### Install zizmor with pacman Source: https://docs.zizmor.sh/installation Install zizmor using pacman, which is available in the AUR. ```bash pacman -S zizmor ``` -------------------------------- ### Install Cargo Insta for Snapshot Testing Source: https://docs.zizmor.sh/development Install the cargo-insta tool, which is recommended for managing snapshot tests. ```bash cargo install --locked cargo-insta ``` -------------------------------- ### Install zizmor with pip, pipx, or uv Source: https://docs.zizmor.sh/installation Install zizmor using Python package installers. Wheels are provided on a best-effort basis for common architectures. ```bash # with pip pip install zizmor # with pipx pipx install zizmor # with uv uv tool install zizmor # or, shortcut: uvx zizmor --help ``` -------------------------------- ### Install zizmor with Nix Source: https://docs.zizmor.sh/installation Install zizmor using Nix, either without flakes or with flakes. ```bash # without flakes nix-env -iA nixos.zizmor # with flakes nix profile install nixpkgs#zizmor ``` -------------------------------- ### Install pinact CLI Tool Source: https://docs.zizmor.sh/development Install the pinact tool using Homebrew to manage action usages in documentation. ```bash brew install pinact ``` -------------------------------- ### Install zizmor with Homebrew Source: https://docs.zizmor.sh/installation Use this command to install zizmor if you are using Homebrew. ```bash brew install zizmor ``` -------------------------------- ### Build zizmor Website Locally with Make Source: https://docs.zizmor.sh/development Build a local copy of the zizmor website in the 'site_html' directory. Requires a Python runtime and uv installed. ```bash make site ``` -------------------------------- ### Verify Zizmor Installation Source: https://docs.zizmor.sh/quickstart Run this command to ensure Zizmor is installed correctly. It displays the available options and usage information. ```bash zizmor -h ``` -------------------------------- ### Install zizmor with conda Source: https://docs.zizmor.sh/installation Install zizmor from the conda-forge channel using conda. ```bash conda install conda-forge::zizmor ``` -------------------------------- ### Install zizmor from source with cargo Source: https://docs.zizmor.sh/installation Install the latest unstable zizmor directly from GitHub using cargo. This is not recommended for most users. ```bash cargo install --locked --git https://github.com/zizmorcore/zizmor ``` -------------------------------- ### Remediate ad-hoc package installation with bundle install Source: https://docs.zizmor.sh/audits Replaces direct gem installation with `bundle install` to use a managed manifest and lockfile. ```yaml jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.0.0 - run: gem install rake ``` ```yaml jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.0.0 - run: bundle install ``` -------------------------------- ### Install zizmor with apk on Chimera Linux Source: https://docs.zizmor.sh/installation Install zizmor using apk on Chimera Linux. Ensure the 'user' repo is enabled first if necessary. ```bash # If you don't have the 'user' repo enabled yet, do that first apk add chimera-repo-user apk add zizmor ``` -------------------------------- ### Run Offline Benchmarks with Cargo and Make Source: https://docs.zizmor.sh/development Execute all offline benchmarks after building the project in release mode. Ensure Cargo is installed and configured. ```bash cargo build --release make bench ``` -------------------------------- ### Example JSON output from Zizmor Source: https://docs.zizmor.sh/usage This is an example of the detailed JSON output Zizmor produces, including finding details, severity, and location. ```json { "ident": "github-env", "desc": "dangerous use of environment file", "url": "https://docs.zizmor.sh/audits/#github-env", "determinations": { "confidence": "Low", "severity": "High", "persona": "Regular" }, "locations": [ { "symbolic": { "key": { "Local": { "prefix": ".", "given_path": "./tests/integration/test-data/github-env/action.yml" } }, "annotation": "write to GITHUB_ENV may allow code execution", "route": { "components": [ { "Key": "runs" }, { "Key": "steps" }, { "Index": 0 }, { "Key": "run" } ] }, "kind": "Primary" }, "concrete": { "location": { "start_point": { "row": 9, "column": 6 }, "end_point": { "row": 10, "column": 40 }, "offset_span": { "start": 202, "end": 249 } }, "feature": " run:\n echo \"foo=$(bar)\" >> $GITHUB_ENV", "comments": [] } } ], "ignored": false } ``` -------------------------------- ### Install zizmor with cargo Source: https://docs.zizmor.sh/installation Install zizmor from crates.io using cargo. Passing --locked is strongly