chore: remove descriptions from fixes (#985)

William Woodruff 2025-06-27 18:33:19 -06:00 committed by GitHub
parent 42862eb02e
commit b98dcb1691
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 17 additions and 28 deletions


@ -144,29 +144,23 @@ impl Artipacked {
/// Create a Fix for setting persist-credentials: false
fn create_persist_credentials_fix<'doc>(step: &impl StepCommon<'doc>) -> Fix<'doc> {
Fix {
title: "Set persist-credentials: false".to_string(),
description: "To prevent credential persistence, set 'persist-credentials: false' in this checkout step. \
When 'persist-credentials' is true (the default), the GITHUB_TOKEN persists in the local git config \
after checkout, which may be inadvertently leaked through subsequent actions like artifact uploads. \
Setting 'persist-credentials: false' ensures that credentials don't persist beyond the checkout step itself.".to_string(),
title: "set persist-credentials: false".to_string(),
key: step.location().key,
disposition: Default::default(),
patches: vec![
Patch {
route: step.route(),
operation: Op::MergeInto {
key: "with".to_string(),
value: {
let mut with_map = serde_yaml::Mapping::new();
with_map.insert(
serde_yaml::Value::String("persist-credentials".to_string()),
serde_yaml::Value::Bool(false),
);
serde_yaml::Value::Mapping(with_map)
},
patches: vec![Patch {
route: step.route(),
operation: Op::MergeInto {
key: "with".to_string(),
value: {
let mut with_map = serde_yaml::Mapping::new();
with_map.insert(
serde_yaml::Value::String("persist-credentials".to_string()),
serde_yaml::Value::Bool(false),
);
serde_yaml::Value::Mapping(with_map)
},
}
],
},
}],
}
}
}
@ -239,7 +233,7 @@ mod tests {
assert!(!finding.fixes.is_empty(), "Expected fixes but got none");
let fix = &finding.fixes[0];
assert_eq!(fix.title, "Set persist-credentials: false");
assert_eq!(fix.title, "set persist-credentials: false");
fix.apply(document).unwrap()
}
@ -248,14 +242,14 @@ mod tests {
fn test_fix_title_and_description() {
// Test that the fix has the expected title and description format
// Since Step::new is private, we test this indirectly through the audit logic
let title = "Set persist-credentials: false";
let title = "set persist-credentials: false";
let description_keywords = [
"persist-credentials",
"GITHUB_TOKEN",
"credential persistence",
];
assert_eq!(title, "Set persist-credentials: false");
assert_eq!(title, "set persist-credentials: false");
for keyword in description_keywords {
// This is a basic smoke test - in practice, integration tests would verify the fix works
assert!(!keyword.is_empty());
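Review bot: `test_fix_title_and_description` in the last hunk of this file still builds `description_keywords` and keeps "description" in its name and comment, although this commit removes the `description` field from `Fix`. As written, the test compares a local string literal with the same literal and checks that three literals are non-empty, so it exercises nothing in the audit; I would delete it, or rename it and rely on the real check in the previous hunk (`assert_eq!(fix.title, "set persist-credentials: false");`). The removed description was also the only text in `create_persist_credentials_fix` that explained why the fix matters, so one sentence of it could be kept in the doc comment, e.g. `/// With the default, the GITHUB_TOKEN persists in the local git config after checkout and may leak through later steps such as artifact uploads.` The test function's body continues past the end of the hunk.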


@ -382,7 +382,6 @@ impl BotConditions {
Some(Fix {
title: "replace spoofable actor context".into(),
description: "todo".into(),
key: &workflow.key,
disposition: FixDisposition::Safe,
patches: vec![Patch {


@ -311,7 +311,6 @@ impl TemplateInjection {
Some(Fix {
title: "replace expression with environment variable".into(),
description: "todo".into(),
key: step.location().key,
disposition: Default::default(),
patches,


@ -123,9 +123,6 @@ pub(crate) struct Fix<'doc> {
/// A short title describing the fix.
#[allow(dead_code)]
pub(crate) title: String,
/// A detailed description of the fix.
#[allow(dead_code)]
pub(crate) description: String,
/// The key back into the input registry that this fix applies to.
pub(crate) key: &'doc InputKey,
/// The fix's disposition.