File zizmor.changes of Package zizmor
-------------------------------------------------------------------
Mon Jun 30 05:16:04 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.10.0:
* New Features
- New audit: anonymous-definition detects unnamed workflows and
actions. Definitions without a name: field appear anonymously
in the GitHub Actions UI, making them harder to distinguish
(#937)
- Auto-fix mode: zizmor now experimentally supports
--fix=[MODE], which enables the brand new auto-fix mode. This
mode can automatically fix a subset of zizmor's findings. For
this experimental release, auto-fixes are available for
findings from the following audits:
- artipacked: zizmor will attempt to add persist-credentials:
false to actions/checkout steps that do not already have
it.
- template-injection: zizmor will attempt to rewrite run:
blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead,
and will add an appropriate env: block to set FOO_BAR to
the expression's evaluation.
Read more about the new auto-fix mode in the documentation.
https://docs.zizmor.sh/usage/#auto-fixing-results
* Enhancements
- The artipacked audit now produces findings on composite
action definitions, rather than just workflow definitions
(#896)
- The use-trusted-publishing audit now produces findings on
composite action definitions, rather than just workflow
definitions (#899)
- The bot-conditions audit now detects more spoofable actor
checks, including checks against well-known user IDs for bot
accounts (#905)
- The template-injection and other audits now produce more
precise findings when analyzing env context accesses for
static-ness (#911)
- The template-injection audit now produces more precise
findings when analyzing inputs context accesses (#919)
- zizmor now produces more descriptive error messages when it
fails to parse a workflow or action definition (#956)
- The bot-conditions audit now returns precise spans for
flagged actor checks, instead of flagging the entire if:
value (#949)
- The template-injection audit now returns precise spans for
flagged contexts and expressions, instead of flagging the
entire script block (#958)
- The obfuscation audit now returns precise spans for flagged
expressions (#969)
- The obfuscation audit now detects computed indices (e.g.
inputs.foo[inputs.bar]) as a potentially obfuscatory pattern
(#969)
* Bug Fixes
- The template-injection audit no longer crashes when
attempting to evaluate the static-ness of an environment
context within a composite action uses: step (#887)
- The bot-conditions audit now correctly analyzes index-style
contexts, e.g. github['actor'] (#905)
- Fixed a bug where zizmor would fail to parse expressions that
contained >= or <= (#916)
- Fixed a bug where zizmor would fail to parse expressions
containing contexts with interstitial whitespace (#958)
-------------------------------------------------------------------
Sat May 31 06:09:28 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.9.0:
* New Features
- zizmor now supports generating completions for Nushell (#838)
* Enhancements
- The template-injection audit has been rewritten, and is now
significantly more precise and general over contexts supplied
via GitHub's webhook payloads (i.e. github.event.*) (#745)
- The template-injection audit now detects vulnerable template
injections in more actions inputs, thanks to an integration
with CodeQL's sink metadata (#849)
* Bug Fixes
- The insecure-commands now correctly detects different truthy
values in ACTIONS_ALLOW_UNSECURE_COMMANDS (#840)
- The template-injection audit now correctly emits pedantic
findings in a blanket manner, rather than filtering them
based on the presence of other findings (#745)
- CLI: Fixed a misleading error message when zizmor is used
with a GitHub host other than github.com (#863)
* Dependencies
- chore(deps): bump the cargo group with 3 updates (#860)
- chore(deps): bump astral-sh/setup-uv in the github-actions
group (#859)
-------------------------------------------------------------------
Wed May 21 04:29:53 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.8.0:
* Announcements
- zizmor's website has changed! The new website is hosted at
docs.zizmor.sh. The old website will redirect to the new one
for a while, but users should update any old links in
preparation for the v1.8.0 release, which will likely remove
the redirects entirely (#769)
- zizmor is now hosted under the @zizmorcore GitHub
organization as zizmorcore/zizmor. The old repository at
woodruffw/zizmor will redirect to the new one, but users
should update any old links to limit confusion
* New Features
- zizmor now supports the ZIZMOR_CONFIG environment variable as
an alternative to --config (#789)
* Bug Fixes
- zizmor now correctly handles index-style contexts in the
template-injection audit (#800, #806)
* Dependencies
- chore(deps): `cargo autoinherit` (#826)
- chore(deps): bump zizmorcore/zizmor-action in the
github-actions group (#822)
- chore(deps): bump owo-colors from 4.2.0 to 4.2.1 in the cargo
group (#812)
- chore(deps): run `cargo autoinherit` (#805)
- chore(deps): bump the cargo group with 5 updates (#786)
-------------------------------------------------------------------
Fri May 09 05:25:08 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- add shell completion subpackages
- Update to version 1.7.0:
This release comes with four new audits: obfuscation,
stale-action-refs, unsound-contains, and unpinned-images. It also
includes several improvements to existing audits and zizmor's
output formats and error reporting behavior.
