Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

CI: Add workflow that runs zizmor latest #9110

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

CI: Add workflow that runs zizmor latest #9110

wants to merge 1 commit into from

Conversation

str4d
Copy link
Contributor

@str4d str4d commented Jan 9, 2025
edited
Loading

Source: woodruffw/zizmor@c6fef48

Motivation

This repository has many GitHub Actions workflows. zizmor is a static analysis tool that can find many common security issues in typical GitHub Actions CI/CD setups, such as the recent Ultralytics workflow vulnerability.

Follow-up Work

zizmor identifies a bunch of problems. I'll open a separate PR to fix the ones I can see how to fix. Nope, there are way too many workflows for me to fix in the time I have available.

@str4d str4d requested a review from a team as a code owner January 9, 2025 21:37
@str4d str4d requested review from arya2 and removed request for a team January 9, 2025 21:37
@github-actions github-actions bot added the C-trivial Category: A trivial change that is not worth mentioning in the CHANGELOG label Jan 9, 2025
@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

arya2
arya2 approved these changes Jan 9, 2025
View reviewed changes
Copy link
Contributor

@arya2 arya2 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, nice find and thank you for the PR.

Nope, there are way too many workflows for me to fix in the time I have available.

Yep. I tried doing the same. Luckily the vulnerabilities I've seen so far all seem okay until CI is opened up. We may want to ignore the template-injection rule and others to fix the lints one by one.

@arya2 arya2 added A-devops Area: Pipelines, CI/CD and Dockerfiles A-diagnostics Area: Diagnosing issues or monitoring performance labels Jan 9, 2025
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@arya2 arya2 arya2 approved these changes

Assignees

@str4d str4d

Labels
A-devops Area: Pipelines, CI/CD and Dockerfiles A-diagnostics Area: Diagnosing issues or monitoring performance C-trivial Category: A trivial change that is not worth mentioning in the CHANGELOG
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@str4d @arya2