recommended to ensure dependency versions are tested. ```bash cargo install --locked zizmor ``` -------------------------------- ### Enable zizmor LSP in Neovim Source: https://docs.zizmor.sh/integrations Configure Neovim to use zizmor as an LSP server. Ensure zizmor is installed separately. Refer to `:h lspconfig-all` for more LSP configuration details. ```lua vim.lsp.enable('zizmor') ``` -------------------------------- ### Remediation for overprovisioned secrets (Before) Source: https://docs.zizmor.sh/audits This example shows the 'before' state of a workflow where the entire secrets context is loaded, leading to overprovisioning. ```yaml jobs: deploy: runs-on: ubuntu-latest steps: - run: ./deploy.sh env: SECRETS: ${{ toJSON(secrets) }} ``` -------------------------------- ### Remediation for overprovisioned secrets (After) Source: https://docs.zizmor.sh/audits This example shows the 'after' state, where secrets are accessed individually, resolving the overprovisioning issue. ```yaml jobs: deploy: runs-on: ubuntu-latest steps: - run: ./deploy.sh env: SECRET_ONE: ${{ secrets.SECRET_ONE }} SECRET_TWO: ${{ secrets.SECRET_TWO }} ``` -------------------------------- ### Zizmor Configuration File Example Source: https://docs.zizmor.sh/usage Define ignore rules for specific findings in a `zizmor.yml` file. This allows for centralized management of ignored issues across multiple files or specific lines and columns. ```yaml rules: template-injection: ignore: - safe.yml - somewhat-safe.yml:123 - one-exact-spot.yml:123:456 ``` -------------------------------- ### Advanced Filtering with jq Source: https://docs.zizmor.sh/usage For advanced filtering, use `--format=json` and pipe the output to `jq`. This example selects results with 'High' confidence. ```bash zizmor --format=json-v1 ... | jq 'map(select(.determinations.confidence == "High"))' ``` -------------------------------- ### Remediate `pip-install` in GitHub Actions Source: https://docs.zizmor.sh/audits Before: Uses `pip-install` input on `actions/setup-python`, which can lead to auditing difficulties and dependency conflicts. After: Replaces `pip-install` with a virtual environment setup for better isolation and auditability. ```yaml jobs: build: runs-on: ubuntu-latest steps: - name: Setup Python uses: actions/setup-python@v6 with: pip-install: '.[dev]' ``` ```yaml jobs: build: runs-on: ubuntu-latest steps: - name: Setup Python uses: actions/setup-python@v6 - name: Install package run: | python -m venv .env ./.env/bin/pip install .[dev] ``` -------------------------------- ### Run zizmor in LSP mode Source: https://docs.zizmor.sh/integrations Start zizmor in Language Server Protocol (LSP) mode. In this mode, zizmor communicates with the editor via stdin and stdout only. No other arguments are accepted. ```bash zizmor --lsp ``` -------------------------------- ### Remediate Unpinned Actions: Before Source: https://docs.zizmor.sh/audits Example of a workflow with unpinned GitHub Actions dependencies, including a specific version for pypa/gh-action-pypi-publish and a Docker image without a version tag. ```yaml name: unpinned-uses on: [push] jobs: unpinned-uses: runs-on: ubuntu-latest steps: - uses: pypa/gh-action-pypi-publish@v1.12.4 with: persist-credentials: false - uses: docker://ubuntu with: entrypoint: /bin/echo args: hello! ``` -------------------------------- ### Run Zizmor with JSON output Source: https://docs.zizmor.sh/usage Execute Zizmor with the `--format=json` flag to get a flat array of findings. Pipe the output to `jq` for easier parsing. ```bash zizmor --format=json . | jq .\[0\] ``` -------------------------------- ### Dynamic Matrix Generation in GitHub Actions Source: https://docs.zizmor.sh/usage This example demonstrates a GitHub Actions workflow where a job's matrix is generated dynamically at runtime by a previous job. Static analysis tools like Zizmor cannot fully analyze such dynamic behavior, potentially flagging runtime-dependent variables as risks. ```yaml build-matrix: name: Build the matrix runs-on: ubuntu-latest outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - id: set-matrix run: | echo "matrix=$(python generate_matrix.py)" >> "${GITHUB_OUTPUT}" run: name: ${{ matrix.name }} needs: - build-matrix runs-on: ubuntu-latest strategy: matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }} steps: - run: | echo "hello ${{ matrix.something }}" ``` -------------------------------- ### Run zizmor in GitHub Actions Source: https://docs.zizmor.sh/integrations This GitHub Actions workflow installs uv and runs zizmor to check the repository. Remove the `env:` block to run only offline audits. Findings exceeding 10 will be logged but not rendered as annotations. ```yaml