Additionally, this release comes with bugfixes for the SARIF
output format as well as input collection in some edge cases when
collecting from remote repositories.
* New Features
- New audit: The obfuscation audit detects obfuscatory patterns
in GitHub Actions usages. These patterns are not themselves
dangerous, but may indicate an attempt to obscure malicious
behavior (#683)
- New audit: The stale-action-refs pedantic audit detects
pinned action references which don't point to a Git tag
(#713)
- New audit: The unsound-contains audit detects uses of the
contains() function that can be bypassed (#577)
- New audit: The unpinned-images audit detects uses of Docker
images that are unpinned or pinned to :latest (#733)
- zizmor now reports much clearer error messages when auditing
fails due to an invalid workflow or action definition (#719)
- zizmor now has a --strict-collection flag that turns skipped
workflow or action definition warnings into errors. Passing
this flag changes zizmor's behavior back to the default in
v1.6.0 and earlier, which was to terminate the audit if any
collected input could not be parsed (#734)
- The forbidden-uses audit can now be configured with patterns
that match exact uses: clauses, including refs. For example,
exactly actions/checkout@v4 can now be explicitly allowed or
forbidden, rather than every ref that matches
actions/checkout (#750)
- zizmor now has a --completions=<shell> flag that generates
shell completion scripts (#765)
* Bug Fixes
- The SARIF output format now uses zizmor/{id} for rule IDs
instead of bare IDs, reducing the chance of conflict or
confusion with other tools (#710)
- The SARIF output format now includes a rule name for each
rule descriptor, which should improve rendering behavior in
SARIF viewers like the VS Code SARIF Viewer extension (#710)
- Fixed a bug where zizmor would fail to collection actions
defined within subdirectories of .github/workflows when
collecting from a remote source (#731)
* Upcoming Changes
Starting with v1.8.0, zizmor will migrate from @woodruffw on
GitHub to @zizmorcore. This should not cause any breakage as
GitHub will handle redirects, but users who explicitly
reference @woodruffw/zizmor should consider updating their
references to @zizmorcore/zizmor once the migration occurs.
See #758 for details.
* Dependencies
- chore(deps): bump the github-actions group with 3 updates
(#747)
- chore(deps): cargo update (#722)
- chore(deps): bump insta from 1.42.2 to 1.43.0 in the cargo
group (#702)
- chore(deps): bump the cargo group with 2 updates (#686)
- chore(deps): bump astral-sh/setup-uv in the github-actions
group (#685)
-------------------------------------------------------------------
Sun Apr 20 06:34:57 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.6.0:
* New Features
- New audit: The forbidden-uses audit is a configurable audit
that allows allow- or denylisting of entire orgs, repos, or
specific action patterns. This audit must be configured; by
default it has no effect (#664)
- zizmor now supports --format=github as an output format. This
format produces check annotations via GitHub workflow
commands, e.g. ::warning and ::error. See the Output formats
documentation for more information on annotations, including
key limitations (#634)
- The unpinned-uses audit has been completely rewritten, with
two key changes:
- The audit now has configurable policies that give users
more control over the audit's behavior. In particular,
users can now define policies that mirror their actual
threat model, such as trusting their own GitHub
organizations while leaving others untrusted.
- The audit's default policy is more precise and
conservative: official GitHub actions (e.g. those under
actions/* and similar) are allowed to be pinned by branch
or tag, but all other actions are required to be pinned by
SHA. This is a change from the previous policy, which was
to only flag completely unpinned actions by default.
