Introducing zizmor: now you can have beautiful clean workflows

from blog ENOSUCHBLOG, | ↗ original
This is an announcement for zizmor, a new tool for finding security issues in GitHub Actions setups. You can run it on one or more workflow definitions1, and it’ll emit cargo-style diagnostics, SARIF, or JSON as you please. Support for custom actions (e.g. action.yml within actions/checkout or similar) is planned, but not implemented yet. ↩
This is a short summary. ↗ Open original to view full content

Related

GitHub action security: zizmor
Ned Batchelder's blog | original ↗
Auditing commit messages on GitHub
Redowan's Reflections | original ↗
GitHub's Mysterious robots.txt
Ersei 'n Stuff | original ↗
Scraping GitHub Contributor Emails
nelson.cloud ☁️ | original ↗
Github action template for Python based projects
Redowan's Reflections | original ↗
[notes] 2024.12.25.1706
Sympolymathesy, by Chris Krycho | original ↗
Indie Hackers Alfred Workflow
Kevin B. Ridgway's Digital Garden on the Web | original ↗
[notes] Publishing to GitHub Pages via GitHub Actions
Sympolymathesy, by Chris Krycho | original ↗
Weekly Update 434
Troy Hunt's Blog | original ↗
Introducing gh_announce: Automate github release announcements on twitter with this python bot
Prahlad Yeri | original ↗
GitHub action security: zizmor
Ned Batchelder's blog | original ↗
Auditing commit messages on GitHub
Redowan's Reflections | original ↗
GitHub's Mysterious robots.txt
Ersei 'n Stuff | original ↗
Scraping GitHub Contributor Emails
nelson.cloud ☁️ | original ↗
Github action template for Python based projects
Redowan's Reflections | original ↗
[notes] 2024.12.25.1706
Sympolymathesy, by Chris Krycho | original ↗
Indie Hackers Alfred Workflow
Kevin B. Ridgway's Digital Garden on the Web | original ↗
[notes] Publishing to GitHub Pages via GitHub Actions
Sympolymathesy, by Chris Krycho | original ↗
Weekly Update 434
Troy Hunt's Blog | original ↗
Introducing gh_announce: Automate github release announcements on twitter with this python bot
Prahlad Yeri | original ↗
GitHub action security: zizmor
Ned Batchelder's blog | original ↗
Auditing commit messages on GitHub
Redowan's Reflections | original ↗
GitHub's Mysterious robots.txt
Ersei 'n Stuff | original ↗
Scraping GitHub Contributor Emails
nelson.cloud ☁️ | original ↗
Github action template for Python based projects
Redowan's Reflections | original ↗
[notes] 2024.12.25.1706
Sympolymathesy, by Chris Krycho | original ↗
Indie Hackers Alfred Workflow
Kevin B. Ridgway's Digital Garden on the Web | original ↗
[notes] Publishing to GitHub Pages via GitHub Actions
Sympolymathesy, by Chris Krycho | original ↗
Weekly Update 434
Troy Hunt's Blog | original ↗
Introducing gh_announce: Automate github release announcements on twitter with this python bot
Prahlad Yeri | original ↗

More from ENOSUCHBLOG

Be aware of the Makefile effect
10 Jan 2025 | original ↗

I’m not aware of a perfect1 term for this, so I’m making one up: the Makefile effect2. The Makefile effect resembles other phenomena, like cargo culting, normalization of deviance, “write-only language,” &c. I’ll argue in this post that it’s a little different from each of these, insofar as it’s not inherently ineffective or bad and concerns the...

zizmor 1.0
2 Jan 2025 | original ↗

Happy New Year!

zizmor would have caught the Ultralytics workflow vulnerability
6 Dec 2024 | original ↗

TL;DR: zizmor would have caught the vulnerability that caused this…mostly. Read on for details.

Security means securing people where they are
18 Nov 2024 | original ↗

Standard disclaimer: These are my personal opinions, not the opinions of my employer, PyPI, or any open source I projects I participate in (either for funsies or because I’m paid to). In particular, nothing I write below can be interpreted to imply (or imply the negation of) similar opinions by any of the above, except where explicitly stated.

YAML feature extraction with yamlpath
10 Sept 2024 | original ↗

Another Rust crate announcement: this time I’m announcing yamlpath, a small library for format-preserving YAML feature extraction.