v1.3.0

This release comes with one new audit (overprovisioned-secrets), plus a handful of bugfixes and analysis improvements to existing audits. It also comes with a special easter egg for those who wish to kvell about their audit results.

New Features 🌈🔗

• New audit: overprovisioned-secrets detects uses of the secrets context that result in excessive secret provisioning (#485)
• Added a special naches mode for when you're feeling particularly proud of your audit results (#490)

Improvements 🌱🔗

• zizmor produces slightly more informative error messages when given an invalid input file (#482)
• Case insensitivity in contexts is now handeled more consistently and pervasively (#491)

Bug Fixes 🐛🔗

• Fixed a bug where zizmor would fail to discover actions within subdirectories of .github/workflows (#477)
• Fixed a bug where zizmor would fail to parse composite action definitions with no name field (#487)

v1.2.2

Bug Fixes 🐛🔗

• The excessive-permissions audit is now more precise about both reusable workflows and reusable workflow calls (#473)

Improvements 🌱🔗

• Fetch failures when running zizmor org/repo are now more informative (#475)

v1.2.1

This is a small corrective release for some SARIF behavior that changed with v1.2.0.

Bug Fixes 🐛🔗

• SARIF outputs now use relative paths again, but more correctly than before v1.2.0 (#469)

v1.2.0

This release comes with one new audit (bot-conditions), plus a handful of bugfixes and analysis improvements to existing audits.

One bugfix in this release is also a slight behavior change: zizmor now emits SARIF outputs with absolute paths. This should not affect most users, but may make it slightly harder to share SARIF outputs between machines without fully reproducing exact file paths. If this affects you, please let us know!

New Features 🌈🔗

• New audit: bot-conditions detects spoofable uses of github.actor within dangerous triggers (#460)

Improvements 🌱🔗

• The unpinned-uses audit no longer flags local reusable workflows or actions as unpinned/unhashed (#439)
• The excessive-permissions audit has been refactored, and better captures both true positive and true negative cases (#441)
• The SARIF output mode (--format=sarif) now always returns absolute paths in its location information, rather than attempting to infer a (sometimes incorrect) repository-relative path (#453)
• zizmor now provides manylinux wheel builds for aarch64 (#457)

Bug Fixes 🐛🔗

• The template-injection audit no longer considers github.event.pull_request.base.sha dangerous (#445)
• The artipacked audit now correctly handles the strings 'true' and 'false' as their boolean counterparts (#448)
• Expressions that span multiple source lines are now parsed correctly (#461)
• Workflows that contain timeout-minutes: ${{ expr }} are now parsed correctly (#462)

v1.1.1

Fixed

• Fixed a regression where workflows with calls to unpinned reusable workflows
  would fail to parse (#437)

v1.1.0

This release comes with one new audit (secrets-inherit), plus a slew of bugfixes and internal refactors that unblock future improvements!

Added🔗

• New audit: secrets-inherit detects use of secrets: inherit with reusable workflow calls (#408)

Improved🔗

• The template-injection audit now detects injections in calls to azure/cli and azure/powershell (#421)

Fixed🔗

• The template-injection audit no longer consider github.server_url dangerous (#412)
• The template-injection audit no longer crashes when evaluating the static-ness of an environment for a uses: step (#420)

v1.0.1

v1.0.1

This is a small quality and bugfix release. Thank you to everybody
who helped by reporting and shaking out bugs from our first stable release!

Improved

• The github-env audit now detects dangerous writes to GITHUB_PATH,
  is more precise, and can produce multiple findings per run block (#391)

Fixed

• workflow_call.secrets keys with missing values are now parsed correctly (#388)
• The cache-poisoning audit no longer incorrectly treats docker/build-push-action as
  a publishing workflow is push: false is explicitly set (#389)
• The template-injection audit no longer considers github.action_path
  to be a potentially dangerous expansion (#402)
• The github-env audit no longer skips run: steps with non-trivial
  shell: stanzas (#403)

v1.0.0

This is the first stable release of zizmor!

Starting with this release, zizmor will use Semantic Versioning for
its versioning scheme. In short, this means that breaking changes will only
happen with a new major version.

This stable release comes with a large number of new features as well
as stability commitments for existing features; read more below!

Added

• Composite actions (i.e. action.yml where the action is not a Docker
  or JavaScript action) are now supported, and are audited by default
  when running zizmor on a directory or remote repository (#331)

  !!! tip

    Composite action discovery and auditing can be disabled by passing
    `--collect=workflows-only`. Conversely, workflow discovery and auditing
    can be disabled by passing `--collect=actions-only`.
  

  See #350 for the status of each audit's support for analyzing
  composite actions.

• The GitHub host to connect to can now be configured with --gh-hostname
  or GH_HOST in the environment (#371)

  This can be used to connect to a GitHub Enterprise (GHE) instance
  instead of the default github.com instance.

Improved

• The cache-poisoning audit is now aware of common publishing actions
  and uses then to determine whether to produce a finding (#338, #341)
• The cache-poisoning audit is now aware of configuration-free caching
  actions, such as @Mozilla-Actions/sccache-action (#345)
• The cache-poisoning audit is now aware of even more caching actions
  (#346)
• The cache-poisoning audit is now aware of common publishing triggers
  (such as pushing to a release branch) and uses them to determine whether
  to produce a finding (#352)
• The github-env audit is now significantly more precise on bash and pwsh
  inputs (#354)

Fixed

• The excessive-permissions audit is now less noisy on single-job workflows (#337)
• Expressions like function().foo.bar are now parsed correctly (#340)
• The cache-poisoning defaults for setup-go were fixed (#343)
• uses: matching is now case-insensitive where appropriate (#353)
• Quoted YAML keys (like 'on': foo) are now parsed correctly (#368)

v0.10.0

What's Changed

New Features 🌈

• feat: handle powershell in github-env audit by @woodruffw in #227
• feat: template-injection: filter static envs by @woodruffw in #318
• feat: add 'primary' locations by @woodruffw in #328
• feat: initial cache-poisoning audit by @ubiratansoares in #294
• feat: Fix Sarif schema and add rules to Sarif files by @fcasal in #330

Bug Fixes 🐛

• fix: template-injection: more safe contexts by @woodruffw in #309
• fix: expands_to_static_values considers expressions inside strings by @woodruffw in #317
• fix: sarif: add result and kind by @woodruffw in #68
• fix: sarif: use ResultKind for kind by @woodruffw in #326

Performance Improvements 🚄

• refactor: use http-cache for caching, optimize network calls by @woodruffw in #304

Documentation Improvements 📖

• docs: support commits in trophy case by @woodruffw in #303
• docs: Fix typo in development.md by @JustusFluegel in #305

New Contributors

• @jsoref made their first contribution in #299
• @JustusFluegel made their first contribution in #305
• @fcasal made their first contribution in #330

Full Changelog: v0.9.2...v0.10.0

v0.9.2

What's Changed

Bug Fixes 🐛

• fix: template-injection: consider runner.tool_cache safe by @woodruffw in #297

Documentation Improvements 📖

• docs: more trophies by @woodruffw in #296

Full Changelog: v0.9.1...v0.9.2