zizmor 1.3.1__tar.gz → 1.4.0__tar.gz

{zizmor-1.3.1 → zizmor-1.4.0}/.github/dependabot.yml

@@ -17,3 +17,12 @@ updates:
       github-actions:
         patterns:
           - "*"
+
+  - package-ecosystem: docker
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      docker:
+        patterns:
+          - "*"

{zizmor-1.3.1 → zizmor-1.4.0}/.github/workflows/ci.yml

@@ -33,7 +33,7 @@ jobs:
 
     - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2
 
-    - uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2
+    - uses: astral-sh/setup-uv@1edb52594c857e2b5b13128931090f0640537287 # v5.3.0
 
     - name: Test
       run: cargo test --features online-tests
@@ -52,7 +52,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2
+      - uses: astral-sh/setup-uv@1edb52594c857e2b5b13128931090f0640537287 # v5.3.0
 
       - name: Test site
         run: make site

zizmor-1.4.0/.github/workflows/docker.yml

@@ -0,0 +1,156 @@
+name: Build and publish Docker images
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'The version of zizmor to build against'
+        required: true
+
+      latest:
+        description: 'Whether to tag the image as latest'
+        required: false
+        default: true
+        type: boolean
+
+permissions: {}
+
+env:
+  ZIZMOR_IMAGE: ghcr.io/woodruffw/zizmor
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
+          - runner: ubuntu-latest
+            platform: linux/amd64
+            platform-pair: linux-amd64
+          - runner: ubuntu-24.04-arm
+            platform: linux/arm64
+            platform-pair: linux-arm64
+
+    name: Build and publish Docker image (${{ matrix.image.runner }})
+
+    runs-on: ${{ matrix.image.runner }}
+
+    environment:
+      name: docker
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
+        with:
+          cache-binary: false
+
+      - name: Extract Docker metadata
+        id: docker-metadata
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
+        with:
+          images: "${{ env.ZIZMOR_IMAGE }}"
+
+      - name: Login to GHCR
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v6
+        if: github.repository_owner == 'woodruffw'
+        with:
+          registry: ghcr.io
+          username: "${{ github.repository_owner }}"
+          password: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6
+        with:
+          platforms: ${{ matrix.image.platform }}
+          labels: ${{ steps.docker-metadata.outputs.labels }}
+          outputs: type=image,"name=${{ env.ZIZMOR_IMAGE }}",push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${DIGEST}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+
+      - name: Upload digest
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
+        with:
+          name: digests-${{ matrix.image.platform-pair }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    needs: build
+    runs-on: ubuntu-latest
+
+    environment:
+      name: docker
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Login to GHCR
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v6
+        if: github.repository_owner == 'woodruffw'
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
+        with:
+          cache-binary: false
+
+      - name: Extract Docker metadata
+        id: docker-metadata
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: index
+        with:
+          images: "${{ env.ZIZMOR_IMAGE }}"
+          tags: |
+            type=raw,value=${{ github.event.inputs.version }}
+            typw=raw,value=latest,enable=${{ github.event.inputs.latest }}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        # NOTE: annotation technique adapted from Ruff's build-docker.yml,
+        # see: https://github.com/astral-sh/ruff/blob/6e34f74c16/.github/workflows/build-docker.yml
+        run: |
+          readarray -t lines <<< "$DOCKER_METADATA_OUTPUT_ANNOTATIONS"
+          annotations=()
+          for line in "${lines[@]}"; do
+            annotations+=(--annotation "$line")
+          done
+
+          docker buildx imagetools create \
+            "${annotations[@]}" \
+            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.ZIZMOR_IMAGE }}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect "${ZIZMOR_IMAGE}:${VERSION}"
+        env:
+          VERSION: ${{ steps.docker-metadata.outputs.version }}

{zizmor-1.3.1 → zizmor-1.4.0}/.github/workflows/pypi.yml

@@ -40,14 +40,14 @@ jobs:
         with:
           persist-credentials: false
       - name: Build wheels
-        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
+        uses: PyO3/maturin-action@53965ae436bfa278197425c78ac1e3eeebc7cc33 # v1
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist
           sccache: ${{ !startsWith(github.ref, 'refs/tags/') }} # zizmor: ignore[cache-poisoning]
           manylinux: ${{ matrix.platform.manylinux }}
       - name: Upload wheels
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
         with:
           name: wheels-linux-${{ matrix.platform.target }}
           path: dist
@@ -70,14 +70,14 @@ jobs:
         with:
           persist-credentials: false
       - name: Build wheels
-        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
+        uses: PyO3/maturin-action@53965ae436bfa278197425c78ac1e3eeebc7cc33 # v1
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist
           sccache: ${{ !startsWith(github.ref, 'refs/tags/') }} # zizmor: ignore[cache-poisoning]
           manylinux: musllinux_1_2
       - name: Upload wheels
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
         with:
           name: wheels-musllinux-${{ matrix.platform.target }}
           path: dist
@@ -96,13 +96,13 @@ jobs:
         with:
           persist-credentials: false
       - name: Build wheels
-        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
+        uses: PyO3/maturin-action@53965ae436bfa278197425c78ac1e3eeebc7cc33 # v1
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist
           sccache: ${{ !startsWith(github.ref, 'refs/tags/') }} # zizmor: ignore[cache-poisoning]
       - name: Upload wheels
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
         with:
           name: wheels-windows-${{ matrix.platform.target }}
           path: dist
@@ -121,13 +121,13 @@ jobs:
         with:
           persist-credentials: false
       - name: Build wheels
-        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
+        uses: PyO3/maturin-action@53965ae436bfa278197425c78ac1e3eeebc7cc33 # v1
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist
           sccache: ${{ !startsWith(github.ref, 'refs/tags/') }} # zizmor: ignore[cache-poisoning]
       - name: Upload wheels
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
         with:
           name: wheels-macos-${{ matrix.platform.target }}
           path: dist
@@ -139,12 +139,12 @@ jobs:
         with:
           persist-credentials: false
       - name: Build sdist
-        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
+        uses: PyO3/maturin-action@53965ae436bfa278197425c78ac1e3eeebc7cc33 # v1
         with:
           command: sdist
           args: --out dist
       - name: Upload sdist
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
         with:
           name: wheels-sdist
           path: dist
@@ -172,7 +172,7 @@ jobs:
           subject-path: 'wheels-*/*'
       - name: Publish to PyPI
         if: ${{ startsWith(github.ref, 'refs/tags/') }}
-        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
+        uses: PyO3/maturin-action@53965ae436bfa278197425c78ac1e3eeebc7cc33 # v1
         with:
           command: upload
           args: --non-interactive --skip-existing wheels-*/*

{zizmor-1.3.1 → zizmor-1.4.0}/.github/workflows/site.yml

@@ -30,7 +30,7 @@ jobs:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2
+        uses: astral-sh/setup-uv@1edb52594c857e2b5b13128931090f0640537287 # v5.3.0
 
       - name: build site
         run: make site

{zizmor-1.3.1 → zizmor-1.4.0}/.github/workflows/zizmor.yml

@@ -21,13 +21,13 @@ jobs:
         with:
           persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2
+        uses: astral-sh/setup-uv@1edb52594c857e2b5b13128931090f0640537287 # v5.3.0
       - name: Run zizmor 🌈
         run: uvx zizmor --format sarif . > results.sarif
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           sarif_file: results.sarif
           category: zizmor

{zizmor-1.3.1 → zizmor-1.4.0}/Cargo.lock

@@ -97,9 +97,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.95"
+version = "1.0.96"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34ac096ce696dc2fcabef30516bb13c0a68a11d30131d3df6f04711467681b04"
+checksum = "6b964d184e89d9b6b67dd2715bc8e74cf3107fb2b529990c90cf517326150bf4"
 
 [[package]]
 name = "arrayvec"
@@ -273,9 +273,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
 [[package]]
 name = "clap"
-version = "4.5.27"
+version = "4.5.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "769b0145982b4b48713e01ec42d61614425f27b7058bda7180a3a41f30104796"
+checksum = "92b7b18d71fad5313a1e320fa9897994228ce274b60faa4d694fe0ea89cd9e6d"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -293,9 +293,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.27"
+version = "4.5.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b26884eb4b57140e4d2d93652abfa49498b938b3c9179f9fc487b0acc3edad7"
+checksum = "a35db2071778a7344791a4fb4f95308b5673d219dee3ae348b86642574ecc90c"
 dependencies = [
  "anstream",
  "anstyle",
@@ -305,9 +305,9 @@ dependencies = [
 
 [[package]]
 name = "clap_derive"
-version = "4.5.24"
+version = "4.5.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "54b755194d6389280185988721fffba69495eed5ee9feeee9a599b53db80318c"
+checksum = "bf4ced95c6f4a675af3da73304b9ac4ed991640c36374e4b46795c49e17cf1ed"
 dependencies = [
  "heck",
  "proc-macro2",
@@ -475,9 +475,9 @@ dependencies = [
 
 [[package]]
 name = "flate2"
-version = "1.0.35"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c936bfdafb507ebbf50b8074c54fa31c5be9a1e7e5f467dd659697041407d07c"
+checksum = "11faaf5a5236997af9848be0bef4db95824b1d534ebc64d0f0c6cf3e67bd38dc"
 dependencies = [
  "crc32fast",
  "miniz_oxide",
@@ -616,9 +616,9 @@ checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
 
 [[package]]
 name = "github-actions-models"
-version = "0.25.0"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d3d33cc977e9aaa73b0e447c5c387e1720dcdfbc54e7f86e32c76e2a78bfcb9c"
+checksum = "63a17952a0374993a4c7f8df12bd75b3d1ed8fb9c78e8dbaa32cf451143faaaa"
 dependencies = [
  "indexmap",
  "serde",
@@ -1168,9 +1168,9 @@ checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
 
 [[package]]
 name = "miniz_oxide"
-version = "0.8.0"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2d80299ef12ff69b16a84bb182e3b9df68b5a91574d3d4fa6e41b65deec4df1"
+checksum = "8e3e04debbb59698c15bacbb6d93584a8c0ca9cc3213cb423d31f760d8843ce5"
 dependencies = [
  "adler2",
 ]
@@ -1259,9 +1259,9 @@ checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39"
 
 [[package]]
 name = "owo-colors"
-version = "4.1.0"
+version = "4.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fb37767f6569cd834a413442455e0f066d0d522de8630436e2a1761d9726ba56"
+checksum = "1036865bb9422d3300cf723f657c2851d0e9ab12567854b1f4eba3d77decf564"
 
 [[package]]
 name = "percent-encoding"
@@ -1620,9 +1620,9 @@ dependencies = [
 
 [[package]]
 name = "reqwest-middleware"
-version = "0.4.0"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d1ccd3b55e711f91a9885a2fa6fbbb2e39db1776420b062efc058c6410f7e5e3"
+checksum = "64e8975513bd9a7a43aad01030e79b3498e05db14e9d945df6483e8cf9b8c4c4"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -1763,9 +1763,9 @@ dependencies = [
 
 [[package]]
 name = "serde"
-version = "1.0.217"
+version = "1.0.218"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "02fc4265df13d6fa1d00ecff087228cc0a2b5f3c0e87e258d8b94a156e984c70"
+checksum = "e8dfc9d19bdbf6d17e22319da49161d5d0108e4188e8b680aef6299eed22df60"
 dependencies = [
  "serde_derive",
 ]
@@ -1792,9 +1792,9 @@ dependencies = [
 
 [[package]]
 name = "serde_derive"
-version = "1.0.217"
+version = "1.0.218"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a9bf7cf98d04a2b28aead066b7496853d4779c9cc183c440dbac457641e19a0"
+checksum = "f09503e191f4e797cb8aac08e9a4a4695c5edf6a2e70e376d961ddd5c969f82b"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1803,9 +1803,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.138"
+version = "1.0.139"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d434192e7da787e94a6ea7e9670b26a036d0ca41e0b7efb2676dd32bae872949"
+checksum = "44f86c3acccc9c65b153fe1b85a3be07fe5515274ec9f0653b4a0875731c72a6"
 dependencies = [
  "itoa",
  "memchr",
@@ -2086,9 +2086,9 @@ dependencies = [
 
 [[package]]
 name = "tar"
-version = "0.4.43"
+version = "0.4.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c65998313f8e17d0d553d28f91a0df93e4dbbbf770279c7bc21ca0f09ea1a1f6"
+checksum = "1d863878d212c87a19c1a610eb53bb01fe12951c0501cf5a0d65f724914a667a"
 dependencies = [
  "filetime",
  "libc",
@@ -3151,7 +3151,7 @@ dependencies = [
 