jobs: zizmor: name: zizmor via PyPI runs-on: ubuntu-latest permissions: contents: read # Only needed for private repos. Needed to clone the repo. steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Install the latest version of uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Run zizmor 🌈 run: uvx "zizmor@${ZIZMOR_VERSION}" --format=github . env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} ``` -------------------------------- ### Secure Container Credentials with Secrets Source: https://docs.zizmor.sh/audits Replace hardcoded container credentials with encrypted secrets to prevent exposure. This example shows the 'Before' and 'After' states of a workflow configuration. ```yaml on: push: jobs: test: runs-on: ubuntu-latest container: image: fake.example.com/example credentials: username: user password: ${{ secrets.REGISTRY_PASSWORD }} services: service-1: image: fake.example.com/anotherexample credentials: username: user password: ${{ secrets.REGISTRY_PASSWORD }} steps: - run: echo 'hello!' ``` -------------------------------- ### Run zizmor on remote GitHub repositories Source: https://docs.zizmor.sh/quickstart Audit workflows and composite actions directly from GitHub repositories using a GitHub API token. Requires the `gh` CLI to be installed for token retrieval. ```bash # audit all workflows and composite actions in zizmorcore/zizmor # assumes you have `gh` installed zizmor --gh-token=$(gh auth token) zizmorcore/zizmor ``` ```bash zizmor --gh-token=$(gh auth token) zizmorcore/zizmor zizmorcore/gha-hazmat ``` -------------------------------- ### Configure unpinned-uses policies Source: https://docs.zizmor.sh/audits Define custom policies for the `unpinned-uses` audit to control how action references are pinned. This example shows how to enforce hash-pinning for `actions/checkout` and ref-pinning for other actions in the `actions/*` namespace. ```yaml rules: unpinned-uses: config: policies: actions/checkout: hash-pin actions/*: ref-pin ``` -------------------------------- ### Running with Default Persona Source: https://docs.zizmor.sh/usage When using the default 'regular' persona, Zizmor may not report findings that are considered low-signal or false positives. This example shows no findings reported for a self-hosted runner configuration. ```bash $ zizmor self-hosted.yml ``` ```text 🌈 completed self-hosted.yml No findings to report. Good job! (1 suppressed) ``` -------------------------------- ### Add Version Comment to Hash-Pinned Action Source: https://docs.zizmor.sh/audits This example demonstrates a GitHub Actions workflow step where a version comment is missing for a hash-pinned action. The audit flags this for clarity and proper automation behavior. ```yaml jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 ``` ```yaml jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 ``` -------------------------------- ### Live Development Server for zizmor Website Source: https://docs.zizmor.sh/development Run a development server that monitors for changes in documentation files and rebuilds the site live. Access the site via the provided URL. ```bash make site-live ``` -------------------------------- ### Install zizmor with --locked flag Source: https://docs.zizmor.sh/troubleshooting Use the --locked flag with cargo install to force cargo to use exact dependencies from the Cargo.lock file, overriding yanked versions. This is an alternative to installing from binary distributions. ```bash cargo install --locked zizmor ``` -------------------------------- ### Run Snapshot Tests with Review and Online Features Source: https://docs.zizmor.sh/development A shortcut command to run snapshot tests, automatically enter review mode, and enable online tests with a GitHub token. ```bash cargo insta test --review # or, with online tests GH_TOKEN=$(gh auth token) cargo insta test --review --features online-tests ``` -------------------------------- ### Generate Developer Documentation with Cargo Source: https://docs.zizmor.sh/development Build the developer-specific documentation for zizmor using `cargo doc`. The `--open` flag will automatically open the documentation in your local browser. ```bash # build only cargo doc # build and open in the local browser cargo doc --open ``` -------------------------------- ### Build zizmor Locally with Cargo Source: https://docs.zizmor.sh/development Clone the repository and build the zizmor project using the `cargo build` command. You can then run the executable directly or use `cargo run`. ```bash git clone https://github.com/zizmorcore/zizmor && cd zizmor cargo build # cargo run -- --help also works ./target/debug/zizmor --help ``` -------------------------------- ### Example of Auto-fixable