Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(zizmor): add a reusable workflow for zizmor GitHub Actions static analysis #605

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

feat(zizmor): add a reusable workflow for zizmor GitHub Actions static analysis #605

wants to merge 2 commits into from

Conversation

iainlane
Copy link
Member

@iainlane iainlane commented Dec 2, 2024

This is a reusable workflow which runs the zizmor static analysis tool on a repo's GitHub Actions workflow files. This will report things such as whether there is potential for untrusted code to be injected via a template. See a full list of checks in the documentation.

This workflow will run zizmor, upload results to GitHub's code scanning service (requires an Advanced Security subscription for private repositories), and comment on the pull request with the results. The comment will be re-posted on each run - and previous comments hidden - so the most recent comment will always show the current results.

github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 2, 2024
View reviewed changes
.github/workflows/reusable-zizmor.yml Fixed Show fixed Hide fixed
.github/workflows/reusable-zizmor.yml Fixed Show fixed Hide fixed
.github/workflows/reusable-zizmor.yml Fixed Show fixed Hide fixed
@github-actions GitHub Actions

This comment has been minimized.

Sign in to view
@iainlane iainlane force-pushed the iainlane/add-zizmor-reusable-workflow branch 6 times, most recently from 2f972d2 to 9488aad Compare December 2, 2024 14:24
@iainlane
feat(zizmor): add a reusable workflow for zizmor GitHub Actions stati…
94890b3 
…c analysis

This is a [reusable workflow] which runs the [`zizmor`][zizmor] static
analysis tool on a repo's GitHub Actions workflow files. This will
report things such as whether there is potential for untrusted code to
be injected via a template. See a full list of checks in [the
documentation][zizmor-checks].

This workflow will run zizmor, upload results to GitHub's code scanning
service (requires an Advanced Security subscription for private
repositories), and comment on the pull request with the results. The
comment will be re-posted on each run - and previous comments hidden -
so the most recent comment will always show the current results.

[reusable workflow]: https://docs.github.com/en/actions/using-workflows/reusing-workflows
[zizmor]: https://woodruffw.github.io/zizmor/
[zizmor-checks]: https://woodruffw.github.io/zizmor/audits/
@iainlane iainlane force-pushed the iainlane/add-zizmor-reusable-workflow branch from 9488aad to 94890b3 Compare December 2, 2024 14:28
@github-actions GitHub Actions

This comment has been minimized.

Sign in to view
@iainlane
Copy link
Member Author

iainlane commented Dec 2, 2024
edited
Loading

In this PR I introduced and fixed some problems that the script found. You can see that above 👍

If you look at the files changed tab, you can see results for the other files (same as in the comment)

@iainlane iainlane marked this pull request as ready for review December 2, 2024 14:31
@iainlane iainlane requested a review from a team as a code owner December 2, 2024 14:31
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 3, 2024

😢 zizmor failed with exit code 14.

Expand for full output 
help[template-injection]: code injection via template expansion
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/test-get-vault-secrets.yaml:56:9
   |
56 |         - name: Check secret value is ${{ matrix.instance }}
   |           -------------------------------------------------- help: this step
57 |           if: matrix.instance != 'invalid'
58 |           run: |
   |  _________-
59 | |           if [[ "${{ env.INSTANCE }}" != "${{ matrix.instance }}" ]]; then
60 | |             echo "Test failed: secret value does not match vault_instance input"
61 | |             exit 1
62 | |           fi
   | |____________- help: env.INSTANCE may expand into attacker-controllable code
   |
   = note: audit confidence → High

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/test-get-vault-secrets.yaml:44:9
   |
44 |         - name: Checkout code
   |  _________-
45 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/test-get-vault-secrets.yaml:73:9
   |
73 |         - name: Checkout code
   |  _________-
74 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

error[excessive-permissions]: overly broad workflow or job-level permissions
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/test-get-vault-secrets.yaml:23:1
   |
23 | / permissions:
24 | |   contents: read
25 | |   id-token: write
   | |_________________^ id-token: write is overly broad at the workflow level
   |
   = note: audit confidence → High

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/test-techdocs-rewrite-relative-links.yaml:28:9
   |
28 |         - name: Checkout code
   |  _________-
29 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/build-trigger-argo-workflow.yaml:27:9
   |
27 |         - name: Checkout code
   |  _________-
28 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/renovate.yml:41:9
   |
41 |         - name: Checkout Code
   |  _________-
42 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
...  |
45 | |             .github/renovate-config.json5
46 | |             actions/get-vault-secrets
   | |_____________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/test-lint-pr-title.yml:31:9
   |
31 |       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   |         ------------------------------------------------------------------------ does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/test-setup-argo.yml:43:9
   |
43 |         - name: Checkout code
   |  _________-
44 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
45 | |         with:
46 | |           sparse-checkout: |
47 | |             actions/setup-argo
   | |______________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/test-find-pr-for-commit.yml:46:9
   |
46 |         - name: Checkout code
   |  _________-
47 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/codeql.yml:46:9
   |
46 |         - name: Checkout repository
   |  _________-
47 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/lint-shared-workflows.yaml:54:9
   |
54 |         - name: Checkout
   |  _________-
55 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/lint-shared-workflows.yaml:26:9
   |
26 |         - name: Checkout
   |  _________-
27 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

error[excessive-permissions]: overly broad workflow or job-level permissions
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/lint-shared-workflows.yaml:17:1
   |
17 | / permissions:
18 | |   contents: read
19 | |   actions: write
   | |________________^ actions: write is overly broad at the workflow level
   |
   = note: audit confidence → High

