investigate zizmor to check out GH Actions workflows #2481

Open
williballenthin opened this issue Oct 30, 2024 · 1 comment
Comments

@williballenthin (Collaborator)

https://blog.yossarian.net/2024/10/27/Now-you-can-have-beautiful-clean-workflows

@colton-gabertan (Collaborator) commented Jan 24, 2025

Results

Overall, it did a great job in sniffing out persistent credential issues, jobs with high permissions, and areas for potential template/arbitrary code injection. Great solution to help fall in line with best practices in areas where applicable. I can see it being a bit noisy about a few jobs that do require high permissions, i.e. build.yml; however, there is a ton of great documentation around how to tune zizmor. One thing that the local test does not cover is stuff like known-vulnerable-actions, impostor commits, and ref confusion, which are inherent vulnerabilities presented by how git/GitHub works, and it would require another secret to be implemented.

The installation was a simple pip install, so it could be worthwhile to treat it in the same manner as pre-commit by including it in the dev dependencies for capa. Or, on the flip side, it could be useful as a similar CI workflow to the scorecard.yml, targeting only a set of specific workflows to check.

Local Test Run

Here are a few examples of what a local run looks like using capa's latest CI files:

2025-01-24T08:45:01.304528Z  WARN zizmor: skipping impostor-commit: can't run without a GitHub API token
2025-01-24T08:45:01.304568Z  WARN zizmor: skipping ref-confusion: can't run without a GitHub API token
2025-01-24T08:45:01.304603Z  WARN zizmor: skipping known-vulnerable-actions: can't run without a GitHub API token
2025-01-24T08:45:01.339350Z  INFO audit: zizmor: 🌈 completed build.yml
2025-01-24T08:45:01.341629Z  INFO audit: zizmor: 🌈 completed changelog.yml
2025-01-24T08:45:01.343620Z  INFO audit: zizmor: 🌈 completed pip-audit.yml
2025-01-24T08:45:01.345501Z  INFO audit: zizmor: 🌈 completed publish.yml
2025-01-24T08:45:01.347398Z  INFO audit: zizmor: 🌈 completed scorecard.yml
2025-01-24T08:45:01.349731Z  INFO audit: zizmor: 🌈 completed tag.yml
2025-01-24T08:45:01.352019Z  INFO audit: zizmor: 🌈 completed tests.yml
2025-01-24T08:45:01.354322Z  INFO audit: zizmor: 🌈 completed web-deploy.yml
2025-01-24T08:45:01.356889Z  INFO audit: zizmor: 🌈 completed web-release.yml
2025-01-24T08:45:01.358995Z  INFO audit: zizmor: 🌈 completed web-tests.yml
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> build.yml:44:9
   |
44 |         - name: Checkout capa
   |  _________-
45 | |         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
46 | |         with:
47 | |           submodules: true
   | |__________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

error[excessive-permissions]: overly broad permissions
  --> build.yml:14:3
   |
14 |   contents: write
   |   ^^^^^^^^^^^^^^^ contents: write is overly broad at the workflow level
   |
   = note: audit confidence → High

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> changelog.yml:3:1
  |
3 | / on:
4 | |   # We need pull_request_target instead of pull_request because a write
... |
7 | |   pull_request_target:
8 | |     types: [opened, edited, synchronize]
  | |________________________________________^ pull_request_target is almost always used insecurely
  |
  = note: audit confidence → Medium

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> pip-audit.yml:16:9
   |
16 |         - name: Check out repository code
   |  _________-
17 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low
.
.
.
.
54 findings (24 suppressed): 0 unknown, 0 informational, 1 low, 21 medium, 8 high
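The comment above suggests running zizmor as a CI workflow alongside scorecard.yml, and its local run surfaced three finding classes: artipacked (checkout without `persist-credentials: false`), excessive-permissions (`contents: write` at the workflow level), and the online audits that were skipped for lack of a token. The workflow below is an added illustration, not a capa workflow and not code from the issue or from zizmor's project; it runs zizmor on the repository's workflow files and is itself written to satisfy those audits (read-only permissions at the top level, job-scoped elevation, non-persisted checkout credentials). The file name `zizmor.yml`, the branch name, and the use of the built-in `GITHUB_TOKEN` to enable the online audits are assumptions; the `--format sarif` option and the `GH_TOKEN` environment variable are as documented by zizmor at the time of writing and should be checked against the current docs.

```yaml
# .github/workflows/zizmor.yml  (hypothetical file name, not part of capa)
name: zizmor

on:
  push:
    branches: [master]            # assumed default branch
  pull_request:
    paths:
      - ".github/workflows/**"    # only audit when workflow files change

# Workflow-level default is read-only. This is what zizmor's
# excessive-permissions audit wants instead of `contents: write` here.
permissions:
  contents: read

jobs:
  zizmor:
    runs-on: ubuntu-latest
    # Elevate only what this one job needs, on this job only.
    permissions:
      contents: read
      security-events: write      # required to upload SARIF to code scanning
    steps:
      - name: Check out repository
        # In practice pin to a full commit SHA with a version comment,
        # as capa's build.yml already does for actions/checkout.
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # resolves the artipacked finding
          submodules: true

      - name: Install zizmor
        run: python -m pip install zizmor

      - name: Run zizmor
        # Audit only the workflow directory, matching the "targeted set of
        # workflows" idea from the comment above. continue-on-error keeps the
        # SARIF upload step running even when zizmor reports findings.
        run: zizmor --format sarif .github/workflows > results.sarif
        continue-on-error: true
        env:
          # Assumption: a token enables the audits the local run skipped
          # (impostor-commit, ref-confusion, known-vulnerable-actions).
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: zizmor
```

Findings then appear in the repository's code scanning tab rather than only in the job log, and the job-level `security-events: write` grant does not leak into the other workflows the way a workflow-level `contents: write` in build.yml does. For the pre-commit/dev-dependency route the same `zizmor .github/workflows` invocation can run locally without a token, which reproduces exactly the offline subset shown in the log above.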
