Skip to content

Scan GitHub Actions workflows with zizmor#526

Open
hocinehacherouf wants to merge 5 commits into
michelin:mainfrom
hocinehacherouf:feat/zizmor-actions-scan
Open

Scan GitHub Actions workflows with zizmor#526
hocinehacherouf wants to merge 5 commits into
michelin:mainfrom
hocinehacherouf:feat/zizmor-actions-scan

Conversation

@hocinehacherouf

@hocinehacherouf hocinehacherouf commented May 13, 2026

Copy link
Copy Markdown
Member

Closes #525

What

Adds a zizmor workflow that statically audits our GitHub Actions for
supply-chain and misconfiguration issues (unpinned actions, overbroad token
scopes, template-injection sinks, credential persistence) and uploads SARIF to
the Security tab, mirroring how Trivy scans source code.

To land the scan green, this PR also remediates every finding zizmor reports
across the existing workflows.

Changes

New

  • .github/workflows/zizmor.yml: runs zizmorcore/zizmor-action on PRs
    touching .github/workflows/**, on push to main, weekly, and via
    workflow_dispatch. SARIF goes to the Security tab.

Hardening of existing workflows

  • Pinned every action to a full commit SHA (unpinned-uses)
  • Added least-privilege permissions: blocks to every job (excessive-permissions)
  • Moved workflow_dispatch inputs into env: vars in run: steps to prevent
    shell injection (template-injection in hotfix.yml and tag.yml)
  • Set persist-credentials: false on read-only checkouts (artipacked)
  • Removed Maven caching from release.yml, since a publish pipeline shouldn't
    restore a potentially poisoned cache (cache-poisoning)
  • Added a 7-day Dependabot cooldown for the maven and github-actions
    ecosystems (dependabot-cooldown)

Accepted findings (documented inline via # zizmor: ignore[...])

  • artipacked on the hotfix.yml and tag.yml checkouts: persisted
    credentials are required to push the branch, tag, and commit.
  • superfluous-actions on ncipollo/release-action: kept for its
    allowUpdates support, which gh release can't replicate in one command.

Notes

  • The zizmor CLI version follows the action pin (v0.5.7 ships zizmor
    1.26.1); Dependabot will bump it going forward.
  • Local zizmor 1.26.1 over the repo reports No findings (3 ignored,
    29 suppressed).

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Comment thread .github/workflows/zizmor.yml Fixed
Comment thread .github/workflows/zizmor.yml Fixed
hocinehacherouf and others added 2 commits July 1, 2026 08:54
Resolve all findings reported by the zizmor scan:

- Pin every action to a full commit SHA (unpinned-uses)
- Move workflow_dispatch inputs into env vars in run steps to
  prevent template injection (hotfix.yml, tag.yml)
- Add least-privilege job-level permissions blocks
- Set persist-credentials: false on read-only checkouts
  (build, release, security)
- Remove Maven caching from release.yml to avoid cache poisoning
  in the publish pipeline

Document the three accepted exceptions with justified ignore
comments: artipacked on the hotfix/tag checkouts (persisted
credentials required to push) and superfluous-actions on
ncipollo/release-action (allowUpdates has no single-command
gh release equivalent).
Comment thread .github/workflows/release.yml Fixed
- release.yml: move the superfluous-actions ignore onto the uses line
  so zizmor honors it in SARIF output (the action's zizmor 1.24.1 only
  matches an ignore on the exact finding line, unlike newer versions)
- dependabot.yml: add a 7-day cooldown to the maven and github-actions
  ecosystems (dependabot-cooldown)
@hocinehacherouf
hocinehacherouf marked this pull request as ready for review July 1, 2026 09:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Scan GitHub Actions workflows with zizmor

2 participants