Skip to content

feat(security): add zizmor GitHub Actions scanner across CI, mise, and pre-commit#230

Draft
scottschreckengaust wants to merge 2 commits into
mainfrom
feat/zizmor-security-scanner
Draft

feat(security): add zizmor GitHub Actions scanner across CI, mise, and pre-commit#230
scottschreckengaust wants to merge 2 commits into
mainfrom
feat/zizmor-security-scanner

Conversation

@scottschreckengaust

Copy link
Copy Markdown
Member

Refs #221

What

Wires zizmor (static analyzer for GitHub Actions) into all three layers, matching how every other scanner (bandit, semgrep, checkov, gitleaks) is already integrated.

Layer Change
CI New zizmor job in security-scanners.yml: uvx zizmor --format sarif .github/ → uploads SARIF to code scanning
pre-commit Official zizmorcore/zizmor-pre-commit hook (--offline), auto-scoped by pre-commit to changed workflow/action files
mise security:zizmor task (via uvx), added to the security aggregate that build runs

Bonus: added a grype pre-commit hook (local, manual stage) for parity with the CI grype job — no upstream grype hook exists, so it wraps the mise-provided grype.

Advisory, not blocking (yet)

A baseline run reports 72 pre-existing findings (1 high, 12 medium) across existing workflows — unrelated to adding zizmor. Per the standard "new scanner vs. existing backlog" playbook, this ships advisory:

  • CI: job runs, uploads SARIF, but exits 0 (::notice, not ::error) — does not fail the build.
  • mise: uvx zizmor ... || true — reports without failing mise run build.
  • pre-commit: the official hook only scans changed workflow files, so it enforces "leave touched workflows clean" without dumping the whole backlog on every commit.

Follow-up (tracked in #221): burn down the 72 findings, then flip CI/mise to gating by removing || true / gating on exit code.

Notes

  • No repo dependency added — zizmor runs via uvx (ephemeral, same pattern as pytest in feat(build): run unit tests in build via pytest #227). Pre-commit hook is pinned to v1.26.1.
  • zizmor 1.26.1's CLI emits native SARIF (--format sarif), so the CI job mirrors the bandit/grype SARIF-upload pattern exactly.

Verification

  • mise run security:zizmor → runs, reports findings, exits 0 (advisory).
  • pre-commit run zizmor --files .github/workflows/merge-prevention.ymlPassed.
  • pre-commit validate-config → valid; hook rev v1.26.1 confirmed to exist.
  • Workflow + pre-commit YAML parse; lint:md and fmt:check clean.

Generated with Claude Code


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

Wire zizmor into all three layers, matching the existing scanner pattern
(bandit/semgrep/checkov/gitleaks live in mise + pre-commit + CI):

- CI: new `zizmor` job in security-scanners.yml — runs `uvx zizmor
  --format sarif .github/`, uploads SARIF to code scanning. ADVISORY
  (exit 0) because the repo has a pre-existing findings backlog (#221);
  flip to gating once cleared.
- pre-commit: official zizmorcore/zizmor-pre-commit hook (--offline),
  scoped by pre-commit to changed workflow/action files — enforces
  "leave touched workflows clean" without failing on the whole backlog.
- mise: `security:zizmor` task (uvx, `|| true` advisory) added to the
  `security` aggregate that `build` runs.

Bonus: add a `grype` pre-commit hook (local, manual stage) for parity
with the CI grype job — no upstream hook exists, so it wraps the
mise-provided grype.

No repo dependency added — zizmor runs via uvx (ephemeral). Updates
AGENTS.md. Refs #221.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants