v1.10.0
This is a huge new release, with multiple new features, enhancements, and bugfixes!
New Features 🌈
- New audit: anonymous-definition detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)
  Many thanks to @andrewpollack for implementing this audit!
- Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:
  - artipacked: zizmor will attempt to add persist-credentials: false to actions/checkout steps that do not already have it.
  - template-injection: zizmor will attempt to rewrite run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate env: block to set FOO_BAR to the expression's evaluation.
  Read more about the new auto-fix mode in the documentation.
  Many thanks to @mostafa for implementing this feature!
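As an added illustration of the two auto-fixes listed above (example code written for these notes, not zizmor's own implementation): a minimal rewrite of a run: script into the env-mediated ${FOO_BAR} form, plus the persist-credentials: false addition for actions/checkout steps. The variable-naming scheme, the assumed step shape (a dict with uses and an optional with mapping) and the sample step are this example's own assumptions.

```python
import re

# Matches a GitHub Actions expression such as ${{ github.event.issue.title }}.
# Expressions that themselves contain '}' (e.g. format('{0}', ...)) are out of scope here.
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")


def env_var_name(expr: str) -> str:
    """Derive a shell-safe variable name: 'github.event.issue.title' -> 'GITHUB_EVENT_ISSUE_TITLE'
    (assumed naming scheme; zizmor's actual scheme may differ)."""
    return re.sub(r"[^A-Za-z0-9]+", "_", expr).strip("_").upper()


def rewrite_run_block(run: str) -> tuple[str, dict[str, str]]:
    """Replace every ${{ expr }} in a run: script with ${VAR} and return the rewritten
    script together with the env: mapping that sets VAR to the original expression.
    The shell then receives the expression's value as data, never as script text."""
    env: dict[str, str] = {}

    def to_env_ref(m: re.Match) -> str:
        expr = m.group(1)
        name = env_var_name(expr)
        env[name] = "${{ " + expr + " }}"
        return "${" + name + "}"

    return EXPR_RE.sub(to_env_ref, run), env


def fix_artipacked(step: dict) -> dict:
    """For an actions/checkout step (assumed shape: dict with 'uses' and optional 'with'),
    add persist-credentials: false unless the key is already set; other steps are untouched."""
    if step.get("uses", "").startswith("actions/checkout@"):
        with_block = step.setdefault("with", {})
        with_block.setdefault("persist-credentials", False)
    return step


# Constructed sample step: the issue title is attacker-controlled and lands in a shell script.
VULNERABLE_RUN = 'echo "Issue: ${{ github.event.issue.title }}"\necho "Opened by: ${{ github.actor }}"'

if __name__ == "__main__":
    fixed_run, env = rewrite_run_block(VULNERABLE_RUN)
    print("env:")
    for name, expr in env.items():
        print(f"  {name}: {expr}")
    print("run: |")
    for line in fixed_run.splitlines():
        print(f"  {line}")
    print(fix_artipacked({"uses": "actions/checkout@v4"}))
```

Deriving names from the expression can collide with GitHub's default GITHUB_* variables (github.actor becomes GITHUB_ACTOR), so a real fixer also needs a collision strategy and handling for expressions containing '}'.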
Enhancements 🌱
- The artipacked audit now produces findings on composite action definitions, rather than just workflow definitions (#896)
- The use-trusted-publishing audit now produces findings on composite action definitions, rather than just workflow definitions (#899)
- The bot-conditions audit now detects more spoofable actor checks, including checks against well-known user IDs for bot accounts (#905)
- The template-injection and other audits now produce more precise findings when analyzing env context accesses for static-ness (#911)
- The template-injection audit now produces more precise findings when analyzing inputs context accesses (#919)
- zizmor now produces more descriptive error messages when it fails to parse a workflow or action definition (#956)
- The bot-conditions audit now returns precise spans for flagged actor checks, instead of flagging the entire if: value (#949)
- The template-injection audit now returns precise spans for flagged contexts and expressions, instead of flagging the entire script block (#958)
- The obfuscation audit now returns precise spans for flagged expressions (#969)
- The obfuscation audit now detects computed indices (e.g. inputs.foo[inputs.bar]) as a potentially obfuscatory pattern (#969)
Bug Fixes 🐛
- The template-injection audit no longer crashes when attempting to evaluate the static-ness of an environment context within a composite action uses: step (#887)
- The bot-conditions audit now correctly analyzes index-style contexts, e.g. github['actor'] (#905)
- Fixed a bug where zizmor would fail to parse expressions that contained >= or <= (#916)
- Fixed a bug where zizmor would fail to parse expressions containing contexts with interstitial whitespace (#958)