* Improvements
- The SARIF output format now marks each rule as a "security"
rule, which helps GitHub's presentation of the results (#631)
- The template-injection audit is now performs dataflow
analysis to determine whether contexts actually expand in an
unsafe manner, making it significantly more accurate (#640)
- The cache-poisoning audit is now aware of jdx/mise-action
(#645)
- The cache-poisoning audit is now significantly more accurate
when analyzing workflows that use docker/setup-buildx-action
(#644)
- --format=json is now an alias for --format=json-v1, enabling
future JSON formats. The policy for the --format=json alias
is documented under Output formats - JSON (#657)
- Configuration file loading is now stricter, and produces a
more useful error message when the configuration file is
invalid (#663)
* Bug Fixes
- The template-injection audit no longer considers
github.event.pull_request.head.sha dangerous (#636)
- Fixed a bug where zizmor would fail to parse workflows with
workflow_call triggers that specified inputs without the
required field being present (#646)
- Fixed a bug where zizmor would fail to parse workflows with
pull_request or pull_request_target triggers that specified
types as a scalar value (#653)
- Fixed a crash where zizmor would fail to generate correct
concrete location spans for YAML inputs with comments inside
block sequences (#660)
- The template-injection audit no longer considers github.job
dangerous (#661)
- The template-injection audit no longer considers
github.event.pull_request.head.repo.fork dangerous (#675)
-------------------------------------------------------------------
Sun Mar 23 18:20:03 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.5.2:
* Bug Fixes
- Fixed a bug where zizmor would over-eagerly parse invalid and
commented-out expressions, resulting in spurious warnings
(#570)
- Fixed a bug where zizmor would fail to honor # zizmor:
ignore[rule] comments in unintuitive cases (#612)
- Fixed a regression in zizmor's SARIF output format that
caused suboptimal presentation of findings on GitHub (#621)
-------------------------------------------------------------------
Wed Mar 12 15:29:54 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.5.1:
* chore: prep for v1.5.1 release (#601)
* bugfix: don't require `.git/` to respect `.gitignore` files
(#598)
* docs: fix typo in release notes (#595)
-------------------------------------------------------------------
Tue Mar 11 06:10:49 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.5.0:
* chore: prep for release v1.5.0 (#594)
* chore(deps): bump the cargo group with 3 updates (#592)
* chore(deps): bump the github-actions group with 2 updates
(#593)
* docs: fix typo (#591)
* docs: fixup release notes (#590)
* feat(cli): fine-grained color control (#586)
* cli: re-add `--no-progress` flag (#589)
* chore(deps): bump ring from 0.17.8 to 0.17.13 (#588)
* docs: bump trophies (#587)
* cargo: bump edition (#585)
* docs: bump trophies (#584)
* ci: pypi: bump maturin-action to v1.47.2 (#583)
* chore(deps): bump the cargo group with 5 updates (#580)
* chore(deps): bump the github-actions group with 7 updates
(#581)
* feat: respect .gitignore files when collecting inputs (#575)
* test: refactor integration tests (#576)
* feat: detect overprovisioned `secrets[...]` (#573)
* bugfix: don't remove prefixes from local paths (#572)
-------------------------------------------------------------------
Tue Feb 25 18:37:57 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.4.1:
* Bug Fixes
- Findings produced by (unredacted-secrets) now use the correct
ID and link to the correct URL in the audit documentation
(#566)
-------------------------------------------------------------------
Tue Feb 25 18:24:40 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.4.0:
* New Features
- zizmor now has official Docker images! You can find them on
the GitHub Container Registry under ghcr.io/woodruffw/zizmor
(#532)
- New audit: unredacted-secrets detects secret accesses that
are not redacted in logs (#549)
* Improvements
- SARIF outputs are now slightly more aligned with GitHub Code
Scanning expectations (#528)
- # zizmor: ignore[rule] comments can now have trailing
explanations, e.g. # zizmor: ignore[rule] because reasons
(#531)
- The bot-conditions audit now detects github.triggering_actor
as another spoofable actor check (#559)
* Bug Fixes
- Fixed a bug where zizmor would fail to parse workflows with
workflow_dispatch triggers that contained non-string inputs
(#563)
* Upcoming Changes
- The next minor release of zizmor will be built with Rust
2024. This should have no effect on most users, but may
require users who build zizmor from source to update their
Rust toolchain.
