🧪 Integrate Zizmor checks into GHA CI/CD 🌈 #16268
base: devel
Conversation
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
38a8fe3 to 7a16c63
Checks aren't working, try rebase. And I looked at the overview: https://github.com/ansible/awx/security/code-scanning?query=pr%3A16268+is%3Aopen and correct me if I'm wrong, but it seems to be the same as the SonarCloud output? Is that the intent? We already see these regularly. @chrismeyersfsu started addressing some of the issues, but it seems to be a manual process, which makes no sense. I'm fine to get a patch for each of the issues, approve+merge or reject. Because I see no reason that can't be automated.... but I guess I don't see what this does that helps?
This was because of GitHub's outage yesterday. Rebased now to re-trigger.
No idea, that page is 404 for me as I don't have access to see it. FTR, I've never seen SonarCloud assessing security and common issues with setting up GHA, nor have I seen it being configurable. It's a black box that does something but it was never useful to me. Maybe @woodruffw knows of a better comparison.
This basically helps avoid using commonly known insecure practices in GH Actions+Workflows. And yes, it automates checking for typical mistakes. You aren't limited to seeing the reports in GH UI; it can be invoked locally, I just wanted to start w/ the integration that would surface new problems in PRs right away. It also has an auto-fixing mode where possible: https://docs.zizmor.sh/usage/#auto-fixing-results Here's the list of rules it currently checks, with a well-written explanation for each: https://docs.zizmor.sh/audits/
This linter guards against common insecure setups in GitHub Actions and Workflows. It is authored and maintained by a member of the PyPA, a contributor to PyPI, and a former employee of Trail of Bits. Ref: https://zizmor.sh
7a16c63 to b1bd8d2
Yeah, I'm not aware of a commercial product that has a similar footprint. I know a few commercial tools have begun to integrate or use zizmor internally though, so I suppose it isn't out of the question that SonarCloud does that for zizmor. But I wouldn't know for certain 🙂 (The closest equivalents I'm aware of are GitHub's own CodeQL, plus poutine from Boost Security. But I feel somewhat confident in saying that zizmor has the best coverage + actionability defaults of the major tools.)
I see, it does seem different. Zizmor gives 138 items, SonarCloud gives 1,146, and when I dive in, some are qualitatively reporting the same thing (like unpinned github action reference) but worded differently.
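To make concrete what an "unpinned GitHub Action reference" (the finding both tools report, per the comments above) actually looks like, here is an added example that is not code from this PR, the awx project, or zizmor itself: a deliberately simplified check in Python, modelled on the idea behind zizmor's unpinned-uses audit, that flags `uses:` references not pinned to a full 40-hex commit SHA. A tag such as `@v4` or a branch such as `@main` is mutable and can be moved by whoever controls the action repository, so the workflow runs whatever that ref points to at the time; a commit SHA is immutable. The workflow text and the SHA in it are constructed for the example (the SHA is a placeholder, not a real commit), and the regex-based parsing is a simplification that does not handle every YAML layout.

```python
import re

# Constructed sample workflow (not from the awx repository). It mixes
# mutable refs, a SHA-pinned step, a local action and a docker reference.
# The 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/tool:latest
      - uses: some-org/some-action@main
      - uses: some-org/other-action
      - run: make test
"""

# Matches a `uses:` key at any indentation, with or without the list dash.
# A trailing "# v5" style comment is ignored because \S+ stops at whitespace.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """Return a finding string for one `uses:` value, or None when the
    reference is acceptable to this check.

    Accepted: a full commit SHA after '@', a local action ('./...'), or a
    docker:// image (this simplified check does not judge image tags).
    Flagged: no '@' at all (resolves to the action's default branch) or a
    tag/branch/short SHA, all of which can change underneath the workflow.
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return f"{ref}: no ref given, resolves to the default branch"
    action, _, git_ref = ref.partition("@")
    if FULL_SHA_RE.match(git_ref):
        return None
    return f"{action}: pinned to mutable ref '{git_ref}', not a full commit SHA"


def find_unpinned_uses(workflow_text):
    """Scan workflow text line by line and return (line_number, finding)
    pairs for every `uses:` reference that classify_ref() flags."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        finding = classify_ref(match.group(1))
        if finding is not None:
            findings.append((lineno, finding))
    return findings


if __name__ == "__main__":
    for lineno, finding in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {finding}")
```

Run against the constructed workflow this reports lines 7, 11 and 12; the SHA-pinned `setup-python` step, the local action and the docker reference pass. The remediation the real linter points at is the same in each case: replace the tag or branch with the commit it currently resolves to and keep the human-readable version in a trailing comment, as the `setup-python` line does.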