diff --git a/.github/workflows/shared-zizmor-scan.yaml b/.github/workflows/shared-zizmor-scan.yaml
index 80327428..9054ca9c 100644
--- a/.github/workflows/shared-zizmor-scan.yaml
+++ b/.github/workflows/shared-zizmor-scan.yaml
@@ -25,7 +25,7 @@ on:
 description: >-
 Block (fail the job) on findings at or above this severity: never|informational|low|medium|high. Independent of the report floor.
- Defaults to `never` (non-blocking). Set to `high` to gate on High only.
+ Defaults to `never` (non-blocking).
 type: string
 default: 'never'
 config:
@@ -45,6 +45,8 @@ on:
 they live) are covered too — not just `.github/workflows`. zizmor honors `.gitignore` when collecting inputs. Ensure the caller's trigger `paths` cover everywhere scannable files live, or changes can slip through.
+ With the default `.` an empty repo skips green; with explicit paths an
+ empty scan fails closed.
 type: string
 default: '.'
 zizmor_version:
@@ -121,12 +123,26 @@ jobs:
 set -e
 # Fail hard on anything that isn't a clean run (0) or a findings run
- # (11-14). An errored or empty scan (bad scan_paths, install failure, arg
- # error) must NOT pass silently under fail_severity: never — for a security
- # control, fail-open is the worst outcome. Dump both streams so the real
- # cause is visible.
+ # (11-14): an errored scan must not pass silently under
+ # fail_severity: never. Exception: exit 3 ("no inputs collected") on
+ # the default '.' scan means the repo has no Actions content — skip
+ # green; with explicit scan_paths it's more likely a typo — fail.
 case "${code}" in
 0|11|12|13|14) : ;;
+ 3)
+ if [ "${SCAN_PATHS}" = "." ]; then
+ echo "No GitHub Actions workflows or composite actions in this repo; nothing to scan."
+ {
+ echo "## 🌈 zizmor — GitHub Actions security scan"
+ echo ""
+ echo "Nothing to scan: this repo has no GitHub Actions workflows or composite actions. Skipped."
+ } >> "${GITHUB_STEP_SUMMARY}"
+ exit 0
+ fi
+ echo "zizmor collected no inputs from scan_paths='${SCAN_PATHS}' (exit 3); failing."
+ cat zizmor.log report.txt
+ exit 1
+ ;;
 *)
 echo "zizmor did not complete a scan (exit ${code}); failing."
 cat zizmor.log report.txt
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index 3a598bf3..934b79fb 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -14,6 +14,5 @@ permissions:
 jobs:
 zizmor:
+ # Bare call: severity floors come from the shared workflow's defaults.
 uses: ./.github/workflows/shared-zizmor-scan.yaml
- with:
- fail_severity: never # report-only for now; set to `high` later to gate on High-severity
diff --git a/README.md b/README.md
index 134ab0c8..f96141bd 100644
--- a/README.md
+++ b/README.md
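Review bot: The new `3)` branch turns exit 3 into a green result whenever `SCAN_PATHS` is `.` without confirming the checkout actually has nothing to scan, so any condition that makes zizmor collect zero inputs on the default path — a sparse or wrong-directory checkout, or a later zizmor version (the workflow takes a `zizmor_version` input) giving exit 3 a different meaning — becomes exactly the fail-open outcome the surrounding comment warns against. Before reaching `exit 0`, cross-check with git: if tracked workflow or action files exist yet zizmor collected none, take the failing path with the logs dumped, as sketched below. The skip also fires only on the exact string `.`, so `./` or a padded variant falls through to the fail-closed branch; that is the safe direction, but a one-line comment saying so would stop someone "fixing" it later. The `case` statement and the enclosing `run:` script close outside the hunk.

```shell
3)
  if [ "${SCAN_PATHS}" = "." ]; then
    # Exit 3 is only safe to treat as "nothing to scan" when the checkout
    # really has no workflow/action files; anything else is a fail-open.
    if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1 \
       || git ls-files -- '.github/workflows/*.y*ml' ':(glob)**/action.y*ml' | grep -q .; then
      echo "zizmor collected no inputs (exit 3) but tracked workflow/action files exist; failing."
      cat zizmor.log report.txt
      exit 1
    fi
    echo "No GitHub Actions workflows or composite actions in this repo; nothing to scan."
    # … unchanged: step-summary write and exit 0 …
  fi
  # … unchanged: explicit scan_paths failure path …
  ;;
```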
@@ -42,8 +42,8 @@ The marker goes in the commit message, not the branch name or PR title. This is
 `shared-zizmor-scan.yaml` runs [zizmor](https://docs.zizmor.sh) over a repo's GitHub Actions workflows to catch workflow-security issues. By default it runs all offline zizmor rules except `unpinned-uses` (disabled in
-config — SHA-pinning was declined for UID2), reports **High-severity** findings
-(`min_severity`), and is non-blocking (`fail_severity: never`).
+config — SHA-pinning was declined for UID2), reports **High-severity** findings,
+and is non-blocking.
 Adopt it by adding a small caller workflow to the target repo:
@@ -63,8 +63,6 @@ permissions:
 jobs:
 zizmor:
 uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-zizmor-scan.yaml@v3
- with:
- fail_severity: never # report-only; set to `high` to block PRs on High-severity findings
 ```
 For one-off false positives in a consuming repo, add an inline