workflows: add zizmor GitHub Actions security scan #10797
Open
tmleman wants to merge 1 commit into
Conversation
Contributor
Pull request overview
Adds a new GitHub Actions workflow to run zizmor security static analysis against this repo’s GitHub Actions workflows, complementing the existing CodeQL workflow scanning.
Changes:
- Introduces `.github/workflows/zizmor.yml` to run zizmor on pushes to `main` and PRs targeting `main`.
- Uploads results as SARIF to GitHub code scanning with minimized permissions and concurrency cancellation.
```yaml
    branches:
      - 'main'

permissions: {}
```
Add zizmor.yml GitHub Actions workflow that runs zizmor static analysis
against all SOF workflow files on every push to main and on every pull
request targeting main.
zizmor audits GitHub Actions workflows for security misconfigurations:
unpinned action references, credential persistence, template injection,
excessive permissions, pull_request_target misuse, poisoned pipeline
attacks, and other supply-chain risks.
While SOF already runs CodeQL analysis on workflows, zizmor covers a
complementary and broader set of GitHub Actions-specific attack patterns
that CodeQL does not detect. The two tools find different classes of
issues and running both gives better coverage than either alone.
A one-off manual scan (zizmor v1.25.2) of the existing SOF workflows
found no exploitable vulnerabilities. The primary findings were 31 cases
of actions referenced by mutable version tags instead of SHA hashes, and
22 checkouts missing `persist-credentials: false`. This workflow will
prevent new regressions of this kind from being merged.
The workflow follows the same conventions as the existing codeql.yml:
- top-level `permissions: {}` with only required grants at job level
- `actions/checkout` and `zizmorcore/zizmor-action` pinned to SHAs
- `persist-credentials: false` on the checkout step
- concurrency group that cancels superseded runs
Findings are uploaded as SARIF to the GitHub Security tab via GitHub
Advanced Security (SOF is a public repository). The run does not fail on
findings; use a GitHub Ruleset to make it a blocking merge gate.
Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>
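As an added illustration (not code from this PR, from SOF, or from zizmor itself), a small Python check for the two finding classes the one-off scan reported: actions referenced by mutable tags instead of commit SHAs, and `actions/checkout` steps missing `persist-credentials: false`. The two workflow snippets and the all-zero/all-one 40-hex refs are constructed placeholders; zizmor remains the tool for the full rule set.

```python
import itertools
import re
# Constructed sample (not a SOF workflow): mutable tags and a checkout that keeps its token.
WEAK_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
"""

# Same steps with both classes fixed. The 40-hex refs are placeholders, not real commit pins.
HARDENED_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: Checkout
        uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - uses: actions/setup-python@1111111111111111111111111111111111111111 # v5 (placeholder SHA)
        with:
          python-version: '3.12'
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")  # matches both `- uses:` and `uses:` forms


def audit_workflow(text):
    """Return [(line_no, message)] for unpinned action refs and checkouts that persist credentials."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, _, ref = m.group(1).partition("@")
        # Local (./path) and docker:// actions carry no Git ref; anything but a 40-hex SHA is mutable.
        if ref and not re.fullmatch(r"[0-9a-f]{40}", ref):
            findings.append((i + 1, f"{action} uses mutable ref {ref!r} instead of a commit SHA"))
        if action == "actions/checkout":
            # The step's remaining keys (with:, ...) are indented at or past the `uses` column.
            col = line.index("uses:")
            same_step = lambda n: not n.strip() or len(n) - len(n.lstrip(" ")) >= col
            body = [n.strip() for n in itertools.takewhile(same_step, lines[i + 1:])]
            if not any(re.match(r"persist-credentials:\s*false\b", s) for s in body):
                findings.append((i + 1, "checkout leaves GITHUB_TOKEN in .git/config; set persist-credentials: false"))
    return findings
```

Running `audit_workflow` on the weak snippet reports three findings (two on the checkout line, one on setup-python); the hardened snippet reports none.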