Develop a zizmor GitHub Action
#69
Comments
|
First draft of such a workflow (based on the ESLint one): name: "Scan workflows"
on:
pull_request:
branches:
- "**"
paths:
# Run for changes to *any* workflow file
- ".github/workflows/*.yml"
push:
branches:
- main
jobs:
build:
runs-on: ubuntu-latest
permissions:
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install zizmor
run: cargo install zizmor
- name: Scan workflows
run:
zizmor --format=sarif . | tee workflow-scan.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: github/codeql-action/upload-sarif@v3
if: always()
with:
# Path to SARIF file relative to the root of the repository
sarif_file: workflow-scan.sarif |
|
Also see #71 |
|
Thanks for the issue @ncoghlan! Completely agreed -- ideally there'd be an action hosted within this repo itself so people could do: - uses: woodruffw/zizmor/action@tag
with: ......and get SARIF, etc. integration right out of the box 🙂 |
|
Related request: #89. |
woodruffw
changed the title
zizmor GitHub Action
|
Leaving this open since I still want to build a full-fledged action for zizmor, but the docs now include an example annotated workflow based on the one @ncoghlan and @colindean 
|
|
Please note that code scanning is only available for public repositories or for organizations with GitHub Enterprise Cloud. |
What does a user see when they cannot use code scanning but try to use the tools that upload the SARIF file to GH? |
and github/codeql-action/upload-sarif@v3 will fail. |
|
For us, we'd like to have an action that will simply fail PRs, etc if there are security issues. So maybe having two Actions or two "modes" makes sense: one to perform code scanning and one to gate changes. |
I believe you can configure this with GitHub's advanced security feature: you can set a required check for no alerts raised by all security tools, or by a specific tool like (With that being said, this is what the standalone action will do -- it'll optionally integrate with advanced security via SARIF, but by default it'll just spit out a render and fail if there are any errors.) |
@tobiastornros would you be interested in sending a PR adding that as a note to the docs? I'd greatly appreciate it! |
Done. See #121 |
It would be handy if https://github.com/woodruffw/zizmor?tab=readme-ov-file#use-in-github-actions linked to a GitHub action in this repo which ran zizmor over the repo whenever any of the files in the workflow folder changed.
In the meantime, I'll submit a PR with a direct link to the upload-sarif example at https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-that-runs-the-eslint-analysis-tool
The text was updated successfully, but these errors were encountered: