PyPI - zizmor - Versions diffs - 0.10.0__tar.gz → 1.0.0__tar.gz - Mend

zizmor 0.10.0tar.gz → 1.0.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of zizmor might be problematic. Click here for more details.

Files changed (156) hide show

{zizmor-0.10.0 → zizmor-1.0.0}/.github/workflows/ci.yml RENAMED Viewed

@@ -17,7 +17,7 @@ jobs:
       - name: Format
         run: cargo fmt && git diff --exit-code
-      - uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2
+      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2
       - name: Lint
         run: cargo clippy -- -D warnings
@@ -29,7 +29,7 @@ jobs:
       with:
         persist-credentials: false
-    - uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2
+    - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2
     - name: Test
       run: cargo test

{zizmor-0.10.0 → zizmor-1.0.0}/.github/workflows/pypi.yml RENAMED Viewed

@@ -42,7 +42,7 @@ jobs:
           sccache: 'true'
           manylinux: auto
       - name: Upload wheels
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
         with:
           name: wheels-linux-${{ matrix.platform.target }}
           path: dist
@@ -72,7 +72,7 @@ jobs:
           sccache: 'true'
           manylinux: musllinux_1_2
       - name: Upload wheels
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
         with:
           name: wheels-musllinux-${{ matrix.platform.target }}
           path: dist
@@ -97,7 +97,7 @@ jobs:
           args: --release --out dist
           sccache: 'true'
       - name: Upload wheels
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
         with:
           name: wheels-windows-${{ matrix.platform.target }}
           path: dist
@@ -122,7 +122,7 @@ jobs:
           args: --release --out dist
           sccache: 'true'
       - name: Upload wheels
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
         with:
           name: wheels-macos-${{ matrix.platform.target }}
           path: dist
@@ -139,7 +139,7 @@ jobs:
           command: sdist
           args: --out dist
       - name: Upload sdist
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
         with:
           name: wheels-sdist
           path: dist

{zizmor-0.10.0 → zizmor-1.0.0}/.github/workflows/site.yml RENAMED Viewed

@@ -30,7 +30,7 @@ jobs:
           persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v3
+        uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v3
       - name: build site
         run: make site

{zizmor-0.10.0 → zizmor-1.0.0}/.github/workflows/zizmor.yml RENAMED Viewed

@@ -19,13 +19,13 @@ jobs:
         with:
           persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4
+        uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v4
       - name: Run zizmor 🌈
         run: uvx zizmor --format sarif . > results.sarif
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           sarif_file: results.sarif
           category: zizmor

{zizmor-0.10.0 → zizmor-1.0.0}/Cargo.lock RENAMED Viewed

@@ -97,9 +97,9 @@ dependencies = [
 [[package]]
 name = "anyhow"
-version = "1.0.94"
+version = "1.0.95"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1fd03a028ef38ba2276dce7e33fcd6369c158a1bca17946c4b1b701891c1ff7"
+checksum = "34ac096ce696dc2fcabef30516bb13c0a68a11d30131d3df6f04711467681b04"
 [[package]]
 name = "arrayvec"
@@ -283,9 +283,9 @@ dependencies = [
 [[package]]
 name = "clap-verbosity-flag"
-version = "3.0.1"
+version = "3.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "54381ae56ad222eea3f529c692879e9c65e07945ae48d3dc4d1cb18dbec8cf44"
+checksum = "2678fade3b77aa3a8ff3aae87e9c008d3fb00473a41c71fbf74e91c8c7b37e84"
 dependencies = [
  "clap",
  "tracing-core",
@@ -349,6 +349,15 @@ dependencies = [
  "libc",
 ]
+[[package]]
+name = "crc32fast"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a97769d94ddab943e4510d138150169a2758b5ef3eb191a9ee688de3e23ef7b3"
+dependencies = [
+ "cfg-if",
+]
 [[package]]
 name = "crypto-common"
 version = "0.1.6"
@@ -452,6 +461,28 @@ version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
+[[package]]
+name = "filetime"
+version = "0.2.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "35c0522e981e68cbfa8c3f978441a5f34b30b96e146b33cd3359176b50fe8586"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "libredox",
+ "windows-sys 0.59.0",
+]
+[[package]]
+name = "flate2"
+version = "1.0.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c936bfdafb507ebbf50b8074c54fa31c5be9a1e7e5f467dd659697041407d07c"
+dependencies = [
+ "crc32fast",
+ "miniz_oxide",
+]
 [[package]]
 name = "fnv"
 version = "1.0.7"
@@ -585,9 +616,9 @@ checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
 [[package]]
 name = "github-actions-models"
-version = "0.15.0"
+version = "0.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d1b2a17936ffbdd2c25b57f76efee924ddb0bd8ae402834616117dbc772d2f8a"
+checksum = "9ac510798ef644c8dc4d1cedf58ccda3721096b209d52ee255e4e59c92e8e51d"
 dependencies = [
  "indexmap",
  "serde",
@@ -1030,6 +1061,17 @@ version = "0.2.166"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2ccc108bbc0b1331bd061864e7cd823c0cab660bbe6970e66e2c0614decde36"
+[[package]]
+name = "libredox"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
+dependencies = [
+ "bitflags",
+ "libc",
+ "redox_syscall",
+]
 [[package]]
 name = "linked-hash-map"
 version = "0.5.6"
@@ -1217,7 +1259,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b7cafe60d6cf8e62e1b9b2ea516a089c008945bb5a275416789e7db0bc199dc"
 dependencies = [
  "memchr",
- "thiserror 2.0.8",
+ "thiserror 2.0.9",
  "ucd-trie",
 ]
@@ -1431,6 +1473,15 @@ dependencies = [
  "getrandom",
 ]
+[[package]]
+name = "redox_syscall"
+version = "0.5.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "03a862b389f93e68874fbf580b9de08dd02facb9a788ebadaf4a3fd33cf58834"
+dependencies = [
+ "bitflags",
+]
 [[package]]
 name = "reflink-copy"
 version = "0.1.20"
@@ -1488,9 +1539,9 @@ checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
 [[package]]
 name = "reqwest"
-version = "0.12.9"
+version = "0.12.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a77c62af46e79de0a562e1a9849205ffcb7fc1238876e9bd743357570e04046f"
+checksum = "7fe060fe50f524be480214aba758c71f99f90ee8c83c5a36b5e9e1d568eb4eb3"
 dependencies = [
  "base64 0.22.1",
  "bytes",
@@ -1520,6 +1571,7 @@ dependencies = [
  "sync_wrapper",
  "tokio",
  "tokio-rustls",
+ "tower",
  "tower-service",
  "url",
  "wasm-bindgen",
@@ -1674,9 +1726,9 @@ dependencies = [
 [[package]]
 name = "serde"
-version = "1.0.216"
+version = "1.0.217"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b9781016e935a97e8beecf0c933758c97a5520d32930e460142b4cd80c6338e"
+checksum = "02fc4265df13d6fa1d00ecff087228cc0a2b5f3c0e87e258d8b94a156e984c70"
 dependencies = [
  "serde_derive",
 ]
@@ -1697,15 +1749,15 @@ dependencies = [
  "strum",
  "strum_macros",
  "syn 2.0.90",
- "thiserror 2.0.8",
+ "thiserror 2.0.9",
  "typed-builder",
 ]
 [[package]]
 name = "serde_derive"
-version = "1.0.216"