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/test-login-to-gar.yaml:36:9
   |
36 |         - name: Checkout code
   |  _________-
37 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

error[excessive-permissions]: overly broad workflow or job-level permissions
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/test-login-to-gar.yaml:23:1
   |
23 | / permissions:
24 | |   contents: read
25 | |   id-token: write
   | |_________________^ id-token: write is overly broad at the workflow level
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
   --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/publish-techdocs.yaml:80:9
    |
 80 |          - id: instance-settings
    |   _________^
 81 |  |         shell: sh
 82 |  |         run: |
    |  |_________^
 83 | ||           case "${{inputs.instance}}" in
...   ||
101 | ||           echo "aws-region=${aws_region}" | tee -a "${GITHUB_OUTPUT}"
102 | ||           echo "aws-bucket=${aws_bucket}" | tee -a "${GITHUB_OUTPUT}"
    | ||_____________________________________________________________________^ this step
    | ||_____________________________________________________________________^ inputs.instance may expand into attacker-controllable code
    |
    = note: audit confidence → Low

error[template-injection]: code injection via template expansion
   --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/publish-techdocs.yaml:130:9
    |
130 | ... - name: Publish docs site
    |       ^^^^^^^^^^^^^^^^^^^^^^^ this step
131 | ...   if: inputs.publish
132 | ...   run: techdocs-cli publish --publisher-type awsS3 --storage-name ${{ steps.instance-settings.outputs.aws-bucket }} --entity ${{ inputs.namespace }}/${{ inputs.kind }}/${{ inputs.name }}
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ inputs.namespace may expand into attacker-controllable code
    |
    = note: audit confidence → Low

error[template-injection]: code injection via template expansion
   --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/publish-techdocs.yaml:130:9
    |
130 | ... - name: Publish docs site
    |       ^^^^^^^^^^^^^^^^^^^^^^^ this step
131 | ...   if: inputs.publish
132 | ...   run: techdocs-cli publish --publisher-type awsS3 --storage-name ${{ steps.instance-settings.outputs.aws-bucket }} --entity ${{ inputs.namespace }}/${{ inputs.kind }}/${{ inputs.name }}
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ inputs.kind may expand into attacker-controllable code
    |
    = note: audit confidence → Low

error[template-injection]: code injection via template expansion
   --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/publish-techdocs.yaml:130:9
    |
130 | ... - name: Publish docs site
    |       ^^^^^^^^^^^^^^^^^^^^^^^ this step
131 | ...   if: inputs.publish
132 | ...   run: techdocs-cli publish --publisher-type awsS3 --storage-name ${{ steps.instance-settings.outputs.aws-bucket }} --entity ${{ inputs.namespace }}/${{ inputs.kind }}/${{ inputs.name }}
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ inputs.name may expand into attacker-controllable code
    |
    = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/publish-techdocs.yaml:56:9
   |
56 |         - id: checkout
   |  _________-
57 | |         name: Checkout
58 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/publish-techdocs.yaml:60:9
   |
60 |         - id: checkout-shared-workflows
   |  _________-
61 | |         name: Checkout shared workflows
...  |
66 | |           path: _shared-workflows-publish-techdocs
67 | |           submodules: "${{ inputs.checkout-submodules }}"
   | |_________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/check-for-non-releasable-actions.yaml:23:9
   |
23 |         - name: Checkout Code
   |  _________-
24 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
...  |
27 | |             ./actions
28 | |             ./release-please-config.json
   | |________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

error[template-injection]: code injection via template expansion
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/check-drone-signature.yaml:37:9
   |
37 |         - name: Check Drone signature
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
38 |           run: |
   |  _________^
39 | |           # Run drone sign command
...  |
48 | |             exit 1
49 | |           fi
   | |____________^ inputs.drone_config_path may expand into attacker-controllable code
   |
   = note: audit confidence → Low

error[template-injection]: code injection via template expansion
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/check-drone-signature.yaml:37:9
   |
37 |         - name: Check Drone signature
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
38 |           run: |
   |  _________^
39 | |           # Run drone sign command
...  |
48 | |             exit 1
49 | |           fi
   | |____________^ inputs.drone_config_path may expand into attacker-controllable code
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/check-drone-signature.yaml:22:9
   |
22 |         - name: Checkout repo
   |  _________-
23 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

help[unpinned-uses]: unpinned action reference
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/check-drone-signature.yaml:32:9
   |
32 |         uses: grafana/shared-workflows/actions/get-vault-secrets@main
   |         ------------------------------------------------------------- help: action is not pinned to a hash ref
   |
   = note: audit confidence → High

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /home/runner/work/shared-workflows/shared-workflows/.github/workflows/lint-pr-title.yml:17:9
   |
17 |         - name: Checkout
   |  _________-
18 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

32 findings (4 ignored): 0 unknown, 0 informational, 2 low, 17 medium, 9 high

@iainlane iainlane marked this pull request as draft January 20, 2025 16:39
@iainlane
Copy link
Member Author

I decided to leave this for the time being, because I don't want us to "randomly" add shared workflows for different tools and rely on repository owners to pick the ones they like. We as an organisation should have a position on this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zerok zerok zerok approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@iainlane @zerok