Issue #771: Add static analysis with zizmor. #799
Conversation
| jobs: | ||
| zizmor: | ||
| name: Run Zizmor Security Analysis | ||
| runs-on: ubuntu-latest |
There was a problem hiding this comment.
Pin the ubuntu version, so 26 doesn't break things later?
| runs-on: ubuntu-latest | |
| runs-on: ubuntu-24.04 |
|
Note from today's sync. Let's add this workflow directly to this Drainpipe project as a way to test it out. Then we can decide if this is something we want to include with Drainpipe. |
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
I added the testZizmor.yml to the GitHub workflows, and it ran successfully. However, github-advanced-security encountered an error here. Could you please review the error? The usage follows the instructions from the README in fabasoad/setup-zizmor-action. |
|
I’ve resolved several Zizmor issues. You can see that the Zizmor alerts have been closed here |
|
@elvism-lullabot Let's update this pull request so that it only scaffolds this file when Drainpipe is configured to run security checks. see: https://github.com/Lullabot/drainpipe?tab=readme-ov-file#security Also, we need to make sure all checks are passing before this can be merged. |
|
@mrdavidburns Do we need to move the Zizmor check into the scaffold folder and remove it from the GitHub workflows, or should we keep it there for this project? |
|
I'm still not 100% this should be shipped w/ Drainpipe. If we do it would need to be configurable and something we can turn on with configuration. cc @deviantintegral |
|
For the Zizmor configuration rules, we can use a zizmor.yml file to add or ignore specific rules (see: https://docs.zizmor.sh/configuration/). I also added a rule with a path under the ignore section: However, it seems this only works when using the file name (e.g., TestFunctional.yml ). In that case, the errors related to the rule in that file was marked as fixed after adding it to the ignore list. For enabling the configuration, we could consider using Security:Zizmor, which copies the configuration files from both security and zizmor, while keeping the Security configuration unchanged. |
|
Let's talk about this on the call tomorrow. |
|
@elvism-lullabot can you file a separate PR just to do the bit around pinning remote workflows? Like these lines:
|
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 |
Check warning
Code scanning / zizmor
detects commit SHAs that don't match their version comment tags Warning
See #771