
chore(precommit): scope zizmor hook to workflows, actions and dependabot#10997

Merged
pfe-nazaries merged 2 commits into
masterfrom
fix/pre-commit-zizmor-glob
May 12, 2026

Conversation

pfe-nazaries (Contributor) commented May 5, 2026

Context

The zizmor pre-commit hook in .pre-commit-config.yaml was configured with files: ^\.github/, which matches any file under .github/. zizmor only audits GitHub Actions workflows, composite actions and Dependabot configs, so any commit touching a non-auditable .github/ file (issue templates, labeler.yml, CODEOWNERS, the labeler-action config, zizmor.yml itself, …) failed the hook with exit code 3:

zizmor...................................................................Failed
- hook id: zizmor
- exit code: 3

  WARN collect_inputs: zizmor::registry::input: failed to validate input as workflow:
  input does not match expected validation schema
  fatal: no audit was performed
  error: no inputs collected

Reproducible on master today: the recent issue-template addition (.github/ISSUE_TEMPLATE/new-check-request.yml, #10976) is enough to break the hook for anyone whose chain runs zizmor on those paths.

Description

Narrow the files: regex to the inputs zizmor actually audits:

files: ^\.github/(workflows|actions)/.+\.ya?ml$|^\.github/dependabot\.ya?ml$

Coverage matrix (verified with prek run zizmor --files <path>):

| Path | Before | After | Audited by zizmor? |
|---|---|---|---|
| .github/workflows/api-bump-version.yml | run | run | ✓ yes (workflow) |
| .github/actions/<x>/action.yml | run | run | ✓ yes (composite action) |
| .github/dependabot.yml | run | run | ✓ yes |
| .github/ISSUE_TEMPLATE/new-check-request.yml | fail (exit 3) | skip | ✓ no |
| .github/labeler.yml / CODEOWNERS / zizmor.yml / pull_request_template.md | run-then-fail or skip | skip | ✓ no |
| .pre-commit-config.yaml (manifest) | n/a | skip | ✓ no |

An inline comment in the hook block records the why, so the next maintainer doesn't broaden the regex back.

Steps to review

prek run zizmor --files .github/workflows/api-bump-version.yml         # passes
prek run zizmor --files .github/ISSUE_TEMPLATE/new-check-request.yml   # skipped, no error
prek run zizmor --files .github/labeler.yml                            # skipped, no error

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? No

UI

  • All issue/task requirements work as expected on the UI — N/A
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px) — N/A
  • Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px) — N/A
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px) — N/A
  • Ensure new entries are added to CHANGELOG.md, if applicable. — N/A

API

  • All issue/task requirements work as expected on the API — N/A
  • Endpoint response output (if applicable) — N/A
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable) — N/A
  • Performance test results (if applicable) — N/A
  • Any other relevant evidence of the implementation (if applicable) — N/A
  • Verify if API specs need to be regenerated. — N/A
  • Check if version updates are required (e.g., specs, Poetry, etc.). — N/A
  • Ensure new entries are added to CHANGELOG.md, if applicable. — N/A

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

The zizmor pre-commit hook used `files: ^\.github/`, which matched any
file under `.github/` — including issue templates, the labeler config,
CODEOWNERS, etc. zizmor only audits GitHub Actions workflows, composite
actions and Dependabot configs, so on any commit that touched a
non-auditable `.github/` file it failed with `exit code 3`:

    failed to validate input as workflow: input does not match expected
    validation schema
    fatal: no audit was performed
    error: no inputs collected

Narrow the regex to `^\.github/(workflows|actions)/.+\.ya?ml$|^\.github/dependabot\.ya?ml$`
so zizmor only inspects what it can audit. Verified locally: the hook
skips on `.github/ISSUE_TEMPLATE/*.yml` and the manifest file itself,
and still runs (and passes) on `.github/workflows/api-bump-version.yml`.
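As an added example (not code from the PR or the Prowler repository), the script below applies the old and new `files:` patterns to the paths from the coverage matrix and reports which ones would still be handed to zizmor. It assumes pre-commit's behaviour of matching `files:` as a Python regex search against the repo-relative path; the composite-action name and the extra `README.md` path are constructed.

```python
"""Compare the old and new zizmor `files:` regexes against the coverage-matrix paths."""
import re

# Pattern before the change: everything under .github/ (too broad).
BEFORE = r"^\.github/"
# Pattern after the change: only workflows, composite actions and dependabot config.
AFTER = r"^\.github/(workflows|actions)/.+\.ya?ml$|^\.github/dependabot\.ya?ml$"

# Paths from the PR's coverage matrix. The action name and the README under
# .github/actions/ are constructed to show that non-YAML files there are skipped too.
PATHS = [
    ".github/workflows/api-bump-version.yml",
    ".github/actions/setup-python/action.yml",
    ".github/dependabot.yml",
    ".github/ISSUE_TEMPLATE/new-check-request.yml",
    ".github/labeler.yml",
    ".github/CODEOWNERS",
    ".github/zizmor.yml",
    ".github/pull_request_template.md",
    ".pre-commit-config.yaml",
    ".github/actions/setup-python/README.md",  # constructed extra case
]


def selected(pattern: str, path: str) -> bool:
    """True if a `files:` regex (assumed: applied with re.search) selects `path`."""
    return re.search(pattern, path) is not None


def coverage(paths=PATHS) -> dict:
    """Map each path to (selected by BEFORE, selected by AFTER)."""
    return {p: (selected(BEFORE, p), selected(AFTER, p)) for p in paths}


def newly_skipped(paths=PATHS) -> list:
    """Paths the old regex sent to zizmor (and that made it exit 3) but the new one skips."""
    return [p for p, (before, after) in coverage(paths).items() if before and not after]


if __name__ == "__main__":
    for path, (before, after) in coverage().items():
        b = "run" if before else "skip"
        a = "run" if after else "skip"
        print(f"{path:48} before={b:4} after={a}")
```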
@pfe-nazaries pfe-nazaries requested a review from a team as a code owner May 5, 2026 08:06
@pfe-nazaries pfe-nazaries added the no-changelog Skip including change in changelog/release notes label May 5, 2026
github-actions Bot commented May 5, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

github-actions Bot commented May 5, 2026

🔒 Container Security Scan

Image: prowler:6835aea
Last scan: 2026-05-05 08:15:19 UTC

📊 Vulnerability Summary

| Severity | Count |
|---|---|
| 🔴 Critical | 5 |
| Total | 5 |

5 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


Keep only the load-bearing why (zizmor's audit surface + the exit-3
failure mode); the regex history and file list lived in the commit/PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@pfe-nazaries pfe-nazaries merged commit 1fd6c51 into master May 12, 2026
19 checks passed
@pfe-nazaries pfe-nazaries deleted the fix/pre-commit-zizmor-glob branch May 12, 2026 08:06