Add github actions static analysis #1211

Merged
merged 6 commits into from
Jun 3, 2025

Conversation

kingbuzzman
Contributor

@kingbuzzman kingbuzzman commented Jun 3, 2025

TODO: change --persona=regular -> --persona=pedantic (in another PR)

@kingbuzzman kingbuzzman requested a review from Copilot June 3, 2025 09:33
@kingbuzzman kingbuzzman marked this pull request as ready for review June 3, 2025 09:33

@Copilot Copilot AI left a comment

Pull Request Overview

Adds Zizmor static analysis to the CI pipeline by installing the tool, wiring it into tox, and defining GitHub Actions pinning policies.

  • Integrate zizmor into tox.ini for workflow scans
  • Pin zizmor==1.9.0 in pyproject.toml alongside existing linters
  • Introduce a Zizmor rules file to enforce action ref-pinning

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File                  Description
tox.ini               Added zizmor command with --persona=regular flag
pyproject.toml        Added zizmor==1.9.0 to the linting dependencies
.github/zizmor.yml    Defined unpinned-uses policy for GitHub Actions pins
Comments suppressed due to low confidence (1)

.github/zizmor.yml:1

  • Zizmor looks for its config in .zizmor.yml at the repo root by default. Either move this file to the root or pass --config .github/zizmor.yml when invoking zizmor so the rules are actually applied.
rules:
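The review above only shows the first line of the new rules file. As an added example, not the file from this PR, here is the shape such a .github/zizmor.yml takes when the unpinned-uses rule is made to require commit-SHA pins for third-party actions while allowing tag or branch refs for actions published by GitHub itself. The `policies` mapping and the `ref-pin` / `hash-pin` values are taken from zizmor's documented configuration for this rule; the specific patterns chosen are an assumption for illustration, not the project's policy:

```yaml
# Added example, not the .github/zizmor.yml from this PR.
# Assumes zizmor's documented unpinned-uses "policies" config; the
# pattern -> policy choices below are illustrative, not the project's.
rules:
  unpinned-uses:
    config:
      policies:
        # Actions owned by GitHub may be pinned to a tag or branch ref.
        actions/*: ref-pin
        github/*: ref-pin
        # Everything else must be pinned to a full commit SHA, so that a
        # retagged release in a third-party repo cannot change what runs.
        "*": hash-pin
```

With this in place a `uses: some-org/some-action@v2` line in any scanned workflow is reported as a finding, while `uses: actions/checkout@v4` is accepted; the more specific pattern wins over the `"*"` catch-all.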

@@ -48,6 +48,7 @@ commands =
ruff check --diff {posargs:pytest_django pytest_django_test tests}
ruff format --quiet --diff {posargs:pytest_django pytest_django_test tests}
mypy {posargs:pytest_django pytest_django_test tests}
zizmor --persona=regular .github/workflows/deploy.yml .github/workflows/main.yml
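Review bot: the added zizmor line enumerates two workflow files by hand (deploy.yml and main.yml), so any workflow added later under .github/workflows is silently left out of the scan; pointing zizmor at the `.github/workflows` directory instead keeps the tox check exhaustive with no further maintenance. The command also passes no `--config`, so it is worth confirming in a CI run that the `.github/zizmor.yml` rules file this PR introduces is actually discovered, which the suppressed comment above calls into question.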
Copilot AI Jun 3, 2025

The PR description notes switching --persona=regular to --persona=pedantic, but the command still uses regular. Update the flag to --persona=pedantic to apply the stricter analysis.

Suggested change
zizmor --persona=regular .github/workflows/deploy.yml .github/workflows/main.yml
zizmor --persona=pedantic .github/workflows/deploy.yml .github/workflows/main.yml

Contributor Author

@kingbuzzman kingbuzzman Jun 3, 2025

LOL close. I'll do this in another PR to keep the changes to a minimum

@kingbuzzman kingbuzzman enabled auto-merge (squash) June 3, 2025 09:36
@kingbuzzman kingbuzzman merged commit 007b7fa into main Jun 3, 2025
20 checks passed
@kingbuzzman kingbuzzman deleted the dev/zizmor branch June 3, 2025 09:37
@webknjaz
Member

webknjaz commented Jun 4, 2025

@kingbuzzman you could also stick this into GHA (additionally) to have Zizmor report its findings through into the GH Security Analysis UI and they'd show up in PRs too.

---

name: GitHub Actions Security Analysis with zizmor 🌈

on:  # yamllint disable-line rule:truthy
  push:
  pull_request:

jobs:
  zizmor:
    name: 🌈 zizmor

    permissions:
      security-events: write

    # yamllint disable-line rule:line-length
    uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@3bb5e95068d0f44b6d2f3f7e91379bed1d2f96a8

...

@kingbuzzman
Contributor Author

@webknjaz I noticed this—I didn’t include it because I think it makes more sense to be able to run everything locally. If both options are available, I worry there could be a version conflict, where one tool reports something different from the other. Personally, I prefer to see everything locally for consistency.
That’s just my perspective, though—what do you think?

@kingbuzzman
Contributor Author

LOL I just noticed you wrote that 😄

I can format it out to SARIF and display it...
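As an added example, not code from this PR or from the zizmor project, this is what the SARIF route looks like as a plain job rather than the reusable workflow quoted above: it installs the same zizmor version pinned in pyproject.toml, writes SARIF instead of the terminal report, and uploads it so findings appear in the repository's code scanning view and as annotations on pull requests. The `--format=sarif` flag and the `security-events: write` permission are zizmor's and GitHub's documented requirements; the tag refs on the actions are placeholders and would need to be replaced by commit SHAs to satisfy the unpinned-uses policy this PR adds:

```yaml
# Added example, not a workflow from this PR or from the zizmor project.
# Action refs are shown as tags as placeholders; hash-pin them to satisfy
# the repository's own unpinned-uses policy.
name: zizmor (SARIF upload)

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed by upload-sarif to write code-scanning alerts
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # Same version as pyproject.toml so local tox and CI report identically.
      - run: python -m pip install zizmor==1.9.0

      # Scan the whole workflows directory and emit SARIF. zizmor exits
      # non-zero when it has findings, so let the job continue to the upload
      # step; the findings still block merges via code-scanning rules.
      - run: zizmor --persona=regular --format=sarif .github/workflows > zizmor.sarif
        continue-on-error: true

      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: zizmor.sarif
          category: zizmor
```

Because the scan and the tox invocation use the same pinned zizmor release, the version-drift concern raised above does not arise: both runs produce the same findings, only the presentation differs.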

@kingbuzzman kingbuzzman mentioned this pull request Jun 4, 2025
@webknjaz
Member

webknjaz commented Jun 4, 2025

As for having a shared behavior — I prefer using a config file so all different invocations would pick it up. But the CLI toggles you use aren't available like that. Apparently, @woodruffw wanted people to use CLI args. Though, I would argue there's a case for allowing the defaults in the config too.

@woodruffw

Apparently, @woodruffw wanted people to use CLI args. Though, I would argue there's a case for allowing the defaults in the config too.

Not exactly wanted -- it's more that zizmor's config serves too many different purposes (it's both per-repo and can be used globally for policies), which has made me hesitant to add more features/knobs until I do a larger refactor. I'm not opposed to having configurations for these kinds of things, I just want to get them right since there's a long (and growing) compat tail with zizmor's users 🙂