+version = "1.0.217"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "46f859dbbf73865c6627ed570e78961cd3ac92407a2d117204c49232485da55e"
+checksum = "5a9bf7cf98d04a2b28aead066b7496853d4779c9cc183c440dbac457641e19a0"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1714,9 +1766,9 @@ dependencies = [
 [[package]]
 name = "serde_json"
-version = "1.0.133"
+version = "1.0.134"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c7fceb2473b9166b2294ef05efcb65a3db80803f0b03ef86a5fc88a2b85ee377"
+checksum = "d00f4175c42ee48b15416f6193a959ba3a0d67fc699a0db9ad12df9f83991c7d"
 dependencies = [
  "itoa",
  "memchr",
@@ -1995,6 +2047,17 @@ dependencies = [
  "syn 2.0.90",
 ]
+[[package]]
+name = "tar"
+version = "0.4.43"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c65998313f8e17d0d553d28f91a0df93e4dbbbf770279c7bc21ca0f09ea1a1f6"
+dependencies = [
+ "filetime",
+ "libc",
+ "xattr",
+]
 [[package]]
 name = "tempfile"
 version = "3.14.0"
@@ -2031,11 +2094,11 @@ dependencies = [
 [[package]]
 name = "thiserror"
-version = "2.0.8"
+version = "2.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08f5383f3e0071702bf93ab5ee99b52d26936be9dedd9413067cbdcddcb6141a"
+checksum = "f072643fd0190df67a8bab670c20ef5d8737177d6ac6b2e9a236cb096206b2cc"
 dependencies = [
- "thiserror-impl 2.0.8",
+ "thiserror-impl 2.0.9",
 ]
 [[package]]
@@ -2051,9 +2114,9 @@ dependencies = [
 [[package]]
 name = "thiserror-impl"
-version = "2.0.8"
+version = "2.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2f357fcec90b3caef6623a099691be676d033b40a058ac95d2a6ade6fa0c943"
+checksum = "7b50fa271071aae2e6ee85f842e2e28ba8cd2c5fb67f11fcb1fd70b276f9e7d4"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2208,6 +2271,27 @@ dependencies = [
  "toml_datetime",
 ]
+[[package]]
+name = "tower"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9"
+dependencies = [
+ "futures-core",
+ "futures-util",
+ "pin-project-lite",
+ "sync_wrapper",
+ "tokio",
+ "tower-layer",
+ "tower-service",
+]
+[[package]]
+name = "tower-layer"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"
 [[package]]
 name = "tower-service"
 version = "0.3.3"
@@ -2289,9 +2373,9 @@ dependencies = [
 [[package]]
 name = "tree-sitter"
-version = "0.24.4"
+version = "0.24.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b67baf55e7e1b6806063b1e51041069c90afff16afcbbccd278d899f9d84bca4"
+checksum = "5f2434c86ba59ed15af56039cc5bf1acf8ba76ce301e32ef08827388ef285ec5"
 dependencies = [
  "cc",
  "regex",
@@ -2328,12 +2412,12 @@ dependencies = [
 [[package]]
 name = "tree-sitter-yaml"
-version = "0.6.1"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aad27ec46ad343d8b514f64dd3fdffb478c592ece561b6c935d90ef55589c6b6"
+checksum = "d0c99f2b92b677f1a18b6b232fa9329afb5758118238a7d0b29cae324ef50d5e"
 dependencies = [
  "cc",
- "tree-sitter",
+ "tree-sitter-language",
 ]
 [[package]]
@@ -2894,6 +2978,17 @@ version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51"
+[[package]]
+name = "xattr"
+version = "1.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8da84f1a25939b27f6820d92aed108f83ff920fdf11a7b19366c27c4cda81d4f"
+dependencies = [
+ "libc",
+ "linux-raw-sys",
+ "rustix",
+]
 [[package]]
 name = "xxhash-rust"
 version = "0.8.12"
@@ -2902,11 +2997,11 @@ checksum = "6a5cbf750400958819fb6178eaa83bee5cd9c29a26a40cc241df8c70fdd46984"
 [[package]]
 name = "yamlpath"
-version = "0.13.0"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "98b19abff49f569d353d8fbf024f83a440a28e2e024e1e57f379417ed0cd1216"
+checksum = "e41a4009f1260c7a08b722f096be598c00e3e0aa13f9bed662282acb5d2dbfa5"
 dependencies = [
- "thiserror 1.0.69",
+ "thiserror 2.0.9",
  "tree-sitter",
  "tree-sitter-yaml",
 ]
@@ -3013,7 +3108,7 @@ dependencies = [
 [[package]]
 name = "zizmor"
-version = "0.10.0"
+version = "1.0.0"
 dependencies = [
  "annotate-snippets",
  "anstream",
@@ -3023,6 +3118,7 @@ dependencies = [
  "clap",
  "clap-verbosity-flag",
  "etcetera",
+ "flate2",
  "github-actions-models",
  "http-cache-reqwest",
  "human-panic",
@@ -3042,6 +3138,8 @@ dependencies = [
  "serde_json",
  "serde_json_path",
  "serde_yaml",
+ "streaming-iterator",
+ "tar",
  "terminal-link",
  "tokio",
  "tracing",