Finding Source: https://docs.zizmor.sh/usage This example shows how findings marked with a 'note: this finding has an auto-fix' annotation can be automatically corrected. It highlights a potential template injection vulnerability. ```yaml error[template-injection]: code injection via template expansion --> example.yml:18:36 | 17 | - run: | 18 | echo "doing a thing: ${{ inputs.test }}" | ^^^^^^^^^^^ may expand into attacker-controllable code | = note: audit confidence → High = note: this finding has an auto-fix ``` -------------------------------- ### Remediate Unredacted Secrets: Before Source: https://docs.zizmor.sh/audits Example of a deployment job that accesses username and password from a single JSON secret. This can lead to unredacted secrets in logs. ```yaml jobs: deploy: runs-on: ubuntu-latest steps: - run: ./deploy.sh env: USERNAME: ${{ fromJSON(secrets.MY_SECRET).username }} PASSWORD: ${{ fromJSON(secrets.MY_SECRET).password }} ``` -------------------------------- ### Run zizmor on local repositories Source: https://docs.zizmor.sh/quickstart Treat local directories as GitHub repositories to discover workflows and composite actions. Supports finding `.github/workflows` and `action.yml` files. ```bash # repo-a/ contains .github/workflows/{ci,tests}.yml # as well as custom-action/action.yml zizmor repo-a/ ``` ```bash # or with multiple directories zizmor repo-a/ ../../repo-b/ ``` ```bash # collect only workflows, not composite actions or Dependabot configs zizmor --collect=workflows repo-a/ ``` -------------------------------- ### Remediation for GitHub App Token Misuse Source: https://docs.zizmor.sh/audits When using GitHub App installation tokens, ensure tokens have limited lifespans and are scoped to only necessary repositories and permissions. ```yaml on: push: jobs: test: runs-on: ubuntu-latest container: image: fake.example.com/example credentials: username: user password: hackme services: service-1: image: fake.example.com/anotherexample credentials: username: user password: hackme steps: - run: echo 'hello!' ``` -------------------------------- ### Format and Lint Code with Cargo Source: https://docs.zizmor.sh/development Run cargo fmt for formatting and cargo clippy for linting. Running these locally can reduce review cycles. ```bash cargo fmt cargo clippy --fix ``` -------------------------------- ### Configure zizmor with pre-commit Source: https://docs.zizmor.sh/integrations Add zizmor to your `.pre-commit-config.yaml` to run it on every commit. The `files` option is optional for scanning specific files; otherwise, it scans the entire repository. ```yaml - repo: https://github.com/zizmorcore/zizmor-pre-commit rev: v1.22.0 hooks: - id: zizmor ``` -------------------------------- ### Secure Bot Actor Check for `pull_request` Source: https://docs.zizmor.sh/audits An example of a secure bot actor check for `pull_request` events, using `github.event.pull_request.user.login` to identify the actual PR creator. ```yaml on: pull_request jobs: automerge: runs-on: ubuntu-latest if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name steps: - run: gh pr merge --auto --merge "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} ``` -------------------------------- ### Secure Bot Actor Check for `pull_request_target` Source: https://docs.zizmor.sh/audits An example of a secure bot actor check for `pull_request_target` events, using `github.event.pull_request.user.login` to identify the actual PR creator. ```yaml on: pull_request_target jobs: automerge: runs-on: ubuntu-latest if: github.actor == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name steps: - run: gh pr merge --auto --merge "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} ``` -------------------------------- ### Zizmor Command-Line Help Output Source: https://docs.zizmor.sh/quickstart This is the detailed help output from the `zizmor -h` command, showing all available options for input, auditing, output, network, and general configuration. ```text Static analysis for GitHub Actions Usage: zizmor [OPTIONS] ... Input Options: ... The inputs to audit --collect ... Control which kinds of inputs are collected for auditing [default: default] [possible values: all, default, workflows, actions, dependabot] --strict-collection Fail instead of warning on syntax and schema errors in collected inputs Audit Options: --fix[=] Fix findings automatically, when available (EXPERIMENTAL) [possible values: safe, unsafe-only, all] -p, --pedantic Emit 'pedantic' findings --persona The persona to use while auditing [default: regular] [possible values: auditor, pedantic, regular] --min-severity Filter all results below this severity [possible values: