docs: move changelog to website (#374)

William Woodruff 2025-01-02 01:43:28 -08:00 committed by GitHub
parent 4f6d939257
commit 71a546a624
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 471 additions and 117 deletions

.github/release.yml (vendored, 29 lines changed)

@ -1,29 +0,0 @@
changelog:
exclude:
labels:
- tests
- chore
- no-changelog
authors:
- dependabot
categories:
- title: New Features 🌈
labels:
- enhancement
- new-audit
- cli
- title: Bug Fixes 🐛
labels:
- bugfix
- false-negative
- false-positive
- title: Performance Improvements 🚄
labels:
- performance
- title: Documentation Improvements 📖
labels:
- documentation
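Review bot: deleting `.github/release.yml` drops not only the category grouping but also the `exclude` rules (the `tests`, `chore` and `no-changelog` labels and the `dependabot` author); if GitHub's auto-generated release notes are still used as the starting point for the entries now hand-maintained in `docs/release-notes.md`, those exclusions have to be applied by hand from now on, so either keep this file for drafting or state the new process in the release documentation. The commit message only says the changelog moved to the website.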


@ -1,85 +0,0 @@
# Limitations
`zizmor` can help you write more secure GitHub workflow and action definitions,
as well as help you find exploitable bugs in existing definitions.
However, like all tools, `zizmor` is **not a panacea**, and has
fundamental limitations that must be kept in mind. This page
documents some of those limitations.
## `zizmor` is a _static_ analysis tool
`zizmor` is a _static_ analysis tool. It never executes any code, nor does it
have access to any runtime state.
In contrast, GitHub Actions workflow and action definitions are highly
dynamic, and can be influenced by inputs that can only be inspected at
runtime.
For example, here is a workflow where a job's matrix is generated
at runtime by a previous job, making the matrix impossible to
analyze statically:
```yaml
build-matrix:
name: Build the matrix
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- id: set-matrix
run: |
echo "matrix=$(python generate_matrix.py)" >> "${GITHUB_OUTPUT}"
run:
name: ${{ matrix.name }}
needs:
- build-matrix
runs-on: ubuntu-latest
strategy:
matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
steps:
- run: |
echo "hello ${{ matrix.something }}"
```
In the above, the expansion of `${{ matrix.something }}` is entirely controlled
by the output of `generate_matrix.py`, which is only known at runtime.
In such cases, `zizmor` will err on the side of verbosity. For example,
the [template-injection](./audits.md#template-injection) audit will flag
`${{ matrix.something }}` as a potential code injection risk, since it
can't infer anything about what `matrix.something` might expand to.
## `zizmor` audits workflow and action _definitions_ only
`zizmor` audits workflow and action _definitions_ only. That means the
contents of `foo.yml` (for your workflow definitions) or `action.yml` (for your
composite action definitions).
In practice, this means that `zizmor` does **not** analyze other files
referenced by workflow and action definitions. For example:
```yaml
example:
runs-on: ubuntu-latest
steps:
- name: step-1
run: |
echo foo=$(bar) >> $GITHUB_ENV
- name: step-2
run: |
# some-script.sh contains the same code as step-1
./some-script.sh
```
`zizmor` can analyze `step-1` above, because the code it executes
is present within the workflow definition itself. It *cannot* analyze
`step-2` beyond the presence of a script execution, since it doesn't
audit shell scripts or any other kind of files.
More generally, `zizmor` cannot analyze files indirectly referenced within
workflow/action definitions, as they may not actually exist until runtime.
For example, `some-script.sh` above may have been generated or downloaded
outside of any repository-tracked state.
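Review bot: removing `docs/limitations.md` breaks any existing deep links to it (for example `limitations.md#zizmor-is-a-static-analysis-tool`); since the same text is re-homed under a `## Limitations` heading in `usage.md` in this commit, add a redirect from the old page to the new section rather than letting the old URL 404.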

docs/release-notes.md (new file, 382 lines changed)

@ -0,0 +1,382 @@
---
description: Abbreviated change notes about each zizmor release.
---
# Release Notes
This page contains _abbreviated_, user-focused release notes for each version
of `zizmor`.
## v1.0.0 (UNRELEASED)
!!! warning
The notes below are for an **unreleased version**.
This is the first stable release of `zizmor`!
Starting with this release, `zizmor` will use [Semantic Versioning] for
its versioning scheme. In short, this means that breaking changes will only
happen with a new major version.
[Semantic Versioning]: https://semver.org/
This stable release comes with a large number of new features as well
as stability commitments for existing features; read more below!
### Added
* Composite actions (i.e. `action.yml` where the action is *not* a Docker
or JavaScript action) are now supported, and are audited by default
when running `zizmor` on a directory or remote repository (#331)
!!! tip
Composite action discovery and auditing can be disabled by passing
`--collect=workflows-only`. Conversely, workflow discovery and auditing
can be disabled by passing `--collect=actions-only`.
See #350 for the status of each audit's support for analyzing
composite actions.
* The GitHub host to connect to can now be configured with `--gh-hostname`
or `GH_HOST` in the environment (#371)
This can be used to connect to a GitHub Enterprise (GHE) instance
instead of the default `github.com` instance.
### Improved
* The [cache-poisoning] audit is now aware of common publishing actions
and uses then to determine whether to produce a finding (#338, #341)
* The [cache-poisoning] audit is now aware of configuration-free caching
actions, such as @Mozilla-Actions/sccache-action (#345)
* The [cache-poisoning] audit is now aware of even more caching actions
(#346)
* The [cache-poisoning] audit is now aware of common publishing triggers
(such as pushing to a release branch) and uses them to determine whether
to produce a finding (#352)
* The [github-env] audit is now significantly more precise on `bash` and `pwsh`
inputs (#354)
### Fixed
* The [excessive-permissions] audit is now less noisy on single-job workflows (#337)
* Expressions like `function().foo.bar` are now parsed correctly (#340)
* The [cache-poisoning] defaults for `setup-go` were fixed (#343)
* `uses:` matching is now case-insensitive where appropriate (#353)
* Quoted YAML keys (like `'on': foo`) are now parsed correctly (#368)
### Removed
## v0.10.0
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.9.2...v0.10.0
### New Features 🌈
* feat: handle powershell in github-env audit by @woodruffw in #227
* feat: template-injection: filter static envs by @woodruffw in #318
* feat: add 'primary' locations by @woodruffw in #328
* feat: initial cache-poisoning audit by @ubiratansoares in #294
* feat: Fix Sarif schema and add rules to Sarif files by @fcasal in #330
### Bug Fixes 🐛
* fix: template-injection: more safe contexts by @woodruffw in #309
* fix: expands_to_static_values considers expressions inside strings by @woodruffw in #317
* fix: sarif: add result and kind by @woodruffw in #68
* fix: sarif: use ResultKind for kind by @woodruffw in #326
### Performance Improvements 🚄
* refactor: use http-cache for caching, optimize network calls by @woodruffw in #304
### Documentation Improvements 📖
* docs: support commits in trophy case by @woodruffw in #303
* docs: Fix typo in development.md by @JustusFluegel in #305
### New Contributors
* @jsoref made their first contribution in #299
* @JustusFluegel made their first contribution in #305
* @fcasal made their first contribution in #330
## v0.9.2
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.9.1...v0.9.2
### Bug Fixes 🐛
* fix: template-injection: consider runner.tool_cache safe by @woodruffw in #297
### Documentation Improvements 📖
* docs: more trophies by @woodruffw in #296
## v0.9.1
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.9.0...v0.9.1
### Bug Fixes 🐛
* fix: dont crash when an expression does not expand a matrix by @ubiratansoares in #284
## v0.9.0
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.8.0...v0.9.0
### New Features 🌈
* refactor: experiment with tracing by @woodruffw in #232
* feat: remove --no-progress by @woodruffw in #248
### Bug Fixes 🐛
* fix: handle non-static env: in job steps by @woodruffw in #246
* fix: template-injection: ignore another safe context by @woodruffw in #254
* fix: download both .yml and .yaml from repos by @woodruffw in #265
* fix: bump annotate-snippets to fix crash by @woodruffw in #264
* fix: move artipacked pendantic finding to auditor by @woodruffw in #272
* fix: template-injection: ignore runner.temp by @woodruffw in #277
### Performance Improvements 🚄
* feat: evaluates a matrix expansion only once by @ubiratansoares in #274
### Documentation Improvements 📖
* docs: document installing with PyPI by @woodruffw in #242
* docs: add a trophy case by @woodruffw in #243
* docs: update pre-commit docs to point to new repo by @woodruffw in #247
* docs: switch GHA example to uvx by @woodruffw in #255
* docs: add template-injection tips by @woodruffw in #259
* docs: audits: add another env hacking reference by @woodruffw in #266
* docs: Rename "unsecure" to insecure by @szepeviktor in #270
* docs: more trophies by @woodruffw in #276
* docs: make the trophy case prettier by @woodruffw in #279
## New Contributors
* @szepeviktor made their first contribution in #270
## v0.8.0
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.7.0...v0.8.0
### New Features 🌈
* feat: remote auditing by @woodruffw in #230
### Bug Fixes 🐛
* fix: template-injection: ignore issue/PR numbers by @woodruffw in #238
### Documentation Improvements 📖
* docs: restore search plugin by @lazka in #239
## New Contributors
* @lazka made their first contribution in #239
## v0.7.0
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.6.0...v0.7.0
### New Features 🌈
* Split unpinned-uses into two separate checks by @funnelfiasco in #205
* feat: even more precision for bash steps in github-env by @ubiratansoares in #208
* feat: add Step::default_shell by @woodruffw in #213
* feat: handle `shell: sh` in github-env by @woodruffw in #216
* feat: primitive Windows batch handling in github-env by @woodruffw in #217
* feat: unpinned-uses: make unhashed check pedantic for now by @woodruffw in #219
* feat: add personas by @woodruffw in #226
### Bug Fixes 🐛
* fix: bump github-actions-models by @woodruffw in #211
### Documentation Improvements 📖
* docs: tweak installation layout by @woodruffw in #223
## v0.6.0
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.5.0...v0.6.0
This is one of `zizmor`'s bigger recent releases! Key enhancements include:
* A new `github-env` audit that detects dangerous `GITHUB_ENV` writes,
courtesy of @ubiratansoares
* The `--min-severity` and `--min-confidence` flags for filtering results,
courtest (in part) of @Ninja3047
* Support for `# zizmor: ignore[rule]` comments, courtesy of @ubiratansoares
### New Features 🌈
* feat: adds support to inlined ignores by @ubiratansoares in #187
* feat: add `--min-severity` by @woodruffw in #193
* feat: add `--min-confidence` by @Ninja3047 in #196
* feat: adds new github-env audit by @ubiratansoares in #192
* feat: improve precision for github-env by @woodruffw in #199
* feat: generalized ignore comments by @woodruffw in #200
### Documentation Improvements 📖
* docs: document ignore comments by @woodruffw in #190
* docs: usage: add note about support for ignore comments by @woodruffw in #191
* docs: add page descriptions by @woodruffw in #194
* docs: add more useful 3p references by @woodruffw in #198
## New Contributors
* @Ninja3047 made their first contribution in #196
## v0.5,0
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.4.0...v0.5.0
### New Features 🌈
* feat: improve workflow registry error by @woodruffw in #172
* feat: unsecure-commands-allowed audit by @ubiratansoares in #176
### Documentation Improvements 📖
* docs: rewrite audit docs by @woodruffw in #167
* docs: enable social card generation by @miketheman in #175
* docs: more badges by @woodruffw in #180
* docs: adds recommentations on how to add or change audits by @ubiratansoares in #182
## New Contributors
* @chenrui333 made their first contribution in #90
## v0.4.0
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.3.2...v0.4.0
### New Features 🌈
* Fix singular and plural for 'findings' by @hugovk in #162
* feat: unpinned-uses audit by @woodruffw in #161
### Bug Fixes 🐛
* Fix typos including `github.repostoryUrl` -> `github.repositoryUrl` by @hugovk in #164
## v0.3,2
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.3.1...v0.3.2
### What's Changed
* fix(cli): remove '0 ignored' from another place by @woodruffw in #157
* perf: speed up impostor-commit's fast path by @woodruffw in #158
* fix(cli): fixup error printing by @woodruffw in #159
## v0.3.1
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.3.0...v0.3.1
### What's Changed
* feat(cli): don't render "0 ignored" by @woodruffw in #148
* feat: --no-exit-codes + sarif tweaks by @woodruffw in #154
### New Contributors
* @baggiponte made their first contribution in #150
## v0.3.0
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.2.1...v0.3.0
### What's Changed
* feat: exit code support by @woodruffw in #133
* fix: github.event.merge_group.base_sha is a safe context by @woodruffw in #137
* fix: exclude information about the repo and owner by @funnelfiasco in #136
* feat: add `--no-config` by @woodruffw in #142
## v0.2.1
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.2.0...v0.2.1
### What's Changed
* refactor: clean up expr APIs slightly by @woodruffw in #126
* feat: Exclude safe values from template injection rule by @funnelfiasco in #128
* fix: bump github-actions-models by @woodruffw in #131
* feat: analyze expressions for safety by @woodruffw in #127
## v0.2.0
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.1.6...v0.2.0
### What's Changed
* chore: add description to `--help` by @woodruffw in #111
* fix: bump github-actions-models by @woodruffw in #112
* feat: improves plain output with audit confidence by @ubiratansoares in #119
* fix: bump github-actions-models by @woodruffw in #120
* docs: improve usage page and options for sarif and code scanning by @tobiastornros in #121
* feat: configuration file support by @woodruffw in #116
### New Contributors
* @dependabot made their first contribution in #118
* @tobiastornros made their first contribution in #121
## v0.1.6
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.1.5...v0.1.6
### What's Changed
* feat: accept multiple arguments as inputs by @miketheman in #104
## v0.1.5
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.1.4...v0.1.5
### What's Changed
* Exclude `github.run_*` from template injection check by @funnelfiasco in #92
* fix(ci): move read permissions to job scope by @miketheman in #95
* fix: links in README.md by @dmwyatt in #96
* test: adds acceptance tests on top of json-formatted output by @ubiratansoares in #97
* docs: add an example GHA workflow by @woodruffw in #98
* docs: update readme by @miketheman in #100
* docs: show example for usage in private repos by @miketheman in #99
### New Contributors
* @funnelfiasco made their first contribution in #92
* @dmwyatt made their first contribution in #96
* @ubiratansoares made their first contribution in #97
## v0.1.4
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.1.3...v0.1.4
### What's Changed
* perf: Enable Link-Time Optimization (LTO) by @zamazan4ik in #81
* feat: begin prepping zizmor's website by @woodruffw in #78
* fix: Always use the plain formatter even when the output is not a terminal by @asmeurer in #83
* feat: show version by @miketheman in #84
* fix: finding url link to audits doc by @amenasria in #87
### New Contributors
* @zamazan4ik made their first contribution in #81
* @asmeurer made their first contribution in #83
* @amenasria made their first contribution in #87
## v0.1.3
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.1.2...v0.1.3
### What's Changed
* fix: use relative workflow paths in SARIF output by @woodruffw in #77
## v0.1.2
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.1.1...v0.1.2
### What's Changed
* feat: github.ref_name is always an injection risk by @woodruffw in #67
* Create workflow that runs zizmor latest by @colindean in #71
* Link to GitHub workflow examples by @ncoghlan in #70
* docs: add homebrew install by @miketheman in #74
* fix: bump github-actions-models by @woodruffw in #75
### New Contributors
* @colindean made their first contribution in #71
* @ncoghlan made their first contribution in #70
## v0.1.1
**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.1.0...v0.1.1
### What's Changed
* Fix typo: security -> securely by @hugovk in #61
* fix: bump github-action-models by @woodruffw in #65
### New Contributors
* @hugovk made their first contribution in #61
<!-- useful shortlinks -->
[excessive-permissions]: ./audits.md#excessive-permissions
[cache-poisoning]: ./audits.md#cache-poisoning
[github-env]: ./audits.md#github-env
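Review bot: two version headings are typed with a comma instead of a dot, `## v0.5,0` and `## v0.3,2`; besides reading wrong, they produce different heading anchors than the `v0.5.0` and `v0.3.2` that the `Full Changelog` links beneath them refer to, so fix both. Smaller points in the same hunk: "uses then to determine whether to produce a finding" should be "uses them", "courtest (in part) of" should be "courtesy", the `New Contributors` heading is `##` in the v0.9.0, v0.8.0, v0.6.0 and v0.5.0 entries but `###` everywhere else, so those four render as top-level sections, and the `### Removed` heading under v1.0.0 is empty and should either list something or be dropped before the release.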


@ -1,8 +1,8 @@
---
description: Usage recipes for running zizmor locally and in CI/CD.
description: Usage tips and recipes for running zizmor locally and in CI/CD.
---
# Usage Recipes
# Usage
## Input collection
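Review bot: the front-matter `description` still describes the page as tips and recipes only, while the H1 is broadened to `# Usage` and the next hunk in this file appends a `## Limitations` section; consider something like `description: Usage tips, recipes, and limitations for running zizmor locally and in CI/CD.` so the page summary matches its new scope.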
@ -477,3 +477,89 @@ specific files, you can use the `files` option:
See [`pre-commit`](https://pre-commit.com/) documentation for more information on how to configure
`pre-commit`.
## Limitations
`zizmor` can help you write more secure GitHub workflow and action definitions,
as well as help you find exploitable bugs in existing definitions.
However, like all tools, `zizmor` is **not a panacea**, and has
fundamental limitations that must be kept in mind. This page
documents some of those limitations.
### `zizmor` is a _static_ analysis tool
`zizmor` is a _static_ analysis tool. It never executes any code, nor does it
have access to any runtime state.
In contrast, GitHub Actions workflow and action definitions are highly
dynamic, and can be influenced by inputs that can only be inspected at
runtime.
For example, here is a workflow where a job's matrix is generated
at runtime by a previous job, making the matrix impossible to
analyze statically:
```yaml
build-matrix:
name: Build the matrix
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- id: set-matrix
run: |
echo "matrix=$(python generate_matrix.py)" >> "${GITHUB_OUTPUT}"
run:
name: ${{ matrix.name }}
needs:
- build-matrix
runs-on: ubuntu-latest
strategy:
matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
steps:
- run: |
echo "hello ${{ matrix.something }}"
```
In the above, the expansion of `${{ matrix.something }}` is entirely controlled
by the output of `generate_matrix.py`, which is only known at runtime.
In such cases, `zizmor` will err on the side of verbosity. For example,
the [template-injection](./audits.md#template-injection) audit will flag
`${{ matrix.something }}` as a potential code injection risk, since it
can't infer anything about what `matrix.something` might expand to.
### `zizmor` audits workflow and action _definitions_ only
`zizmor` audits workflow and action _definitions_ only. That means the
contents of `foo.yml` (for your workflow definitions) or `action.yml` (for your
composite action definitions).
In practice, this means that `zizmor` does **not** analyze other files
referenced by workflow and action definitions. For example:
```yaml
example:
runs-on: ubuntu-latest
steps:
- name: step-1
run: |
echo foo=$(bar) >> $GITHUB_ENV
- name: step-2
run: |
# some-script.sh contains the same code as step-1
./some-script.sh
```
`zizmor` can analyze `step-1` above, because the code it executes
is present within the workflow definition itself. It *cannot* analyze
`step-2` beyond the presence of a script execution, since it doesn't
audit shell scripts or any other kind of files.
More generally, `zizmor` cannot analyze files indirectly referenced within
workflow/action definitions, as they may not actually exist until runtime.
For example, `some-script.sh` above may have been generated or downloaded
outside of any repository-tracked state.
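Review bot: the moved text still says "This page documents some of those limitations" (the last sentence of the `## Limitations` intro), which was accurate for the standalone page but is now one section of the usage page; change it to "This section documents some of those limitations." The rest of the move is consistent: the subheadings were demoted from `##` to `###`, and the `./audits.md#template-injection` link is relative to the same `docs/` directory, so it keeps working from its new home.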


@ -13,9 +13,9 @@ nav:
- "installation.md"
- "quickstart.md"
- "usage.md"
- "release-notes.md"
- "configuration.md"
- "audits.md"
- "limitations.md"
- "development.md"
- "trophy-case.md"
- External links:
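Review bot: the new `release-notes.md` nav entry lands between `usage.md` and `configuration.md`, splitting the how-to sequence (installation, quickstart, usage, configuration) with reference material; placing it after `audits.md`, next to `development.md` and `trophy-case.md`, keeps the how-to pages contiguous. Dropping the `limitations.md` entry is correct, since that file is deleted in this commit.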