Skip to content

Commit 39e2c4e

Browse files
authored
chore(vuln): bump zizmor scanner and scope-suppress scanner token (SEC-357) (#9)
🔒 Scanned for secrets using gitleaks 8.30.1
1 parent 2b398d1 commit 39e2c4e

1 file changed

Lines changed: 2 additions & 2 deletions

File tree

.github/workflows/zizmor.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@ jobs:
4343
with:
4444
app-id: ${{ vars.ZIZMOR_SCANNER_APP_ID }}
4545
private-key: ${{ secrets.ZIZMOR_SCANNER_PRIVATE_KEY }}
46-
owner: rudderlabs
46+
owner: rudderlabs # zizmor: ignore[github-app] org-wide read-only scanner token (contents+metadata: read); breadth is intentional for action-ref resolution, write exposure is nil
4747
permission-contents: read
4848
permission-metadata: read
4949

@@ -79,7 +79,7 @@ jobs:
7979
--volume "${GITHUB_WORKSPACE}:/workspace:ro" \
8080
--workdir "/workspace" \
8181
--env "GH_TOKEN=${SCANNER_TOKEN}" \
82-
"ghcr.io/zizmorcore/zizmor:1.23.1@sha256:a58f658823d78dd38762f1ce44e31265d636bbfb8b1462cef1dfb1af788d3b86" \
82+
"ghcr.io/zizmorcore/zizmor:1.26.1@sha256:d1117e5dbd9ee4970644067b534ab6ab50371f3c6f7f4d05446eb603a6e78f48" \
8383
--format=sarif \
8484
--persona=regular \
8585
--min-severity=medium \

0 commit comments

Comments
 (0)