informational, low, medium, high] --min-confidence Filter all results below this confidence [possible values: low, medium, high] --no-ignores Don't honor ignore comments or ignore rules in configuration Output Options: -v, --verbose... Increase logging verbosity -q, --quiet... Decrease logging verbosity --format The output format to emit. By default, cargo-style diagnostics will be emitted [default: plain] [possible values: plain, json, json-v1, sarif, github] --no-progress Don't show progress bars, even if the terminal supports them --color Control the use of color in output [possible values: auto, always, never] --render-links Whether to render OSC 8 links in the output [env: ZIZMOR_RENDER_LINKS=] [default: auto] [possible values: auto, always, never] --show-audit-urls Whether to render audit URLs in the output, separately from any URLs embedded in OSC 8 links [env: ZIZMOR_SHOW_AUDIT_URLS=] [default: auto] [possible values: auto, always, never] --no-exit-codes Disable all error codes besides success and tool failure Network Options: -o, --offline Perform only offline operations [env: ZIZMOR_OFFLINE=] --gh-token The GitHub API token to use [env: GH_TOKEN or GITHUB_TOKEN or ZIZMOR_GITHUB_TOKEN] --gh-hostname The GitHub Server Hostname. Defaults to github.com [env: GH_HOST=] [default: github.com] --no-online-audits Perform only offline audits [env: ZIZMOR_NO_ONLINE_AUDITS=] --cache-dir The directory to use for HTTP caching. By default, a host-appropriate user-caching directory will be used Options: --lsp Run in language server mode (EXPERIMENTAL) -c, --config The configuration file to load. This loads a single configuration file across all input groups, which may not be what you intend [env: ZIZMOR_CONFIG=] --no-config Disable all configuration loading --completions Generate tab completion scripts for the specified shell [possible values: bash, elvish, fish, nushell, powershell, zsh] --thanks Emit thank-you messages for zizmor's sponsors -h, --help Print help (see more with '--help') -V, --version Print version ``` -------------------------------- ### Zizmor Detailed Help Command Source: https://docs.zizmor.sh/quickstart Use this command for a more comprehensive version of the help information, providing deeper insights into Zizmor's functionalities. ```bash zizmor --help ``` -------------------------------- ### Run Online Benchmarks with GitHub Token Source: https://docs.zizmor.sh/development Execute online benchmarks by setting the GH_TOKEN environment variable. This requires authentication with GitHub. ```bash GH_TOKEN=$(gh auth token) make bench ``` -------------------------------- ### Configure Zizmor for Custom GitHub Hosts Source: https://docs.zizmor.sh/usage Use Zizmor with custom GitHub Enterprise instances by specifying the hostname. This allows analysis of repositories hosted on private or on-premises GitHub Enterprise servers. ```bash zizmor --gh-hostname custom.example.com ... ``` ```bash GH_HOST=custom.ghe.com zizmor ... ``` -------------------------------- ### Unsound Condition Example (Always True) Source: https://docs.zizmor.sh/audits Illustrates a common pitfall where a multi-line YAML string combined with a GitHub Actions expression results in a condition that always evaluates to true, despite appearing to be conditional. ```yaml if: | ${{ false }} ``` -------------------------------- ### Detect Mismatched Version Comments in Actions Source: https://docs.zizmor.sh/audits This example shows a GitHub Actions workflow step where the version comment does not match the pinned commit hash. This can lead to automation tools like Dependabot not updating correctly. ```yaml jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4.2.2 ``` ```yaml jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 ``` -------------------------------- ### Run and Review Snapshot Tests with Cargo Insta Source: https://docs.zizmor.sh/development Manage snapshot tests using cargo insta. 'cargo insta test' runs tests and generates/updates snapshots, while 'cargo insta review' allows for manual review of changes. ```bash # run all the tests, generating new snapshots as necessary cargo insta test # review the new snapshots generated above cargo insta review ``` -------------------------------- ### Running Zizmor with a Specific Config File Source: https://docs.zizmor.sh/usage Pass a custom configuration file to Zizmor using the `--config` argument. This is useful when you need to specify a configuration that is not in the default location or has a custom name. ```bash zizmor --config my-zizmor-config.yml /dir/to/audit ``` -------------------------------- ### Set Concurrency Limits in Workflows Source: https://docs.zizmor.sh/audits Include a `concurrency` setting in your workflow