feat(security): add zizmor GitHub Actions scanner across CI, mise, and pre-commit#230
Draft
scottschreckengaust wants to merge 2 commits into
Draft
feat(security): add zizmor GitHub Actions scanner across CI, mise, and pre-commit#230scottschreckengaust wants to merge 2 commits into
scottschreckengaust wants to merge 2 commits into
Conversation
Wire zizmor into all three layers, matching the existing scanner pattern (bandit/semgrep/checkov/gitleaks live in mise + pre-commit + CI): - CI: new `zizmor` job in security-scanners.yml — runs `uvx zizmor --format sarif .github/`, uploads SARIF to code scanning. ADVISORY (exit 0) because the repo has a pre-existing findings backlog (#221); flip to gating once cleared. - pre-commit: official zizmorcore/zizmor-pre-commit hook (--offline), scoped by pre-commit to changed workflow/action files — enforces "leave touched workflows clean" without failing on the whole backlog. - mise: `security:zizmor` task (uvx, `|| true` advisory) added to the `security` aggregate that `build` runs. Bonus: add a `grype` pre-commit hook (local, manual stage) for parity with the CI grype job — no upstream hook exists, so it wraps the mise-provided grype. No repo dependency added — zizmor runs via uvx (ephemeral). Updates AGENTS.md. Refs #221. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Refs #221
What
Wires zizmor (static analyzer for GitHub Actions) into all three layers, matching how every other scanner (bandit, semgrep, checkov, gitleaks) is already integrated.
zizmorjob insecurity-scanners.yml:uvx zizmor --format sarif .github/→ uploads SARIF to code scanningzizmorcore/zizmor-pre-commithook (--offline), auto-scoped by pre-commit to changed workflow/action filessecurity:zizmortask (viauvx), added to thesecurityaggregate thatbuildrunsBonus: added a
grypepre-commit hook (local,manualstage) for parity with the CI grype job — no upstream grype hook exists, so it wraps the mise-provided grype.Advisory, not blocking (yet)
A baseline run reports 72 pre-existing findings (1 high, 12 medium) across existing workflows — unrelated to adding zizmor. Per the standard "new scanner vs. existing backlog" playbook, this ships advisory:
::notice, not::error) — does not fail the build.uvx zizmor ... || true— reports without failingmise run build.Follow-up (tracked in #221): burn down the 72 findings, then flip CI/mise to gating by removing
|| true/ gating on exit code.Notes
uvx(ephemeral, same pattern as pytest in feat(build): run unit tests in build via pytest #227). Pre-commit hook is pinned tov1.26.1.--format sarif), so the CI job mirrors the bandit/grype SARIF-upload pattern exactly.Verification
mise run security:zizmor→ runs, reports findings, exits 0 (advisory).pre-commit run zizmor --files .github/workflows/merge-prevention.yml→ Passed.pre-commit validate-config→ valid; hook revv1.26.1confirmed to exist.lint:mdandfmt:checkclean.Generated with Claude Code
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.