Releases: zizmorcore/zizmor
v1.4.1
v1.4.0
This release comes with one new audit (unredacted-secrets), plus a handful of bugfixes and analysis improvements to existing audits. It also comes with improvements to SARIF presentation and ignore comments, as well as an official Docker image!
New Features
- zizmor now has official Docker images! You can find them on the GitHub Container Registry under ghcr.io/woodruffw/zizmor (#532)
- New audit: unredacted-secrets detects secret accesses that are not redacted in logs (#549)
Improvements
- SARIF outputs are now slightly more aligned with GitHub Code Scanning expectations (#528)
- # zizmor: ignore[rule] comments can now have trailing explanations, e.g. # zizmor: ignore[rule] because reasons (#531)
- The bot-conditions audit now detects github.triggering_actor as another spoofable actor check (#559)
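The bot-conditions check described above (introduced in v1.2.0 for github.actor and extended here to github.triggering_actor), as an added Python approximation that is not zizmor's own code: it walks an already-parsed workflow and reports `if:` conditions that trust either actor context under a privileged trigger. The trigger set, the `find_spoofable_actor_checks` helper and the sample workflow are assumptions constructed for this example.

```python
import re

# Assumption for this example (not zizmor's own list): triggers under which a
# workflow runs with repository-level privileges, so an actor check gating
# behaviour here is worth flagging.
DANGEROUS_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run"}

# Both contexts name whoever caused the run, which a third party can influence
# (e.g. by re-running or commenting), so an `if:` trusting either is spoofable.
ACTOR_CONTEXT_RE = re.compile(r"\bgithub\.(actor|triggering_actor)\b")

def triggers_of(workflow):
    """Normalise the `on:` key, which YAML allows as a string, list or mapping."""
    on = workflow.get("on", {})
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())

def find_spoofable_actor_checks(workflow):
    """Return (job_id, step_index or None, expression) for each flagged `if:`."""
    findings = []
    if not triggers_of(workflow) & DANGEROUS_TRIGGERS:
        return findings  # actor checks under ordinary triggers are not flagged
    for job_id, job in workflow.get("jobs", {}).items():
        cond = job.get("if")
        if isinstance(cond, str) and ACTOR_CONTEXT_RE.search(cond):
            findings.append((job_id, None, cond))
        for idx, step in enumerate(job.get("steps", [])):
            cond = step.get("if")
            if isinstance(cond, str) and ACTOR_CONTEXT_RE.search(cond):
                findings.append((job_id, idx, cond))
    return findings

# Constructed sample workflow, given here already parsed from YAML into a dict.
SAMPLE_WORKFLOW = {
    "on": {"pull_request_target": {}},
    "jobs": {
        "auto-merge": {
            "if": "github.actor == 'dependabot[bot]'",
            "steps": [{"run": "gh pr merge --auto"}],
        },
        "label": {"steps": [
            {"if": "${{ github.triggering_actor == 'renovate[bot]' }}", "run": "echo ok"},
            {"if": "github.event.pull_request.draft == false", "run": "echo ok"},
        ]},
    },
}
```

Running `find_spoofable_actor_checks(SAMPLE_WORKFLOW)` flags the job-level github.actor gate and the step-level github.triggering_actor gate, but not the draft-status condition.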
Bug Fixes
- Fixed a bug where zizmor would fail to parse workflows with workflow_dispatch triggers that contained non-string inputs (#563)
Upcoming Changes
- The next minor release of zizmor will be built with Rust 2024. This should have no effect on most users, but may require users who build zizmor from source to update their Rust toolchain.
v1.3.1
Improvements
- Passing both --offline and a GitHub token (either implicitly with GH_TOKEN or explicitly with --gh-token) no longer results in an error. --offline is now given precedence, regardless of any other flags or environment settings (#519)
Bug Fixes
- Fixed a bug where zizmor would fail to parse composite actions with inputs/outputs that are missing descriptions (#502)
- Expressions that contain indices with non-semantic whitespace are now parsed correctly (#511)
- Fixed a false positive in ref-confusion where partial tag matches were incorrectly considered confusable (#519)
- Fixed a bug where zizmor would fail to parse workflow definitions with an expression inside strategy.max-parallel (#522)
v1.3.0
This release comes with one new audit (overprovisioned-secrets), plus a handful of bugfixes and analysis improvements to existing audits. It also comes with a special easter egg for those who wish to kvell about their audit results.
New Features
- New audit: overprovisioned-secrets detects uses of the secrets context that result in excessive secret provisioning (#485)
- Added a special naches mode for when you're feeling particularly proud of your audit results (#490)
Improvements
- zizmor produces slightly more informative error messages when given an invalid input file (#482)
- Case insensitivity in contexts is now handled more consistently and pervasively (#491)
Bug Fixes
v1.2.2
v1.2.1
v1.2.0
This release comes with one new audit (bot-conditions), plus a handful of bugfixes and analysis improvements to existing audits.
One bugfix in this release is also a slight behavior change: zizmor now emits SARIF outputs with absolute paths. This should not affect most users, but may make it slightly harder to share SARIF outputs between machines without fully reproducing exact file paths. If this affects you, please let us know!
New Features
- New audit: bot-conditions detects spoofable uses of github.actor within dangerous triggers (#460)
Improvements
- The unpinned-uses audit no longer flags local reusable workflows or actions as unpinned/unhashed (#439)
- The excessive-permissions audit has been refactored, and better captures both true positive and true negative cases (#441)
- The SARIF output mode (--format=sarif) now always returns absolute paths in its location information, rather than attempting to infer a (sometimes incorrect) repository-relative path (#453)
- zizmor now provides manylinux wheel builds for aarch64 (#457)
Bug Fixes
- The template-injection audit no longer considers github.event.pull_request.base.sha dangerous (#445)
- The artipacked audit now correctly handles the strings 'true' and 'false' as their boolean counterparts (#448)
- Expressions that span multiple source lines are now parsed correctly (#461)
- Workflows that contain timeout-minutes: ${{ expr }} are now parsed correctly (#462)
v1.1.1
v1.1.0
This release comes with one new audit (secrets-inherit), plus a slew of bugfixes and internal refactors that unblock future improvements!
Added
- New audit: secrets-inherit detects use of secrets: inherit with reusable workflow calls (#408)
Improved
- The template-injection audit now detects injections in calls to azure/cli and azure/powershell (#421)
Fixed
- The template-injection audit no longer considers github.server_url dangerous (#412)
- The template-injection audit no longer crashes when evaluating the static-ness of an environment for a uses: step (#420)
v1.0.1
This is a small quality and bugfix release. Thank you to everybody who helped by reporting and shaking out bugs from our first stable release!
Improved
- The github-env audit now detects dangerous writes to GITHUB_PATH, is more precise, and can produce multiple findings per run block (#391)
Fixed
- workflow_call.secrets keys with missing values are now parsed correctly (#388)
- The cache-poisoning audit no longer incorrectly treats docker/build-push-action as a publishing workflow if push: false is explicitly set (#389)
- The template-injection audit no longer considers github.action_path to be a potentially dangerous expansion (#402)
- The github-env audit no longer skips run: steps with non-trivial shell: stanzas (#403)