-------------------------------------------------------------------
Mon Feb 10 07:39:35 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.3.1:
* chore: prep for 1.3.1 release (#523)
* bugfix: bump github-actions-models to 0.25.0 (#522)
* docs: bump trophies (#521)
* docs: bump trophies (#520)
* bugfix: fix has_tag lookup (#519)
* docs: bump trophies (#515)
* docs: bump trophies (#512)
* bugfix: expr: make index rule non-atomic (#511)
* chore(deps): bump the github-actions group with 2 updates
(#509)
* chore(deps): bump the cargo group with 2 updates (#508)
* docs: bump trophies (#507)
* docs: update dev-docs (#505)
* README: more details (#504)
* docs: bump trophies (#503)
* bugfix: bump github-actions-models to 0.24.0 (#502)
-------------------------------------------------------------------
Wed Jan 29 06:28:45 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.3.0:
* chore: prep for 1.3.0 release (#500)
* docs: bump trophies (#499)
* deps: bump indicatif from 0.17.9 to 0.17.11 (#498)
* Downgrade tracing-indicatif (#496)
* docs: bump trophies (#495)
* ci: attempt to fix arm build (#494)
* chore(deps): bump the github-actions group with 3 updates
(#493)
* chore(deps): bump the cargo group with 2 updates (#492)
* refactor: improve context handling (#491)
* feat(cli): add naches mode (#490)
* release-notes: record #485 (#489)
* feat: "raw" audit support + `overprovisioned-secrets` (#485)
* cli: reduce warning to info when skipping audits (#488)
* deps: bump github-actions-models (#487)
* docs: bump trophies (#486)
* docs: bump trophies (#484)
* Fix syntax in docs for bot-condition (#483)
* feat: improve parse error slightly (#482)
* docs: bump trophies (#481)
* chore(deps): bump the cargo group with 3 updates (#480)
* Add slash to avoid redirect (#478)
* bugfix: collect actions from subdirectories of
.github/workflows (#477)
-------------------------------------------------------------------
Mon Jan 20 06:16:20 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.2.2:
* chore: prep for 1.2.2 release (#476)
* feat: improve error message when repo fetch fails (#475)
* bugfix: special-case workflow_call in excessive-permissions
(#473)
-------------------------------------------------------------------
Mon Jan 20 06:05:10 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.2.1:
* chore: prep 1.2.1 (#470)
* bugfix: generalize path prefix handling (#469)
* chore(deps): bump astral-sh/setup-uv from 5.1.0 to 5.2.1 in the
github-actions group (#467)
* docs: try to fix the site (#466)
* chore: remove site-requirements.txt (#465)
-------------------------------------------------------------------
Mon Jan 20 06:00:28 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.2.0:
* chore: prep 1.2.0 (#464)
* bugfix: bump github-actions-models (#463)
* bugfix: parse multi-line expressions correctly (#461)
* feat: bot-conditions (#460)
* ci: pypi: try enabling aarch64 on an ARM runner (#457)
* docs: typo (#456)
* docs: add sponsors to README and site (#454)
* bugfix: sarif: use absolute physical locations only (#453)
* chore(docs): bump trophies (#451)
* chore(docs): bump trophies (#450)
* refactor: reduce invalid states in job APIs (#449)
* fix: artipacked: check for stringy bools (#448)
* docs: bump trophies (#446)
* bugfix: mark another context as safe during injections (#445)
* docs: bump trophies (#444)
* docs: bump trophies (#443)
* docs: bump trophies (#442)
* refactor: make excessive-permissions more correct (#441)
* docs: bump trophies (#440)
* fix: don't flag local workflows in unpinned-uses (#439)
-------------------------------------------------------------------
Tue Jan 14 05:42:08 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.1.1:
* chore: prep 1.1.1 (#438)
* chore(deps): bump the cargo group with 4 updates (#434)
* chore(deps): bump the github-actions group with 2 updates
(#436)
* fix: bump github-actions-models (#437)
* docs: bump trophies (#430)
-------------------------------------------------------------------
Mon Jan 13 06:58:02 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.1.0:
This release comes with one new audit (secrets-inherit), plus a
slew of bugfixes and internal refactors that unblock future
improvements!
* Added
- New audit: secrets-inherit detects use of secrets: inherit
with reusable workflow calls (#408)
* Improved
- The template-injection audit now detects injections in calls
to azure/cli and azure/powershell (#421)
* Fixed
- The template-injection audit no longer consider
github.server_url dangerous (#412)
- The template-injection audit no longer crashes when
evaluating the static-ness of an environment for a uses: step
(#420)
-------------------------------------------------------------------
Wed Jan 08 12:10:48 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.0.1:
This is a small quality and bugfix release. Thank you to
everybody who helped by reporting and shaking out bugs from our
first stable release!
* Improved
- The github-env audit now detects dangerous writes to
GITHUB_PATH, is more precise, and can produce multiple
findings per run block (#391)
* Fixed
- workflow_call.secrets keys with missing values are now parsed
correctly (#388)
- The cache-poisoning audit no longer incorrectly treats
docker/build-push-action as a publishing workflow is push:
false is explicitly set (#389)
- The template-injection audit no longer considers
github.action_path to be a potentially dangerous expansion
(#402)
- The github-env audit no longer skips run: steps with
non-trivial shell: stanzas (#403)
-------------------------------------------------------------------
Fri Jan 3 15:07:00 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- new package zizmore: a static analysis tool for GitHub Actions