to manage concurrent runs. Set `cancel-in-progress` to `true` to cancel older runs when a new one starts, preventing resource waste and potential race conditions. ```yaml concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true ``` -------------------------------- ### Run Unit and Integration Tests with Cargo Source: https://docs.zizmor.sh/development Orchestrate unit and integration tests using cargo test. Use flags like --bins to run only unit tests or --test to specify integration tests. ```bash # run only unit tests cargo test --bins # run specific integration tests cargo test --test acceptance cargo test --test snapshot # run all of the tests cargo test ``` -------------------------------- ### Audit Specific Directory Source: https://docs.zizmor.sh/release-notes This command audits the specified .github/ directory. It will load configuration files as before. ```bash zizmor .github/ ``` -------------------------------- ### Run JSON Schema Tests Source: https://docs.zizmor.sh/development Validate the JSON schema of the configuration file by enabling the 'schema' crate feature. ```bash cargo test --features schema ``` -------------------------------- ### Configure zizmor-action with custom PAT Source: https://docs.zizmor.sh/troubleshooting Provide a custom Personal Access Token (PAT) with read-only access to necessary repositories via the 'token' input in the zizmor-action. This resolves 'can't access ORG/REPO' errors when the default GITHUB_TOKEN lacks cross-repository permissions. ```yaml - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 with: token: ${{ secrets.ZIZMOR_GH_TOKEN }} ``` -------------------------------- ### Configure Pinned Dependencies with rules.secrets-outside-env.config.allow Source: https://docs.zizmor.sh/audits Define policies for pinning GitHub Actions dependencies. Use 'hash-pin' for specific actions and 'ref-pin' for broader categories. An implicit 'hash-pin' rule applies if no other rule matches. ```yaml rules: unpinned-uses: config: policies: "example/*": hash-pin "*": ref-pin ``` -------------------------------- ### Manual GitHub Actions Integration with SARIF Output Source: https://docs.zizmor.sh/integrations Manually integrate zizmor using `--format=sarif` for GitHub Advanced Security. This workflow requires specific permissions and uploads SARIF files for analysis. ```yaml name: GitHub Actions Security Analysis with zizmor 🌈 on: push: branches: ["main"] pull_request: branches: ["**"] env: ZIZMOR_VERSION: 1.26.1 permissions: {} jobs: zizmor: name: zizmor via PyPI runs-on: ubuntu-latest permissions: security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. contents: read # Only needed for private repos. Needed to clone the repo. actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info. steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Install the latest version of uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Run zizmor 🌈 run: uvx "zizmor@${ZIZMOR_VERSION}" --format=sarif . > results.sarif env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: sarif_file: results.sarif category: zizmor ``` -------------------------------- ### Update Action Usages with pinact Source: https://docs.zizmor.sh/development Run the pinact command via make to update 'uses:' clauses in the project's documentation. ```bash make pinact ``` -------------------------------- ### Audit Multiple Input Sources Source: https://docs.zizmor.sh/usage Audit various input sources, including local workflows, local directories, and remote repositories, in a single command. ```bash zizmor ../example.yml ../other-repo/ example/example ``` -------------------------------- ### Applying Unsafe Auto-fixes with Zizmor Source: https://docs.zizmor.sh/usage To apply 'unsafe' fixes, which may be correct but require manual review, use `--fix=all` to enable both safe and unsafe fixes, or `--fix=unsafe-only` to enable only unsafe fixes. These options also modify files in-place. ```bash zizmor --fix=all example.yml ``` ```bash zizmor --fix=unsafe-only example.yml ``` -------------------------------- ### Run Project Checks with Cargo Source: https://docs.zizmor.sh/development Execute these commands to ensure code formatting, linting, and tests pass before submitting a Pull Request. Ensure all warnings from clippy are addressed. ```bash cargo fmt cargo clippy -- -D warnings cargo test ``` -------------------------------- ### Force Update Snapshots with Online Features Source: https://docs.zizmor.sh/development Update snapshot files, including meta information, while running tests with online features enabled. Requires a GitHub token. ```bash GH_TOKEN=$(gh auth token) cargo insta test --force-update-snapshots --features online-tests ```