zizmor 0.8.0__tar.gz

zizmor-0.8.0/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: woodruffw
+thanks_dev: u/gh/woodruffw

zizmor-0.8.0/.github/ISSUE_TEMPLATE/bug-report.yml

@@ -0,0 +1,77 @@
+name: Bug Report
+description: File a bug report.
+title: "[BUG]: "
+labels:
+  - bug
+  - triage
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this bug report!
+
+        Please read the following parts of this template carefully.
+        Invalid or incomplete submissions take longer to triage,
+        and may be given a lower priority or closed outright
+        if not actionable.
+
+  - type: checkboxes
+    attributes:
+      label: Pre-submission checks
+      description: |
+        By submitting this issue, you affirm that you've satisfied the
+        following conditions.
+      options:
+        - label: >-
+            I am **not** filing a feature request. These should be filed via
+            the feature request form instead.
+          required: true
+        - label: >-
+            I have looked through the
+            [open issues](https://github.com/woodruffw/zizmor/issues?q=is%3Aissue+is%3Aopen+)
+            for a duplicate report.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: Expected behavior
+      description: A clear and concise description of what you expected to happen.
+      placeholder: |
+        I expected `zizmor ...` to do X, Y, and Z.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Actual behavior
+      description: A clear and concise description of what actually happened.
+      placeholder: |
+        Instead of doing X, Y, and Z, `zizmor ...` produced the following error: ...
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Reproduction steps
+      description: A step-by-step list of actions that we can take to reproduce the actual behavior.
+      placeholder: |
+        1. Do this
+        2. Do that
+        3. Do another thing
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Logs
+      description: |
+        If applicable, please paste any logs or console errors here.
+
+        If you can re-run the command that produced the error, run it with
+        `--verbose` and paste the full verbose logs here.
+      render: plain text
+
+  - type: textarea
+    attributes:
+      label: Additional context
+      description: Add any other additional context about the problem here.

zizmor-0.8.0/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Discussions Forum
+    url: https://github.com/woodruffw/zizmor/discussions
+    about: Please ask and answer questions here.
+  - name: Security Reports
+    url: https://github.com/woodruffw/zizmor/security/advisories
+    about: Please report potential security vulnerabilities here.

zizmor-0.8.0/.github/ISSUE_TEMPLATE/feature-request.yml

@@ -0,0 +1,52 @@
+name: Feature request
+description: Suggest an idea or enhancement for zizmor
+title: "Feature: "
+labels:
+  - enhancement
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank for for making a `zizmor` feature request!
+
+        Please read the following parts of this form carefully.
+        Invalid or incomplete submissions take longer to triage,
+        and may be given a lower priority or closed outright
+        if not actionable.
+
+  - type: checkboxes
+    attributes:
+      label: Pre-submission checks
+      description: |
+        By submitting this issue, you affirm that you've satisfied the following conditions.
+      options:
+        - label: >-
+            I am **not** reporting a bug (crash, false positive/negative, etc).
+            These must be filed via the bug report template.
+          required: true
+        - label: >-
+            I have looked through the open issues for a duplicate request.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: What's the problem this feature will solve?
+      description: |
+        A clear and concise description of the problem.
+      placeholder: |
+        I'm always frustrated when ...
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Describe the solution you'd like
+      description: A clear and concise description of what you want to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Additional context
+      description: |
+        Any additional context, screenshots, or other material about the feature request.

zizmor-0.8.0/.github/dependabot.yml

@@ -0,0 +1,19 @@
+version: 2
+updates:
+  - package-ecosystem: cargo
+    directory: "/"
+    schedule:
+      interval: weekly
+    groups:
+      cargo:
+        patterns:
+          - "*"
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      github-actions:
+        patterns:
+          - "*"

zizmor-0.8.0/.github/release.yml

@@ -0,0 +1,29 @@
+changelog:
+  exclude:
+    labels:
+      - tests
+      - chore
+      - no-changelog
+    authors:
+      - dependabot
+
+  categories:
+    - title: New Features 🌈
+      labels:
+        - enhancement
+        - new-audit
+        - cli
+
+    - title: Bug Fixes 🐛
+      labels:
+        - bugfix
+        - false-negative
+        - false-positive
+
+    - title: Performance Improvements 🚄
+      labels:
+        - performance
+
+    - title: Documentation Improvements 📖
+      labels:
+        - documentation

zizmor-0.8.0/.github/workflows/ci.yml

@@ -0,0 +1,36 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - name: Format
+        run: cargo fmt && git diff --exit-code
+
+      - name: Lint
+        run: cargo clippy -- -D warnings
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      with:
+        persist-credentials: false
+
+    - name: Test
+      run: cargo test
+
+    - name: Test snippets
+      run: |
+        make snippets
+        git diff --exit-code

