docs: Rename "unsecure" to insecure (#270)

Viktor Szépe 2024-12-10 20:54:02 +01:00 committed by GitHub
parent 0f88aac3e1
commit 198fd0d182
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 7 additions and 7 deletions


@ -629,7 +629,7 @@ A before/after example is shown below.
Detects opt-in for executing insecure workflow commands.
Workflow commands (like `::set-env` and `::add-path`)
[were deprecated by Github] in 2020 due to their inherent weaknesses
[were deprecated by GitHub] in 2020 due to their inherent weaknesses
(e.g., allowing any command with the ability to emit to `stdout`
to inject environment variables and therefore obtain code execution).
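Review bot: Changing the link label `[were deprecated by Github]` to `[were deprecated by GitHub]` only keeps the reference-style link resolvable if the matching `[...]: https://...` definition at the bottom of the same file is renamed identically, so this hunk must land together with the definition change further down; a label/definition mismatch renders as literal bracketed text in MkDocs rather than failing the build.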
@ -643,7 +643,7 @@ Other resources:
### Remediation
In general, users should use for [Github Actions environment files]
In general, users should use for [GitHub Actions environment files]
(like `GITHUB_PATH` and `GITHUB_OUTPUT`) instead of using workflow commands.
=== "Before"
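Review bot: The touched line still reads "users should use for [GitHub Actions environment files]"; the stray "for" is a grammar slip in the surviving text, and since the line is being edited anyway it should become "users should use [GitHub Actions environment files] (like `GITHUB_PATH` and `GITHUB_OUTPUT`) instead of workflow commands."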
@ -703,8 +703,8 @@ If you need to pass state between steps, consider using `GITHUB_OUTPUT` instead.
[Trusted Publishing - RubyGems Guides]: https://guides.rubygems.org/trusted-publishing/
[Trusted publishing: a new benchmark for packaging security]: https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/
[Trusted Publishers for All Package Repositories]: https://repos.openssf.org/trusted-publishers-for-all-package-repositories.html
[were deprecated by Github]: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
[Github Actions environment files]: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#environment-files
[were deprecated by GitHub]: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
[GitHub Actions environment files]: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#environment-files
[Semgrep audit]: https://semgrep.dev/r?q=yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands
[GitHub Actions exploitation: environment manipulation]: https://www.synacktiv.com/en/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation
[GHSL-2024-177: Environment Variable injection in an Actions workflow of Litestar]: https://securitylab.github.com/advisories/GHSL-2024-177_Litestar/
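Review bot: The two renamed definitions (`[were deprecated by GitHub]` and `[GitHub Actions environment files]`) now match the labels used in the earlier hunks, which is what keeps those links working. Note that the `[Semgrep audit]` URL still contains `allowed-unsecure-commands`; that is the upstream Semgrep rule identifier, not prose, and must keep its spelling, so it is correct that this rename leaves it alone.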


@ -180,7 +180,7 @@ Some things that can be useful to discuss beforehand:
- Which criticality should we assign for this new finding?
- Which confidence should we assign for this new finding?
- Should this new audit be pedantic at all?
- Does this new audit require using the Github API, or is it entirely offline?
- Does this new audit require using the GitHub API, or is it entirely offline?
When developing a new `zizmor` audit, there are a couple of implementation details to be aware of:


@ -6,7 +6,7 @@ use serde_json_path::JsonPath;
mod common;
// Acceptance tests for zizmor, on top of Json output
// For now we don't cover tests that depends on Github API under the hood
// For now we don't cover tests that depends on GitHub API under the hood
fn zizmor() -> Command {
let mut cmd = Command::cargo_bin("zizmor").expect("Cannot create executable command");
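Review bot: While this comment is being edited for "GitHub", the surrounding grammar should be fixed in the same pass: "tests that depends on Github API" should read "tests that depend on the GitHub API under the hood".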
@ -210,7 +210,7 @@ fn audit_unpinned_uses() -> anyhow::Result<()> {
}
#[test]
fn audit_unsecure_commands_allowed() -> anyhow::Result<()> {
fn audit_insecure_commands_allowed() -> anyhow::Result<()> {
let auditable = workflow_under_test("insecure-commands.yml");
let cli_args = [&auditable];
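Review bot: Renaming the `#[test]` function from `audit_unsecure_commands_allowed` to `audit_insecure_commands_allowed` changes the name that `cargo test <filter>` matches on, so any CI job or script that selects this test by name needs the same update; otherwise the rename is consistent with the `insecure-commands.yml` fixture the test already loads, and nothing in the assertion path changes.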