Description
Discussed in #754
Originally posted by dfabbie May 6, 2025
Hello Zizmor community,
I've been integrating Zizmor into our GitHub Actions workflow to scan for security issues. I've encountered what appears to be false positive detection for the artipacked finding, and I'm hoping to understand if this is expected behavior or if I'm missing something.
Description
Zizmor flags files as missing `persist-credentials: false` even when that setting is properly included in the workflow file.
Here's a snippet from one of our workflow files:
```yaml
steps:
  - name: Checkout
    uses: actions/checkout@v4
    with:
      persist-credentials: false
```
However, Zizmor reports this as:

```json
"ident": "artipacked",
"desc": "credential persistence through GitHub Actions artifacts",
"locations": [
  {
    "symbolic": {
      "key": {
        "Local": {
          "prefix": ".",
          "given_path": "./workflows/deploy.yaml"
        }
      },
      "annotation": "does not set persist-credentials: false",
      ...
    },
    "concrete": {
      "location": {
        "start_point": {
          "row": 19,
          "column": 8
        },
        "end_point": {
          "row": 20,
          "column": 33
        },
        ...
      },
      "feature": "name: Checkout\n uses: actions/checkout@v4",
      ...
    }
  }
]
```
Based on the `feature` field and the location coordinates, it appears Zizmor is only analyzing the action `name` and `uses` lines, but not checking the `with:` block below it where `persist-credentials: false` is actually set.
Is this expected behavior, or is this a bug in Zizmor's detection logic?
Is there a way to configure Zizmor to check the entire step definition, including the `with:` block?
Are there any recommended approaches to handle these false positives?
I appreciate any insights or suggestions.
Thank you!
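The check the post is asking about, written out as an added example (this is not zizmor's code and says nothing about why the reporter's workflow was flagged): walk every `actions/checkout` step, look inside its `with:` block, and report the step unless `persist-credentials` is set to false. The workflow is embedded as a constructed sample in the dict shape that PyYAML's `yaml.safe_load()` returns for a workflow file, so it runs offline; the hypothetical `find_persisted_credentials` helper accepts both the YAML boolean `false` and the quoted string `"false"`, since Actions inputs are strings either way, and it treats a missing or empty `with:` as "not set".

```python
"""Flag actions/checkout steps that leave the checkout token in .git/config.

Added example, not zizmor's implementation. The rule mirrored here is the
one the artipacked finding describes: a checkout step must set
`persist-credentials: false`, otherwise the token persists in the checked
out tree and can leak through any artifact uploaded from it.
"""

# Constructed sample in the shape PyYAML's yaml.safe_load() produces for a
# workflow file (`false` becomes Python False, `"false"` stays a string,
# an empty `with:` becomes None).
SAMPLE_WORKFLOW = {
    "jobs": {
        "deploy": {
            "steps": [
                {"name": "Checkout", "uses": "actions/checkout@v4",
                 "with": {"persist-credentials": False}},
                {"name": "Checkout no with", "uses": "actions/checkout@v4"},
                {"name": "Checkout quoted false", "uses": "actions/checkout@v4",
                 "with": {"persist-credentials": "false"}},
                {"name": "Checkout true", "uses": "actions/checkout@v4",
                 "with": {"persist-credentials": True}},
                {"name": "Checkout empty with", "uses": "actions/checkout@v4",
                 "with": None},
                {"name": "Run tests", "run": "pytest"},
            ]
        }
    }
}


def is_checkout(uses):
    """True for any pinning of actions/checkout (tag, branch or SHA)."""
    if not isinstance(uses, str):
        return False
    repo = uses.split("@", 1)[0].strip().lower()
    return repo == "actions/checkout"


def disables_persistence(value):
    """True only when persist-credentials is explicitly false.

    YAML `false` arrives as bool False; a quoted `"false"` arrives as a
    string but is still passed to the action as the string "false".
    """
    if value is False:
        return True
    if isinstance(value, str):
        return value.strip().lower() == "false"
    return False


def find_persisted_credentials(workflow):
    """Return one finding per checkout step that keeps credentials."""
    findings = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate((job or {}).get("steps") or []):
            if not isinstance(step, dict) or not is_checkout(step.get("uses")):
                continue
            # The `with:` block is where the setting lives; None means empty.
            with_block = step.get("with") or {}
            value = with_block.get("persist-credentials")
            if not disables_persistence(value):
                findings.append({
                    "job": job_id,
                    "step": idx,
                    "name": step.get("name", step["uses"]),
                    "annotation": "does not set persist-credentials: false",
                })
    return findings


if __name__ == "__main__":
    for finding in find_persisted_credentials(SAMPLE_WORKFLOW):
        print(f"{finding['job']} step {finding['step']} "
              f"({finding['name']}): {finding['annotation']}")
```

Running it on the sample reports three steps: the one with no `with:` block, the one with `persist-credentials: true`, and the one with an empty `with:`; the boolean `false` and the quoted `"false"` both pass. If you want to run it on a real file, load it with `yaml.safe_load(open(path))` from PyYAML and pass the result to `find_persisted_credentials`.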