Releases: zizmorcore/zizmor
v1.9.0
New Features
- zizmor now supports generating completions for Nushell (#838)
Enhancements
- The template-injection audit has been rewritten, and is now significantly more precise and general over contexts supplied via GitHub's webhook payloads (i.e. github.event.*) (#745)
- The template-injection audit now detects vulnerable template injections in more actions inputs, thanks to an integration with CodeQL's sink metadata (#849)
Bug Fixes
- The insecure-commands audit now correctly detects the different truthy values of ACTIONS_ALLOW_UNSECURE_COMMANDS (#840)
- The template-injection audit now correctly emits pedantic findings in a blanket manner, rather than filtering them based on the presence of other findings (#745)
- CLI: Fixed a misleading error message when zizmor is used with a GitHub host other than github.com (#863)
v1.8.0
Announcements
- zizmor's website has changed! The new website is hosted at docs.zizmor.sh. The old website will redirect to the new one for a while, but users should update any old links in preparation for the v1.8.0 release, which will likely remove the redirects entirely (#769)
- zizmor is now hosted under the @zizmorcore GitHub organization as zizmorcore/zizmor. The old repository at woodruffw/zizmor will redirect to the new one, but users should update any old links to limit confusion
New Features
- zizmor now supports the ZIZMOR_CONFIG environment variable as an alternative to --config (#789)
Bug Fixes
- zizmor now correctly handles index-style contexts in the template-injection audit (#800, #806)
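The template-injection changes above (precision over github.event.* contexts in v1.9.0, and index-style contexts in v1.8.0) all concern the same bug class: an attacker-controlled webhook field expanded with ${{ ... }} directly inside a run: script, where the expansion is plain text substitution into the shell. The following is an added example, not zizmor's code: a small Python checker that extracts run: steps from a workflow, normalizes index-style access (github.event['pull_request']['title']) to dotted form so both spellings are caught, and flags expressions that reference a constructed, deliberately short list of attacker-controlled contexts (zizmor's real list is broader). The run: extractor is line-based rather than a YAML parser, and both workflows are constructed for the example; the hardened variant shows the standard fix of routing the value through an environment variable.

```python
import re

# Constructed subset of webhook-payload contexts that anyone who can open a PR
# or issue controls. zizmor's own list is broader; this one is an assumption.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.comment.body",
    "github.event.head_commit.message",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}", re.S)
# github.event['pull_request']["title"]  ->  github.event.pull_request.title
INDEX_RE = re.compile(r"\[\s*(['\"])([A-Za-z0-9_-]+)\1\s*\]")
CONTEXT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z0-9_-]+)+")
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def normalize_context(expr: str) -> str:
    """Rewrite index-style member access into dotted form so both spellings
    of the same context compare equal."""
    return INDEX_RE.sub(lambda m: "." + m.group(2), expr.strip())


def is_untrusted(context: str) -> bool:
    return any(context == c or context.startswith(c + ".") for c in UNTRUSTED_CONTEXTS)


def run_steps(workflow_text: str):
    """Yield (line_no, script) for every `run:` step. Inline values and `|`/`>`
    block scalars are handled by collecting lines indented deeper than the key.
    This is a line-based approximation, not a YAML parser."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3)
        body = [] if value.startswith(("|", ">")) else [value]
        line_no = i + 1
        i += 1
        while i < len(lines) and (
            not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > key_col
        ):
            body.append(lines[i].strip())
            i += 1
        yield line_no, "\n".join(body)


def audit_template_injection(workflow_text: str):
    """Return (line_no, context) for each attacker-controlled context that is
    expanded directly inside a `run:` script."""
    findings = []
    for line_no, script in run_steps(workflow_text):
        for expr in EXPR_RE.findall(script):
            for context in CONTEXT_RE.findall(normalize_context(expr)):
                if is_untrusted(context):
                    findings.append((line_no, context))
    return findings


# Constructed vulnerable workflow: the dotted and the index-style spelling of
# the PR title both land, unquoted by the runner, in the shell command line.
VULNERABLE_WORKFLOW = """\
on: pull_request_target
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
      - name: same thing, index-style
        run: |
          echo "${{ github.event['pull_request']['title'] }}"
          echo "PR number: ${{ github.event.pull_request.number }}"
"""

# Constructed hardened form: the value goes through an environment variable,
# so the shell sees $TITLE as data rather than the attacker's text as code.
HARDENED_WORKFLOW = """\
on: pull_request_target
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_template_injection(wf))
```

The vulnerable workflow yields two findings (lines 6 and 8, both github.event.pull_request.title) and the hardened one none; github.event.pull_request.number is deliberately not in the constructed list, which is the precision point: not every github.event.* field is attacker-controlled text.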
v1.8.0-rc3
fix(ci): tell gh release upload where to go (#834)
v1.8.0-rc1
fix: don't use wildcards for in-workspace deps (#832)
v1.8.0-rc0
chore: prep prerelease v1.8.0-rc0 (#831)
v1.7.0
See https://docs.zizmor.sh/release-notes/#v170 for full release notes.
v1.6.0
See https://woodruffw.github.io/zizmor/release-notes/#v160 for full release notes.
v1.5.2
Bug Fixes
- Fixed a bug where zizmor would over-eagerly parse invalid and commented-out expressions, resulting in spurious warnings (#570)
- Fixed a bug where zizmor would fail to honor `# zizmor: ignore[rule]` comments in unintuitive cases (#612)
- Fixed a regression in zizmor's SARIF output format that caused suboptimal presentation of findings on GitHub (#621)
Upcoming Changes
- The official PyPI builds for zizmor will support fewer architectures in the next release, due to cross-compilation and testing difficulties. This should have no effect on the overwhelming majority of users. See #603 for additional details.
v1.5.1
v1.5.0
New Features
- The overprovisioned-secrets audit now detects indexing operations on the secrets context that result in overprovisioning (#573)
- zizmor now ignores patterns in .gitignore (and related files, like .git/info/exclude) by default when performing input collection. This makes input collection significantly faster for users with local development state and more closely reflects typical user expectations. Users who wish to explicitly collect everything regardless of ignore patterns can continue to use --collect=all (#575)
- zizmor now has a --no-progress flag that disables progress bars, even if the terminal supports them (#589)
- zizmor now has a --color flag that controls when zizmor's output is colorized (beyond basic terminal detection) (#586)
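The overprovisioned-secrets item above (#573) is about indexing the secrets context with a value computed at run time, such as secrets[format('{0}_TOKEN', matrix.env)]: the job then has to be able to resolve every candidate name, so it holds more secrets than any single run uses, much like toJSON(secrets) exposes all of them at once. The following is an added example, not zizmor's code: a Python checker that distinguishes a single named secret (secrets.X, or the equivalent static index secrets['X']) from a dynamic index or a whole-context use. The workflow is constructed for the example.

```python
import re

EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}", re.S)
# secrets[<anything up to the closing bracket>]
SECRETS_INDEX_RE = re.compile(r"\bsecrets\s*\[\s*([^\]]*?)\s*\]")
# The entire context: toJSON(secrets), or a bare `secrets` expression.
WHOLE_CONTEXT_RE = re.compile(r"toJSON\s*\(\s*secrets\s*\)|^\s*secrets\s*$", re.I)
# A quoted literal name: secrets['DEPLOY_TOKEN'] is the same as secrets.DEPLOY_TOKEN.
STATIC_INDEX_RE = re.compile(r"(['\"])[A-Za-z_][A-Za-z0-9_]*\1")


def classify_secrets_use(expr: str):
    """Return None for a single named secret, 'whole-context' when every secret
    is exposed, or 'dynamic-index' when the secret name is computed at run time
    (so the job must be granted every name the index could resolve to)."""
    if WHOLE_CONTEXT_RE.search(expr):
        return "whole-context"
    for index in SECRETS_INDEX_RE.findall(expr):
        if not STATIC_INDEX_RE.fullmatch(index):
            return "dynamic-index"
    return None


def audit_overprovisioned_secrets(workflow_text: str):
    """Return (line_no, kind) for every expression that overprovisions secrets."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        for expr in EXPR_RE.findall(line):
            kind = classify_secrets_use(expr)
            if kind:
                findings.append((line_no, kind))
    return findings


# Constructed workflow: two fine uses, one dynamic index, one whole-context dump.
SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    strategy:
      matrix:
        env: [staging, prod]
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh
        env:
          OK: ${{ secrets.DEPLOY_TOKEN }}
          ALSO_OK: ${{ secrets['DEPLOY_TOKEN'] }}
          DYNAMIC: ${{ secrets[format('{0}_DEPLOY_TOKEN', matrix.env)] }}
          EVERYTHING: ${{ toJSON(secrets) }}
"""

if __name__ == "__main__":
    for line_no, kind in audit_overprovisioned_secrets(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {kind}")
```

Only the DYNAMIC and EVERYTHING lines are reported; the static-index form on ALSO_OK is treated as equivalent to the dotted form, which is the distinction the audit has to make to avoid noise.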
Bug Fixes
- Fixed zizmor's path presentation behavior to correctly present unambiguous paths in both SARIF and "plain" outputs when multiple input directories are given (#572)