
Develop a zizmor GitHub Action #69

Open
ncoghlan opened this issue Oct 29, 2024 · 14 comments
Labels
enhancement New feature or request

Comments

@ncoghlan (Contributor)

It would be handy if https://github.com/woodruffw/zizmor?tab=readme-ov-file#use-in-github-actions linked to a GitHub action in this repo which ran zizmor over the repo whenever any of the files in the workflow folder changed.

In the meantime, I'll submit a PR with a direct link to the upload-sarif example at https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-that-runs-the-eslint-analysis-tool

@ncoghlan (Contributor, Author) commented Oct 29, 2024

First draft of such a workflow (based on the ESLint one):

name: "Scan workflows"

on:
    pull_request:
      branches:
        - "**"
      paths:
        # Run for changes to *any* workflow file
        - ".github/workflows/*.yml"
    push:
      branches:
        - main

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      # required for all workflows
      security-events: write
      # only required for workflows in private repositories
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install zizmor
        run: cargo install zizmor

      - name: Scan workflows
        run: zizmor --format=sarif . | tee workflow-scan.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: workflow-scan.sarif

@ncoghlan (Contributor, Author)

Also see #71

@woodruffw (Owner)

Thanks for the issue @ncoghlan! Completely agreed -- ideally there'd be an action hosted within this repo itself so people could do:

- uses: woodruffw/zizmor/action@tag
  with: ...

...and get SARIF, etc. integration right out of the box 🙂

@woodruffw (Owner)

Related request: #89.

@woodruffw changed the title from "Add a GH workflow that scans the zizmor repo workflows" to "Develop a zizmor GitHub Action" on Oct 31, 2024
@woodruffw (Owner) commented Nov 1, 2024

Leaving this open since I still want to build a full-fledged action for zizmor, but the docs now include an example annotated workflow based on the one @ncoghlan and @colindean contributed!

[Screenshot 2024-11-01 at 10:36:20 AM]

@tobiastornros (Contributor)

Please note that code scanning is only available for public repositories or for organizations with GitHub Enterprise Cloud.

@colindean (Contributor)

> Please note that code scanning is only available for public repositories or for organizations with GitHub Enterprise Cloud.

What does a user see when they cannot use code scanning but try to use the tools that upload the SARIF file to GH?

@tobiastornros (Contributor) commented Nov 4, 2024

> Please note that code scanning is only available for public repositories or for organizations with GitHub Enterprise Cloud.

> What does a user see when they cannot use code scanning but try to use the tools that upload the SARIF file to GH?

[image]

and github/codeql-action/upload-sarif@v3 will fail.

@daviddavis

For us, we'd like to have an action that will simply fail PRs, etc if there are security issues. So maybe having two Actions or two "modes" makes sense: one to perform code scanning and one to gate changes.

@woodruffw (Owner)

> For us, we'd like to have an action that will simply fail PRs, etc if there are security issues. So maybe having two Actions or two "modes" makes sense: one to perform code scanning and one to gate changes.

I believe you can configure this with GitHub's advanced security feature: you can set a required check for no alerts raised by all security tools, or by a specific tool like zizmor.

(With that being said, this is what the standalone action will do -- it'll optionally integrate with advanced security via SARIF, but by default it'll just spit out a render and fail if there are any errors.)
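As an added illustration of the "gate changes" mode discussed above (this is example code, not code from zizmor or from anyone in this thread), the following Python script reads a SARIF file such as the one `zizmor --format=sarif` writes, resolves each result's level the way SARIF 2.1.0 defines it (the result's own `level`, else the rule's `defaultConfiguration.level`, else `warning`), prints a summary, and exits non-zero when any finding reaches the chosen threshold. The embedded SARIF document is constructed for the example; its rule ids and messages are illustrative, and `collect_findings`, `gate_exit_code` and the `fail_on` parameter are this example's own names.

```python
import json
import sys

# Constructed minimal SARIF 2.1.0 document standing in for the file written by
# `zizmor --format=sarif`. Rule ids and messages are illustrative only.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "zizmor", "rules": [
            {"id": "template-injection",
             "defaultConfiguration": {"level": "error"}},
            {"id": "artipacked",
             "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "template-injection", "level": "error",
             "message": {"text": "code injection via template expansion"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": ".github/workflows/release.yml"},
                 "region": {"startLine": 40, "startColumn": 13}}}]},
            # No per-result level here: the rule's default must be used.
            {"ruleId": "artipacked",
             "message": {"text": "credential persistence through artifacts"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": ".github/workflows/ci.yml"},
                 "region": {"startLine": 12, "startColumn": 9}}}]},
        ],
    }],
})

# Ordering used for the gate threshold.
LEVELS = {"note": 0, "warning": 1, "error": 2}


def result_level(result, rules_by_id):
    """Resolve a result's level as SARIF 2.1.0 defines it."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def collect_findings(sarif_text):
    """Flatten every result in every run into a plain dict per finding."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules}
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            region = loc.get("region", {})
            findings.append({
                "level": result_level(result, rules_by_id),
                "rule": result.get("ruleId", "<unknown>"),
                "file": loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": region.get("startLine"),
                "column": region.get("startColumn"),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def count_by_level(findings):
    counts = {}
    for f in findings:
        counts[f["level"]] = counts.get(f["level"], 0) + 1
    return counts


def gate_exit_code(findings, fail_on="error"):
    """1 if any finding is at or above `fail_on`, else 0 (usable as a CI gate)."""
    threshold = LEVELS[fail_on]
    return 1 if any(LEVELS.get(f["level"], 1) >= threshold for f in findings) else 0


def main(argv):
    # Usage: python gate.py [path/to/workflow-scan.sarif]; no path runs the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    findings = collect_findings(text)
    for f in findings:
        print(f"{f['level']}[{f['rule']}] {f['file']}:{f['line']}:{f['column']}: {f['message']}")
    print("summary:", count_by_level(findings))
    return gate_exit_code(findings, fail_on="error")


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a step after the scan, the non-zero exit fails the job even on a private repository where `upload-sarif` is unavailable; the threshold can be loosened to `fail_on="warning"` to gate on warnings as well.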

@woodruffw (Owner)

> Please note that code scanning is only available for public repositories or for organizations with GitHub Enterprise Cloud.

@tobiastornros would you be interested in sending a PR adding that as a note to the docs? I'd greatly appreciate it!

@tobiastornros (Contributor)

> Please note that code scanning is only available for public repositories or for organizations with GitHub Enterprise Cloud.

> @tobiastornros would you be interested in sending a PR adding that as a note to the docs? I'd greatly appreciate it!

Done. See #121

@jazmon commented Dec 11, 2024

I've tried out the example but the compilation of zizmor is slow and it would be nice to have it precompiled.

In lieu of the security checks (which are an additional cost on enterprise cloud too) you can use a custom matcher and get the info as annotations.

My workflow's steps:

- uses: actions/checkout@v4
  with:
    ref: ${{ github.sha }}
    # optimize fetching for big repos
    sparse-checkout: |
      .github/actions
      .github/workflows
      .github/zizmor-matcher.json
      zizmor.yml
      requirements.txt

- name: Set up Python
  uses: actions/setup-python@v5
  with:
    python-version: '3.12'
    cache: 'pip'

- name: Install requirements
  run: pip install -r requirements.txt

- name: Run Zizmor checks
  env:
    # need more wide permissions to look up shared actions from other repos
    GH_TOKEN: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
  run: |
    echo "::add-matcher::.github/zizmor-matcher.json"
    zizmor --format plain ${{ github.workspace }}

With my zizmor-matcher.json:

{
  "problemMatcher": [
    {
      "owner": "zizmor-error",
      "severity": "error",
      "pattern": [
        {
          "regexp": "^error\\[([\\w-]+)\\]: (.+)$",
          "code": 1,
          "message": 2
        },
        {
          "regexp": "^\\s+-->\\s+(.+):(\\d+):(\\d+)",
          "file": 1,
          "line": 2,
          "column": 3
        }
      ]
    },
    {
      "owner": "zizmor-warning",
      "severity": "warning",
      "pattern": [
        {
          "regexp": "^warning\\[([\\w-]+)\\]: (.+)$",
          "code": 1,
          "message": 2
        },
        {
          "regexp": "^\\s+-->\\s+(.+):(\\d+):(\\d+)",
          "file": 1,
          "line": 2,
          "column": 3
        }
      ]
    }
  ]
}
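The matcher above pairs a header-line regex with a location-line regex, and GitHub only emits an annotation when both match on consecutive lines. As an added example (not code from this thread or from zizmor), the Python script below applies those same two patterns to constructed plain-format output and turns each match into the equivalent `::error` / `::warning` workflow command, which is the annotation the matcher would produce. The sample lines, `parse_findings` and `to_workflow_commands` are this example's own constructions; the shape of the sample output is inferred from the matcher's regexes, and real zizmor output may be worded differently.

```python
import re
from dataclasses import dataclass

# Constructed zizmor plain-format output for this example. Its shape (a
# severity header line followed by a "-->" location line) is inferred from the
# matcher's regexes; real zizmor wording may differ.
SAMPLE_OUTPUT = """\
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> .github/workflows/ci.yml:12:9
error[template-injection]: code injection via template expansion
  --> .github/workflows/release.yml:40:13
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> .github/workflows/pr.yml:3:3
3 findings: 1 warning, 2 errors
"""

# The same regexes as the matcher JSON. A multi-line `pattern` list is applied
# to consecutive lines: the first regex must match one line and the second the
# line right after it, otherwise no annotation is emitted.
LOCATION_RE = re.compile(r"^\s+-->\s+(.+):(\d+):(\d+)")
HEADER_RES = {
    "error": re.compile(r"^error\[([\w-]+)\]: (.+)$"),
    "warning": re.compile(r"^warning\[([\w-]+)\]: (.+)$"),
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "error" or "warning", i.e. which matcher owner fired
    code: str       # audit id, e.g. "template-injection"
    message: str
    file: str
    line: int
    column: int


def parse_findings(output: str) -> list[Finding]:
    """Walk the output the way a two-pattern problem matcher does."""
    lines = output.splitlines()
    findings: list[Finding] = []
    i = 0
    while i < len(lines):
        for severity, header_re in HEADER_RES.items():
            header = header_re.match(lines[i])
            if header is None or i + 1 >= len(lines):
                continue
            location = LOCATION_RE.match(lines[i + 1])
            if location is None:
                continue   # header without a location line: no annotation
            findings.append(Finding(
                severity=severity,
                code=header.group(1),
                message=header.group(2),
                file=location.group(1),
                line=int(location.group(2)),
                column=int(location.group(3)),
            ))
            i += 1   # the location line has been consumed too
            break
        i += 1
    return findings


def to_workflow_commands(findings: list[Finding]) -> list[str]:
    """Render findings as GitHub workflow commands; printing these from a step
    yields the same annotations without an ::add-matcher:: file."""
    return [
        f"::{f.severity} file={f.file},line={f.line},col={f.column},"
        f"title={f.code}::{f.message}"
        for f in findings
    ]


if __name__ == "__main__":
    for cmd in to_workflow_commands(parse_findings(SAMPLE_OUTPUT)):
        print(cmd)
```

The summary line at the end of the sample matches neither pattern and is skipped, which is also why a matcher needs the location pattern: a header line on its own carries no file or position to annotate.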

@woodruffw (Owner)

Thanks for sharing your matcher! I didn't know about that GHA feature.

> I've tried out the example but the compilation of zizmor is slow and it would be nice to have it precompiled.

FWIW, the example was updated recently to use uvx, which installs a pre-compiled version. That should make installations nearly instantaneous:

https://woodruffw.github.io/zizmor/usage/#use-in-github-actions
