Skip to content

Add zizmor workflow for GitHub Actions static analysis#667

Merged
adamreeve merged 1 commit into
G-Research:masterfrom
david-wagih:zizmor
Jun 22, 2026
Merged

Add zizmor workflow for GitHub Actions static analysis#667
adamreeve merged 1 commit into
G-Research:masterfrom
david-wagih:zizmor

Conversation

@david-wagih

Copy link
Copy Markdown
Contributor

Summary

Adds a zizmor workflow that performs static analysis of the repository's GitHub Actions workflows to detect security issues (template injection, excessive GITHUB_TOKEN permissions, credential persistence, unpinned actions, etc.).

  • Runs on push and pull_request to master.
  • Uploads results as SARIF to GitHub Code Scanning so findings surface in the Security tab and on PRs.
  • Findings are reported but do not fail the build, so this is non-disruptive to merge.
  • Top-level permissions: {} with least-privilege job permissions; the action and actions/checkout are pinned to commit SHAs and check out with persist-credentials: false.

This mirrors the same zizmor scanning already adopted in other G-Research repositories (e.g. consuldotnet, common-actions, NuPerfMonitor).

🤖 Generated with Claude Code

Runs zizmor (https://docs.zizmor.sh) on push and pull_request to scan
the repository's GitHub Actions workflows for security issues and
uploads results as SARIF to Code Scanning. Findings are reported but
do not fail the build.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@adamreeve adamreeve merged commit b81cbad into G-Research:master Jun 22, 2026
53 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants