26 changes: 21 additions & 5 deletions .github/workflows/shared-zizmor-scan.yaml
Expand Up @@ -25,7 +25,7 @@ on:
description: >-
Block (fail the job) on findings at or above this severity:
never|informational|low|medium|high. Independent of the report floor.
Defaults to `never` (non-blocking). Set to `high` to gate on High only.
Defaults to `never` (non-blocking).
type: string
default: 'never'
config:
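Review bot: dropping "Set to `high` to gate on High only." removes the only worked example of a non-default value from the `fail_severity` description, and "at or above this severity" is easy to misread without one. The allowed list `never|informational|low|medium|high` is still there, so a single hint such as "Set to `high` to block only on High-severity findings" would keep the input self-explanatory for callers who never open the README.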
Expand All @@ -45,6 +45,8 @@ on:
they live) are covered too — not just `.github/workflows`. zizmor honors
`.gitignore` when collecting inputs. Ensure the caller's trigger `paths`
cover everywhere scannable files live, or changes can slip through.
With the default `.` an empty repo skips green; with explicit paths an
empty scan fails closed.
type: string
default: '.'
zizmor_version:
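Review bot: "an empty repo skips green" reads as an empty git repository, but the condition being special-cased is zizmor collecting no inputs, i.e. no workflows or composite actions under the scanned paths. Suggest "a repo with no workflows or composite actions skips green; with explicit `scan_paths` the same empty scan fails closed", and state that the skip applies only to the literal default `.`, so a caller who passes any other value (including a variant spelling of the root) gets the fail-closed behaviour.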
Expand Down Expand Up @@ -121,12 +123,26 @@ jobs:
set -e

# Fail hard on anything that isn't a clean run (0) or a findings run
# (11-14). An errored or empty scan (bad scan_paths, install failure, arg
# error) must NOT pass silently under fail_severity: never — for a security
# control, fail-open is the worst outcome. Dump both streams so the real
# cause is visible.
# (11-14): an errored scan must not pass silently under
# fail_severity: never. Exception: exit 3 ("no inputs collected") on
# the default '.' scan means the repo has no Actions content — skip
# green; with explicit scan_paths it's more likely a typo — fail.
case "${code}" in
0|11|12|13|14) : ;;
3)
if [ "${SCAN_PATHS}" = "." ]; then
echo "No GitHub Actions workflows or composite actions in this repo; nothing to scan."
{
echo "## 🌈 zizmor — GitHub Actions security scan"
echo ""
echo "Nothing to scan: this repo has no GitHub Actions workflows or composite actions. Skipped."
} >> "${GITHUB_STEP_SUMMARY}"
exit 0
fi
echo "zizmor collected no inputs from scan_paths='${SCAN_PATHS}' (exit 3); failing."
cat zizmor.log report.txt
exit 1
;;
*)
echo "zizmor did not complete a scan (exit ${code}); failing."
cat zizmor.log report.txt
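Review bot: the skip-green branch is keyed on an exact string match, `if [ "${SCAN_PATHS}" = "." ]`, so `./`, a value with surrounding whitespace, or a multi-path list that happens to include the root all take the fail-closed path with the "more likely a typo" message. If that is deliberate (only the untouched default may skip), say so in the comment; if not, normalise first or match a small set of spellings. Two smaller points: the meaning of exit 3 ("no inputs collected") is now hard-coded in the comment while `zizmor_version` is a caller input, so note that the mapping assumes the pinned version's exit-code contract; and the removed lines "for a security control, fail-open is the worst outcome" and "Dump both streams so the real cause is visible" were the rationale for the `*)` branch's `cat zizmor.log report.txt`, which is now unexplained. Keep the one-line fail-open rationale in the new comment.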
3 changes: 1 addition & 2 deletions .github/workflows/zizmor.yaml
Expand Up @@ -14,6 +14,5 @@ permissions:

jobs:
zizmor:
# Bare call: severity floors come from the shared workflow's defaults.
uses: ./.github/workflows/shared-zizmor-scan.yaml
with:
fail_severity: never # report-only for now; set to `high` later to gate on High-severity
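Review bot: with `fail_severity` no longer passed, this caller inherits whatever default the shared workflow ships, so a future change of that default from `never` to `high` would silently turn this repo's scan blocking. If the intent is "one place to flip", the comment "Bare call: severity floors come from the shared workflow's defaults" should say that explicitly, since the removed inline note about setting `high` later was the only trace of that plan.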
6 changes: 2 additions & 4 deletions README.md
Expand Up @@ -42,8 +42,8 @@ The marker goes in the commit message, not the branch name or PR title. This is
`shared-zizmor-scan.yaml` runs [zizmor](https://docs.zizmor.sh) over a repo's GitHub
Actions workflows to catch workflow-security issues.
By default it runs all offline zizmor rules except `unpinned-uses` (disabled in
config — SHA-pinning was declined for UID2), reports **High-severity** findings
(`min_severity`), and is non-blocking (`fail_severity: never`).
config — SHA-pinning was declined for UID2), reports **High-severity** findings,
and is non-blocking.

Adopt it by adding a small caller workflow to the target repo:

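Review bot: removing `(min_severity)` and `(fail_severity: never)` drops the input names from the one sentence that explains the two knobs; "reports High-severity findings, and is non-blocking" no longer tells an adopter which `with:` key sets the report floor versus the gate. Keep the input names in parentheses here, or name both inputs once in the adoption section below.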
Expand All @@ -63,8 +63,6 @@ permissions:
jobs:
zizmor:
uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-zizmor-scan.yaml@v3
with:
fail_severity: never # report-only; set to `high` to block PRs on High-severity findings
```

For one-off false positives in a consuming repo, add an inline
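Review bot: the adoption snippet is now a bare `uses:` line with no `with:` block, and the text moves straight on to false positives, so an adopter who wants to block on High has nothing to copy. Either keep `fail_severity: never` with its comment as the example of an available input, or add one sentence after the fence naming `fail_severity` and `scan_paths` and pointing at the shared workflow's input descriptions.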