{zizmor-0.10.0 → zizmor-1.0.0}/Cargo.toml RENAMED Viewed

@@ -1,7 +1,7 @@
 [package]
 name = "zizmor"
 description = "Static analysis for GitHub Actions"
-version = "0.10.0"
+version = "1.0.0"
 edition = "2021"
 repository = "https://github.com/woodruffw/zizmor"
 homepage = "https://github.com/woodruffw/zizmor"
@@ -15,14 +15,15 @@ rust-version = "1.80.1"
 [dependencies]
 annotate-snippets = "0.11.5"
 anstream = "0.6.18"
-anyhow = "1.0.94"
+anyhow = "1.0.95"
 camino = { version = "1.1.9", features = ["serde1"] }
 clap = { version = "4.5.23", features = ["derive", "env"] }
-clap-verbosity-flag = { version = "3.0.0", features = [
+clap-verbosity-flag = { version = "3.0.2", features = [
     "tracing",
 ], default-features = false }
 etcetera = "0.8.0"
-github-actions-models = "0.15.0"
+flate2 = "1.0.35"
+github-actions-models = "0.17.0"
 http-cache-reqwest = "0.15.0"
 human-panic = "2.0.1"
 indexmap = "2.7.0"
@@ -32,25 +33,28 @@ owo-colors = "4.1.0"
 pest = "2.7.15"
 pest_derive = "2.7.15"
 regex = "1.11.1"
-reqwest = { version = "0.12.9", features = [
+reqwest = { version = "0.12.11", features = [
     "blocking",
     "json",
     "rustls-tls",
 ], default-features = false }
 reqwest-middleware = "0.4.0"
-serde = { version = "1.0.216", features = ["derive"] }
+serde = { version = "1.0.217", features = ["derive"] }
 serde-sarif = "0.7.0"
-serde_json = "1.0.133"
+serde_json = "1.0.134"
 serde_yaml = "0.9.34"
+# TODO remove pending https://github.com/tree-sitter/tree-sitter/pull/4034
+streaming-iterator = "0.1.9"
+tar = "0.4.43"
 terminal-link = "0.1.0"
 tokio = { version = "1.42.0", features = ["rt-multi-thread"] }
 tracing = "0.1.41"
 tracing-indicatif = "0.3.8"
 tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
-tree-sitter = "0.24.4"
+tree-sitter = "0.24.6"
 tree-sitter-bash = "0.23.3"
 tree-sitter-powershell = "0.24.4"
-yamlpath = "0.13.0"
+yamlpath = "0.14.0"
 [profile.dev.package]
 insta.opt-level = 3

{zizmor-0.10.0 → zizmor-1.0.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: zizmor
-Version: 0.10.0
+Version: 1.0.0
 Summary: Static analysis for GitHub Actions
 Keywords: cli,github-actions,static-analysis,security
 Home-Page: https://github.com/woodruffw/zizmor

{zizmor-0.10.0 → zizmor-1.0.0}/docs/audits.md RENAMED Viewed

@@ -295,7 +295,7 @@ Use [encrypted secrets] instead of hardcoded credentials.
 | Type     | Examples              | Introduced in | Works offline  | Enabled by default |
 |----------|-----------------------|---------------|----------------|--------------------|
-| Workflow  | [impostor-commit.yml] | v0.1.0        | ❌             | ✅                 |
+| Workflow, Action  | [impostor-commit.yml] | v0.1.0        | ❌             | ✅                 |
 [impostor-commit.yml]: https://github.com/woodruffw/gha-hazmat/blob/main/.github/workflows/impostor-commit.yml
@@ -333,9 +333,9 @@ within an authentic commit (or an authentic tag/branch reference).
 ## `known-vulnerable-actions`
-| Type     | Examples                       | Introduced in | Works offline  | Enabled by default |
-|----------|--------------------------------|---------------|----------------|--------------------|
-| Workflow  | [known-vulnerable-actions.yml] | v0.1.0        | ❌             | ✅                 |
+| Type             | Examples                       | Introduced in | Works offline  | Enabled by default |
+|------------------|--------------------------------|---------------|----------------|--------------------|
+| Workflow, Action | [known-vulnerable-actions.yml] | v0.1.0        | ❌             | ✅                 |
 [known-vulnerable-actions.yml]: https://github.com/woodruffw/gha-hazmat/blob/main/.github/workflows/known-vulnerable-actions.yml
@@ -357,9 +357,10 @@ the action if one is available, or remove the action's usage entirely.
 ## `ref-confusion`
-| Type     | Examples            | Introduced in | Works offline  | Enabled by default |
-|----------|---------------------|---------------|----------------|--------------------|
-| Workflow  | [ref-confusion.yml] | v0.1.0        | ❌             | ✅                 |
+| Type             | Examples            | Introduced in | Works offline  | Enabled by default |
+|------------------|---------------------|---------------|----------------|--------------------|
+| Workflow, Action | [ref-confusion.yml] | v0.1.0        | ❌             | ✅                 |
 [ref-confusion.yml]: https://github.com/woodruffw/gha-hazmat/blob/main/.github/workflows/ref-confusion.yml
@@ -431,7 +432,7 @@ there are steps you can take to minimize their risk:
 | Type     | Examples                 | Introduced in | Works offline  | Enabled by default |
 |----------|--------------------------|---------------|----------------|--------------------|
-| Workflow  | [template-injection.yml] | v0.1.0        | ✅             | ✅                 |
+| Workflow, Action  | [template-injection.yml] | v0.1.0        | ✅             | ✅                 |
 [template-injection.yml]: https://github.com/woodruffw/gha-hazmat/blob/main/.github/workflows/template-injection.yml
@@ -546,9 +547,9 @@ or @rubygems/release-gem for canonical examples of using it.
 ## `unpinned-uses`
-| Type     | Examples                     | Introduced in | Works offline  | Enabled by default |
-|----------|------------------------------|---------------|----------------|--------------------|
-| Workflow  | [unpinned.yml]              | v0.4.0        | ✅             | ✅                 |
+| Type             | Examples                     | Introduced in | Works offline  | Enabled by default |
+|------------------|------------------------------|---------------|----------------|--------------------|
+| Workflow, Action | [unpinned.yml]              | v0.4.0        | ✅             | ✅                 |
 [unpinned.yml]: https://github.com/woodruffw/gha-hazmat/blob/main/.github/workflows/unpinned.yml
@@ -622,7 +623,7 @@ A before/after example is shown below.
 | Type     | Examples                | Introduced in | Works offline  | Enabled by default |
 |----------|-------------------------|---------------|----------------|--------------------|
-| Workflow  | [insecure-commands.yml] | v0.5.0        | ✅             | ✅                 |
+| Workflow, Action  | [insecure-commands.yml] | v0.5.0        | ✅             | ✅                 |
 [insecure-commands.yml]: https://github.com/woodruffw/gha-hazmat/blob/main/.github/workflows/insecure-commands.yml
@@ -668,7 +669,7 @@ In general, users should use for [GitHub Actions environment files]
 | Type     | Examples           | Introduced in | Works offline  | Enabled by default |
 |----------|--------------------|---------------|----------------|--------------------|
-| Workflow  | [github-env.yml]   | v0.6.0        | ✅             | ✅                 |
+| Workflow, Action  | [github-env.yml]   | v0.6.0        | ✅             | ✅                 |
 [github-env.yml]: https://github.com/woodruffw/gha-hazmat/blob/main/.github/workflows/github-env.yml