 [[package]]
 name = "zizmor"
-version = "1.3.1"
+version = "1.4.0"
 dependencies = [
  "annotate-snippets",
  "anstream",

{zizmor-1.3.1 → zizmor-1.4.0}/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "zizmor"
 description = "Static analysis for GitHub Actions"
-version = "1.3.1"
+version = "1.4.0"
 edition = "2021"
 repository = "https://github.com/woodruffw/zizmor"
 homepage = "https://github.com/woodruffw/zizmor"
@@ -21,22 +21,22 @@ online-tests = ["gh-token-tests"]
 [dependencies]
 annotate-snippets = "0.11.5"
 anstream = "0.6.18"
-anyhow = "1.0.95"
+anyhow = "1.0.96"
 camino = { version = "1.1.9", features = ["serde1"] }
-clap = { version = "4.5.27", features = ["derive", "env"] }
+clap = { version = "4.5.30", features = ["derive", "env"] }
 clap-verbosity-flag = { version = "3.0.2", features = [
     "tracing",
 ], default-features = false }
 etcetera = "0.8.0"
-flate2 = "1.0.35"
-github-actions-models = "0.25.0"
+flate2 = "1.1.0"
+github-actions-models = "0.26.0"
 http-cache-reqwest = "0.15.1"
 human-panic = "2.0.1"
 indexmap = "2.7.1"
 indicatif = "0.17.11"
 itertools = "0.14.0"
 line-index = "0.1.2"
-owo-colors = "4.1.0"
+owo-colors = "4.2.0"
 pest = "2.7.15"
 pest_derive = "2.7.15"
 regex = "1.11.1"
@@ -45,14 +45,14 @@ reqwest = { version = "0.12.12", features = [
     "json",
     "rustls-tls",
 ], default-features = false }
-reqwest-middleware = "0.4.0"
-serde = { version = "1.0.217", features = ["derive"] }
+reqwest-middleware = "0.4.1"
+serde = { version = "1.0.218", features = ["derive"] }
 serde-sarif = "0.7.0"
-serde_json = "1.0.138"
+serde_json = "1.0.139"
 serde_yaml = "0.9.34"
 # TODO remove pending https://github.com/tree-sitter/tree-sitter/pull/4034
 streaming-iterator = "0.1.9"
-tar = "0.4.43"
+tar = "0.4.44"
 terminal-link = "0.1.0"
 tokio = { version = "1.43.0", features = ["rt-multi-thread"] }
 tracing = "0.1.41"

zizmor-1.4.0/Dockerfile

@@ -0,0 +1,30 @@
+FROM python:3.13-slim-bullseye AS build
+
+LABEL org.opencontainers.image.source=https://github.com/woodruffw/zizmor
+
+# Zizmor version to install (set as an argument to pair with zizmor releases)
+ARG ZIZMOR_VERSION
+
+ENV PYTHONUNBUFFERED=1 \
+    PIP_NO_CACHE_DIR=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1
+
+RUN set -eux && \
+    apt-get update && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN pip install zizmor && \
+    which zizmor
+
+# ------------------------------------------------------------------------------
+# Runtime image
+# ------------------------------------------------------------------------------
+
+FROM debian:bullseye-slim
+
+# Copy necessary files from build stage
+COPY --from=build /usr/local/bin/zizmor /app/zizmor
+
+# Set the entrypoint to zizmor
+ENTRYPOINT ["/app/zizmor"]

{zizmor-1.3.1 → zizmor-1.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: zizmor
-Version: 1.3.1
+Version: 1.4.0
 License-File: LICENSE
 Summary: Static analysis for GitHub Actions
 Keywords: cli,github-actions,static-analysis,security

{zizmor-1.3.1 → zizmor-1.4.0}/docs/audits.md

@@ -877,7 +877,7 @@ not using `pull_request_target` for auto-merge workflows.
 
 | Type     | Examples                | Introduced in | Works offline  | Enabled by default |
 |----------|-------------------------|---------------|----------------|--------------------|
-| Workflow  | [overprovisioned-secrets.yml]   | v1.3.0      | ✅             | ✅                 |
+| Workflow, Action  | [overprovisioned-secrets.yml]   | v1.3.0      | ✅             | ✅                 |
 
