martincostello
Contributor

What kind of change does this PR introduce?

Add zizmorcore/zizmor-action as an action that does not trigger a warning for use of security-events: write.

What is the current behavior?

Using the action generates a finding similar to the below:

score is 0: jobLevel 'security-events' permission set to 'write'
Remediation tip: Visit [https://app.stepsecurity.io/secureworkflow](https://app.stepsecurity.io/secureworkflow/github.com/martincostello/update-dotnet-sdk/build.yml/main?enable=permissions).
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help

What is the new behavior (if this is a feature change)?

No finding is generated for use of security-events: write in a job that uses zizmorcore/zizmor-action.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

NONE

Special notes for your reviewer

None.

Does this PR introduce a user-facing change?

Add `zizmorcore/zizmor-action` to allow-list for use of `security-events: write`.
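To make the allow-list behaviour described above concrete, the following is an added Go example (not scorecard's own code): a job-level check that reports `security-events: write` unless one of the job's steps uses an allowlisted SARIF-uploading action. The `Job` struct, the allowlist contents and the sample jobs are constructed for this example; scorecard's real check works on actionlint's parsed workflow.

```go
package main

import (
	"fmt"
	"strings"
)

// Job is a minimal model of one parsed workflow job (constructed; scorecard's real check walks actionlint's parsed workflow).
type Job struct {
	Name        string
	Permissions map[string]string // job-level, e.g. "security-events" -> "write"
	Uses        []string          // each step's uses:, e.g. "zizmorcore/zizmor-action@v0"
}

// SARIF-uploading actions that legitimately need security-events: write (illustrative; the real list is in checks/raw/permissions.go).
var securityEventsWriteAllowlist = map[string]bool{
	"github/codeql-action/upload-sarif": true,
	"haskell-actions/hlint-scan":        true,
	"zizmorcore/zizmor-action":          true, // added by this PR
}

// usesAllowlistedAction reports whether any step's uses: (with its "@ref" suffix stripped) is allowlisted.
func usesAllowlistedAction(job Job) bool {
	for _, u := range job.Uses {
		if securityEventsWriteAllowlist[strings.SplitN(u, "@", 2)[0]] {
			return true
		}
	}
	return false
}

// CheckSecurityEventsWrite returns one finding per job that grants
// security-events: write without any allowlisted step; nil when clean.
func CheckSecurityEventsWrite(jobs []Job) []string {
	var findings []string
	for _, j := range jobs {
		if j.Permissions["security-events"] == "write" && !usesAllowlistedAction(j) {
			findings = append(findings, fmt.Sprintf("job %q: jobLevel 'security-events' permission set to 'write'", j.Name))
		}
	}
	return findings
}

func main() { // constructed sample: only "build" should be reported
	w := map[string]string{"security-events": "write"}
	fmt.Println(CheckSecurityEventsWrite([]Job{
		{Name: "zizmor", Permissions: w, Uses: []string{"zizmorcore/zizmor-action@v0"}},
		{Name: "build", Permissions: w, Uses: []string{"actions/checkout@v4"}},
	}))
}
```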

@Copilot Copilot AI review requested due to automatic review settings August 15, 2025 16:41
@martincostello martincostello requested a review from a team as a code owner August 15, 2025 16:41
@martincostello martincostello requested review from justaugustus and raghavkaul and removed request for a team August 15, 2025 16:41

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds zizmorcore/zizmor-action to the allowlist of GitHub Actions that are permitted to use security-events: write permission without triggering a security warning. The action performs code scanning and uploads SARIF files to GitHub, which legitimately requires this permission.

  • Adds zizmorcore/zizmor-action to the allowlist in the permissions checker
  • Includes test case to verify the action is properly allowed
  • Follows the same pattern as existing security scanning tools like hlint-scan

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| checks/raw/permissions.go | Adds zizmor-action to the allowlist of actions permitted to use security-events write permission |
| checks/testdata/.github/workflows/github-workflow-permissions-secevent-known-actions.yaml | Adds test case for zizmor-action to verify it doesn't trigger security warnings |



codecov bot commented Aug 15, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.30%. Comparing base (353ed60) to head (e990802).
⚠️ Report is 216 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4758      +/-   ##
==========================================
+ Coverage   66.80%   68.30%   +1.49%     
==========================================
  Files         230      249      +19     
  Lines       16602    18929    +2327     
==========================================
+ Hits        11091    12929    +1838     
- Misses       4808     5137     +329     
- Partials      703      863     +160     

- Add zizmor to permissions allowlist.
- Fix workflow error.

Signed-off-by: martincostello <[email protected]>

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Aug 26, 2025
@martincostello
Contributor Author

Awaiting review.

@github-actions github-actions bot removed the Stale label Aug 27, 2025