New audit: concurrency-limits (#1227)

Co-authored-by: William Woodruff <william@yossarian.net>
Joe Wallwork 2025-10-17 01:24:19 +01:00 committed by GitHub
parent ac4cab3238
commit 5b5ad5d924
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
171 changed files with 782 additions and 265 deletions

Cargo.lock generated

@ -840,7 +840,7 @@ dependencies = [
[[package]]
name = "github-actions-models"
version = "0.36.0"
version = "0.37.0"
dependencies = [
"indexmap",
"serde",


@ -20,7 +20,7 @@ rust-version = "1.88.0"
[workspace.dependencies]
anyhow = "1.0.100"
github-actions-expressions = { path = "crates/github-actions-expressions", version = "0.0.10" }
github-actions-models = { path = "crates/github-actions-models", version = "0.36.0" }
github-actions-models = { path = "crates/github-actions-models", version = "0.37.0" }
itertools = "0.14.0"
pest = "2.8.3"
pest_derive = "2.8.3"


@ -1,6 +1,6 @@
[package]
name = "github-actions-models"
version = "0.36.0"
version = "0.37.0"
description = "Unofficial, high-quality data models for GitHub Actions workflows, actions, and related components"
repository = "https://github.com/zizmorcore/zizmor/tree/main/crates/github-actions-models"
keywords = ["github", "ci"]


@ -79,7 +79,7 @@ pub struct RunDefaults {
}
#[derive(Deserialize, Debug)]
#[serde(rename_all = "kebab-case", untagged)]
#[serde(rename_all_fields = "kebab-case", untagged)]
pub enum Concurrency {
Bare(String),
Rich {
@ -109,7 +109,10 @@ impl Job {
#[cfg(test)]
mod tests {
use crate::workflow::event::{OptionalBody, WorkflowCall, WorkflowDispatch};
use crate::{
common::expr::BoE,
workflow::event::{OptionalBody, WorkflowCall, WorkflowDispatch},
};
use super::{Concurrency, Trigger};
@ -125,7 +128,7 @@ mod tests {
concurrency,
Concurrency::Rich {
group: _,
cancel_in_progress: _
cancel_in_progress: BoE::Literal(true)
}
));
}
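Review bot: The switch from `rename_all` to `rename_all_fields` on `Concurrency` deserves a one-line comment, because `rename_all` on an enum only renames variants — which an `untagged` enum never looks at anyway — so the `Rich` variant's `cancel_in_progress` field was not being matched against YAML's `cancel-in-progress`; something like `// rename_all only affects variant names; the struct variant's fields need rename_all_fields`. The old assertion `cancel_in_progress: _` accepted any value, which is presumably why this went unnoticed; the new `BoE::Literal(true)` pin is the right check, and a sibling case for `cancel-in-progress: false` would guard the exact path the new audit depends on. The `Concurrency` enum body continues past the end of the first hunk.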


@ -0,0 +1,89 @@
use super::{Audit, AuditLoadError, audit_meta};
use crate::{
config::Config,
finding::{Confidence, Finding, Persona, Severity},
models::workflow::Workflow,
state::AuditState,
};
use anyhow::Result;
use github_actions_models::{common::expr::BoE, workflow::Concurrency};
pub(crate) struct ConcurrencyLimits;
audit_meta!(
ConcurrencyLimits,
"concurrency-limits",
"insufficient job-level concurrency limits"
);
impl Audit for ConcurrencyLimits {
fn new(_state: &AuditState) -> Result<Self, AuditLoadError> {
Ok(Self)
}
fn audit_workflow<'doc>(
&self,
workflow: &'doc Workflow,
_config: &Config,
) -> Result<Vec<Finding<'doc>>> {
let mut findings = vec![];
match &workflow.concurrency {
Some(Concurrency::Rich {
group: _,
cancel_in_progress,
}) => {
if let BoE::Literal(cancel) = &cancel_in_progress
&& !cancel
{
findings.push(
Self::finding()
.confidence(Confidence::High)
.severity(Severity::Low)
.persona(Persona::Pedantic)
.add_location(
workflow
.location()
.primary()
.with_keys(["concurrency".into()])
.annotated("cancel-in-progress set to false"),
)
.build(workflow)?,
);
};
}
Some(Concurrency::Bare(_)) => {
findings.push(
Self::finding()
.confidence(Confidence::High)
.severity(Severity::Low)
.persona(Persona::Pedantic)
.add_location(
workflow
.location()
.primary()
.with_keys(["concurrency".into()])
.annotated("concurrency is missing cancel-in-progress"),
)
.build(workflow)?,
);
}
None => {
findings.push(
Self::finding()
.confidence(Confidence::High)
.severity(Severity::Low)
.persona(Persona::Pedantic)
.add_location(
workflow
.location()
.primary()
.annotated("missing concurrency setting"),
)
.build(workflow)?,
);
}
}
Ok(findings)
}
}
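Review bot: The audit's description reads "insufficient job-level concurrency limits", but `audit_workflow` only inspects the workflow-level `workflow.concurrency`; a job that sets or omits its own `concurrency:` block is never examined, so either the description should say workflow-level or the audit should also visit jobs, if the `Job` model exposes a concurrency field. The three match arms also repeat the same confidence/severity/persona builder chain with only the annotated location differing, which is easy to let drift; computing the location first and building the finding once keeps those settings in one place. A sketch of that shape is below; note that a literal `true` and any expression both fall through with no finding, which matches the `cancel-expr` test but is worth a comment since an expression may still evaluate to false at run time.
```rust
    ) -> Result<Vec<Finding<'doc>>> {
        // Every finding points at the top-level `concurrency` key except the
        // "missing" case, which can only point at the document itself.
        let concurrency_key = || {
            workflow
                .location()
                .primary()
                .with_keys(["concurrency".into()])
        };
        let location = match &workflow.concurrency {
            Some(Concurrency::Rich { group: _, cancel_in_progress }) => match cancel_in_progress {
                BoE::Literal(false) => concurrency_key().annotated("cancel-in-progress set to false"),
                // A literal `true` or an expression is accepted as-is.
                _ => return Ok(vec![]),
            },
            Some(Concurrency::Bare(_)) => {
                concurrency_key().annotated("concurrency is missing cancel-in-progress")
            }
            None => workflow.location().primary().annotated("missing concurrency setting"),
        };
        Ok(vec![
            Self::finding()
                .confidence(Confidence::High)
                .severity(Severity::Low)
                .persona(Persona::Pedantic)
                .add_location(location)
                .build(workflow)?,
        ])
    }
```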


@ -21,6 +21,7 @@ pub(crate) mod anonymous_definition;
pub(crate) mod artipacked;
pub(crate) mod bot_conditions;
pub(crate) mod cache_poisoning;
pub(crate) mod concurrency_limits;
pub(crate) mod dangerous_triggers;
pub(crate) mod dependabot_cooldown;
pub(crate) mod dependabot_execution;


@ -1,4 +1,4 @@
//! Detects actions pinned by commit hash, which doesn't point to a Git tag.
//! Detects actions pinned by commit hash, which don't point to a Git tag.
use anyhow::{Result, anyhow};
use github_actions_models::common::{RepositoryUses, Uses};


@ -80,6 +80,7 @@ impl AuditRegistry {
register_audit!(audit::ref_version_mismatch::RefVersionMismatch);
register_audit!(audit::dependabot_execution::DependabotExecution);
register_audit!(audit::dependabot_cooldown::DependabotCooldown);
register_audit!(audit::concurrency_limits::ConcurrencyLimits);
Ok(registry)
}


@ -308,3 +308,33 @@ fn audit_unpinned_images() -> anyhow::Result<()> {
Ok(())
}
#[test]
fn concurrency_limits_cancel_true() -> anyhow::Result<()> {
let auditable = input_under_test("concurrency-limits/cancel-true.yml");
let cli_args = [&auditable];
let execution = zizmor().args(cli_args).output()?;
assert_eq!(execution.status.code(), Some(0));
let findings = String::from_utf8(execution.stdout)?;
assert_eq!(&findings, "[]");
Ok(())
}
#[test]
fn concurrency_limits_cancel_expr() -> anyhow::Result<()> {
let auditable = input_under_test("concurrency-limits/cancel-expr.yml");
let cli_args = [&auditable];
let execution = zizmor().args(cli_args).output()?;
assert_eq!(execution.status.code(), Some(0));
let findings = String::from_utf8(execution.stdout)?;
assert_eq!(&findings, "[]");
Ok(())
}
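Review bot: Both new tests assert an empty finding list without passing `--persona=pedantic`, while the new audit appears to emit its findings only under the pedantic persona (the audit sets `Persona::Pedantic` and the snapshot tests elsewhere in this commit pass `--persona=pedantic`), so the `[]` result does not show that `cancel-true.yml` and `cancel-expr.yml` are accepted — it would presumably also be `[]` if the audit flagged them, since the finding would just be suppressed. If `zizmor()` here yields a `Command`, chaining the persona flag before `.output()` makes the assertion meaningful: `let execution = zizmor().args(cli_args).args(["--persona=pedantic"]).output()?;`. The same applies to both test functions in this hunk.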


@ -1,7 +1,7 @@
---
source: crates/zizmor/tests/integration/e2e/json_v1.rs
assertion_line: 17
expression: output
snapshot_kind: text
---
[
{
@ -275,16 +275,16 @@ snapshot_kind: text
"concrete": {
"location": {
"start_point": {
"row": 16,
"row": 20,
"column": 8
},
"end_point": {
"row": 16,
"row": 20,
"column": 29
},
"offset_span": {
"start": 279,
"end": 300
"start": 406,
"end": 427
}
},
"feature": "uses: docker://ubuntu",
@ -338,16 +338,16 @@ snapshot_kind: text
"concrete": {
"location": {
"start_point": {
"row": 22,
"row": 26,
"column": 8
},
"end_point": {
"row": 22,
"row": 26,
"column": 58
},
"offset_span": {
"start": 404,
"end": 454
"start": 531,
"end": 581
}
},
"feature": "uses: docker://ghcr.io/pypa/gh-action-pypi-publish",


@ -1035,3 +1035,75 @@ fn dependabot_cooldown() -> Result<()> {
Ok(())
}
#[test]
fn concurrency_limits() -> Result<()> {
insta::assert_snapshot!(
zizmor()
.input(input_under_test(
"concurrency-limits/missing.yml"
))
.args(["--persona=pedantic"])
.run()?,
@r"
help[concurrency-limits]: insufficient job-level concurrency limits
--> @@INPUT@@:1:1
|
1 | / name: Workflow without concurrency
2 | | on: push
3 | | permissions: {}
... |
10 | | - name: 1-ok
11 | | run: echo ok
| |___________________^ missing concurrency setting
|
= note: audit confidence High
1 finding: 0 informational, 1 low, 0 medium, 0 high
"
);
insta::assert_snapshot!(
zizmor()
.input(input_under_test(
"concurrency-limits/cancel-false.yml"
))
.args(["--persona=pedantic"])
.run()?,
@r"
help[concurrency-limits]: insufficient job-level concurrency limits
--> @@INPUT@@:5:1
|
5 | / concurrency:
6 | | group: ${{ github.workflow }}-${{ github.event.pull_request_number || github.ref }}
7 | | cancel-in-progress: false
| |___________________________^ cancel-in-progress set to false
|
= note: audit confidence High
1 finding: 0 informational, 1 low, 0 medium, 0 high
"
);
insta::assert_snapshot!(
zizmor()
.input(input_under_test(
"concurrency-limits/no-cancel.yml"
))
.args(["--persona=pedantic"])
.run()?,
@r"
help[concurrency-limits]: insufficient job-level concurrency limits
--> @@INPUT@@:5:1
|
5 | concurrency: group
| ^^^^^^^^^^^^^^^^^^ concurrency is missing cancel-in-progress
|
= note: audit confidence High
1 finding: 0 informational, 1 low, 0 medium, 0 high
"
);
Ok(())
}


@ -4,4 +4,4 @@ expression: "zizmor().input(input_under_test(\"config-scenarios/disablement\")).
---
🌈 zizmor v@@VERSION@@
DEBUG audit{input=Workflow(file://@@INPUT@@/.github/workflows/hackme.yml)}: zizmor::audit: skipping: template-injection is disabled in config for group Group("@@INPUT@@")
No findings to report. Good job!
No findings to report. Good job! (1 suppressed)


@ -6,4 +6,4 @@ expression: "zizmor().input(input_under_test(\"config-scenarios/config-in-dotgit
DEBUG zizmor::config: discovering config for local input `@@INPUT@@`
DEBUG zizmor::config: attempting config discovery in `@@INPUT@@`
DEBUG zizmor::config: found config candidate at `@@INPUT@@/.github/zizmor.yml`
No findings to report. Good job! (1 ignored, 1 suppressed)
No findings to report. Good job! (1 ignored, 2 suppressed)


@ -6,4 +6,4 @@ expression: "zizmor().input(input_under_test(\"config-scenarios/config-in-dotgit
DEBUG zizmor::config: discovering config for local input `@@INPUT@@`
DEBUG zizmor::config: attempting config discovery in `@@TEST_PREFIX@@/config-scenarios/config-in-dotgithub/.github/workflows`
DEBUG zizmor::config: found config candidate at `@@TEST_PREFIX@@/config-scenarios/config-in-dotgithub/.github/zizmor.yml`
No findings to report. Good job! (1 ignored, 1 suppressed)
No findings to report. Good job! (1 ignored, 2 suppressed)


@ -6,4 +6,4 @@ expression: "zizmor().input(input_under_test(\"config-scenarios/config-in-root\"
DEBUG zizmor::config: discovering config for local input `@@INPUT@@`
DEBUG zizmor::config: attempting config discovery in `@@INPUT@@`
DEBUG zizmor::config: found config candidate at `@@INPUT@@/zizmor.yml`
No findings to report. Good job! (1 ignored, 1 suppressed)
No findings to report. Good job! (1 ignored, 2 suppressed)


@ -6,4 +6,4 @@ expression: "zizmor().input(input_under_test(\"config-scenarios/config-in-root/.
DEBUG zizmor::config: discovering config for local input `@@INPUT@@`
DEBUG zizmor::config: attempting config discovery in `@@INPUT@@`
DEBUG zizmor::config: found config candidate at `@@TEST_PREFIX@@/config-scenarios/config-in-root/zizmor.yml`
No findings to report. Good job! (1 ignored, 1 suppressed)
No findings to report. Good job! (1 ignored, 2 suppressed)


@ -6,4 +6,4 @@ expression: "zizmor().input(input_under_test(\"config-scenarios/config-in-root/.
DEBUG zizmor::config: discovering config for local input `@@INPUT@@`
DEBUG zizmor::config: attempting config discovery in `@@TEST_PREFIX@@/config-scenarios/config-in-root/.github/workflows`
DEBUG zizmor::config: found config candidate at `@@TEST_PREFIX@@/config-scenarios/config-in-root/zizmor.yml`
No findings to report. Good job! (1 ignored, 1 suppressed)
No findings to report. Good job! (1 ignored, 2 suppressed)


@ -17,4 +17,4 @@ error[template-injection]: code injection via template expansion
|
= note: audit confidence → High
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high
3 findings (2 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -17,4 +17,4 @@ error[template-injection]: code injection via template expansion
|
= note: audit confidence → High
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high
3 findings (2 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -17,4 +17,4 @@ error[template-injection]: code injection via template expansion
|
= note: audit confidence → High
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high
3 findings (2 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -17,4 +17,4 @@ error[template-injection]: code injection via template expansion
|
= note: audit confidence → High
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high
3 findings (2 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -17,4 +17,4 @@ error[template-injection]: code injection via template expansion
|
= note: audit confidence → High
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high
3 findings (2 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -1000,4 +1000,4 @@ error[dangerous-triggers]: use of fundamentally insecure workflow trigger
|
= note: audit confidence → Medium
162 findings (76 suppressed): 7 informational, 0 low, 29 medium, 50 high
183 findings (97 suppressed): 7 informational, 0 low, 29 medium, 50 high


@ -33,4 +33,4 @@ error[unpinned-uses]: unpinned action reference
|
= note: audit confidence → High
4 findings (2 suppressed): 0 informational, 0 low, 1 medium, 1 high
5 findings (3 suppressed): 0 informational, 0 low, 1 medium, 1 high


@ -1,6 +1,6 @@
---
source: crates/zizmor/tests/integration/e2e.rs
expression: "zizmor().offline(false).output(OutputMode::Both).args([\"--no-online-audits\",\n\"--collect=workflows-only\"]).input(\"python/cpython@f963239ff1f986742d4c6bab2ab7b73f5a4047f6\").run()?"
expression: "zizmor().offline(false).output(OutputMode::Both).args([\"--no-online-audits\",\n\"--collect=workflows\"]).input(\"python/cpython@f963239ff1f986742d4c6bab2ab7b73f5a4047f6\").run()?"
---
🌈 zizmor v@@VERSION@@
INFO zizmor::registry: skipping impostor-commit: offline audits only requested
@ -173,4 +173,4 @@ error[unpinned-uses]: unpinned action reference
|
= note: audit confidence → High
85 findings (1 ignored, 66 suppressed): 0 informational, 1 low, 0 medium, 17 high
97 findings (1 ignored, 78 suppressed): 0 informational, 1 low, 0 medium, 17 high


@ -15,4 +15,4 @@ expression: "zizmor().offline(false).output(OutputMode::Both).args([\"--no-onlin
INFO audit: zizmor: 🌈 completed .github/workflows/hello.yml
INFO audit: zizmor: 🌈 completed arbitrary/subdir/.github/workflows/hello.yml
INFO audit: zizmor: 🌈 completed arbitrary/subdir/custom-action/action.yml
No findings to report. Good job! (2 suppressed)
No findings to report. Good job! (4 suppressed)


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/e2e.rs
assertion_line: 71
expression: "zizmor().output(OutputMode::Both).args([\"--collect=all\"]).input(input_under_test(\"e2e-menagerie\")).run()?"
---
🌈 zizmor v@@VERSION@@
@ -21,4 +22,4 @@ error[dangerous-triggers]: use of fundamentally insecure workflow trigger
|
= note: audit confidence → Medium
1 finding: 0 informational, 0 low, 0 medium, 1 high
4 findings (3 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -12,4 +12,4 @@ expression: "zizmor().output(OutputMode::Both).input(input_under_test(\"e2e-mena
INFO audit: zizmor: 🌈 completed @@INPUT@@/.github/workflows/another-dummy.yml
INFO audit: zizmor: 🌈 completed @@INPUT@@/.github/workflows/dummy.yml
INFO audit: zizmor: 🌈 completed @@INPUT@@/dummy-action-1/action.yaml
No findings to report. Good job!
No findings to report. Good job! (2 suppressed)


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 55
expression: "zizmor().input(input_under_test(\"anonymous-definition.yml\")).args([\"--persona=pedantic\"]).run()?"
---
help[anonymous-definition]: workflow or action definition without a name
@ -10,19 +11,19 @@ help[anonymous-definition]: workflow or action definition without a name
7 | |
8 | | permissions: {}
... |
19 | | steps:
20 | | - run: "echo this job will trigger"
23 | | steps:
24 | | - run: "echo this job will trigger"
| |__________________________________________^ this workflow
|
= note: audit confidence → High
info[anonymous-definition]: workflow or action definition without a name
--> @@INPUT@@:17:3
--> @@INPUT@@:21:3
|
17 | / will-trigger:
18 | | runs-on: ubuntu-latest
19 | | steps:
20 | | - run: "echo this job will trigger"
21 | / will-trigger:
22 | | runs-on: ubuntu-latest
23 | | steps:
24 | | - run: "echo this job will trigger"
| |__________________________________________^ this job
|
= note: audit confidence → High


@ -1,11 +1,12 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 74
expression: "zizmor().input(input_under_test(\"artipacked.yml\")).run()?"
---
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> @@INPUT@@:18:9
--> @@INPUT@@:22:9
|
18 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
22 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ does not set persist-credentials: false
|
= note: audit confidence → Low


@ -1,23 +1,24 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 76
expression: "zizmor().input(input_under_test(\"artipacked.yml\")).args([\"--persona=auditor\"]).run()?"
---
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> @@INPUT@@:18:9
--> @@INPUT@@:22:9
|
18 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
22 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> @@INPUT@@:24:9
--> @@INPUT@@:28:9
|
24 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
28 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
| _________^
25 | | with:
26 | | persist-credentials: true
29 | | with:
30 | | persist-credentials: true
| |____________________________________^ does not set persist-credentials: false
|
= note: audit confidence → Low


@ -3,14 +3,14 @@ source: crates/zizmor/tests/integration/snapshot.rs
expression: "zizmor().input(input_under_test(\"artipacked/issue-447-repro.yml\")).args([\"--persona=auditor\"]).run()?"
---
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> @@INPUT@@:20:9
--> @@INPUT@@:24:9
|
20 | - name: true-positive
24 | - name: true-positive
| _________^
21 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
22 | | with:
23 | | # finding in auditor mode only
24 | | persist-credentials: "true"
25 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
26 | | with:
27 | | # finding in auditor mode only
28 | | persist-credentials: "true"
| |______________________________________^ does not set persist-credentials: false
|
= note: audit confidence → Low


@ -1,11 +1,12 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 67
expression: "zizmor().input(input_under_test(\"artipacked.yml\")).args([\"--persona=pedantic\"]).run()?"
---
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> @@INPUT@@:18:9
--> @@INPUT@@:22:9
|
18 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
22 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ does not set persist-credentials: false
|
= note: audit confidence → Low


@ -142,4 +142,4 @@ error[bot-conditions]: spoofable bot actor check
= note: audit confidence → High
= note: this finding has an auto-fix
12 findings (11 fixable): 0 informational, 0 low, 0 medium, 12 high
13 findings (1 suppressed, 11 fixable): 0 informational, 0 low, 0 medium, 12 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 532
expression: "zizmor().input(input_under_test(\"cache-poisoning/publisher-step.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -14,4 +15,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
= note: audit confidence → Low
= note: this finding has an auto-fix
1 findings (1 fixable): 0 informational, 0 low, 0 medium, 1 high
2 findings (1 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 538
expression: "zizmor().input(input_under_test(\"cache-poisoning/issue-343-repro.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -53,4 +54,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
= note: audit confidence → Low
= note: this finding has an auto-fix
4 findings (1 suppressed, 3 fixable): 0 informational, 0 low, 0 medium, 3 high
5 findings (2 suppressed, 3 fixable): 0 informational, 0 low, 0 medium, 3 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 544
expression: "zizmor().input(input_under_test(\"cache-poisoning/caching-not-configurable.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -16,4 +17,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
|
= note: audit confidence → Low
3 findings (1 ignored, 1 suppressed): 0 informational, 0 low, 0 medium, 1 high
4 findings (1 ignored, 2 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 552
expression: "zizmor().input(input_under_test(\"cache-poisoning/workflow-release-branch-trigger.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -17,4 +18,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
= note: audit confidence → Low
= note: this finding has an auto-fix
3 findings (1 ignored, 1 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 1 high
4 findings (1 ignored, 2 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: tests/integration/snapshot.rs
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 560
expression: "zizmor().input(input_under_test(\"cache-poisoning/issue-378-repro.yml\")).run()?"
---
No findings to report. Good job!
No findings to report. Good job! (1 suppressed)


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 566
expression: "zizmor().input(input_under_test(\"cache-poisoning/issue-642-repro.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -15,4 +16,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
|
= note: audit confidence → Low
1 finding: 0 informational, 0 low, 0 medium, 1 high
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 572
expression: "zizmor().input(input_under_test(\"cache-poisoning/issue-1081-repro.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -27,4 +28,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
= note: audit confidence → Low
= note: this finding has an auto-fix
2 findings (2 fixable): 0 informational, 0 low, 0 medium, 2 high
3 findings (1 suppressed, 2 fixable): 0 informational, 0 low, 0 medium, 2 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 578
expression: "zizmor().input(input_under_test(\"cache-poisoning/issue-1152-repro.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -36,4 +37,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
|
= note: audit confidence → Low
3 findings: 0 informational, 0 low, 0 medium, 3 high
4 findings (1 suppressed): 0 informational, 0 low, 0 medium, 3 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 474
expression: "zizmor().input(input_under_test(\"cache-poisoning/caching-enabled-by-default.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -14,4 +15,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
= note: audit confidence → Low
= note: this finding has an auto-fix
3 findings (1 ignored, 1 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 1 high
4 findings (1 ignored, 2 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 482
expression: "zizmor().input(input_under_test(\"cache-poisoning/caching-opt-in-boolean-toggle.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -16,4 +17,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
= note: audit confidence → Low
= note: this finding has an auto-fix
2 findings (1 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 1 high
3 findings (2 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 490
expression: "zizmor().input(input_under_test(\"cache-poisoning/caching-opt-in-expression.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -16,4 +17,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
= note: audit confidence → Low
= note: this finding has an auto-fix
2 findings (1 ignored, 1 fixable): 0 informational, 0 low, 0 medium, 1 high
3 findings (1 ignored, 1 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 498
expression: "zizmor().input(input_under_test(\"cache-poisoning/caching-opt-in-multi-value-toggle.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -16,4 +17,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
|
= note: audit confidence → Low
1 finding: 0 informational, 0 low, 0 medium, 1 high
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -1,6 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 506
expression: "zizmor().input(input_under_test(\"cache-poisoning/caching-opt-out.yml\")).run()?"
snapshot_kind: text
---
No findings to report. Good job! (1 ignored, 1 suppressed)
No findings to report. Good job! (1 ignored, 2 suppressed)


@ -1,6 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 512
expression: "zizmor().input(input_under_test(\"cache-poisoning/no-cache-aware-steps.yml\")).run()?"
snapshot_kind: text
---
No findings to report. Good job! (1 ignored, 1 suppressed)
No findings to report. Good job! (1 ignored, 2 suppressed)


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 518
expression: "zizmor().input(input_under_test(\"cache-poisoning/workflow-tag-trigger.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -17,4 +18,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
= note: audit confidence → Low
= note: this finding has an auto-fix
3 findings (1 ignored, 1 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 1 high
4 findings (1 ignored, 2 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 524
expression: "zizmor().input(input_under_test(\"cache-poisoning/caching-opt-in-boolish-toggle.yml\")).run()?"
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
@ -17,4 +18,4 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
= note: audit confidence → Low
= note: this finding has an auto-fix
1 findings (1 fixable): 0 informational, 0 low, 0 medium, 1 high
2 findings (1 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 1 high


@ -2,4 +2,4 @@
source: tests/integration/snapshot.rs
expression: "zizmor().input(input_under_test(\"cache-poisoning/caching-disabled-by-default.yml\")).run()?"
---
No findings to report. Good job!
No findings to report. Good job! (1 suppressed)


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 663
expression: "zizmor().input(input_under_test(\"excessive-permissions/issue-472-repro.yml\")).run()?"
---
warning[excessive-permissions]: overly broad permissions
@ -18,4 +19,4 @@ warning[excessive-permissions]: overly broad permissions
|
= note: audit confidence → Medium
3 findings (2 suppressed): 0 informational, 0 low, 1 medium, 0 high
4 findings (3 suppressed): 0 informational, 0 low, 1 medium, 0 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 671
expression: "zizmor().input(input_under_test(\"excessive-permissions/reusable-workflow-call.yml\")).run()?"
---
warning[excessive-permissions]: overly broad permissions
@ -16,4 +17,4 @@ warning[excessive-permissions]: overly broad permissions
|
= note: audit confidence → Medium
2 findings (1 suppressed): 0 informational, 0 low, 1 medium, 0 high
3 findings (2 suppressed): 0 informational, 0 low, 1 medium, 0 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 679
expression: "zizmor().input(input_under_test(\"excessive-permissions/reusable-workflow-other-triggers.yml\")).run()?"
---
warning[excessive-permissions]: overly broad permissions
@ -48,4 +49,4 @@ warning[excessive-permissions]: overly broad permissions
|
= note: audit confidence → Medium
3 findings: 0 informational, 0 low, 3 medium, 0 high
4 findings (1 suppressed): 0 informational, 0 low, 3 medium, 0 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 597
expression: "zizmor().input(input_under_test(\"excessive-permissions/issue-336-repro.yml\")).args([\"--pedantic\"]).run()?"
---
error[excessive-permissions]: overly broad permissions


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 606
expression: "zizmor().input(input_under_test(\"excessive-permissions/workflow-default-perms.yml\")).args([\"--pedantic\"]).run()?"
---
warning[excessive-permissions]: overly broad permissions
@ -9,22 +10,22 @@ warning[excessive-permissions]: overly broad permissions
6 | |
7 | | name: workflow-default-perms
... |
15 | | with:
16 | | persist-credentials: false
19 | | with:
20 | | persist-credentials: false
| |_____________________________________^ default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> @@INPUT@@:10:3
--> @@INPUT@@:14:3
|
10 | / single:
11 | | name: single
12 | | runs-on: ubuntu-latest
13 | | steps:
14 | | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
15 | | with:
16 | | persist-credentials: false
14 | / single:
15 | | name: single
16 | | runs-on: ubuntu-latest
17 | | steps:
18 | | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
19 | | with:
20 | | persist-credentials: false
| | ^
| | |
| |_____________________________________this job


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 615
expression: "zizmor().input(input_under_test(\"excessive-permissions/workflow-read-all.yml\")).run()?"
---
warning[excessive-permissions]: overly broad permissions
@ -10,4 +11,4 @@ warning[excessive-permissions]: overly broad permissions
|
= note: audit confidence → High
1 finding: 0 informational, 0 low, 1 medium, 0 high
2 findings (1 suppressed): 0 informational, 0 low, 1 medium, 0 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 623
expression: "zizmor().input(input_under_test(\"excessive-permissions/workflow-write-all.yml\")).run()?"
---
error[excessive-permissions]: overly broad permissions
@ -10,4 +11,4 @@ error[excessive-permissions]: overly broad permissions
|
= note: audit confidence → High
1 finding: 0 informational, 0 low, 0 medium, 1 high
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: tests/integration/snapshot.rs
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 631
expression: "zizmor().input(input_under_test(\"excessive-permissions/workflow-empty-perms.yml\")).run()?"
---
No findings to report. Good job!
No findings to report. Good job! (1 suppressed)


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 639
expression: "zizmor().input(input_under_test(\"excessive-permissions/jobs-broaden-permissions.yml\")).run()?"
---
warning[excessive-permissions]: overly broad permissions
@ -32,4 +33,4 @@ error[excessive-permissions]: overly broad permissions
|
= note: audit confidence → High
2 findings: 0 informational, 0 low, 1 medium, 1 high
3 findings (1 suppressed): 0 informational, 0 low, 1 medium, 1 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 647
expression: "zizmor().input(input_under_test(\"excessive-permissions/workflow-write-explicit.yml\")).run()?"
---
error[excessive-permissions]: overly broad permissions
@ -26,4 +27,4 @@ warning[excessive-permissions]: overly broad permissions
|
= note: audit confidence → High
5 findings (2 suppressed): 0 informational, 0 low, 1 medium, 2 high
6 findings (3 suppressed): 0 informational, 0 low, 1 medium, 2 high


@ -1,5 +1,6 @@
---
source: tests/integration/snapshot.rs
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 655
expression: "zizmor().input(input_under_test(\"excessive-permissions/workflow-default-perms-all-jobs-explicit.yml\")).run()?"
---
No findings to report. Good job! (3 suppressed)
No findings to report. Good job! (4 suppressed)


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 589
expression: "zizmor().input(input_under_test(\"excessive-permissions/issue-336-repro.yml\")).run()?"
---
No findings to report. Good job! (1 suppressed)


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 798
expression: "zizmor().config(input_under_test(&format!(\"forbidden-uses/configs/{config}.yml\"))).input(input_under_test(\"forbidden-uses/forbidden-uses-menagerie.yml\")).run()?"
---
error[forbidden-uses]: forbidden action used
@ -26,4 +27,4 @@ error[forbidden-uses]: forbidden action used
|
= note: audit confidence → High
3 findings: 0 informational, 0 low, 0 medium, 3 high
4 findings (1 suppressed): 0 informational, 0 low, 0 medium, 3 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 798
expression: "zizmor().config(input_under_test(&format!(\"forbidden-uses/configs/{config}.yml\"))).input(input_under_test(\"forbidden-uses/forbidden-uses-menagerie.yml\")).run()?"
---
error[forbidden-uses]: forbidden action used
@ -10,4 +11,4 @@ error[forbidden-uses]: forbidden action used
|
= note: audit confidence → High
1 finding: 0 informational, 0 low, 0 medium, 1 high
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 798
expression: "zizmor().config(input_under_test(&format!(\"forbidden-uses/configs/{config}.yml\"))).input(input_under_test(\"forbidden-uses/forbidden-uses-menagerie.yml\")).run()?"
---
error[forbidden-uses]: forbidden action used
@ -18,4 +19,4 @@ error[forbidden-uses]: forbidden action used
|
= note: audit confidence → High
2 findings: 0 informational, 0 low, 0 medium, 2 high
3 findings (1 suppressed): 0 informational, 0 low, 0 medium, 2 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 798
expression: "zizmor().config(input_under_test(&format!(\"forbidden-uses/configs/{config}.yml\"))).input(input_under_test(\"forbidden-uses/forbidden-uses-menagerie.yml\")).run()?"
---
error[forbidden-uses]: forbidden action used
@ -18,4 +19,4 @@ error[forbidden-uses]: forbidden action used
|
= note: audit confidence → High
2 findings: 0 informational, 0 low, 0 medium, 2 high
3 findings (1 suppressed): 0 informational, 0 low, 0 medium, 2 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 798
expression: "zizmor().config(input_under_test(&format!(\"forbidden-uses/configs/{config}.yml\"))).input(input_under_test(\"forbidden-uses/forbidden-uses-menagerie.yml\")).run()?"
---
error[forbidden-uses]: forbidden action used
@ -10,4 +11,4 @@ error[forbidden-uses]: forbidden action used
|
= note: audit confidence → High
1 finding: 0 informational, 0 low, 0 medium, 1 high
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -2,4 +2,4 @@
source: tests/integration/snapshot.rs
expression: "zizmor().config(input_under_test(&format!(\"forbidden-uses/configs/{config}.yml\"))).input(input_under_test(\"forbidden-uses/forbidden-uses-menagerie.yml\")).run()?"
---
No findings to report. Good job!
No findings to report. Good job! (1 suppressed)


@ -12,4 +12,4 @@ error[github-env]: dangerous use of environment file
|
= note: audit confidence → Low
2 findings (1 ignored): 0 informational, 0 low, 0 medium, 1 high
3 findings (1 ignored, 1 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 704
expression: "zizmor().input(input_under_test(\"github-env/issue-397-repro.yml\")).run()?"
---
error[github-env]: dangerous use of environment file
@ -12,4 +13,4 @@ error[github-env]: dangerous use of environment file
|
= note: audit confidence → Low
2 findings (1 ignored): 0 informational, 0 low, 0 medium, 1 high
3 findings (1 ignored, 1 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 42
expression: "zizmor().offline(true).input(input_under_test(\"several-vulnerabilities.yml\")).args([\"--persona=auditor\",\n\"--format=github\"]).run()?"
---
::error file=@@INPUT@@,line=5,title=excessive-permissions::several-vulnerabilities.yml:5: overly broad permissions: uses write-all permissions
@ -7,3 +8,4 @@ expression: "zizmor().offline(true).input(input_under_test(\"several-vulnerabili
::error file=@@INPUT@@,line=2,title=dangerous-triggers::several-vulnerabilities.yml:2: use of fundamentally insecure workflow trigger: pull_request_target is almost always used insecurely
::warning file=@@INPUT@@,line=16,title=template-injection::several-vulnerabilities.yml:16: code injection via template expansion: may expand into attacker-controllable code
::error file=@@INPUT@@,line=16,title=template-injection::several-vulnerabilities.yml:16: code injection via template expansion: may expand into attacker-controllable code
::warning file=@@INPUT@@,line=1,title=concurrency-limits::several-vulnerabilities.yml:1: insufficient job-level concurrency limits: missing concurrency setting


@ -1,12 +1,13 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 330
expression: "zizmor().input(input_under_test(\"insecure-commands.yml\")).run()?"
---
error[insecure-commands]: execution of insecure workflow commands is enabled
--> @@INPUT@@:11:5
--> @@INPUT@@:15:5
|
11 | / env:
12 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: true
15 | / env:
16 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: true
| |___________________________________________^ insecure commands enabled here
|
= note: audit confidence → High


@ -3,19 +3,19 @@ source: crates/zizmor/tests/integration/snapshot.rs
expression: "zizmor().input(input_under_test(\"insecure-commands/issue-839-repro.yml\")).args([\"--persona=auditor\"]).run()?"
---
error[insecure-commands]: execution of insecure workflow commands is enabled
--> @@INPUT@@:11:5
--> @@INPUT@@:15:5
|
11 | / env:
12 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: "true"
15 | / env:
16 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: "true"
| |_____________________________________________^ insecure commands enabled here
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[insecure-commands]: execution of insecure workflow commands is enabled
--> @@INPUT@@:26:9
--> @@INPUT@@:30:9
|
26 | env: ${{ matrix.env }}
30 | env: ${{ matrix.env }}
| ^^^^^^^^^^^^^^^^^^^^^^ non-static environment may contain ACTIONS_ALLOW_UNSECURE_COMMANDS
|
= note: audit confidence → Low


@ -1,21 +1,22 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 323
expression: "zizmor().input(input_under_test(\"insecure-commands.yml\")).args([\"--persona=auditor\"]).run()?"
---
error[insecure-commands]: execution of insecure workflow commands is enabled
--> @@INPUT@@:11:5
--> @@INPUT@@:15:5
|
11 | / env:
12 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: true
15 | / env:
16 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: true
| |___________________________________________^ insecure commands enabled here
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[insecure-commands]: execution of insecure workflow commands is enabled
--> @@INPUT@@:26:9
--> @@INPUT@@:30:9
|
26 | env: ${{ matrix.env }}
30 | env: ${{ matrix.env }}
| ^^^^^^^^^^^^^^^^^^^^^^ non-static environment may contain ACTIONS_ALLOW_UNSECURE_COMMANDS
|
= note: audit confidence → Low


@ -1,11 +1,12 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 817
expression: "zizmor().input(input_under_test(\"obfuscation/computed-indices.yml\")).args([\"--persona=pedantic\"]).run()?"
---
help[obfuscation]: obfuscated usage of GitHub Actions features
--> @@INPUT@@:14:23
--> @@INPUT@@:18:23
|
14 | - if: ${{ inputs[inputs.foo] }}
18 | - if: ${{ inputs[inputs.foo] }}
| ^^^^^^^^^^^^ index expression is computed
|
= note: audit confidence → High


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 824
expression: "zizmor().input(input_under_test(\"obfuscation/issue-1177-repro.yml\")).args([\"--persona=pedantic\"]).run()?"
---
No findings to report. Good job!


@ -189,4 +189,4 @@ help[obfuscation]: obfuscated usage of GitHub Actions features
= note: audit confidence → High
= note: this finding has an auto-fix
37 findings (1 ignored, 16 suppressed, 19 fixable): 0 informational, 20 low, 0 medium, 0 high
38 findings (1 ignored, 17 suppressed, 19 fixable): 0 informational, 20 low, 0 medium, 0 high


@ -18,4 +18,4 @@ warning[overprovisioned-secrets]: excessively provisioned secrets
|
= note: audit confidence → High
3 findings (1 ignored): 0 informational, 0 low, 2 medium, 0 high
4 findings (1 ignored, 1 suppressed): 0 informational, 0 low, 2 medium, 0 high


@ -10,4 +10,4 @@ error[unpinned-uses]: unpinned action reference
|
= note: audit confidence → High
1 finding: 0 informational, 0 low, 0 medium, 1 high
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -18,4 +18,4 @@ error[unpinned-uses]: unpinned action reference
|
= note: audit confidence → High
3 findings (1 suppressed): 0 informational, 0 low, 1 medium, 1 high
4 findings (2 suppressed): 0 informational, 0 low, 1 medium, 1 high


@ -13,4 +13,4 @@ warning[ref-version-mismatch]: detects commit SHAs that don't match their versio
= note: audit confidence → High
= note: this finding has an auto-fix
2 findings (1 suppressed, 1 fixable): 0 informational, 0 low, 1 medium, 0 high
3 findings (2 suppressed, 1 fixable): 0 informational, 0 low, 1 medium, 0 high


@ -13,4 +13,4 @@ warning[secrets-inherit]: secrets unconditionally inherited by called workflow
|
= note: audit confidence → High
1 finding: 0 informational, 0 low, 1 medium, 0 high
2 findings (1 suppressed): 0 informational, 0 low, 1 medium, 0 high


@ -1,5 +1,6 @@
---
source: tests/integration/snapshot.rs
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 109
expression: "zizmor().input(input_under_test(\"self-hosted.yml\")).run()?"
---
No findings to report. Good job! (1 suppressed)


@ -3,9 +3,9 @@ source: crates/zizmor/tests/integration/snapshot.rs
expression: "zizmor().input(input_under_test(\"self-hosted/self-hosted-runner-label.yml\")).args([\"--persona=auditor\"]).run()?"
---
warning[self-hosted-runner]: runs on a self-hosted runner
--> @@INPUT@@:11:5
--> @@INPUT@@:15:5
|
11 | runs-on: [self-hosted, linux, arm64]
15 | runs-on: [self-hosted, linux, arm64]
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ self-hosted runner used here
|
= note: audit confidence → High


@ -3,10 +3,10 @@ source: crates/zizmor/tests/integration/snapshot.rs
expression: "zizmor().input(input_under_test(\"self-hosted/self-hosted-runner-group.yml\")).args([\"--persona=auditor\"]).run()?"
---
warning[self-hosted-runner]: runs on a self-hosted runner
--> @@INPUT@@:11:5
--> @@INPUT@@:15:5
|
11 | / runs-on:
12 | | group: ubuntu-runners
15 | / runs-on:
16 | | group: ubuntu-runners
| |___________________________^ runner group implies self-hosted runner
|
= note: audit confidence → Low


@ -3,14 +3,14 @@ source: crates/zizmor/tests/integration/snapshot.rs
expression: "zizmor().input(input_under_test(\"self-hosted/self-hosted-matrix-dimension.yml\")).args([\"--persona=auditor\"]).run()?"
---
warning[self-hosted-runner]: runs on a self-hosted runner
--> @@INPUT@@:11:5
--> @@INPUT@@:15:5
|
11 | runs-on: ${{ matrix.os }}
15 | runs-on: ${{ matrix.os }}
| ^^^^^^^^^^^^^^^^^^^^^^^^^ expression may expand into a self-hosted runner
12 |
13 | / strategy:
14 | | matrix:
15 | | os: [self-hosted, ubuntu-latest]
16 |
17 | / strategy:
18 | | matrix:
19 | | os: [self-hosted, ubuntu-latest]
| |________________________________________- matrix declares self-hosted runner
|
= note: audit confidence → High


@ -3,16 +3,16 @@ source: crates/zizmor/tests/integration/snapshot.rs
expression: "zizmor().input(input_under_test(\"self-hosted/self-hosted-matrix-inclusion.yml\")).args([\"--persona=auditor\"]).run()?"
---
warning[self-hosted-runner]: runs on a self-hosted runner
--> @@INPUT@@:11:5
--> @@INPUT@@:15:5
|
11 | runs-on: ${{ matrix.os }}
15 | runs-on: ${{ matrix.os }}
| ^^^^^^^^^^^^^^^^^^^^^^^^^ expression may expand into a self-hosted runner
12 |
13 | / strategy:
14 | | matrix:
15 | | os: [macOS-latest, ubuntu-latest]
16 | | include:
17 | | - os: self-hosted
16 |
17 | / strategy:
18 | | matrix:
19 | | os: [macOS-latest, ubuntu-latest]
20 | | include:
21 | | - os: self-hosted
| |___________________________- matrix declares self-hosted runner
|
= note: audit confidence → High


@ -1,5 +1,5 @@
---
source: tests/integration/snapshot.rs
source: crates/zizmor/tests/integration/snapshot.rs
expression: "zizmor().input(input_under_test(\"self-hosted/self-hosted-matrix-exclusion.yml\")).args([\"--persona=auditor\"]).run()?"
---
No findings to report. Good job!


@ -1,5 +1,5 @@
---
source: tests/integration/snapshot.rs
source: crates/zizmor/tests/integration/snapshot.rs
expression: "zizmor().input(input_under_test(\"self-hosted/issue-283-repro.yml\")).args([\"--persona=auditor\"]).run()?"
---
No findings to report. Good job!


@ -1,11 +1,12 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 102
expression: "zizmor().input(input_under_test(\"self-hosted.yml\")).args([\"--persona=auditor\"]).run()?"
---
warning[self-hosted-runner]: runs on a self-hosted runner
--> @@INPUT@@:13:5
--> @@INPUT@@:17:5
|
13 | runs-on: [self-hosted, my-ubuntu-box]
17 | runs-on: [self-hosted, my-ubuntu-box]
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ self-hosted runner used here
|
= note: audit confidence → High


@ -3,9 +3,9 @@ source: crates/zizmor/tests/integration/snapshot.rs
expression: "zizmor().input(input_under_test(\"stale-action-refs.yml\")).offline(false).args([\"--persona=pedantic\"]).run()?"
---
help[stale-action-refs]: commit hash does not point to a Git tag
--> @@INPUT@@:30:7
--> @@INPUT@@:34:7
|
30 | - uses: actions/checkout@009b9ae9e446ad8d9b8c809870b0fbcc5e03573e
34 | - uses: actions/checkout@009b9ae9e446ad8d9b8c809870b0fbcc5e03573e
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
|
= note: audit confidence → High


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 419
expression: "zizmor().input(input_under_test(\"template-injection/issue-749-repro.yml\")).run()?"
---
No findings to report. Good job! (1 suppressed)
No findings to report. Good job! (2 suppressed)


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 425
expression: "zizmor().input(input_under_test(\"template-injection/codeql-sinks.yml\")).run()?"
---
error[template-injection]: code injection via template expansion
@ -15,4 +16,4 @@ error[template-injection]: code injection via template expansion
|
= note: audit confidence → High
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high
3 findings (2 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 431
expression: "zizmor().input(input_under_test(\"template-injection/pwsh-script.yml\")).run()?"
---
error[template-injection]: code injection via template expansion
@ -15,4 +16,4 @@ error[template-injection]: code injection via template expansion
|
= note: audit confidence → High
2 findings (1 suppressed): 0 informational, 0 low, 0 medium, 1 high
3 findings (2 suppressed): 0 informational, 0 low, 0 medium, 1 high


@ -1,51 +1,52 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 445
expression: "zizmor().input(input_under_test(\"template-injection/multiline-expression.yml\")).args([\"--persona=pedantic\"]).run()?"
---
help[template-injection]: code injection via template expansion
--> @@INPUT@@:14:13
--> @@INPUT@@:18:13
|
12 | - run: |
16 | - run: |
| --- this run block
13 | echo ${{
14 | / some.ctx
15 | | && foo.bar
16 | | || baz.qux
17 | echo ${{
18 | / some.ctx
19 | | && foo.bar
20 | | || baz.qux
| |______________________^ may expand into attacker-controllable code
|
= note: audit confidence → High
info[template-injection]: code injection via template expansion
--> @@INPUT@@:15:16
--> @@INPUT@@:19:16
|
12 | - run: |
16 | - run: |
| --- this run block
...
15 | && foo.bar
19 | && foo.bar
| ^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → Low
info[template-injection]: code injection via template expansion
--> @@INPUT@@:16:16
--> @@INPUT@@:20:16
|
12 | - run: |
16 | - run: |
| --- this run block
...
16 | || baz.qux
20 | || baz.qux
| ^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → Low
help[template-injection]: code injection via template expansion
--> @@INPUT@@:22:15
--> @@INPUT@@:26:15
|
20 | run: |
24 | run: |
| --- this run block
21 | echo "TSAN_OPTIONS=log_path=${GITHUB_WORKSPACE}/tsan_log suppressions=${GITHUB_WORKSPACE}/Tools/tsan/suppressions${{
22 | / fromJSON(inputs.free-threading)
23 | | && '_free_threading'
24 | | || ''
25 | echo "TSAN_OPTIONS=log_path=${GITHUB_WORKSPACE}/tsan_log suppressions=${GITHUB_WORKSPACE}/Tools/tsan/suppressions${{
26 | / fromJSON(inputs.free-threading)
27 | | && '_free_threading'
28 | | || ''
| |___________________^ may expand into attacker-controllable code
|
= note: audit confidence → High


@ -1,25 +1,26 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 454
expression: "zizmor().input(input_under_test(\"template-injection/issue-988-repro.yml\")).args([\"--persona=pedantic\"]).run()?"
---
help[template-injection]: code injection via template expansion
--> @@INPUT@@:16:29
--> @@INPUT@@:19:29
|
13 | run: |
16 | run: |
| --- this run block
...
16 | event_name="${{ github.event_name }}"
19 | event_name="${{ github.event_name }}"
| ^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
help[template-injection]: code injection via template expansion
--> @@INPUT@@:27:57
--> @@INPUT@@:30:57
|
25 | run: |
28 | run: |
| --- this run block
26 | curl -X POST https://api.example.com -H "Content-type: application/json" \
27 | -d "{\"text\":\"ドドド: https://github.com/${{ github.repository }}\"}"
29 | curl -X POST https://api.example.com -H "Content-type: application/json" \
30 | -d "{\"text\":\"ドドド: https://github.com/${{ github.repository }}\"}"
| ^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High


@ -3,21 +3,21 @@ source: crates/zizmor/tests/integration/snapshot.rs
expression: "zizmor().input(input_under_test(\"template-injection/template-injection-dynamic-matrix.yml\")).args([\"--persona=auditor\"]).run()?"
---
help[template-injection]: code injection via template expansion
--> @@INPUT@@:22:36
--> @@INPUT@@:26:36
|
21 | run: |
25 | run: |
| --- this run block
22 | echo "doing a thing: ${{ matrix.dynamic }}"
26 | echo "doing a thing: ${{ matrix.dynamic }}"
| ^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
warning[template-injection]: code injection via template expansion
--> @@INPUT@@:22:36
--> @@INPUT@@:26:36
|
21 | run: |
25 | run: |
| --- this run block
22 | echo "doing a thing: ${{ matrix.dynamic }}"
26 | echo "doing a thing: ${{ matrix.dynamic }}"
| ^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → Medium


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 373
expression: "zizmor().input(input_under_test(\"template-injection/issue-22-repro.yml\")).run()?"
---
No findings to report. Good job! (5 suppressed)
No findings to report. Good job! (6 suppressed)


@ -1,5 +1,6 @@
---
source: crates/zizmor/tests/integration/snapshot.rs
assertion_line: 379
expression: "zizmor().input(input_under_test(\"template-injection/pr-317-repro.yml\")).run()?"
---
warning[template-injection]: code injection via template expansion
@ -13,4 +14,4 @@ warning[template-injection]: code injection via template expansion
= note: audit confidence → Medium
= note: this finding has an auto-fix
2 findings (1 suppressed, 1 fixable): 0 informational, 0 low, 1 medium, 0 high
3 findings (2 suppressed, 1 fixable): 0 informational, 0 low, 1 medium, 0 high