 [overprovisioned-secrets.yml]: https://github.com/woodruffw/gha-hazmat/blob/main/.github/workflows/overprovisioned-secrets.yml
 
@@ -934,6 +934,74 @@ Secrets should be accessed individually by name.
               SECRET_TWO: ${{ secrets.SECRET_TWO }}
     ```
 
+## `unredacted-secrets`
+
+| Type     | Examples                | Introduced in | Works offline  | Enabled by default |
+|----------|-------------------------|---------------|----------------|--------------------|
+| Workflow, Action  | [unredacted-secrets.yml]   | v1.4.0      | ✅             | ✅                 |
+
+[unredacted-secrets.yml]: https://github.com/woodruffw/gha-hazmat/blob/main/.github/workflows/unredacted-secrets.yml
+
+Detects potential secret leakage via redaction failures.
+
+Typically, users access the `secrets` context via its individual members:
+
+```yaml
+env:
+  PASSWORD: ${{ secrets.PASSWORD }}
+```
+
+This allows the Actions runner to redact the secret values from the job logs,
+as it knows the exact string value of each secret.
+
+However, if the user instead treats the secret as a structured value,
+e.g. JSON:
+
+```yaml
+env:
+  PASSWORD: ${{ fromJSON(secrets.MY_SECRET).password }}
+```
+
+...then the `password` field is not redacted, as the runner does not
+treat arbitrary substrings of secrets as secret values.
+
+Other resources:
+
+* [Using secrets in GitHub Actions]
+
+### Remediation
+
+In general, users should avoid treating secrets as structured values.
+For example, instead of storing a JSON object in a secret, store the
+individual fields as separate secrets.
+
+=== "Before :warning:"
+
+    ```yaml title="unredacted-secrets.yml" hl_lines="7-8"
+    jobs:
+      deploy:
+        runs-on: ubuntu-latest
+        steps:
+          - run: ./deploy.sh
+            env:
+              USERNAME: ${{ fromJSON(secrets.MY_SECRET).username }}
+              PASSWORD: ${{ fromJSON(secrets.MY_SECRET).password }}
+    ```
+
+=== "After :white_check_mark:"
+
+    ```yaml title="unredacted-secrets.yml" hl_lines="7-8"
+    jobs:
+      deploy:
+        runs-on: ubuntu-latest
+        steps:
+          - run: ./deploy.sh
+            env:
+              USERNAME: ${{ secrets.MY_SECRET_USERNAME }}
+              PASSWORD: ${{ secrets.MY_SECRET_PASSWORD }}
+    ```
+
+
 [ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts]: https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
 [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests]: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
 [What the fork? Imposter commits in GitHub Actions and CI/CD]: https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd
@@ -956,3 +1024,4 @@ Secrets should be accessed individually by name.
 [Principle of Least Authority]: https://en.wikipedia.org/wiki/Principle_of_least_privilege
 [Cacheract: The Monster in your Build Cache]: https://adnanthekhan.com/2024/12/21/cacheract-the-monster-in-your-build-cache/
 [GitHub Actions exploitations: Dependabot]: https://www.synacktiv.com/publications/github-actions-exploitation-dependabot
+[Using secrets in GitHub Actions]: https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions

{zizmor-1.3.1 → zizmor-1.4.0}/docs/installation.md

@@ -49,6 +49,14 @@ description: Installation instructions for zizmor.
     uvx zizmor --help
     ```
 
+=== ":simple-docker: Docker"
+
+    An official `zizmor` image is available from the [GitHub Container Registry](https://ghcr.io/woodruffw/zizmor):
+
+    ```bash
+    docker pull ghcr.io/woodruffw/zizmor:latest
+    ```
+
 === ":simple-anaconda: Conda"
 
     [![Anaconda-Server Badge](https://anaconda.org/conda-forge/zizmor/badges/version.svg)](https://anaconda.org/conda-forge/zizmor)
@@ -98,7 +106,6 @@ description: Installation instructions for zizmor.
     pacman -S zizmor
     ```
 
-
 === "Other ecosystems"
 
     !!! info