Releases: woodruffw/zizmor
v1.0.1
This is a small quality and bugfix release. Thank you to everybody
who helped by reporting and shaking out bugs from our first stable release!
Improved
- The github-env audit now detects dangerous writes to `GITHUB_PATH`, is more precise, and can produce multiple findings per run block (#391)
Fixed
- `workflow_call.secrets` keys with missing values are now parsed correctly (#388)
- The cache-poisoning audit no longer incorrectly treats `docker/build-push-action` as a publishing workflow if `push: false` is explicitly set (#389)
- The template-injection audit no longer considers `github.action_path` to be a potentially dangerous expansion (#402)
- The github-env audit no longer skips `run:` steps with non-trivial `shell:` stanzas (#403)
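The github-env and template-injection items in this release (and the precision notes for the same audits further down this page) describe what those audits look for. The following Python checker is an added illustration written for this page, not zizmor's own code: it walks a constructed workflow (a plain dict standing in for parsed YAML), treats `github.action_path`, `runner.temp`, `runner.tool_cache` and issue/PR numbers as safe expansions, treats `env.*` references to static values as safe, honours a `shell:` stanza such as `bash -e {0}`, and flags `GITHUB_ENV`/`GITHUB_PATH` writes in bash-like and PowerShell steps when the workflow runs on a dangerous trigger. The trigger list, the regexes and the conservative decision to flag every such write under those triggers are assumptions made here, not zizmor's exact rules.

```python
import re
from dataclasses import dataclass

# Added illustration, not zizmor's implementation: the context classification
# and the trigger list are assumed simplifications of what the audits do.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")

# Expansions treated as safe, taken from the items on this page.
SAFE_CONTEXTS = {
    "github.action_path",                # #402
    "runner.temp",                       # #277
    "runner.tool_cache",                 # #297
    "github.event.pull_request.number",  # issue/PR numbers (#238)
    "github.event.issue.number",
}
BASH_LIKE = {"bash", "sh"}
PWSH = {"pwsh", "powershell"}
# Assumed: triggers under which attacker-influenced code may already have run.
DANGEROUS_TRIGGERS = {"pull_request_target", "issue_comment"}

# `>> $GITHUB_ENV`, `> "$GITHUB_PATH"`, `| tee -a $GITHUB_ENV`, `>> $env:GITHUB_ENV`
ENV_WRITE_RE = re.compile(r'(?:>>?|\|\s*tee\b[^|\n]*)\s*"?\$(?:env:)?GITHUB_(ENV|PATH)\b')
# PowerShell cmdlet forms such as `| Out-File -FilePath $env:GITHUB_ENV -Append`
PWSH_WRITE_RE = re.compile(r"(?:Out-File|Add-Content|Set-Content)\b[^|\n]*\$env:GITHUB_(ENV|PATH)\b")


@dataclass(frozen=True)
class Finding:
    rule: str
    step: str
    detail: str


def find_expressions(text):
    """Inner text of every ${{ ... }} expansion in `text`."""
    return EXPR_RE.findall(text or "")


def static_env_keys(env):
    """env: names whose values contain no expansion, so they cannot carry attacker data."""
    return {k for k, v in (env or {}).items() if not find_expressions(str(v))}


def is_safe_expansion(expr, static_keys):
    expr = expr.strip()
    if expr in SAFE_CONTEXTS:
        return True
    m = re.fullmatch(r"env\.([A-Za-z_][A-Za-z0-9_]*)", expr)
    return bool(m and m.group(1) in static_keys)


def audit_step(step, triggers, default_shell="bash"):
    findings = []
    name = step.get("name", "<unnamed>")
    run = step.get("run")
    if run is None:
        return findings
    # "bash -e {0}" is a non-trivial shell stanza; the interpreter is its first word.
    shell = step.get("shell", default_shell).split()[0]
    static_keys = static_env_keys(step.get("env"))
    for expr in find_expressions(run):
        if not is_safe_expansion(expr, static_keys):
            findings.append(Finding("template-injection", name, expr))
    if shell in BASH_LIKE:
        writes = ENV_WRITE_RE.findall(run)
    elif shell in PWSH:
        writes = PWSH_WRITE_RE.findall(run) + ENV_WRITE_RE.findall(run)
    else:
        writes = []  # cmd, python, etc. are not modelled here
    if writes and triggers & DANGEROUS_TRIGGERS:
        for target in sorted(set(writes)):
            findings.append(Finding("github-env", name, f"GITHUB_{target}"))
    return findings


def audit_workflow(workflow):
    triggers = set(workflow["on"])
    findings = []
    for job in workflow["jobs"].values():
        default_shell = job.get("defaults", {}).get("run", {}).get("shell", "bash")
        for step in job.get("steps", []):
            findings.extend(audit_step(step, triggers, default_shell))
    return findings


# Constructed sample workflow (not from any real repository).
SAMPLE_WORKFLOW = {
    "on": ["pull_request_target"],
    "jobs": {"triage": {"steps": [
        {"name": "export-title",  # attacker-controlled title interpolated and exported
         "run": 'echo "TITLE=${{ github.event.pull_request.title }}" >> "$GITHUB_ENV"'},
        {"name": "export-title-pwsh", "shell": "pwsh",
         "run": '"TITLE=${{ github.event.pull_request.title }}" | Out-File -FilePath $env:GITHUB_ENV -Append'},
        {"name": "tool-path", "shell": "bash -e {0}", "env": {"TOOL": "ruff"},
         # safe expansions only; the PATH write is still flagged because of the trigger
         "run": 'echo "${{ runner.tool_cache }}/${{ env.TOOL }}/bin" >> $GITHUB_PATH'},
        {"name": "non-static-env", "env": {"BODY": "${{ github.event.pull_request.body }}"},
         "run": 'echo "${{ env.BODY }}"'},  # env.BODY is not static, so not safe
    ]}},
}

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f.rule}: step '{f.step}': {f.detail}")
```

Running the block prints six findings: two for each of the first two steps, a github-env finding for the `GITHUB_PATH` write, and a template-injection finding for the non-static `env.BODY` reference; the `tool-path` step produces no template-injection finding because both of its expansions are classified safe.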
v1.0.0
This is the first stable release of zizmor!
Starting with this release, zizmor will use Semantic Versioning for
its versioning scheme. In short, this means that breaking changes will only
happen with a new major version.
This stable release comes with a large number of new features as well
as stability commitments for existing features; read more below!
Added
- Composite actions (i.e. `action.yml` where the action is not a Docker or JavaScript action) are now supported, and are audited by default when running `zizmor` on a directory or remote repository (#331)

  Tip: Composite action discovery and auditing can be disabled by passing `--collect=workflows-only`. Conversely, workflow discovery and auditing can be disabled by passing `--collect=actions-only`.

  See #350 for the status of each audit's support for analyzing composite actions.

- The GitHub host to connect to can now be configured with `--gh-hostname` or `GH_HOST` in the environment (#371). This can be used to connect to a GitHub Enterprise (GHE) instance instead of the default `github.com` instance.
Improved
- The cache-poisoning audit is now aware of common publishing actions and uses them to determine whether to produce a finding (#338, #341)
- The cache-poisoning audit is now aware of configuration-free caching actions, such as @Mozilla-Actions/sccache-action (#345)
- The cache-poisoning audit is now aware of even more caching actions (#346)
- The cache-poisoning audit is now aware of common publishing triggers (such as pushing to a release branch) and uses them to determine whether to produce a finding (#352)
- The github-env audit is now significantly more precise on `bash` and `pwsh` inputs (#354)
Fixed
- The excessive-permissions audit is now less noisy on single-job workflows (#337)
- Expressions like `function().foo.bar` are now parsed correctly (#340)
- The cache-poisoning defaults for `setup-go` were fixed (#343)
- `uses:` matching is now case-insensitive where appropriate (#353)
- Quoted YAML keys (like `'on': foo`) are now parsed correctly (#368)
v0.10.0
What's Changed
New Features 🌈
- feat: handle powershell in github-env audit by @woodruffw in #227
- feat: template-injection: filter static envs by @woodruffw in #318
- feat: add 'primary' locations by @woodruffw in #328
- feat: initial cache-poisoning audit by @ubiratansoares in #294
- feat: Fix Sarif schema and add rules to Sarif files by @fcasal in #330
Bug Fixes 🐛
- fix: template-injection: more safe contexts by @woodruffw in #309
- fix: expands_to_static_values considers expressions inside strings by @woodruffw in #317
- fix: sarif: add result and kind by @woodruffw in #68
- fix: sarif: use ResultKind for kind by @woodruffw in #326
Performance Improvements 🚄
- refactor: use http-cache for caching, optimize network calls by @woodruffw in #304
Documentation Improvements 📖
- docs: support commits in trophy case by @woodruffw in #303
- docs: Fix typo in development.md by @JustusFluegel in #305
New Contributors
- @jsoref made their first contribution in #299
- @JustusFluegel made their first contribution in #305
- @fcasal made their first contribution in #330
Full Changelog: v0.9.2...v0.10.0
v0.9.2
What's Changed
Bug Fixes 🐛
- fix: template-injection: consider runner.tool_cache safe by @woodruffw in #297
Documentation Improvements 📖
- docs: more trophies by @woodruffw in #296
Full Changelog: v0.9.1...v0.9.2
v0.9.1
What's Changed
Bug Fixes 🐛
- fix: don't crash when an expression does not expand a matrix by @ubiratansoares in #284
Full Changelog: v0.9.0...v0.9.1
v0.9.0
What's Changed
New Features 🌈
- refactor: experiment with tracing by @woodruffw in #232
- feat: remove --no-progress by @woodruffw in #248
Bug Fixes 🐛
- fix: handle non-static env: in job steps by @woodruffw in #246
- fix: template-injection: ignore another safe context by @woodruffw in #254
- fix: download both .yml and .yaml from repos by @woodruffw in #265
- fix: bump annotate-snippets to fix crash by @woodruffw in #264
- fix: move artipacked pedantic finding to auditor by @woodruffw in #272
- fix: template-injection: ignore runner.temp by @woodruffw in #277
Performance Improvements 🚄
- feat: evaluates a matrix expansion only once by @ubiratansoares in #274
Documentation Improvements 📖
- docs: document installing with PyPI by @woodruffw in #242
- docs: add a trophy case by @woodruffw in #243
- docs: update pre-commit docs to point to new repo by @woodruffw in #247
- docs: switch GHA example to uvx by @woodruffw in #255
- docs: add template-injection tips by @woodruffw in #259
- docs: audits: add another env hacking reference by @woodruffw in #266
- docs: Rename "unsecure" to insecure by @szepeviktor in #270
- docs: more trophies by @woodruffw in #276
- docs: make the trophy case prettier by @woodruffw in #279
New Contributors
- @szepeviktor made their first contribution in #270
Full Changelog: v0.8.0...v0.9.0
v0.8.0
What's Changed
New Features 🌈
- feat: remote auditing by @woodruffw in #230
Bug Fixes 🐛
- fix: template-injection: ignore issue/PR numbers by @woodruffw in #238
Full Changelog: v0.7.0...v0.8.0
v0.7.0
What's Changed
New Features 🌈
- Split unpinned-uses into two separate checks by @funnelfiasco in #205
- feat: even more precision for bash steps in github-env by @ubiratansoares in #208
- feat: add Step::default_shell by @woodruffw in #213
- feat: handle `shell: sh` in github-env by @woodruffw in #216
- feat: primitive Windows batch handling in github-env by @woodruffw in #217
- feat: unpinned-uses: make unhashed check pedantic for now by @woodruffw in #219
- feat: add personas by @woodruffw in #226
Bug Fixes 🐛
- fix: bump github-actions-models by @woodruffw in #211
Documentation Improvements 📖
- docs: tweak installation layout by @woodruffw in #223
Full Changelog: v0.6.0...v0.7.0
v0.6.0
What's Changed
This is one of zizmor's bigger recent releases! Key enhancements include:
- A new github-env audit that detects dangerous `GITHUB_ENV` writes, courtesy of @ubiratansoares
- The `--min-severity` and `--min-confidence` flags for filtering results, courtesy (in part) of @Ninja3047
- Support for `# zizmor: ignore[rule]` comments, courtesy of @ubiratansoares
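To make the two result-filtering mechanisms in this list concrete, here is an added Python sketch, written for this page rather than taken from zizmor, that applies `--min-severity`/`--min-confidence` style thresholds and `# zizmor: ignore[rule]` comments to a constructed list of findings over a constructed workflow. The level orderings, the comma-separated multi-rule form of the ignore comment, the single-line matching of a comment to a finding, and the sample findings' rules, severities and confidences are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Added illustration, not zizmor's code. Orderings below (lowest to highest)
# are assumed; the release notes only name the flags.
SEVERITY_ORDER = ["unknown", "informational", "low", "medium", "high"]
CONFIDENCE_ORDER = ["unknown", "low", "medium", "high"]
# "# zizmor: ignore[rule]" as documented above; the comma-separated list is assumed.
IGNORE_RE = re.compile(r"#\s*zizmor:\s*ignore\[([^\]]*)\]")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int        # 1-based line of the flagged YAML node
    severity: str
    confidence: str


def collect_ignores(workflow_text):
    """Map each line number to the set of rules an inline comment suppresses there.

    Simplification: a comment inside a quoted YAML string would also match here;
    a real implementation would consult the parsed YAML's comment tokens.
    """
    ignores = {}
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = IGNORE_RE.search(line)
        if m:
            ignores[lineno] = {r.strip() for r in m.group(1).split(",") if r.strip()}
    return ignores


def meets_threshold(value, minimum, order):
    """True when `value` is at least `minimum` in `order` (no minimum keeps everything)."""
    if minimum is None:
        return True
    return order.index(value) >= order.index(minimum)


def filter_findings(findings, workflow_text, min_severity=None, min_confidence=None):
    """Drop findings suppressed by an inline comment on their line or below the thresholds."""
    ignores = collect_ignores(workflow_text)
    kept = []
    for f in findings:
        if f.rule in ignores.get(f.line, set()):
            continue
        if not meets_threshold(f.severity, min_severity, SEVERITY_ORDER):
            continue
        if not meets_threshold(f.confidence, min_confidence, CONFIDENCE_ORDER):
            continue
        kept.append(f)
    return kept


# Constructed sample workflow text (not a real repository's file).
SAMPLE_WORKFLOW = """\
name: constructed-example
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # zizmor: ignore[unpinned-uses]
      - run: echo "${{ github.event.pull_request.title }}"
      - run: echo "${{ github.event.pull_request.body }}"  # zizmor: ignore[template-injection, github-env]
"""

# Constructed findings; rule names are from this page, levels are made up for the demo.
SAMPLE_FINDINGS = [
    Finding("excessive-permissions", 4, "low", "high"),
    Finding("unpinned-uses", 7, "medium", "high"),
    Finding("artipacked", 7, "medium", "low"),
    Finding("template-injection", 8, "high", "high"),
    Finding("template-injection", 9, "high", "high"),
]

if __name__ == "__main__":
    for f in filter_findings(SAMPLE_FINDINGS, SAMPLE_WORKFLOW,
                             min_severity="medium", min_confidence="medium"):
        print(f"{f.rule} at line {f.line} ({f.severity}/{f.confidence})")
```

With no thresholds, the two commented-out findings (line 7's `unpinned-uses` and line 9's `template-injection`) are dropped and three remain; `--min-severity medium` additionally removes the low-severity `excessive-permissions` finding, and adding `--min-confidence medium` removes the low-confidence `artipacked` one, leaving only the template injection on line 8.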
New Features 🌈
- feat: adds support to inlined ignores by @ubiratansoares in #187
- feat: add `--min-severity` by @woodruffw in #193
- feat: add `--min-confidence` by @Ninja3047 in #196
- feat: adds new github-env audit by @ubiratansoares in #192
- feat: improve precision for github-env by @woodruffw in #199
- feat: generalized ignore comments by @woodruffw in #200
Documentation Improvements 📖
- docs: document ignore comments by @woodruffw in #190
- docs: usage: add note about support for ignore comments by @woodruffw in #191
- docs: add page descriptions by @woodruffw in #194
- docs: add more useful 3p references by @woodruffw in #198
New Contributors
- @Ninja3047 made their first contribution in #196
Full Changelog: v0.5.0...v0.6.0
v0.5.0
What's Changed
New Features 🌈
- feat: improve workflow registry error by @woodruffw in #172
- feat: unsecure-commands-allowed audit by @ubiratansoares in #176
Documentation Improvements 📖
- docs: rewrite audit docs by @woodruffw in #167
- docs: enable social card generation by @miketheman in #175
- docs: more badges by @woodruffw in #180
- docs: adds recommendations on how to add or change audits by @ubiratansoares in #182
New Contributors
- @chenrui333 made their first contribution in #90
Full Changelog: v0.4.0...v0.5.0