
Releases: zizmorcore/zizmor

v1.14.2

29 Sep 13:59
03af241

Bug Fixes 🐛

  • Fixed a bug where the use-trusted-publishing audit would produce false-positive findings for some run: blocks that implicitly performed trusted publishing (#1191)

v1.14.1

26 Sep 19:29
6c8b251

Bug Fixes 🐛

v1.14.0

26 Sep 14:16
b5334ce

New Features 🌈

  • New audit: ref-version-mismatch detects mismatches between hash-pinned action references and their version comments (#972)

    Many thanks to @segiddins for implementing this audit!

Enhancements 🌱

  • zizmor no longer uses the "Unknown" severity or confidence levels for any findings. All findings previously categorized at these levels are now given a more meaningful level (#1164)

  • The use-trusted-publishing audit now detects various Trusted Publishing patterns for the npm ecosystem (#1161)

    Many thanks to @KristianGrafana for implementing this improvement!

  • The unsound-condition audit now supports auto-fixes for many findings (#1089)

    Many thanks to @mostafa for implementing this improvement!

  • zizmor's error handling has been restructured, improving the quality of error messages and their associated suggestions (#1169)

Bug Fixes 🐛

  • Fixed a bug where the cache-poisoning audit would fail to detect some cache usage variants in newer versions of actions/setup-node (#1152)

  • Fixed a bug where the obfuscation audit would incorrectly flag some subexpressions as constant-reducible when they were not (#1170)

Deprecations ⚠️

  • The unknown values for --min-severity and --min-confidence are now deprecated. These values were already no-ops (and have been since introduction), and will be removed in a future release (#1164)

    Until removal, using these values will emit a warning.

v1.13.0

12 Sep 23:27
bcaa1bb

New Features 🌈

Enhancements 🌱

  • zizmor's configuration discovery behavior has been significantly refactored, making it easier to audit multiple independent inputs with their own configuration files (#1094)

    For most users, this change should cause no compatibility issues. For example, the following commands will continue to load the same configuration files as before:

    zizmor .
    zizmor .github/
    

    For other users, the behavior will change, but in a way that's intended to correct a long-standing bug with configuration discovery. In particular, the following commands will now behave differently:

    # OLD: would discover config in $CWD
    # NEW: will discover two different configs, one in each of the repos
    zizmor ./repoA ./repoB
    

    Separately from these changes, zizmor continues to support --config <path> and ZIZMOR_CONFIG with the exact same behavior as before.

    See Configuration - Discovery for a detailed explanation of the new behavior.

  • Audit rules can now be disabled entirely in zizmor's configuration. See rules.<id>.disable for details (#1132)

  • The obfuscation audit now supports auto-fixes for many findings (#1088)

Bug Fixes 🐛

  • zizmor now correctly honors --strict-collection when collecting from remote inputs. This also means that the default collection strictness has changed for remote inputs to match all other inputs (#1122)

  • Fixed a bug where zizmor would crash on certain UTF-8 inputs lacking an explicit final newline due to a bug in the annotate-snippets crate (#1136)

v1.12.1

15 Aug 04:28
dbc12d4

Bug Fixes 🐛

  • Fixed a bug where the cache-poisoning audit would incorrectly detect the opposite cases for cache enablement (#1081)

v1.12.0

13 Aug 13:22
982be23

New Features 🌈

Enhancements 🌱

  • The cache-poisoning audit now supports auto-fixes for many findings (#923)
  • The known-vulnerable-actions audit now supports auto-fixes for many findings (#1019)
  • zizmor is now stricter about parsing uses: clauses. In particular, zizmor will no longer accept uses: org/repo without a trailing @ref, as GitHub Actions itself does not accept this syntax (#1019)
  • The use-trusted-publishing audit now detects many more patterns, including cargo publish and other run: blocks that make use of publishing commands directly (#1042)
  • The insecure-commands audit now supports auto-fixes for many findings (#1045)
  • The template-injection audit now detects more action injection sinks (#1059)
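The stricter uses: parsing noted above (a bare org/repo with no @ref is rejected) and the ref-version-mismatch audit from v1.14.0 (a hash-pinned action whose trailing version comment does not match the tag the hash actually carries) can be illustrated together. The following is an added example, not zizmor's own code: it parses remote uses: clauses, classifies the ref, and compares a version comment against a constructed in-memory commit-to-tags table that stands in for a real lookup of the action repository's tags. The commit hash in the table is a fabricated placeholder.

```python
"""Added example (not zizmor's code): strict uses: parsing plus a ref/version-comment
mismatch check. The tag table below is constructed; a real check would query the
action repository's tags (e.g. via git ls-remote) instead."""
from __future__ import annotations

import re
from dataclasses import dataclass

# owner/repo[/path]@ref, optionally followed by a "# <comment>" version annotation.
_USES = re.compile(
    r"^(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?P<path>/[^@\s]*)?@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)
_SHA = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class UsesRef:
    repo: str
    ref: str
    comment: str | None

    @property
    def hash_pinned(self) -> bool:
        return bool(_SHA.match(self.ref))


def parse_uses(value: str) -> UsesRef:
    """Strict parser for remote action references. Local (./) and docker:// forms are
    out of scope for this example; a repository reference without @ref is rejected,
    mirroring what GitHub Actions itself requires."""
    value = value.strip()
    if value.startswith("./") or value.startswith("docker://"):
        raise ValueError(f"unsupported uses: form for this example: {value!r}")
    m = _USES.match(value)
    if not m:
        raise ValueError(f"malformed uses: clause (missing @ref?): {value!r}")
    return UsesRef(m["repo"], m["ref"], m["comment"])


# Constructed lookup table: commit hash -> tags pointing at it. The hash is a placeholder,
# not a real actions/checkout commit.
CONSTRUCTED_TAGS: dict[str, dict[str, set[str]]] = {
    "actions/checkout": {
        "0123456789abcdef0123456789abcdef01234567": {"v4", "v4.2.2"},
    },
}


def ref_version_mismatch(ref: UsesRef, tags_for=CONSTRUCTED_TAGS) -> str | None:
    """Return a finding message, or None when the version comment agrees with the hash.
    Only hash-pinned refs carrying a version-looking comment are checked; a comment
    that disagrees means a reader auditing the pin by eye is being misled."""
    if not ref.hash_pinned or ref.comment is None:
        return None
    comment = ref.comment.lstrip("@")
    if not re.match(r"^v?\d", comment):
        return None  # comment is not a version, nothing to compare against
    known = tags_for.get(ref.repo, {}).get(ref.ref)
    if known is None:
        return f"{ref.repo}@{ref.ref}: hash not present in tag table, cannot verify comment"
    if comment in known:
        return None
    return f"{ref.repo}@{ref.ref}: comment claims {comment} but hash is tagged {sorted(known)}"


if __name__ == "__main__":
    for clause in (
        "actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2",
        "actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3.6.0",
        "actions/checkout@v4",
    ):
        print(clause, "->", ref_version_mismatch(parse_uses(clause)))
```

A tag-pinned reference such as actions/checkout@v4 is deliberately not flagged by this check: the comment/hash comparison only makes sense where the ref is an immutable commit and the comment is the human-readable claim about it.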

Bug Fixes 🐛

  • Fixed a bug where --fix would fail to preserve comments when modifying block-style YAML mappings (#995)
  • Fixed a bug where zizmor would crash when given a GitHub API token with leading or trailing whitespace (#1027)
  • Fixed a bug where template-injection findings in --fix mode would be incorrectly patched when referencing an env.* context (#1052)
  • Fixed a bug where template-injection findings in --fix mode would be patched with shell syntax that didn't match the step's actual shell (#1064)

v1.11.1-rc1

02 Jul 23:20
3255874
Pre-release
chore: prep for 1.11.1-rc1 release (#1008)

v1.11.0

30 Jun 19:00
1cc8f93

New Features 🌈

Enhancements 🌱

Bug Fixes 🐛

  • Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

v1.10.0

26 Jun 18:31
39f229f

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈

  • New audit: anonymous-definition detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

    Many thanks to @andrewpollack for implementing this audit!

  • Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

    • artipacked: zizmor will attempt to add persist-credentials: false to actions/checkout steps that do not already have it.

    • template-injection: zizmor will attempt to rewrite run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate env: block to set FOO_BAR to the expression's evaluation.

    Read more about the new auto-fix mode in the documentation.

    Many thanks to @mostafa for implementing this feature!
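The two auto-fixes described above can be expressed as small transformations over a step. The following is an added example and not zizmor's own implementation: each step is modelled as a plain dict (the shape a YAML loader gives one entry of steps:) so it runs without a YAML dependency. The environment-variable naming scheme and the per-shell variable syntax are assumptions made for the illustration; the shell handling also covers the mismatch case fixed later in v1.12.0, where a fix emitted bash syntax into a step running a different shell.

```python
"""Added example (not zizmor's code): the artipacked and template-injection auto-fixes
as pure functions over a step dict. Naming scheme and shell syntax table are assumed."""
from __future__ import annotations

import re
from typing import Any, Callable

# ${{ <context path> }} where the path is dotted or index-style (github['actor']).
_EXPR = re.compile(r"\$\{\{\s*([A-Za-z_][\w.\-\[\]']*)\s*\}\}")


def env_name_for(expr: str) -> str:
    """github.event.issue.title -> GITHUB_EVENT_ISSUE_TITLE (assumed naming scheme)."""
    return re.sub(r"[^A-Za-z0-9]+", "_", expr).strip("_").upper()


# How an environment variable is referenced in each shell this example understands.
_ENV_SYNTAX: dict[str, Callable[[str], str]] = {
    "bash": lambda n: "${" + n + "}",
    "sh": lambda n: "${" + n + "}",
    "pwsh": lambda n: "$env:" + n,
    "powershell": lambda n: "$env:" + n,
}


def fix_template_injection(step: dict[str, Any]) -> dict[str, Any]:
    """Move every ${{ ... }} out of `run:` into `env:` and reference it as a shell
    variable, so the runner hands the context value to the script as data instead of
    splicing it into the script text. Steps using a shell this table does not know
    are left untouched rather than patched with the wrong syntax."""
    run = step.get("run")
    if not isinstance(run, str):
        return step
    shell = step.get("shell", "bash")  # assumption: treat an unset shell as bash
    render = _ENV_SYNTAX.get(shell)
    if render is None:
        return step
    env = dict(step.get("env") or {})

    def replace(m: re.Match[str]) -> str:
        expr = m.group(1)
        name = env_name_for(expr)
        env[name] = "${{ " + expr + " }}"
        return render(name)

    new_run = _EXPR.sub(replace, run)
    if new_run == run:
        return step
    return {**step, "run": new_run, "env": env}


def fix_artipacked(step: dict[str, Any]) -> dict[str, Any]:
    """Add persist-credentials: false to actions/checkout steps that do not set it,
    so the job token is not written into .git/config where later steps, or an
    uploaded artifact containing the checkout, could read it back."""
    uses = step.get("uses")
    if not isinstance(uses, str) or not uses.startswith("actions/checkout@"):
        return step
    with_ = dict(step.get("with") or {})
    if "persist-credentials" in with_:
        return step  # explicit value present (true or false); leave the author's choice
    with_["persist-credentials"] = False
    return {**step, "with": with_}


def fix_steps(steps: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Apply both auto-fixes to every step of a job."""
    return [fix_artipacked(fix_template_injection(s)) for s in steps]


if __name__ == "__main__":
    # Constructed sample job: a checkout without persist-credentials and a run block
    # that splices an externally controlled issue title straight into the script.
    sample = [
        {"uses": "actions/checkout@v4"},
        {"run": 'echo "Issue: ${{ github.event.issue.title }}"'},
    ]
    for fixed in fix_steps(sample):
        print(fixed)
```

On the sample job this yields with: {persist-credentials: false} on the checkout step and run: echo "Issue: ${GITHUB_EVENT_ISSUE_TITLE}" with a matching env: entry on the second step; a step declaring shell: pwsh gets $env:GITHUB_EVENT_ISSUE_TITLE instead.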

Enhancements 🌱

  • The artipacked audit now produces findings on composite action definitions, rather than just workflow definitions (#896)
  • The use-trusted-publishing audit now produces findings on composite action definitions, rather than just workflow definitions (#899)
  • The bot-conditions audit now detects more spoofable actor checks, including checks against well-known user IDs for bot accounts (#905)
  • The template-injection and other audits now produce more precise findings when analyzing env context accesses for static-ness (#911)
  • The template-injection audit now produces more precise findings when analyzing inputs context accesses (#919)
  • zizmor now produces more descriptive error messages when it fails to parse a workflow or action definition (#956)
  • The bot-conditions audit now returns precise spans for flagged actor checks, instead of flagging the entire if: value (#949)
  • The template-injection audit now returns precise spans for flagged contexts and expressions, instead of flagging the entire script block (#958)
  • The obfuscation audit now returns precise spans for flagged expressions (#969)
  • The obfuscation audit now detects computed indices (e.g. inputs.foo[inputs.bar]) as a potentially obfuscatory pattern (#969)

Bug Fixes 🐛

  • The template-injection audit no longer crashes when attempting to evaluate the static-ness of an environment context within a composite action uses: step (#887)
  • The bot-conditions audit now correctly analyzes index-style contexts, e.g. github['actor'] (#905)
  • Fixed a bug where zizmor would fail to parse expressions that contained >= or <= (#916)
  • Fixed a bug where zizmor would fail to parse expressions containing contexts with interstitial whitespace (#958)
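The bot-conditions improvements above (spoofable actor checks, including comparisons against well-known bot user IDs, and correct handling of index-style contexts such as github['actor']) together with the whitespace-tolerant expression parsing fix can be shown with one small detector. This is an added example, not zizmor's implementation: it scans an if: expression for comparisons of github.actor, github.triggering_actor or github.actor_id against a bot login or numeric ID, returns precise spans for each hit, and tolerates both dotted and index-style context access with interstitial whitespace. The set of actor contexts treated as spoofable and the remediation text in the finding are this example's own choices.

```python
"""Added example (not zizmor's code): find spoofable actor checks in a GitHub Actions
`if:` expression and report them with character spans."""
from __future__ import annotations

import re

# github.actor / github . actor / github['actor'] / github[ 'actor' ], for the three
# actor-ish contexts this example treats as spoofable.
_CTX = (
    r"github\s*(?:\.\s*(?P<dot>actor_id|actor|triggering_actor)\b"
    r"|\[\s*'(?P<idx>actor_id|actor|triggering_actor)'\s*\])"
)
_LIT = r"'(?P<lit>[^']*)'"
# Both operand orders: github.actor == 'x[bot]' and 'x[bot]' == github.actor.
_CTX_FIRST = re.compile(rf"{_CTX}\s*(?:==|!=)\s*{_LIT}")
_LIT_FIRST = re.compile(rf"{_LIT}\s*(?:==|!=)\s*{_CTX}")


def _is_bot_identity(ctx: str, lit: str) -> bool:
    """Login-style checks compare against an app login such as 'dependabot[bot]';
    actor_id checks compare against a numeric user ID."""
    if ctx == "actor_id":
        return lit.isdigit()
    return lit.endswith("[bot]")


def spoofable_actor_checks(condition: str) -> list[tuple[int, int, str]]:
    """Return (start, end, message) for each spoofable actor comparison in `condition`.
    github.actor reflects whoever caused the run (for example, the user who re-ran the
    workflow), not the author of the pull request, so gating privileged steps on it
    is unreliable; the message suggests the event payload's author field instead."""
    findings: list[tuple[int, int, str]] = []
    for pattern in (_CTX_FIRST, _LIT_FIRST):
        for m in pattern.finditer(condition):
            ctx = m["dot"] or m["idx"]
            if not _is_bot_identity(ctx, m["lit"]):
                continue
            msg = (
                f"github.{ctx} compared against bot identity {m['lit']!r} is spoofable; "
                "on pull_request events compare github.event.pull_request.user.login instead"
            )
            findings.append((m.start(), m.end(), msg))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample conditions, including index-style access and stray whitespace.
    samples = [
        "github.actor == 'dependabot[bot]'",
        "github['actor'] == 'dependabot[bot]' && github.event_name == 'pull_request'",
        "github . actor == 'renovate[bot]'",
        "github.actor_id == '12345'",  # constructed ID, not a real bot account's
        "github.event.pull_request.user.login == 'dependabot[bot]'",
    ]
    for cond in samples:
        for start, end, msg in spoofable_actor_checks(cond):
            print(f"{cond!r}: [{start}:{end}] {cond[start:end]!r}: {msg}")
```

The last sample produces no finding: github.event.pull_request.user.login comes from the event payload that describes the pull request itself, which is the identity a bot-only gate is actually trying to test.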

v1.9.0

30 May 21:30
5fbfaeb

New Features 🌈

  • zizmor now supports generating completions for Nushell (#838)

Enhancements 🌱

  • The template-injection audit has been rewritten, and is now significantly more precise and general over contexts supplied via GitHub's webhook payloads (i.e. github.event.*) (#745)
  • The template-injection audit now detects vulnerable template injections in more actions inputs, thanks to an integration with CodeQL's sink metadata (#849)

Bug Fixes 🐛

  • The insecure-commands audit now correctly detects different truthy values in ACTIONS_ALLOW_UNSECURE_COMMANDS (#840)
  • The template-injection audit now correctly emits pedantic findings in a blanket manner, rather than filtering them based on the presence of other findings (#745)
  • CLI: Fixed a misleading error message when zizmor is used with a GitHub host other than github.com (#863)