{zizmor-0.10.0 → zizmor-1.0.0}/docs/configuration.md RENAMED Viewed

@@ -59,7 +59,11 @@ where `filename.yml` is the base filename of the workflow, and `line` and
 location to ignore. If one or both are absent, then the rule applies to the
 entire file or entire line.
-By example, here is a configuration file with two different audit ignore
+!!! important
+    Composite action findings cannot be ignored via `zizmor.yml` currently.
+For example, here is a configuration file with two different audit ignore
 rule groups:
 ```yaml title="zizmor.yml"

{zizmor-0.10.0 → zizmor-1.0.0}/docs/installation.md RENAMED Viewed

@@ -10,14 +10,18 @@ description: Installation instructions for zizmor.
 === ":simple-rust: crates.io"
+    ![Crates.io Version](https://img.shields.io/crates/v/zizmor)
     You can install `zizmor` from <https://crates.io> with `cargo`:
     ```bash
-    cargo install zizmor
+    cargo install --locked zizmor
     ```
 === ":simple-homebrew: Homebrew"
+    ![Homebrew Formula Version](https://img.shields.io/homebrew/v/zizmor)
     `zizmor` is provided by [Homebrew](https://brew.sh/):
     ```bash
@@ -26,6 +30,8 @@ description: Installation instructions for zizmor.
 === ":simple-pypi: PyPI"
+    ![PyPI - Version](https://img.shields.io/pypi/v/zizmor)
     !!! tip
         Despite being available on PyPI, `zizmor` is a compiled binary
@@ -51,6 +57,10 @@ description: Installation instructions for zizmor.
 === ":simple-anaconda: Conda"
+    [![Anaconda-Server Badge](https://anaconda.org/conda-forge/zizmor/badges/version.svg)](https://anaconda.org/conda-forge/zizmor)
+    [![Anaconda-Server Badge](https://anaconda.org/conda-forge/zizmor/badges/latest_release_date.svg)](https://anaconda.org/conda-forge/zizmor)
+    [![Anaconda-Server Badge](https://anaconda.org/conda-forge/zizmor/badges/platforms.svg)](https://anaconda.org/conda-forge/zizmor)
     !!! note
         This is a community-maintained package.
@@ -67,6 +77,8 @@ description: Installation instructions for zizmor.
 === ":material-nix: Nix"
+    [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/zizmor.svg)](https://repology.org/project/zizmor/versions)
     !!! note
         This is a community-maintained package.

zizmor 0.10.0__tar.gz → 1.0.0__tar.gz

Potentially problematic release.

zizmor 0.10.0tar.gz → 1.0.0tar.gz