Skip to content

Fix CI/CD security to follow zizmor recommendations#767

Open
kiwamizamurai wants to merge 2 commits intoanthropics:mainfrom
kiwamizamurai:fix-ci-vuln
Open

Fix CI/CD security to follow zizmor recommendations#767
kiwamizamurai wants to merge 2 commits intoanthropics:mainfrom
kiwamizamurai:fix-ci-vuln

Conversation

@kiwamizamurai
Copy link
Contributor

@kiwamizamurai kiwamizamurai commented Dec 24, 2025
edited
Loading

Description

Securing our CI/CD pipeline using Zizmor

Type of change

  • Chore (doesn't directly affect users, e.g refactoring or CI/CD changes)

Changes

  • Pinned actions by changing from uses: ...@v1.2.3 to uses: ...@<commit-sha> # v1.2.3
  • Set appropriate permissions everywhere (permissions: {} at workflow level, minimal permissions per job)
  • Set persist-credentials: false on actions/checkout where credentials are not needed
  • Fixed template injection vulnerabilities by passing values through environment variables
  • Added zizmor.yml configuration to document intentional exceptions and the job in ci.yml

Results

Metric Before After
Total findings 164 0
High severity 6 0
Medium severity 44 0

other repos using zizmor

  1. https://docs.zizmor.sh/trophy-case/

@kiwamizamurai
chore: update CI workflows to use specific action versions and add pe…
83d2d50 
…rmissions

- Updated actions/checkout to a specific commit for consistency.
- Updated oven-sh/setup-bun to specific commits for version control.
- Added permissions to various jobs to enhance security and control.
- Introduced a new job 'zizmor' for running the zizmor action.
- Ensured all workflows now include 'persist-credentials: false' for better credential management.
@kiwamizamurai
chore: add zizmor configuration to ignore specific lines in release.yml
46501bb 
- Introduced a new .github/zizmor.yml file.
- Configured rules to ignore specific lines in release.yml that require persist-credentials for git push operations.
@kiwamizamurai
Copy link
Contributor Author

kiwamizamurai commented Dec 24, 2025

@ashwin-ant
Hello

The previous PR #763 was motivated by a recent CTF I participated in.
In that PR, I manually verified a vulnerability I learned about there.

Since then, I’ve found a convenient tool for vulnerability validation, so in this PR I’ve addressed the vulnerability and introduced CI using that tool.

I’d appreciate your review.

kiwamizamurai
kiwamizamurai commented Dec 24, 2025
View reviewed changes
.github/workflows/ci.yml
persist-credentials: false

- name: Run zizmor
uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
Copy link
Contributor Author

@kiwamizamurai kiwamizamurai Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://docs.zizmor.sh/integrations/

kiwamizamurai
kiwamizamurai commented Dec 24, 2025
View reviewed changes
.github/zizmor.yml
ignore:
# These checkouts need persist-credentials for git push to create/update tags
- release.yml:23
- release.yml:99 No newline at end of file
Copy link
Contributor Author

@kiwamizamurai kiwamizamurai Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://docs.zizmor.sh/configuration/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kiwamizamurai