zizmor-0.8.0/.github/workflows/pypi.yml

@@ -0,0 +1,174 @@
+name: zizmor wheel builds for PyPI
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - '*'
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  linux:
+    runs-on: ${{ matrix.platform.runner }}
+    strategy:
+      matrix:
+        platform:
+          - runner: ubuntu-22.04
+            target: x86_64
+          - runner: ubuntu-22.04
+            target: x86
+          # FUBAR
+          # - runner: ubuntu-22.04
+          #   target: aarch64
+          - runner: ubuntu-22.04
+            target: armv7
+          - runner: ubuntu-22.04
+            target: s390x
+          - runner: ubuntu-22.04
+            target: ppc64le
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Build wheels
+        uses: PyO3/maturin-action@v1
+        with:
+          target: ${{ matrix.platform.target }}
+          args: --release --out dist
+          sccache: 'true'
+          manylinux: auto
+      - name: Upload wheels
+        uses: actions/upload-artifact@v4
+        with:
+          name: wheels-linux-${{ matrix.platform.target }}
+          path: dist
+
+  musllinux:
+    runs-on: ${{ matrix.platform.runner }}
+    strategy:
+      matrix:
+        platform:
+          - runner: ubuntu-22.04
+            target: x86_64
+          - runner: ubuntu-22.04
+            target: x86
+          - runner: ubuntu-22.04
+            target: aarch64
+          - runner: ubuntu-22.04
+            target: armv7
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Build wheels
+        uses: PyO3/maturin-action@v1
+        with:
+          target: ${{ matrix.platform.target }}
+          args: --release --out dist
+          sccache: 'true'
+          manylinux: musllinux_1_2
+      - name: Upload wheels
+        uses: actions/upload-artifact@v4
+        with:
+          name: wheels-musllinux-${{ matrix.platform.target }}
+          path: dist
+
+  windows:
+    runs-on: ${{ matrix.platform.runner }}
+    strategy:
+      matrix:
+        platform:
+          - runner: windows-latest
+            target: x64
+          - runner: windows-latest
+            target: x86
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Build wheels
+        uses: PyO3/maturin-action@v1
+        with:
+          target: ${{ matrix.platform.target }}
+          args: --release --out dist
+          sccache: 'true'
+      - name: Upload wheels
+        uses: actions/upload-artifact@v4
+        with:
+          name: wheels-windows-${{ matrix.platform.target }}
+          path: dist
+
+  macos:
+    runs-on: ${{ matrix.platform.runner }}
+    strategy:
+      matrix:
+        platform:
+          - runner: macos-13
+            target: x86_64
+          - runner: macos-14
+            target: aarch64
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Build wheels
+        uses: PyO3/maturin-action@v1
+        with:
+          target: ${{ matrix.platform.target }}
+          args: --release --out dist
+          sccache: 'true'
+      - name: Upload wheels
+        uses: actions/upload-artifact@v4
+        with:
+          name: wheels-macos-${{ matrix.platform.target }}
+          path: dist
+
+  sdist:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Build sdist
+        uses: PyO3/maturin-action@v1
+        with:
+          command: sdist
+          args: --out dist
+      - name: Upload sdist
+        uses: actions/upload-artifact@v4
+        with:
+          name: wheels-sdist
+          path: dist
+
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/zizmor
+    if: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' }}
+    needs: [linux, musllinux, windows, macos, sdist]
+    permissions:
+      # Use to sign the release artifacts
+      id-token: write
+      # Used to upload release artifacts
+      contents: write
+      # Used to generate artifact attestation
+      attestations: write
+    steps:
+      - uses: actions/download-artifact@v4
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: 'wheels-*/*'
+      - name: Publish to PyPI
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        uses: PyO3/maturin-action@v1
+        with:
+          command: upload
+          args: --non-interactive --skip-existing wheels-*/*

zizmor-0.8.0/.github/workflows/release.yml

@@ -0,0 +1,19 @@
+on:
+  release:
+    types:
+      - published
+
+name: release
+
+jobs:
+  crates:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - name: publish to crates.io
+        run: cargo publish
+        env:
+          CARGO_REGISTRY_TOKEN: "${{ secrets.CARGO_REGISTRY_TOKEN }}"

zizmor-0.8.0/.github/workflows/site.yml

@@ -0,0 +1,51 @@
+name: Deploy zizmor site
+
+on:
+  push:
+    branches:
+      - main
+      - site-staging
+
+  workflow_dispatch:
+
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+permissions: {}
+
+jobs:
+  deploy:
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v3
+
+      - name: build site
+        run: make site
+
+      - name: Setup Pages
+        if: github.repository_owner == 'woodruffw'
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+        with:
+          path: site_html
+
+      - name: Deploy to GitHub Pages
+        if: github.repository_owner == 'woodruffw'
+        id: deployment
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4

