test: refactor integration tests (#576)

William Woodruff 2025-02-27 00:14:29 -05:00 committed by GitHub
parent 79e72e012e
commit b7b1889a03
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
152 changed files with 1272 additions and 366 deletions


@ -141,6 +141,9 @@ or, as a shortcut:
```bash
cargo insta test --review
# or, with online tests
GH_TOKEN=$(gh auth token) cargo insta test --review --features online-tests
```
See [insta's documentation] for more details.


@ -1,12 +0,0 @@
use std::env::current_dir;
pub fn workflow_under_test(name: &str) -> String {
let current_dir = current_dir().expect("Cannot figure out current directory");
let file_path = current_dir.join("tests").join("test-data").join(name);
file_path
.to_str()
.expect("Cannot create string reference for file path")
.to_string()
}


@ -1,10 +1,8 @@
use crate::common::workflow_under_test;
use assert_cmd::Command;
use common::workflow_under_test;
use serde_json::Value;
use serde_json_path::JsonPath;
mod common;
// Acceptance tests for zizmor, on top of Json output
// For now we don't cover tests that depends on GitHub API under the hood

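--- /dev/null
+++ b/tests/integration/common.rs
@@ -0,0 +1,112 @@
+use anyhow::{Context as _, Result};
+use std::env::current_dir;
+use assert_cmd::Command;
+pub fn workflow_under_test(name: &str) -> String {
+let current_dir = current_dir().expect("Cannot figure out current directory");
+let file_path = current_dir
+.join("tests")
+.join("integration")
+.join("test-data")
+.join(name);
+if !file_path.exists() {
+panic!("Cannot find workflow under test: {}", file_path.display());
+}
+file_path
+.to_str()
+.expect("Cannot create string reference for file path")
+.to_string()
+}
+pub enum OutputMode {
+Stdout,
+Stderr,
+Both,
+}
+pub struct Zizmor {
+cmd: Command,
+offline: bool,
+inputs: Vec<String>,
+output: OutputMode,
+}
+impl Zizmor {
+/// Create a new zizmor runner.
+pub fn new() -> Self {
+let cmd = Command::cargo_bin("zizmor").unwrap();
+Self {
+cmd,
+offline: true,
+inputs: vec![],
+output: OutputMode::Stdout,
+}
+}
+pub fn args<'a>(mut self, args: impl IntoIterator<Item = &'a str>) -> Self {
+self.cmd.args(args);
+self
+}
+// pub fn setenv(mut self, key: &str, value: &str) -> Self {
+// self.cmd.env(key, value);
+// self
+// }
+pub fn unsetenv(mut self, key: &str) -> Self {
+self.cmd.env_remove(key);
+self
+}
+pub fn input(mut self, input: impl Into<String>) -> Self {
+self.inputs.push(input.into());
+self
+}
+pub fn offline(mut self, flag: bool) -> Self {
+self.offline = flag;
+self
+}
+pub fn output(mut self, output: OutputMode) -> Self {
+self.output = output;
+self
+}
+pub fn run(mut self) -> Result<String> {
+if self.offline {
+self.cmd.arg("--offline");
+} else {
+// If we're running in online mode, we pre-assert the
+// presence of GH_TOKEN to make configuration failures more obvious.
+std::env::var("GH_TOKEN").context("online tests require GH_TOKEN to be set")?;
+}
+for input in &self.inputs {
+self.cmd.arg(input);
+}
+let output = self.cmd.output()?;
+let mut raw = String::from_utf8(match self.output {
+OutputMode::Stdout => output.stdout,
+OutputMode::Stderr => output.stderr,
+OutputMode::Both => [output.stderr, output.stdout].concat(),
+})?;
+for input in &self.inputs {
+raw = raw.replace(input, "@@INPUT@@");
+}
+Ok(raw)
+}
+}
+pub fn zizmor() -> Zizmor {
+Zizmor::new()
+}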
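Review bot: `OutputMode::Both` in `run` now concatenates stderr before stdout (`[output.stderr, output.stdout].concat()`), the reverse of the runner it replaces in snapshot.rs, and nothing in the file says so; since recorded snapshot text depends on this order, the enum deserves doc comments, e.g. `/// Capture both streams; stderr is emitted first, then stdout.` on `Both` plus one-liners on `Stdout` and `Stderr`. The commented-out `setenv` block should either be deleted or restored under `#[allow(dead_code)]` as the old version had it, rather than left as dead text. The masking loop `raw.replace(input, "@@INPUT@@")` is best-effort: for a repository slug with a ref, such as the one used in e2e.rs, the captured output names the repository without the ref, so the literal input survives into the snapshot — a comment stating that the substitution is meant for absolute test-data paths would prevent surprises. The exit status from `self.cmd.output()` is discarded, so a crash of the binary only shows up through whatever text it leaves in the captured stream; that is worth a sentence in a doc comment on `run`.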

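--- /dev/null
+++ b/tests/integration/e2e.rs
@@ -0,0 +1,20 @@
+//! End-to-end snapshot integration tests.
+use anyhow::Result;
+use crate::common::{zizmor, OutputMode};
+#[cfg_attr(not(feature = "gh-token-tests"), ignore)]
+#[test]
+fn gha_hazmat() -> Result<()> {
+// Stability test against with online retrieval but no online audits.
+// Ensures that we consistently collect the same files in the default
+// configuration.
+insta::assert_snapshot!(zizmor()
+.offline(false)
+.output(OutputMode::Both)
+.args(["--no-online-audits"])
+.input("woodruffw/gha-hazmat@42064a9533f401a493c3599e56f144918f8eacfd")
+.run()?);
+Ok(())
+}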
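Review bot: The gate on `gha_hazmat` is `#[cfg_attr(not(feature = "gh-token-tests"), ignore)]`, while the README hunk in this same commit tells contributors to run online tests with `--features online-tests`; unless both features are declared in Cargo.toml (not shown here), one of the two names is stale and the test is either never run or never ignored. Pick one feature name and use it in both places. The comment above the assertion reads `Stability test against with online retrieval`, where `against with` is a typo; `// Stability test with online retrieval but no online audits.` reads correctly. Because `.offline(false)` makes `run` require `GH_TOKEN`, the `ignore` gate is the only thing keeping a plain `cargo test` from failing on that check, so the feature name matters.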


@ -0,0 +1,4 @@
mod acceptance;
mod common;
mod e2e;
mod snapshot;


@ -1,100 +1,7 @@
use anyhow::{Context, Result};
use assert_cmd::Command;
use common::workflow_under_test;
//! Snapshot integration tests.
mod common;
#[allow(dead_code)]
enum OutputMode {
Stdout,
Stderr,
Both,
}
struct Zizmor {
cmd: Command,
offline: bool,
workflow: Option<String>,
output: OutputMode,
}
impl Zizmor {
/// Create a new zizmor runner.
fn new() -> Self {
let cmd = Command::cargo_bin("zizmor").unwrap();
Self {
cmd,
offline: true,
workflow: None,
output: OutputMode::Stdout,
}
}
fn args<'a>(mut self, args: impl IntoIterator<Item = &'a str>) -> Self {
self.cmd.args(args);
self
}
#[allow(dead_code)]
fn setenv(mut self, key: &str, value: &str) -> Self {
self.cmd.env(key, value);
self
}
fn unsetenv(mut self, key: &str) -> Self {
self.cmd.env_remove(key);
self
}
fn workflow(mut self, workflow: impl Into<String>) -> Self {
self.workflow = Some(workflow.into());
self
}
fn offline(mut self, flag: bool) -> Self {
self.offline = flag;
self
}
#[allow(dead_code)]
fn output(mut self, output: OutputMode) -> Self {
self.output = output;
self
}
fn run(mut self) -> Result<String> {
if self.offline {
self.cmd.arg("--offline");
} else {
// If we're running in online mode, we pre-assert the
// presence of GH_TOKEN to make configuration failures more obvious.
std::env::var("GH_TOKEN").context("online tests require GH_TOKEN to be set")?;
}
if let Some(workflow) = &self.workflow {
self.cmd.arg(workflow);
}
let output = self.cmd.output()?;
let mut raw = String::from_utf8(match self.output {
OutputMode::Stdout => output.stdout,
OutputMode::Stderr => output.stderr,
OutputMode::Both => [output.stdout, output.stderr].concat(),
})?;
if let Some(workflow) = &self.workflow {
raw = raw.replace(workflow, "@@INPUT@@");
}
Ok(raw)
}
}
fn zizmor() -> Zizmor {
Zizmor::new()
}
use crate::common::{workflow_under_test, zizmor, OutputMode};
use anyhow::Result;
#[test]
fn test_cant_retrieve() -> Result<()> {
@ -113,7 +20,7 @@ fn test_invalid_inputs() -> Result<()> {
insta::assert_snapshot!(zizmor()
.output(OutputMode::Stderr)
.offline(true)
.workflow(workflow_under_test("invalid/invalid-workflow.yml"))
.input(workflow_under_test("invalid/invalid-workflow.yml"))
.run()?);
Ok(())
@ -122,21 +29,21 @@ fn test_invalid_inputs() -> Result<()> {
#[test]
fn artipacked() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("artipacked.yml"))
.input(workflow_under_test("artipacked.yml"))
.args(["--persona=pedantic"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("artipacked.yml"))
.input(workflow_under_test("artipacked.yml"))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("artipacked.yml"))
.input(workflow_under_test("artipacked.yml"))
.args(["--persona=auditor"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("artipacked/issue-447-repro.yml"))
.input(workflow_under_test("artipacked/issue-447-repro.yml"))
.args(["--persona=auditor"])
.run()?);
@ -146,44 +53,44 @@ fn artipacked() -> Result<()> {
#[test]
fn self_hosted() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("self-hosted.yml"))
.input(workflow_under_test("self-hosted.yml"))
.args(["--persona=auditor"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("self-hosted.yml"))
.input(workflow_under_test("self-hosted.yml"))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"self-hosted/self-hosted-runner-label.yml"
))
.args(["--persona=auditor"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"self-hosted/self-hosted-runner-group.yml"
))
.args(["--persona=auditor"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"self-hosted/self-hosted-matrix-dimension.yml"
))
.args(["--persona=auditor"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"self-hosted/self-hosted-matrix-inclusion.yml"
))
.args(["--persona=auditor"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"self-hosted/self-hosted-matrix-exclusion.yml"
))
.args(["--persona=auditor"])
@ -191,7 +98,7 @@ fn self_hosted() -> Result<()> {
// Fixed regressions
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("self-hosted/issue-283-repro.yml"))
.input(workflow_under_test("self-hosted/issue-283-repro.yml"))
.args(["--persona=auditor"])
.run()?);
@ -201,21 +108,21 @@ fn self_hosted() -> Result<()> {
#[test]
fn unpinned_uses() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("unpinned-uses.yml"))
.input(workflow_under_test("unpinned-uses.yml"))
.args(["--pedantic"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("unpinned-uses.yml"))
.input(workflow_under_test("unpinned-uses.yml"))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("unpinned-uses/action.yml"))
.input(workflow_under_test("unpinned-uses/action.yml"))
.args(["--pedantic"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("unpinned-uses/issue-433-repro.yml"))
.input(workflow_under_test("unpinned-uses/issue-433-repro.yml"))
.args(["--pedantic"])
.run()?);
@ -225,16 +132,16 @@ fn unpinned_uses() -> Result<()> {
#[test]
fn insecure_commands() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("insecure-commands.yml"))
.input(workflow_under_test("insecure-commands.yml"))
.args(["--persona=auditor"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("insecure-commands.yml"))
.input(workflow_under_test("insecure-commands.yml"))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("insecure-commands/action.yml"))
.input(workflow_under_test("insecure-commands/action.yml"))
.args(["--persona=auditor"])
.run()?);
@ -244,45 +151,45 @@ fn insecure_commands() -> Result<()> {
#[test]
fn template_injection() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"template-injection/template-injection-static-matrix.yml"
))
.args(["--persona=auditor"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"template-injection/template-injection-dynamic-matrix.yml"
))
.args(["--persona=auditor"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("template-injection/issue-22-repro.yml"))
.input(workflow_under_test("template-injection/issue-22-repro.yml"))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("template-injection/pr-317-repro.yml"))
.input(workflow_under_test("template-injection/pr-317-repro.yml"))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("template-injection/static-env.yml"))
.input(workflow_under_test("template-injection/static-env.yml"))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"template-injection/issue-339-repro.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"template-injection/issue-418-repro.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"template-injection/pr-425-backstop/action.yml"
))
.run()?);
@ -293,79 +200,79 @@ fn template_injection() -> Result<()> {
#[test]
fn cache_poisoning() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"cache-poisoning/caching-disabled-by-default.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"cache-poisoning/caching-enabled-by-default.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"cache-poisoning/caching-opt-in-boolean-toggle.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"cache-poisoning/caching-opt-in-expression.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"cache-poisoning/caching-opt-in-multi-value-toggle.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("cache-poisoning/caching-opt-out.yml"))
.input(workflow_under_test("cache-poisoning/caching-opt-out.yml"))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"cache-poisoning/no-cache-aware-steps.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"cache-poisoning/workflow-tag-trigger.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"cache-poisoning/caching-opt-in-boolish-toggle.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("cache-poisoning/publisher-step.yml"))
.input(workflow_under_test("cache-poisoning/publisher-step.yml"))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("cache-poisoning/issue-343-repro.yml"))
.input(workflow_under_test("cache-poisoning/issue-343-repro.yml"))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"cache-poisoning/caching-not-configurable.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"cache-poisoning/workflow-release-branch-trigger.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("cache-poisoning/issue-378-repro.yml"))
.input(workflow_under_test("cache-poisoning/issue-378-repro.yml"))
.run()?);
Ok(())
@ -374,75 +281,75 @@ fn cache_poisoning() -> Result<()> {
#[test]
fn excessive_permissions() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"excessive-permissions/issue-336-repro.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"excessive-permissions/issue-336-repro.yml"
))
.args(["--pedantic"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"excessive-permissions/workflow-default-perms.yml"
))
.args(["--pedantic"])
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"excessive-permissions/workflow-read-all.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"excessive-permissions/workflow-write-all.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"excessive-permissions/workflow-empty-perms.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"excessive-permissions/jobs-broaden-permissions.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"excessive-permissions/workflow-write-explicit.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"excessive-permissions/workflow-default-perms-all-jobs-explicit.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"excessive-permissions/issue-472-repro.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"excessive-permissions/reusable-workflow-call.yml"
))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test(
.input(workflow_under_test(
"excessive-permissions/reusable-workflow-other-triggers.yml"
))
.run()?);
@ -453,15 +360,15 @@ fn excessive_permissions() -> Result<()> {
#[test]
fn github_env() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("github-env/action.yml"))
.input(workflow_under_test("github-env/action.yml"))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("github-env/github-path.yml"))
.input(workflow_under_test("github-env/github-path.yml"))
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("github-env/issue-397-repro.yml"))
.input(workflow_under_test("github-env/issue-397-repro.yml"))
.run()?);
Ok(())
@ -470,7 +377,7 @@ fn github_env() -> Result<()> {
#[test]
fn secrets_inherit() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("secrets-inherit.yml"))
.input(workflow_under_test("secrets-inherit.yml"))
.run()?);
Ok(())
@ -479,7 +386,7 @@ fn secrets_inherit() -> Result<()> {
#[test]
fn bot_conditions() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("bot-conditions.yml"))
.input(workflow_under_test("bot-conditions.yml"))
.run()?);
Ok(())
@ -488,7 +395,7 @@ fn bot_conditions() -> Result<()> {
#[test]
fn overprovisioned_secrets() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("overprovisioned-secrets.yml"))
.input(workflow_under_test("overprovisioned-secrets.yml"))
.run()?);
Ok(())
@ -498,12 +405,12 @@ fn overprovisioned_secrets() -> Result<()> {
#[test]
fn ref_confusion() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("ref-confusion.yml"))
.input(workflow_under_test("ref-confusion.yml"))
.offline(false)
.run()?);
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("ref-confusion/issue-518-repro.yml"))
.input(workflow_under_test("ref-confusion/issue-518-repro.yml"))
.offline(false)
.run()?);
@ -513,7 +420,7 @@ fn ref_confusion() -> Result<()> {
#[test]
fn unredacted_secrets() -> Result<()> {
insta::assert_snapshot!(zizmor()
.workflow(workflow_under_test("unredacted-secrets.yml"))
.input(workflow_under_test("unredacted-secrets.yml"))
.run()?);
Ok(())
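Review bot: `ref_confusion` (the hunk at `@ -498,12 +405,12`) calls `.offline(false)` on both runs, which makes `run` require `GH_TOKEN` and fail outright in an offline checkout, yet unlike `gha_hazmat` in e2e.rs it carries no `#[cfg_attr(not(feature = ...), ignore)]` gate in the visible lines. If no such attribute sits on the line just above the hunk, add the same gate e2e.rs uses so both online tests are opted into through one feature. The enclosing functions in every hunk of this file start or end outside the shown context; the rest of the section is the mechanical `.workflow` → `.input` rename and needs nothing further.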


@ -0,0 +1,870 @@
---
source: tests/integration/e2e.rs
expression: "zizmor().offline(false).output(OutputMode::Both).args([\"--no-online-audits\"]).input(\"woodruffw/gha-hazmat@42064a9533f401a493c3599e56f144918f8eacfd\").run()?"
snapshot_kind: text
---
INFO collect_inputs: zizmor: collected 20 inputs from woodruffw/gha-hazmat
INFO zizmor: skipping impostor-commit: offline audits only requested
INFO zizmor: skipping ref-confusion: offline audits only requested
INFO zizmor: skipping known-vulnerable-actions: offline audits only requested
INFO audit: zizmor: 🌈 completed .github/workflows/artipacked.yml
INFO audit: zizmor: 🌈 completed .github/workflows/bot-conditions.yml
INFO audit: zizmor: 🌈 completed .github/workflows/cache-poisoning.yml
INFO audit: zizmor: 🌈 completed .github/workflows/excessive-permissions.yml
INFO audit: zizmor: 🌈 completed .github/workflows/github-env.yml
INFO audit: zizmor: 🌈 completed .github/workflows/hardcoded-credentials.yml
INFO audit: zizmor: 🌈 completed .github/workflows/impostor-commit.yml
INFO audit: zizmor: 🌈 completed .github/workflows/insecure-commands.yml
INFO audit: zizmor: 🌈 completed .github/workflows/known-vulnerable-actions.yml
INFO audit: zizmor: 🌈 completed .github/workflows/overprovisioned-secrets.yml
INFO audit: zizmor: 🌈 completed .github/workflows/pull-request-target.yml
INFO audit: zizmor: 🌈 completed .github/workflows/pypi-manual-credential.yml
INFO audit: zizmor: 🌈 completed .github/workflows/ref-confusion.yml
INFO audit: zizmor: 🌈 completed .github/workflows/secrets-inherit.yml
INFO audit: zizmor: 🌈 completed .github/workflows/self-hosted.yml
WARN audit:audit{input=Workflow(https://github.com/woodruffw/gha-hazmat/blob/42064a9533f401a493c3599e56f144918f8eacfd/.github/workflows/template-injection.yml)}: zizmor::audit::overprovisioned_secrets: couldn't parse expression: ...
WARN audit:audit{input=Workflow(https://github.com/woodruffw/gha-hazmat/blob/42064a9533f401a493c3599e56f144918f8eacfd/.github/workflows/template-injection.yml)}: zizmor::audit::unredacted_secrets: couldn't parse expression: ...
INFO audit: zizmor: 🌈 completed .github/workflows/template-injection.yml
INFO audit: zizmor: 🌈 completed .github/workflows/unpinned.yml
INFO audit: zizmor: 🌈 completed .github/workflows/unredacted-secrets.yml
INFO audit: zizmor: 🌈 completed .github/workflows/workflow-run.yml
INFO audit: zizmor: 🌈 completed ref-confusion/action.yml
error[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/artipacked.yml:34:9
|
34 | - name: Checkout
| _________^
35 | | uses: actions/checkout@v4
36 | |
37 | | # NOT OK: upload-artifact archives entire repo, including persisted creds
| |_______________________________________________________________________________^ does not set persist-credentials: false
38 | - name: Upload artifact
| _________^
39 | | uses: actions/upload-artifact@v4
... |
46 | | # minimized from firebase-js-sdk:
47 | | # https://github.com/firebase/firebase-js-sdk/blob/4f157b486833/.github/workflows/test-all.yml
| |________________________________________________________________________________________________^ may leak the credentials persisted above
|
= note: audit confidence → High
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/artipacked.yml:52:9
|
52 | - uses: actions/checkout@v3
| _________-
53 | |
54 | | # NOT OK: archives the entire repo, including persisted creds
| |___________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
error[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/artipacked.yml:77:9
|
77 | - name: Checkout
| _________^
78 | | uses: actions/checkout@v4
79 | |
80 | | # NOT OK: archives and uploads entire workspace
| |_____________________________________________________^ does not set persist-credentials: false
81 | - uses: actions/upload-artifact@v4
| _________^
82 | | if: failure()
83 | | with:
84 | | name: workspace
85 | | path: ${{ github.workspace }}
| |________________________________________^ may leak the credentials persisted above
|
= note: audit confidence → High
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/artipacked.yml:1:1
|
1 | / # artipacked.yml
2 | | #
... |
84 | | name: workspace
85 | | path: ${{ github.workspace }}
| |________________________________________- default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/artipacked.yml:30:3
|
30 | / vulnerable-1:
31 | | runs-on: ubuntu-latest
... |
46 | | # minimized from firebase-js-sdk:
47 | | # https://github.com/firebase/firebase-js-sdk/blob/4f157b486833/.github/workflows/test-all.yml
| | -
| |________________________________________________________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/artipacked.yml:48:3
|
48 | / vulnerable-2:
49 | | runs-on: ubuntu-latest
... |
71 | | # minimized from quay/clair:
72 | | # https://github.com/quay/clair/blob/1d338051f374/.github/workflows/tests.yml
| | -
| |_______________________________________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/artipacked.yml:73:3
|
73 | / vulnerable-3:
74 | | runs-on: ubuntu-latest
... |
84 | | name: workspace
85 | | path: ${{ github.workspace }}
| | -
| |________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> .github/workflows/bot-conditions.yml:11:1
|
11 | on: pull_request_target
| ^^^^^^^^^^^^^^^^^^^^^^^ pull_request_target is almost always used insecurely
|
= note: audit confidence → Medium
error[bot-conditions]: spoofable bot actor check
--> .github/workflows/bot-conditions.yml:18:5
|
18 | if: github.actor == 'dependabot[bot]'
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
|
= note: audit confidence → High
error[bot-conditions]: spoofable bot actor check
--> .github/workflows/bot-conditions.yml:22:9
|
22 | if: ${{ github.actor == 'dependabot[bot]' }}
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
|
= note: audit confidence → High
error[bot-conditions]: spoofable bot actor check
--> .github/workflows/bot-conditions.yml:26:9
|
26 | if: ${{ github.actor == 'dependabot[bot]' && github.repository == 'example/example' }}
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
|
= note: audit confidence → Medium
error[bot-conditions]: spoofable bot actor check
--> .github/workflows/bot-conditions.yml:30:9
|
30 | if: github.actor == 'renovate[bot]'
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
|
= note: audit confidence → High
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/cache-poisoning.yml:1:1
|
1 | / # cache-poisoning.yml
2 | | #
... |
57 | | - name: Publish on crates.io
58 | | run: cargo publish --token ${{ secrets.CRATESIO_PUBLISH_TOKEN }}
| |_________________________________________________________________________- default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/cache-poisoning.yml:25:3
|
25 | / vulnerable-1:
26 | | runs-on: ubuntu-latest
... |
41 | | - name: Publish to Maven Central
42 | | run: ./gradlew publishToMavenCentral --no-configuration-cache
| | -
| |_____________________________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/cache-poisoning.yml:44:3
|
44 | / vulnerable-2:
45 | | runs-on: ubuntu-latest
... |
57 | | - name: Publish on crates.io
58 | | run: cargo publish --token ${{ secrets.CRATESIO_PUBLISH_TOKEN }}
| | -
| |_________________________________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/cache-poisoning.yml:22:1
|
22 | on: release
| ^^^^^^^^^^^ generally used when publishing artifacts generated at runtime
23 |
...
35 | uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b
36 | / with:
37 | | distribution: "zulu"
38 | | cache: "gradle"
39 | | java-version: "17"
| |____________________________^ opt-in for caching here
|
= note: audit confidence → Low
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/cache-poisoning.yml:22:1
|
22 | on: release
| ^^^^^^^^^^^ generally used when publishing artifacts generated at runtime
23 |
...
54 | - name: Setup CI caching
55 | uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
error[excessive-permissions]: overly broad permissions
--> .github/workflows/excessive-permissions.yml:19:3
|
19 | id-token: write
| ^^^^^^^^^^^^^^^ id-token: write is overly broad at the workflow level
|
= note: audit confidence → High
error[excessive-permissions]: overly broad permissions
--> .github/workflows/excessive-permissions.yml:21:3
|
21 | contents: write
| ^^^^^^^^^^^^^^^ contents: write is overly broad at the workflow level
|
= note: audit confidence → High
error[excessive-permissions]: overly broad permissions
--> .github/workflows/excessive-permissions.yml:29:3
|
29 | / perms-2:
30 | | runs-on: ubuntu-latest
31 | | # NOT OK: extremely broad job-level permissions
32 | | permissions: write-all
| | ^^^^^^^^^^^^^^^^^^^^^^ uses write-all permissions
33 | | steps:
34 | | - run: "echo hello"
| |_________________________^ this job
|
= note: audit confidence → High
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/github-env.yml:24:3
|
24 | / vulnerable:
25 | | runs-on: ubuntu-latest
... |
33 | | env:
34 | | TITLE: ${{ github.event.pull_request.title }}
| | -
| |________________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> .github/workflows/github-env.yml:19:1
|
19 | / on:
20 | | # NOT OK: pull_request_target enables this attack
21 | | pull_request_target:
| |______________________^ pull_request_target is almost always used insecurely
|
= note: audit confidence → Medium
error[github-env]: dangerous use of environment file
--> .github/workflows/github-env.yml:30:9
|
30 | - run: |
| _________^
31 | | message=$(echo "$TITLE" | grep -oP '[{\[][^}\]]+[}\]]' | sed 's/{\|}\|\[\|\]//g')
32 | | echo "message=$message" >> $GITHUB_ENV
| |________________________________________________^ write to GITHUB_ENV may allow code execution
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/hardcoded-credentials.yml:23:3
|
23 | / test:
24 | | runs-on: ubuntu-latest
... |
44 | | steps:
45 | | - run: echo 'vulnerable!'
| | -
| |________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
error[hardcoded-container-credentials]: hardcoded credential in GitHub Actions container configurations
--> .github/workflows/hardcoded-credentials.yml:27:7
|
27 | / credentials:
28 | | username: user
29 | | # NOT OK: hardcoded credential
30 | | password: hackme
| |________________________^ container registry password is hard-coded
|
= note: audit confidence → High
error[hardcoded-container-credentials]: hardcoded credential in GitHub Actions container configurations
--> .github/workflows/hardcoded-credentials.yml:34:9
|
34 | / credentials:
35 | | username: user
36 | | # NOT OK: hardcoded credential
37 | | password: hackme
| |__________________________^ service service-1: container registry password is hard-coded
|
= note: audit confidence → High
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/impostor-commit.yml:22:2
|
22 | / commit:
23 | | runs-on: ubuntu-latest
... |
30 | | run: |
31 | | echo 'hello world!'
| | -
| |_____________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/insecure-commands.yml:10:3
|
10 | / some-dangerous-job:
11 | | runs-on: ubuntu-latest
... |
18 | | # NOT OK
19 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: yes
| | -
| |_______________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
error[insecure-commands]: execution of insecure workflow commands is enabled
--> .github/workflows/insecure-commands.yml:5:1
|
5 | / env:
6 | | # NOT OK
7 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: yes
| |______________________________________^ insecure commands enabled here
|
= note: audit confidence → High
error[insecure-commands]: execution of insecure workflow commands is enabled
--> .github/workflows/insecure-commands.yml:12:5
|
12 | / env:
13 | | # NOT OK
14 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: yes
| |__________________________________________^ insecure commands enabled here
|
= note: audit confidence → High
error[insecure-commands]: execution of insecure workflow commands is enabled
--> .github/workflows/insecure-commands.yml:17:9
|
17 | / env:
18 | | # NOT OK
19 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: yes
| |_______________________________________________^ insecure commands enabled here
|
= note: audit confidence → High
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/known-vulnerable-actions.yml:14:3
|
14 | / vulnerable:
15 | | runs-on: ubuntu-latest
... |
27 | | # NOT OK: GHSA-6q4m-7476-932w
28 | | - uses: rlespinasse/github-slug-action@4.0.1
| | -
| |___________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[overprovisioned-secrets]: excessively provisioned secrets
--> .github/workflows/overprovisioned-secrets.yml:21:18
|
21 | stuff: ${{ format('{0}', toJSON(secrets)) }}
| ------------------------------------- injects the entire secrets context into the runner
|
= note: audit confidence → High
warning[overprovisioned-secrets]: excessively provisioned secrets
--> .github/workflows/overprovisioned-secrets.yml:31:25
|
31 | secrets_json: ${{ toJSON(secrets) }}
| ---------------------- injects the entire secrets context into the runner
|
= note: audit confidence → High
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/pull-request-target.yml:25:3
|
25 | / vulnerable:
26 | | runs-on: ubuntu-latest
... |
39 | | npm install
40 | | npm build
| | -
| |____________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> .github/workflows/pull-request-target.yml:20:1
|
20 | / on:
21 | | # NOT OK: pull_request_target should almost never be used
22 | | pull_request_target:
| |______________________^ pull_request_target is almost always used insecurely
|
= note: audit confidence → Medium
info[use-trusted-publishing]: prefer trusted publishing for authentication
--> .github/workflows/pypi-manual-credential.yml:27:9
|
27 | uses: pypa/gh-action-pypi-publish@release/v1
| -------------------------------------------- info: this step
28 | with:
29 | password: ${{ secrets.PYPI_TOKEN }}
| ----------------------------------- info: uses a manually-configured credential instead of Trusted Publishing
|
= note: audit confidence → High
info[use-trusted-publishing]: prefer trusted publishing for authentication
--> .github/workflows/pypi-manual-credential.yml:58:9
|
58 | uses: pypa/gh-action-pypi-publish@release/v1
| -------------------------------------------- info: this step
59 | with:
60 | repository-url: https://upload.pypi.org/legacy/
61 | password: ${{ secrets.PYPI_TOKEN }}
| ----------------------------------- info: uses a manually-configured credential instead of Trusted Publishing
|
= note: audit confidence → High
info[use-trusted-publishing]: prefer trusted publishing for authentication
--> .github/workflows/pypi-manual-credential.yml:66:9
|
66 | uses: pypa/gh-action-pypi-publish@release/v1
| -------------------------------------------- info: this step
67 | with:
68 | repository-url: https://test.pypi.org/legacy/
69 | password: ${{ secrets.TEST_PYPI_TOKEN }}
| ---------------------------------------- info: uses a manually-configured credential instead of Trusted Publishing
|
= note: audit confidence → High
info[use-trusted-publishing]: prefer trusted publishing for authentication
--> .github/workflows/pypi-manual-credential.yml:73:9
|
73 | uses: pypa/gh-action-pypi-publish@release/v1
| -------------------------------------------- info: this step
74 | with:
75 | repository_url: https://upload.pypi.org/legacy/
76 | password: ${{ secrets.PYPI_TOKEN }}
| ----------------------------------- info: uses a manually-configured credential instead of Trusted Publishing
|
= note: audit confidence → High
info[use-trusted-publishing]: prefer trusted publishing for authentication
--> .github/workflows/pypi-manual-credential.yml:81:9
|
81 | uses: pypa/gh-action-pypi-publish@release/v1
| -------------------------------------------- info: this step
82 | with:
83 | repository_url: https://test.pypi.org/legacy/
84 | password: ${{ secrets.TEST_PYPI_TOKEN }}
| ---------------------------------------- info: uses a manually-configured credential instead of Trusted Publishing
|
= note: audit confidence → High
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/ref-confusion.yml:20:3
|
20 | / commit:
21 | | runs-on: ubuntu-latest
22 | | steps:
23 | | # NOT OK: `confusable` is both a tag and a branch
24 | | - uses: woodruffw/gha-hazmat/ref-confusion@confusable
| | -
| |____________________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/secrets-inherit.yml:1:1
|
1 | / # secrets-inherit.yml
2 | | #
... |
32 | | # OK: no secrets forwarded
33 | | secrets: {}
| |________________- default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/secrets-inherit.yml:15:3
|
15 | / call-workflow-vulnerable-1:
16 | | uses: octo-org/example-repo/.github/workflows/called-workflow.yml@main
17 | | # NOT OK: unconditionally inherits
18 | | secrets: inherit
| | -
| |____________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/secrets-inherit.yml:20:3
|
20 | / call-workflow-not-vulnerable-2:
21 | | uses: octo-org/example-repo/.github/workflows/called-workflow.yml@main
22 | | # OK: explicitly forwards intended secrets
23 | | secrets:
24 | | special-secret: ${{ secrets.special-secret }}
| | -
| |___________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/secrets-inherit.yml:26:3
|
26 | / call-workflow-not-vulnerable-3:
27 | | uses: octo-org/example-repo/.github/workflows/called-workflow.yml@main
28 | | # OK: no secrets forwarded
| | -
| |______________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/secrets-inherit.yml:30:3
|
30 | / call-workflow-not-vulnerable-4:
31 | | uses: octo-org/example-repo/.github/workflows/called-workflow.yml@main
32 | | # OK: no secrets forwarded
33 | | secrets: {}
| | -
| |________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> .github/workflows/secrets-inherit.yml:16:5
|
16 | uses: octo-org/example-repo/.github/workflows/called-workflow.yml@main
| ---------------------------------------------------------------------- this reusable workflow
17 | # NOT OK: unconditionally inherits
18 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/self-hosted.yml:22:3
|
22 | / vulnerable:
23 | | # NOT OK: self-hosted runners are difficult to secure in public repos
... |
27 | | - run: |
28 | | echo "hello from a self-hosted runner"
| | -
| |_________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/template-injection.yml:1:1
|
1 | / # template-injection.yml
2 | | #
... |
127 | | run: |
128 | | ${{ some.context == 'success' }}
| |___________________________________________- default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/template-injection.yml:36:3
|
36 | / vulnerable-1:
37 | | runs-on: ubuntu-latest
... |
94 | | run: |
95 | | echo "doing a thing: ${{ github.workspace }}"
| | -
| |_______________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/template-injection.yml:97:3
|
97 | / vulnerable-2:
98 | | runs-on: ubuntu-latest
... |
106 | | run: |
107 | | echo "doing a thing: ${{ matrix.unknown-key }}"
| | -
| |_________________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/template-injection.yml:110:3
|
110 | / vulnerable-3:
111 | | runs-on: ubuntu-latest
... |
118 | | script: |
119 | | return "doing a thing: ${{ github.event.issue.title }}"
| | -
| |___________________________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/template-injection.yml:121:3
|
121 | / not-vulnerable-4:
122 | | runs-on: ubuntu-latest
... |
127 | | run: |
128 | | ${{ some.context == 'success' }}
| | -
| |___________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
error[template-injection]: code injection via template expansion
--> .github/workflows/template-injection.yml:45:9
|
45 | - name: vulnerable-1
| ^^^^^^^^^^^^^^^^^^ this step
46 | # NOT OK: attacker controlled issue title
47 | / run: |
48 | | echo "issue created: ${{ github.event.issue.title }}"
| |_______________________________________________________________^ github.event.issue.title may expand into attacker-controllable code
|
= note: audit confidence → High
error[template-injection]: code injection via template expansion
--> .github/workflows/template-injection.yml:50:9
|
50 | - name: vulnerable-2
| ^^^^^^^^^^^^^^^^^^ this step
51 | # NOT OK: attacker controlled workflow_dispatch input
52 | / run: |
53 | | echo "doing a thing: ${{ inputs.hackme }}"
| |____________________________________________________^ inputs.hackme may expand into attacker-controllable code
|
= note: audit confidence → Low
error[template-injection]: code injection via template expansion
--> .github/workflows/template-injection.yml:60:9
|
60 | - name: vulnerable-4
| ^^^^^^^^^^^^^^^^^^ this step
61 | # NOT OK: `workflow_call` inputs may or may not be trusted
62 | / run: |
63 | | echo "doing a thing: ${{ inputs.hackme-call }}"
| |_________________________________________________________^ inputs.hackme-call may expand into attacker-controllable code
|
= note: audit confidence → Low
warning[template-injection]: code injection via template expansion
--> .github/workflows/template-injection.yml:82:9
|
82 | - name: vulnerable-8
| ------------------ this step
83 | # NOT OK: matrix.dynamic is dynamic
84 | / run: |
85 | | echo "doing a thing: ${{ matrix.dynamic }}"
| |_____________________________________________________- matrix.dynamic may expand into attacker-controllable code
|
= note: audit confidence → Medium
warning[template-injection]: code injection via template expansion
--> .github/workflows/template-injection.yml:104:9
|
104 | - name: vulnerable-11
| ------------------- this step
105 | # NOT OK: entire matrix is dynamic
106 | / run: |
107 | | echo "doing a thing: ${{ matrix.unknown-key }}"
| |_________________________________________________________- matrix.unknown-key may expand into attacker-controllable code
|
= note: audit confidence → Medium
error[template-injection]: code injection via template expansion
--> .github/workflows/template-injection.yml:114:9
|
114 | - name: vulnerable-12
| ^^^^^^^^^^^^^^^^^^^ this step
115 | uses: actions/github-script@v7
116 | with:
117 | # NOT OK: attacker-controlled issue title
118 | / script: |
119 | | return "doing a thing: ${{ github.event.issue.title }}"
| |___________________________________________________________________^ github.event.issue.title may expand into attacker-controllable code
|
= note: audit confidence → High
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/unpinned.yml:16:3
|
16 | / unpinned-0:
17 | | runs-on: ubuntu-latest
... |
37 | | args: hello!
38 | |
| |_-- this job
| |
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[unpinned-uses]: unpinned action reference
--> .github/workflows/unpinned.yml:20:9
|
20 | - uses: actions/checkout
| ---------------------- action is not pinned to a tag, branch, or hash ref
|
= note: audit confidence → High
warning[unpinned-uses]: unpinned action reference
--> .github/workflows/unpinned.yml:25:9
|
25 | - uses: github/codeql-action/upload-sarif
| --------------------------------------- action is not pinned to a tag, branch, or hash ref
|
= note: audit confidence → High
warning[unpinned-uses]: unpinned action reference
--> .github/workflows/unpinned.yml:28:9
|
28 | - uses: docker://ubuntu
| --------------------- action is not pinned to a tag, branch, or hash ref
|
= note: audit confidence → High
warning[unpinned-uses]: unpinned action reference
--> .github/workflows/unpinned.yml:34:9
|
34 | - uses: docker://ghcr.io/pypa/gh-action-pypi-publish
| -------------------------------------------------- action is not pinned to a tag, branch, or hash ref
|
= note: audit confidence → High
warning[unredacted-secrets]: leaked secret values
--> .github/workflows/unredacted-secrets.yml:20:18
|
20 | stuff: ${{ fromJSON(secrets.password) }}
| --------------------------------- bypasses secret redaction
|
= note: audit confidence → High
warning[unredacted-secrets]: leaked secret values
--> .github/workflows/unredacted-secrets.yml:23:23
|
23 | otherstuff: ${{ fromJson(secrets.otherstuff).field }}
| ----------------------------------------- bypasses secret redaction
|
= note: audit confidence → High
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/workflow-run.yml:23:3
|
23 | / vulnerable:
24 | | runs-on: ubuntu-latest
... |
29 | | env:
30 | | GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
| | -
| |________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> .github/workflows/workflow-run.yml:17:1
|
17 | / on:
18 | | # NOT OK: allows trivial third-party access to the upstream's context
19 | | workflow_run:
20 | | workflows: ["CI"]
| |_____________________^ workflow_run is almost always used insecurely
|
= note: audit confidence → Medium
105 findings (36 suppressed): 0 unknown, 5 informational, 0 low, 39 medium, 25 high


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"artipacked.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"artipacked.yml\")).run()?"
snapshot_kind: text
---
warning[artipacked]: credential persistence through GitHub Actions artifacts


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"artipacked.yml\")).args([\"--persona=auditor\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"artipacked.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
warning[artipacked]: credential persistence through GitHub Actions artifacts


@ -1,6 +1,7 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"artipacked/issue-447-repro.yml\")).args([\"--persona=auditor\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"artipacked/issue-447-repro.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> @@INPUT@@:19:9


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"artipacked.yml\")).args([\"--persona=pedantic\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"artipacked.yml\")).args([\"--persona=pedantic\"]).run()?"
snapshot_kind: text
---
warning[artipacked]: credential persistence through GitHub Actions artifacts


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"bot-conditions.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"bot-conditions.yml\")).run()?"
snapshot_kind: text
---
error[dangerous-triggers]: use of fundamentally insecure workflow trigger


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/publisher-step.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/publisher-step.yml\")).run()?"
snapshot_kind: text
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/issue-343-repro.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/issue-343-repro.yml\")).run()?"
snapshot_kind: text
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-not-configurable.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-not-configurable.yml\")).run()?"
snapshot_kind: text
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/workflow-release-branch-trigger.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/workflow-release-branch-trigger.yml\")).run()?"
snapshot_kind: text
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/issue-378-repro.yml\")).run()?"
snapshot_kind: text
---
No findings to report. Good job!


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-enabled-by-default.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-enabled-by-default.yml\")).run()?"
snapshot_kind: text
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-opt-in-boolean-toggle.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-opt-in-boolean-toggle.yml\")).run()?"
snapshot_kind: text
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-opt-in-expression.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-opt-in-expression.yml\")).run()?"
snapshot_kind: text
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-opt-in-multi-value-toggle.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-opt-in-multi-value-toggle.yml\")).run()?"
snapshot_kind: text
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-opt-out.yml\")).run()?"
snapshot_kind: text
---
No findings to report. Good job!


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/no-cache-aware-steps.yml\")).run()?"
snapshot_kind: text
---
No findings to report. Good job!


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/workflow-tag-trigger.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/workflow-tag-trigger.yml\")).run()?"
snapshot_kind: text
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-opt-in-boolish-toggle.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-opt-in-boolish-toggle.yml\")).run()?"
snapshot_kind: text
---
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-disabled-by-default.yml\")).run()?"
snapshot_kind: text
---
No findings to report. Good job!


@ -0,0 +1,7 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().output(OutputMode::Stderr).offline(true).unsetenv(\"GH_TOKEN\").args([\"pypa/sampleproject\"]).run()?"
snapshot_kind: text
---
error: can't retrieve repository: pypa/sampleproject
= note: try removing --offline or passing --gh-token <TOKEN>
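Review bot: The pinned hint `= note: try removing --offline or passing --gh-token <TOKEN>` steers users toward placing a token on the command line, where it ends up in shell history and is visible to other local users through the process list. Since this test's expression does `unsetenv("GH_TOKEN")`, zizmor evidently also reads the token from the environment, and the hint should name that path first, e.g. `= note: try removing --offline, or set GH_TOKEN (preferred) / pass --gh-token <TOKEN>`. That is a change to zizmor's error text rather than to this snapshot, so the snapshot would need re-recording afterwards. The pinned `error: can't retrieve repository` line does confirm that offline mode without a token fails closed instead of silently scanning nothing, which is the right behavior to lock in.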


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/issue-472-repro.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"excessive-permissions/issue-472-repro.yml\")).run()?"
snapshot_kind: text
---
warning[excessive-permissions]: overly broad permissions


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/reusable-workflow-call.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"excessive-permissions/reusable-workflow-call.yml\")).run()?"
snapshot_kind: text
---
warning[excessive-permissions]: overly broad permissions


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/reusable-workflow-other-triggers.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"excessive-permissions/reusable-workflow-other-triggers.yml\")).run()?"
snapshot_kind: text
---
warning[excessive-permissions]: overly broad permissions


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/issue-336-repro.yml\")).args([\"--pedantic\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"excessive-permissions/issue-336-repro.yml\")).args([\"--pedantic\"]).run()?"
snapshot_kind: text
---
error[excessive-permissions]: overly broad permissions


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/workflow-default-perms.yml\")).args([\"--pedantic\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"excessive-permissions/workflow-default-perms.yml\")).args([\"--pedantic\"]).run()?"
snapshot_kind: text
---
warning[excessive-permissions]: overly broad permissions


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/workflow-read-all.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"excessive-permissions/workflow-read-all.yml\")).run()?"
snapshot_kind: text
---
warning[excessive-permissions]: overly broad permissions


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/workflow-write-all.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"excessive-permissions/workflow-write-all.yml\")).run()?"
snapshot_kind: text
---
error[excessive-permissions]: overly broad permissions


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"excessive-permissions/workflow-empty-perms.yml\")).run()?"
snapshot_kind: text
---
No findings to report. Good job!


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/jobs-broaden-permissions.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"excessive-permissions/jobs-broaden-permissions.yml\")).run()?"
snapshot_kind: text
---
warning[excessive-permissions]: overly broad permissions


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/workflow-write-explicit.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"excessive-permissions/workflow-write-explicit.yml\")).run()?"
snapshot_kind: text
---
error[excessive-permissions]: overly broad permissions


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"excessive-permissions/workflow-default-perms-all-jobs-explicit.yml\")).run()?"
snapshot_kind: text
---
No findings to report. Good job! (1 suppressed)


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"excessive-permissions/issue-336-repro.yml\")).run()?"
snapshot_kind: text
---
No findings to report. Good job! (1 suppressed)


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"github-env/github-path.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"github-env/github-path.yml\")).run()?"
snapshot_kind: text
---
error[github-env]: dangerous use of environment file


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"github-env/issue-397-repro.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"github-env/issue-397-repro.yml\")).run()?"
snapshot_kind: text
---
error[github-env]: dangerous use of environment file


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"github-env/action.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"github-env/action.yml\")).run()?"
snapshot_kind: text
---
error[github-env]: dangerous use of environment file


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"insecure-commands.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"insecure-commands.yml\")).run()?"
snapshot_kind: text
---
error[insecure-commands]: execution of insecure workflow commands is enabled


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"insecure-commands/action.yml\")).args([\"--persona=auditor\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"insecure-commands/action.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
error[insecure-commands]: execution of insecure workflow commands is enabled


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"insecure-commands.yml\")).args([\"--persona=auditor\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"insecure-commands.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
error[insecure-commands]: execution of insecure workflow commands is enabled


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().output(OutputMode::Stderr).offline(true).workflow(workflow_under_test(\"invalid/invalid-workflow.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().output(OutputMode::Stderr).offline(true).input(workflow_under_test(\"invalid/invalid-workflow.yml\")).run()?"
snapshot_kind: text
---
failed to register input: @@INPUT@@


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"overprovisioned-secrets.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"overprovisioned-secrets.yml\")).run()?"
snapshot_kind: text
---
warning[overprovisioned-secrets]: excessively provisioned secrets


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"ref-confusion/issue-518-repro.yml\")).offline(false).run()?"
snapshot_kind: text
---
No findings to report. Good job! (1 suppressed)
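Review bot: This snapshot is recorded with `.offline(false)`, so the expected `No findings to report. Good job! (1 suppressed)` depends on the live GitHub API view of the action refs in issue-518-repro.yml at recording time, not only on the workflow text; if the referenced upstream repository later gains a tag and branch sharing a name, the ref-confusion audit would fire and this snapshot would drift with no change in this repository. A short comment in the test that records this snapshot (outside this diff) naming which upstream refs the expectation relies on would make such drift diagnosable, and the expression presumably runs only when online tests are enabled so that offline CI does not see spurious failures. The `(1 suppressed)` count is also part of the pinned output; if it comes from a persona-gated audit, that is worth stating in the same comment.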


@ -1,6 +1,7 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"ref-confusion.yml\")).offline(false).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"ref-confusion.yml\")).offline(false).run()?"
snapshot_kind: text
---
warning[ref-confusion]: git ref for action with ambiguous ref type
--> @@INPUT@@:11:9


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"secrets-inherit.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"secrets-inherit.yml\")).run()?"
snapshot_kind: text
---
warning[secrets-inherit]: secrets unconditionally inherited by called workflow


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"self-hosted.yml\")).run()?"
snapshot_kind: text
---
No findings to report. Good job! (1 suppressed)


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"self-hosted/self-hosted-runner-label.yml\")).args([\"--persona=auditor\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"self-hosted/self-hosted-runner-label.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
note[self-hosted-runner]: runs on a self-hosted runner


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"self-hosted/self-hosted-runner-group.yml\")).args([\"--persona=auditor\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"self-hosted/self-hosted-runner-group.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
note[self-hosted-runner]: runs on a self-hosted runner


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"self-hosted/self-hosted-matrix-dimension.yml\")).args([\"--persona=auditor\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"self-hosted/self-hosted-matrix-dimension.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
note[self-hosted-runner]: runs on a self-hosted runner


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"self-hosted/self-hosted-matrix-inclusion.yml\")).args([\"--persona=auditor\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"self-hosted/self-hosted-matrix-inclusion.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
note[self-hosted-runner]: runs on a self-hosted runner


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"self-hosted/self-hosted-matrix-exclusion.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
No findings to report. Good job!


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"self-hosted/issue-283-repro.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
No findings to report. Good job!


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"self-hosted.yml\")).args([\"--persona=auditor\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"self-hosted.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
note[self-hosted-runner]: runs on a self-hosted runner


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"template-injection/template-injection-dynamic-matrix.yml\")).args([\"--persona=auditor\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"template-injection/template-injection-dynamic-matrix.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
warning[template-injection]: code injection via template expansion


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"template-injection/issue-22-repro.yml\")).run()?"
snapshot_kind: text
---
No findings to report. Good job! (4 suppressed)


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"template-injection/pr-317-repro.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"template-injection/pr-317-repro.yml\")).run()?"
snapshot_kind: text
---
warning[template-injection]: code injection via template expansion


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"template-injection/static-env.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"template-injection/static-env.yml\")).run()?"
snapshot_kind: text
---
help[template-injection]: code injection via template expansion


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"template-injection/issue-339-repro.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"template-injection/issue-339-repro.yml\")).run()?"
snapshot_kind: text
---
info[template-injection]: code injection via template expansion


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"template-injection/issue-418-repro.yml\")).run()?"
snapshot_kind: text
---
No findings to report. Good job! (1 suppressed)


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"template-injection/pr-425-backstop/action.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"template-injection/pr-425-backstop/action.yml\")).run()?"
snapshot_kind: text
---
error[template-injection]: code injection via template expansion


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"template-injection/template-injection-static-matrix.yml\")).args([\"--persona=auditor\"]).run()?"
snapshot_kind: text
---
No findings to report. Good job!


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"unpinned-uses.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"unpinned-uses.yml\")).run()?"
snapshot_kind: text
---
warning[unpinned-uses]: unpinned action reference


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"unpinned-uses/action.yml\")).args([\"--pedantic\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"unpinned-uses/action.yml\")).args([\"--pedantic\"]).run()?"
snapshot_kind: text
---
help[unpinned-uses]: unpinned action reference


@ -0,0 +1,6 @@
---
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"unpinned-uses/issue-433-repro.yml\")).args([\"--pedantic\"]).run()?"
snapshot_kind: text
---
No findings to report. Good job!


@ -1,6 +1,6 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"unpinned-uses.yml\")).args([\"--pedantic\"]).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"unpinned-uses.yml\")).args([\"--pedantic\"]).run()?"
snapshot_kind: text
---
warning[unpinned-uses]: unpinned action reference


@ -1,6 +1,7 @@
---
source: tests/snapshot.rs
expression: "zizmor().workflow(workflow_under_test(\"unredacted-secrets.yml\")).run()?"
source: tests/integration/snapshot.rs
expression: "zizmor().input(workflow_under_test(\"unredacted-secrets.yml\")).run()?"
snapshot_kind: text
---
warning[unredacted-secrets]: leaked secret values
--> @@INPUT@@:14:18
