/workflows
      .github/zizmor-matcher.json
      zizmor.yml
      requirements.txt
- name: Set up Python
  uses: actions/setup-python@v5
  with:
    python-version: '3.12'
    cache: 'pip'
- name: Install requirements
  run: pip install -r requirements.txt
- name: Run Zizmor checks
  env:
    # need more wide permissions to look up shared actions from other repos
    GH_TOKEN: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
  run: |
    echo "::add-matcher::.github/zizmor-matcher.json"
    zizmor --format plain ${{ github.workspace }}
```

With my `.github/zizmor-matcher.json`:

```json
{
  "problemMatcher": [
    {
      "owner": "zizmor-error",
      "severity": "error",
      "pattern": [
        {
          "regexp": "^error\\[([\\w-]+)\\]: (.+)$",
          "code": 1,
          "message": 2
        },
        {
          "regexp": "^\\s+-->\\s+(.+):(\\d+):(\\d+)",
          "file": 1,
          "line": 2,
          "column": 3
        }
      ]
    },
    {
      "owner": "zizmor-warning",
      "severity": "warning",
      "pattern": [
        {
          "regexp": "^warning\\[([\\w-]+)\\]: (.+)$",
          "code": 1,
          "message": 2
        },
        {
          "regexp": "^\\s+-->\\s+(.+):(\\d+):(\\d+)",
          "file": 1,
          "line": 2,
          "column": 3
        }
      ]
    }
  ]
}
```
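The matcher above works because GitHub applies its two regexes, in order, to each pair of lines the step prints. The same two patterns can be reused outside the runner to implement the two "modes" discussed earlier in the thread: annotate findings (the matcher's job) and gate the change (fail the step when blocking findings exist). The following is an added example, not code from zizmor or from any commenter; it copies the matcher's regexes, runs them over a constructed sample of `--format plain` output (the wording of the sample lines is invented to fit the regexes, so real zizmor output may differ), emits GitHub workflow commands for annotations, and returns an exit status for the gate. The helper names (`parse_plain_output`, `to_workflow_commands`, `gate`) are this example's own.

```python
import re
from dataclasses import dataclass

# The two patterns from the problem matcher posted above: a head line carrying
# severity, audit id and message, then a location line "  --> file:line:col".
HEAD_RE = re.compile(r"^(error|warning)\[([\w-]+)\]: (.+)$")
LOC_RE = re.compile(r"^\s+-->\s+(.+):(\d+):(\d+)")


@dataclass(frozen=True)
class Finding:
    severity: str   # "error" or "warning"
    code: str       # zizmor audit id, e.g. "template-injection"
    message: str
    file: str
    line: int
    column: int


def parse_plain_output(text: str) -> list[Finding]:
    """Pair each head line with the location line that follows it."""
    findings: list[Finding] = []
    pending = None
    for raw in text.splitlines():
        head = HEAD_RE.match(raw)
        if head:
            pending = head.groups()
            continue
        loc = LOC_RE.match(raw)
        if loc and pending is not None:
            severity, code, message = pending
            file, line, col = loc.groups()
            findings.append(Finding(severity, code, message, file, int(line), int(col)))
            pending = None  # a location line without a preceding head is ignored
    return findings


def _escape_data(value: str) -> str:
    # Workflow-command message data: '%', CR and LF must be percent-encoded.
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def _escape_property(value: str) -> str:
    # Property values additionally must not contain ':' or ','.
    return _escape_data(value).replace(":", "%3A").replace(",", "%2C")


def to_workflow_commands(findings: list[Finding]) -> list[str]:
    """Render findings as '::error'/'::warning' workflow commands (annotation mode)."""
    cmds = []
    for f in findings:
        props = f"file={_escape_property(f.file)},line={f.line},col={f.column},title={_escape_property(f.code)}"
        cmds.append(f"::{f.severity} {props}::{_escape_data(f.message)}")
    return cmds


def gate(findings: list[Finding], fail_on_warnings: bool = False) -> int:
    """Exit status for the gating mode: 1 if any blocking finding exists, else 0."""
    blocking = [
        f for f in findings
        if f.severity == "error" or (fail_on_warnings and f.severity == "warning")
    ]
    return 1 if blocking else 0


# Constructed sample output shaped to match the matcher's regexes (not real zizmor output).
SAMPLE_OUTPUT = """\
error[template-injection]: code injection via template expansion
  --> .github/workflows/ci.yml:12:9
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> .github/workflows/release.yml:7:7
note: this line matches neither pattern and is ignored
"""

if __name__ == "__main__":
    import sys
    found = parse_plain_output(SAMPLE_OUTPUT)
    for cmd in to_workflow_commands(found):
        print(cmd)
    sys.exit(gate(found))
```

In a real `run:` step the gate is simply zizmor's own exit status; keep in mind that with the default shell (`bash -e {0}`, no `pipefail`) a pipeline such as `zizmor ... | tee file` reports `tee`'s status, so either avoid the pipe or set `shell: bash`, which GitHub runs with `-o pipefail`.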
Thanks for sharing your matcher! I didn't know about that GHA feature.

FWIW, the example was updated recently to use https://woodruffw.github.io/zizmor/usage/#use-in-github-actions
It would be handy if https://github.com/woodruffw/zizmor?tab=readme-ov-file#use-in-github-actions linked to a GitHub action in this repo which ran zizmor over the repo whenever any of the files in the workflow folder changed.
In the meantime, I'll submit a PR with a direct link to the upload-sarif example at https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-that-runs-the-eslint-analysis-tool