
@mahlau-flex (Contributor) commented Oct 8, 2025

Added a static check for security vulnerabilities using zizmor.

Greptile Overview

Updated On: 2025-10-08 06:18:05 UTC

Summary

This PR integrates zizmor, a static security analysis tool, into the GitHub Actions workflow to automatically scan for security vulnerabilities in workflow configurations. The implementation adds a new `zizmor` job that runs independently with `security-events: write` permissions to upload security scan results to GitHub's Security tab. The job uses pinned action versions with commit hashes for enhanced security, runs on the latest Ubuntu environment, and includes proper error handling.

The change fits well within the existing CI/CD infrastructure by leveraging the established pattern of independent security jobs that integrate into the overall PR requirements. The zizmor job becomes part of the dependency chain for the test-pr-requirements job, ensuring that security checks are mandatory for all pull requests. This proactive approach to security scanning helps maintain the integrity of the CI/CD pipeline by catching potential vulnerabilities before they reach production.

PR Description Notes:

  • Minor typo in description: "vulnearbilities" should be "vulnerabilities"

Important Files Changed

Changed Files (Filename | Score | Overview)
.github/workflows/tidy3d-python-client-tests.yml | 5/5 | Added zizmor static security analysis job with proper permissions and integrated it into PR requirements

Confidence score: 5/5

  • This PR is safe to merge with minimal risk as it adds a security enhancement without modifying existing functionality
  • Score reflects well-implemented security best practices including pinned action versions, proper permissions, and clean integration
  • No files require special attention as the implementation follows established patterns and security guidelines

Sequence Diagram

sequenceDiagram
    participant User
    participant GitHub
    participant GitHubActions as "GitHub Actions"
    participant Zizmor as "Zizmor Tool"
    participant SecurityEvents as "Security Events"

    User->>GitHub: "Push to PR branch or trigger workflow"
    GitHub->>GitHubActions: "Trigger workflow event"
    GitHubActions->>GitHubActions: "Determine test scope"
    
    alt If tests needed
        GitHubActions->>GitHubActions: "Start parallel jobs (lint, zizmor, etc.)"
        
        par Zizmor Security Check
            GitHubActions->>GitHubActions: "Checkout repository"
            GitHubActions->>Zizmor: "Run static security analysis"
            Zizmor->>Zizmor: "Analyze GitHub Actions workflows"
            Zizmor->>SecurityEvents: "Report security findings"
            Zizmor->>GitHubActions: "Return analysis results"
        and Other Jobs
            GitHubActions->>GitHubActions: "Run lint checks"
            GitHubActions->>GitHubActions: "Run local/remote tests"
            GitHubActions->>GitHubActions: "Verify schema changes"
        end
        
        GitHubActions->>GitHubActions: "Wait for all jobs to complete"
        GitHubActions->>GitHubActions: "Check PR requirements"
        
        alt All checks pass
            GitHubActions->>User: "✅ All required test jobs passed!"
        else Any check fails
            GitHubActions->>User: "❌ Static check of github actions with zizmor failed"
        end
    end

@greptile-apps greptile-apps bot left a comment

1 file reviewed, no comments

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

elif [[ "${{ github.event_name }}" == 'pull_request' && "${{ needs.lint-branch-name.result }}" != 'success' ]]; then
echo "❌ Linting of branch name failed."
exit 1
elif [[ "${{ needs.zizmor.result }}" != 'success' ]]; then

Check notice (Code scanning / zizmor): code injection via template expansion [Note]
@mahlau-flex (Contributor, Author)

While the github action zizmor only checks the newly created changes, running zizmor locally checks all workflow files and gives the following found security vulnerabilities in our github actions:

93 findings (43 suppressed, 29 fixable): 12 informational, 0 low, 19 medium, 19 high

A lot of the high vulnerability issues are possible code injections through the template expansion blocks "${{ ... }}", actions which are not pinned to a hash, or write permissions that are set too broadly. I will see to fix all of these vulnerabilities as well.
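The three finding classes named in the comment above (template expansion inside `run:` scripts, actions not pinned to a commit hash, and overly broad write permissions) are the same ones behind the zizmor notice on the `elif [[ "${{ needs.zizmor.result }}" ... ]]` line earlier in this thread. The following is an added example, not zizmor's code and not anything from this repository: a deliberately simplified, line-based scanner that runs over two constructed workflow snippets, one with the weak patterns and one with the hardened form (untrusted values passed to the shell through `env:` so the script text itself contains no expansion, a read-only `permissions:` block, and a commit-SHA pin). The 40-zero SHA is a placeholder rather than a real pin, and the severity labels are this example's own simplification of zizmor's rules, not its actual logic; zizmor parses the YAML properly and applies many more audits.

```python
"""Added example: a simplified line-based scanner for three GitHub Actions
workflow weaknesses. Not zizmor, not part of this repository; the sample
workflows below are constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass

# ${{ ... }} template expansion; group 1 is the expression inside the braces.
EXPANSION = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
# An action reference pinned to a full 40-hex commit SHA (a trailing comment is allowed).
SHA_PIN = re.compile(r"@[0-9a-f]{40}(?:\s|#|$)")
# Context prefixes an outside party can influence on a pull request (simplified list):
# expansions of these inside a shell script are rated "high", anything else "note".
ATTACKER_CONTROLLED = ("github.event.", "github.head_ref", "inputs.")


@dataclass
class Finding:
    line: int
    rule: str
    severity: str
    detail: str


def check_expansion(line_no: int, script: str) -> list[Finding]:
    """Report every template expansion that appears in shell script text."""
    return [Finding(line_no, "template-injection",
                    "high" if m.group(1).startswith(ATTACKER_CONTROLLED) else "note",
                    m.group(1))
            for m in EXPANSION.finditer(script)]


def scan_workflow(text: str) -> list[Finding]:
    """Walk a workflow file line by line, tracking run: and permissions: blocks."""
    findings: list[Finding] = []
    in_run, run_indent = False, 0      # inside a multi-line run: block scalar
    in_perms, perms_indent = False, 0  # inside the workflow-level permissions: mapping
    for n, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # A YAML block ends once indentation drops back to the key's own level.
        if in_run and indent <= run_indent:
            in_run = False
        if in_perms and indent <= perms_indent:
            in_perms = False
        if in_run:
            findings += check_expansion(n, stripped)
            continue
        key_match = re.match(r"(?:-\s+)?([\w-]+):\s*(.*)$", stripped)
        if not key_match:
            continue
        key, value = key_match.group(1), key_match.group(2)
        if key == "run":
            run_indent = indent
            if value.startswith(("|", ">")):
                in_run = True                           # script follows on later lines
            else:
                findings += check_expansion(n, value)   # inline one-line script
        elif key == "uses":
            if not SHA_PIN.search(value):
                findings.append(Finding(n, "unpinned-uses", "medium", value))
        elif key == "permissions":
            if value == "write-all":
                findings.append(Finding(n, "excessive-permissions", "high", value))
            elif indent == 0:
                # Only workflow-level write scopes are flagged here; narrowing a
                # write scope to one job (as this PR does) is the fix, not a finding.
                in_perms, perms_indent = True, indent
        elif in_perms and value == "write":
            findings.append(Finding(n, "excessive-permissions", "medium", f"{key}: write"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, in the spirit of zizmor's summary line."""
    counts = {"note": 0, "medium": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: the weak patterns.
VULNERABLE_WORKFLOW = """\
name: ci
on: pull_request
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: greet
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          echo "event: ${{ github.event_name }}"
"""

# Constructed sample: the hardened form. Untrusted values reach the shell via env:
# (the script text contains no expansion), permissions are read-only, and the
# action is pinned. The all-zero SHA is a placeholder, not a real pin.
HARDENED_WORKFLOW = """\
name: ci
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - name: greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          EVENT_NAME: ${{ github.event_name }}
        run: |
          echo "PR title: $PR_TITLE"
          echo "event: $EVENT_NAME"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        found = scan_workflow(wf)
        print(f"{label}: {len(found)} findings {summarize(found)}")
        for f in found:
            print(f"  line {f.line}: {f.rule} [{f.severity}] {f.detail}")
```

Run as a script, the vulnerable sample yields four findings (a workflow-level `contents: write`, the unpinned `actions/checkout@v4`, a high-rated expansion of the PR title inside the script, and a note-rated expansion of `github.event_name`, which is the same class of finding zizmor raised on the `needs.zizmor.result` line in this PR), while the hardened sample yields none. The `env:` indirection is the key design choice: the runner still expands `${{ ... }}` when it builds the environment, but the value then arrives in the shell as ordinary data in a variable instead of being spliced into the script text before bash parses it.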

@github-actions (Contributor) bot commented Oct 8, 2025

Diff Coverage

Diff: origin/develop...HEAD, staged and unstaged changes

No lines with coverage information in this diff.

@yaugenst-flex (Collaborator) left a comment

Thanks, this is great!

@yaugenst-flex yaugenst-flex added this pull request to the merge queue Oct 8, 2025
Merged via the queue into develop with commit 3ebf6b8 Oct 8, 2025
67 of 84 checks passed
@yaugenst-flex yaugenst-flex deleted the FXC-3472-Add-static-analysis-for-GitHub-Actions-workflows branch October 8, 2025 08:38