feat: add --show-audit-urls=... for controlling URL rendering (#1391)

This commit is contained in:
William Woodruff 2025-11-29 20:05:00 -05:00 committed by GitHub
parent f203b457f6
commit 3b1951b71e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 140 additions and 10 deletions


@ -28,6 +28,8 @@ Options:
Don't show progress bars, even if the terminal supports them
--format <FORMAT>
The output format to emit. By default, cargo-style diagnostics will be emitted [default: plain] [possible values: plain, json, json-v1, sarif, github]
--show-audit-urls <SHOW_AUDIT_URLS>
Whether to render audit URLs in the output, separately from any URLs embedded in OSC 8 links [env: ZIZMOR_SHOW_AUDIT_URLS=] [default: auto] [possible values: auto, always, never]
--color <MODE>
Control the use of color in output [possible values: auto, always, never]
-c, --config <CONFIG>
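Review bot: the help text for `--show-audit-urls` does not say what `auto` actually does, so a user reading `zizmor --help` cannot tell when URLs will appear without consulting the docs. The user-facing documentation in this same change describes `auto` as "show the URL when output is not a terminal or a CI environment is detected"; consider folding that one-line summary into the option's help string (e.g. "`auto` renders URLs when stdout is not a terminal or a CI environment is detected") so the CLI and the docs agree and the `[default: auto]` value is self-explanatory. The `[env: ZIZMOR_SHOW_AUDIT_URLS=]` annotation is fine, but the docs hunk below should mention that environment variable as well.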


@ -206,16 +206,15 @@ By default, `zizmor` produces `cargo`-style diagnostic output.
```console
error[template-injection]: code injection via template expansion
--> ./tests/integration/test-data/template-injection/pr-425-backstop/action.yml:28:7
--> ./tests/integration/test-data/template-injection/pr-425-backstop/action.yml:31:56
|
28 | - name: case4
| ^^^^^^^^^^^ this step
29 | uses: azure/powershell
29 | uses: azure/powershell@whatever
| ------------------------------- action accepts arbitrary code
30 | with:
31 | inlineScript: Get-AzVM -ResourceGroupName "${{ inputs.expandme }}"
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ inputs.expandme may expand into attacker-controllable code
| ------------ via this input ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: audit confidence → High
```
This output will be colorized by default when sent to a supporting terminal and
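Review bot: the sample `cargo`-style output in this hunk is rewritten (a second `-->` location line, the `uses: azure/powershell@whatever` line with its "action accepts arbitrary code" annotation, and the two "audit confidence" notes change), but nothing in the commit title or the surrounding prose explains why the example changed as part of a `--show-audit-urls` feature. If the example was refreshed to match current rendering, say so in the commit message or split it into its own commit; if it is meant to illustrate the new option, it does not, because no audit documentation URL appears anywhere in the sample even though the new "Audit documentation links" section says the full URL is appended for non-terminal output. Consider adding one example line showing where the URL is rendered when `--show-audit-urls=always` (or non-terminal `auto`) is in effect.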
@ -224,6 +223,36 @@ disable output colorization by setting `NO_COLOR=1` in their environment.
This format can also be explicitly selected with `--format=plain`.
#### Audit documentation links
By default, `zizmor` includes links to relevant documentation pages
for each finding in its plain output format. These links are provided via
[OSC 8](https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda)
hyperlinks, which are supported by many modern terminal emulators.
For example, in the output above, `template-injection` within
`error[template-injection]: ...` is a clickable link that takes you to
the [template-injection](./audits#template-injection) audit documentation.
In addition to these OSC 8 links, `zizmor` also includes the full URL
as part of each finding _if_ it detects a non-terminal output _or_
a CI environment (e.g. GitHub Actions).
To make this behavior explicir, users can supply the `--show-audit-urls`
option:
```bash
# always show audit documentation URLs, even if output is to a terminal
zizmor --show-audit-urls=always ...
# never show audit documentation URLs
zizmor --show-audit-urls=never ...
```
!!! note
`--show-audit-urls=...` is available in `v1.19.0` and later.
#### Color customization
When invoked from a terminal, `zizmor` will attempt to enrich its output
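Review bot: typo in the new paragraph immediately before the `bash` block: "To make this behavior explicir" should read "To make this behavior explicit". Two smaller points in the same section: the CLI hunk above exposes this setting through `ZIZMOR_SHOW_AUDIT_URLS`, but the docs only describe the `--show-audit-urls` flag, so a sentence noting the environment variable equivalent would keep the two in sync; and the prose says the URL is included on "a non-terminal output _or_ a CI environment" without stating that this is the `auto` default, so the reader has to infer that `auto` is the behaviour being described. Suggest "This is the default (`--show-audit-urls=auto`); to make the behavior explicit, users can supply..." in place of the sentence with the typo.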