zizmor-0.8.0/.github/workflows/zizmor.yml

@@ -0,0 +1,33 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["*"]
+
+jobs:
+  zizmor:
+    name: zizmor latest via Cargo
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+      - name: Setup Rust
+        uses: actions-rust-lang/setup-rust-toolchain@11df97af8e8102fd60b60a77dfbf58d40cd843b8 # v1
+      - name: Get zizmor
+        run: cargo install zizmor
+      - name: Run zizmor 🌈
+        run: zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        with:
+          sarif_file: results.sarif
+          category: zizmor

zizmor-0.8.0/.gitignore

@@ -0,0 +1,9 @@
+/target
+
+# website artifacts
+/site_html
+.cache
+
+# IDEs / Editors
+.idea
+.DS_STORE

zizmor-0.8.0/.pre-commit-hooks.yaml

@@ -0,0 +1,6 @@
+- id: zizmor
+  name: zizmor
+  description: 'Find security issues in GitHub Actions CI/CD setups'
+  language: rust
+  files: \.github/workflows/.*\.yml$
+  entry: zizmor

zizmor-0.8.0/CONTRIBUTING.md

@@ -0,0 +1,84 @@
+# Contributing to `zizmor`
+
+Thank you for your interest in contributing to `zizmor`!
+
+This is intended to be a "high-level" guide with some suggestions
+for ways to contribute. Once you've picked a contribution idea,
+please see our [development docs]
+for concrete guidance on specific development tasks and style prescriptions.
+
+## How to contribute
+
+Here's a short list of steps you can follow to contribute:
+
+1. *Figure out what you want to contribute.* See the
+   [contribution ideas](#contribution-ideas) section below if you're looking
+   for ideas!
+2. *File or reply to an issue, if appropriate.* Some contributions require
+   new issues (like new bugs), while others involve an existing issue
+   (like known documentation defects). Others don't require an issue at all,
+   like small typo fixes. In general, if you aren't sure, *error on the side
+   of making or replying to an issue* — it helps maintain shared
+   development context.
+3. *Hack away.* Once you know what you're working on, refer to our
+   [development docs] for help with specific development tasks. And don't be
+   afraid to ask for help!
+
+## Contribution ideas
+
+Here are some ways that you can contribute to `zizmor`. These aren't the only
+ways; they're just for inspiration.
+
+### Good first issues
+
+We use the ["good first issue"] label to track issues that we think are
+(somewhat) easy and/or straightforward, making them good choices for an
+early contribution.
+
+To work on one of these, **please leave a comment** on its issue before opening
+a pull request to make sure nobody else duplicates your work!
+
+["good first issue"]: https://github.com/woodruffw/zizmor/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22
+
+### Writing documentation
+
+One of the best ways to help us with `zizmor` is to help us improve our
+documentation!
+
+Here are some things we could use help with:
+
+* Improving our [CLI usage recipes](https://woodruffw.github.io/zizmor/usage/).
+* Improving the detail in our
+  [audit documentation pages](https://woodruffw.github.io/zizmor/audits/).
+* Improving our internal (Rust API) documentation, especially in conjunction
+  with more unit tests.
+
+More generally, see [issues labeled with `documentation`] for a potential
+list of documentation efforts to contribute on.
+
+[issues labeled with `documentation`]: https://github.com/woodruffw/zizmor/issues?q=is%3Aissue+is%3Aopen+label%3Adocumentation
+
+### Writing unit tests
+
+We can always use more unit tests! Pick a part of the Rust codebase and
+start testing.
+
+Keep the cardinal rule of unit testing in mind: a unit test must test
+**a single unit** of behavior. If it tests more than one unit, then
+consider making it an integration test instead.
+
+### Reducing false positives/negatives in audits
+
+Static analysis is inherently imprecise, and `zizmor` is no exception.
+
+We track imprecision bugs with the ["false positive"] and ["false negative"]
+labels. These can sometimes be tricky to address, so we recommend
+(but don't require) leaving an explanatory comment on the issue before
+beginning a pull request.
+
+["false positive"]: https://github.com/woodruffw/zizmor/issues?q=is%3Aopen+label%3Afalse-positive
+
+["false negative"]: https://github.com/woodruffw/zizmor/issues?q=is%3Aopen+label%3Afalse-negative
+
+[development docs]: https://woodruffw.github.io/zizmor/development/
+