
Releases: zizmorcore/zizmor

v1.11.1-rc1

02 Jul 23:20
3255874
Pre-release
chore: prep for 1.11.1-rc1 release (#1008)

v1.11.0

30 Jun 19:00
1cc8f93

New Features 🌈

Enhancements 🌱

Bug Fixes 🐛

  • Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

v1.10.0

26 Jun 18:31
39f229f

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈

  • New audit: anonymous-definition detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

    Many thanks to @andrewpollack for implementing this audit!

  • Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

    • artipacked: zizmor will attempt to add persist-credentials: false to actions/checkout steps that do not already have it.

    • template-injection: zizmor will attempt to rewrite run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate env: block to set FOO_BAR to the expression's evaluation.

    Read more about the new auto-fix mode in the documentation.

    Many thanks to @mostafa for implementing this feature!
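The template-injection auto-fix described above, as an added example rather than zizmor's own code: a small Python helper that rewrites ${{ expr }} occurrences in a run: script into ${ENV_NAME} shell expansions and emits the env: block that binds each name to the original expression, so the runner still evaluates the expression but its value reaches the shell as data rather than as script text. The function names (env_name_for, rewrite_run_block, render_step) and the sample run: script are constructed for this example; unlike zizmor, which uses its static-ness analysis to rewrite only expressions that may carry attacker-controlled input, this helper rewrites every expression it sees.

```python
from __future__ import annotations

import re

# Matches a GitHub Actions expression such as ${{ github.event.issue.title }}
# and captures the expression text between the braces.
EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")


def env_name_for(expr: str) -> str:
    """Derive a shell-safe environment variable name from an expression.

    github.event.issue.title -> GITHUB_EVENT_ISSUE_TITLE
    github['actor']          -> GITHUB_ACTOR
    """
    return re.sub(r"[^A-Za-z0-9]+", "_", expr).strip("_").upper()


def rewrite_run_block(script: str) -> tuple[str, dict[str, str]]:
    """Replace every ${{ expr }} in a run: script with ${ENV_NAME} and
    return the env: mapping that binds ENV_NAME to the original expression.

    Hypothetical helper for illustration: it rewrites all expressions,
    whereas zizmor's auto-fix only rewrites the ones its static-ness
    analysis cannot prove safe.
    """
    env: dict[str, str] = {}

    def replace(match: re.Match) -> str:
        expr = match.group(1)
        name = env_name_for(expr)
        env[name] = "${{ " + expr + " }}"
        return "${" + name + "}"

    return EXPR_RE.sub(replace, script), env


def render_step(script: str, env: dict[str, str], indent: str = "      ") -> str:
    """Render a step body (optional env: block followed by run: block) as YAML text."""
    lines = []
    if env:
        lines.append(f"{indent}env:")
        for name, value in env.items():
            lines.append(f"{indent}  {name}: {value}")
    lines.append(f"{indent}run: |")
    for line in script.splitlines():
        lines.append(f"{indent}  {line}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: an issue title is attacker-controlled, so splicing
    # it straight into the script text is a template injection.
    vulnerable = (
        'echo "New issue: ${{ github.event.issue.title }}"\n'
        'gh issue comment ${{ github.event.issue.number }} --body "thanks"'
    )
    fixed, env = rewrite_run_block(vulnerable)
    print(render_step(fixed, env))
```

Running the block prints the hardened step: an env: block mapping GITHUB_EVENT_ISSUE_TITLE and GITHUB_EVENT_ISSUE_NUMBER to their expressions, followed by the run: script using ${GITHUB_EVENT_ISSUE_TITLE} and ${GITHUB_EVENT_ISSUE_NUMBER}. Quoting the expansion in the script ("${GITHUB_EVENT_ISSUE_TITLE}") additionally avoids word splitting on values that contain whitespace.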

Enhancements 🌱

  • The artipacked audit now produces findings on composite action definitions, rather than just workflow definitions (#896)
  • The use-trusted-publishing audit now produces findings on composite action definitions, rather than just workflow definitions (#899)
  • The bot-conditions audit now detects more spoofable actor checks, including checks against well-known user IDs for bot accounts (#905)
  • The template-injection and other audits now produce more precise findings when analyzing env context accesses for static-ness (#911)
  • The template-injection audit now produces more precise findings when analyzing inputs context accesses (#919)
  • zizmor now produces more descriptive error messages when it fails to parse a workflow or action definition (#956)
  • The bot-conditions audit now returns precise spans for flagged actor checks, instead of flagging the entire if: value (#949)
  • The template-injection audit now returns precise spans for flagged contexts and expressions, instead of flagging the entire script block (#958)
  • The obfuscation audit now returns precise spans for flagged expressions (#969)
  • The obfuscation audit now detects computed indices (e.g. inputs.foo[inputs.bar]) as a potentially obfuscatory pattern (#969)

Bug Fixes 🐛

  • The template-injection audit no longer crashes when attempting to evaluate the static-ness of an environment context within a composite action uses: step (#887)
  • The bot-conditions audit now correctly analyzes index-style contexts, e.g. github['actor'] (#905)
  • Fixed a bug where zizmor would fail to parse expressions that contained >= or <= (#916)
  • Fixed a bug where zizmor would fail to parse expressions containing contexts with interstitial whitespace (#958)

v1.9.0

30 May 21:30
5fbfaeb

New Features 🌈

  • zizmor now supports generating completions for Nushell (#838)

Enhancements 🌱

  • The template-injection audit has been rewritten, and is now significantly more precise and general over contexts supplied via GitHub's webhook payloads (i.e. github.event.*) (#745)
  • The template-injection audit now detects vulnerable template injections in more actions inputs, thanks to an integration with CodeQL's sink metadata (#849)

Bug Fixes 🐛

  • The insecure-commands audit now correctly detects different truthy values in ACTIONS_ALLOW_UNSECURE_COMMANDS (#840)
  • The template-injection audit now correctly emits pedantic findings in a blanket manner, rather than filtering them based on the presence of other findings (#745)
  • CLI: Fixed a misleading error message when zizmor is used with a GitHub host other than github.com (#863)

v1.8.0

20 May 20:01
4021d88

Announcements 📣

  • zizmor's website has changed! The new website is hosted at docs.zizmor.sh. The old website will redirect to the new one for a while, but users should update any old links in preparation for the v1.8.0 release, which will likely remove the redirects entirely (#769)

  • zizmor is now hosted under the @zizmorcore GitHub organization as zizmorcore/zizmor. The old repository at woodruffw/zizmor will redirect to the new one, but users should update any old links to limit confusion

New Features 🌈

  • zizmor now supports the ZIZMOR_CONFIG environment variable as an alternative to --config (#789)

Bug Fixes 🐛

v1.8.0-rc3

20 May 19:46
abee958
Pre-release
fix(ci): tell gh release upload where to go (#834)

v1.8.0-rc1

20 May 19:25
61c9880
Pre-release
fix: don't use wildcards for in-workspace deps (#832)

v1.8.0-rc0

20 May 19:11
a62bfa5
Pre-release
chore: prep prerelease v1.8.0-rc0 (#831)

v1.7.0

09 May 02:52
beba489

v1.6.0

20 Apr 02:15
fb8520b