Add zizmor and frizbee CI/CD security checks #290
Merged
Conversation
Add two new reusable workflows alongside existing actionlint:
- zizmor: scans workflows for security vulnerabilities (injection risks, secret exposure, unsafe ${{}} expansion)
- frizbee: checks that all actions and container images are pinned to commit SHAs or image digests
Both run unconditionally in goCI.yml (no opt-out flags) and in the workflows repo's own CI.
Also pins previously unpinned references:
- docker://rhysd/actionlint:latest → 1.7.11@sha256:digest
- actions/cache@v5 → @sha (v5.0.3) in goTest.yml and codeql-analysis.yml
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Add explicit `permissions: contents: read` to the zizmor and frizbee job calls in ci.yml and goCI.yml to resolve zizmor's "overly broad permissions" warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix template injection in docker-buildx-push.yml (cosign step)
- Fix spoofable bot-conditions in dependabot-auto-merge.yml
- Add .github/zizmor.yml with targeted ignores for intentional patterns (internal unpinned-uses, excessive-permissions on reusable callers)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Explain why each rule is suppressed to aid future reviewers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
dopey previously approved these changes on Mar 3, 2026
The frizbee-action requires GITHUB_TOKEN and doesn't have an 'action' input. Set open_pr: false (we only want check mode) and pass the token via env. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Pin google-github-actions/auth and setup-gcloud to SHAs in goreleaser.yml
- Normalize Docker image refs to index.docker.io format with digest (required by frizbee-action for proper pinning detection)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The frizbee-action Docker image (v0.0.5) bundles an older version of frizbee that flags cosmetic comment differences as unpinned. Install the CLI (v0.1.8) directly for consistent behavior with local runs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
code-scan.yml references codeql-analysis.yml within the same repo, so use ./.github/workflows/ instead of the cross-repo @main ref. Removes the corresponding unpinned-uses zizmor suppression. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The goreleaser.yml google-github-actions refs are now pinned to SHAs, so the unpinned-uses suppressions are no longer needed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add top-level permissions: contents: read to ci.yml, goCI.yml, and sync-winget-fork.yml. Add security-events: write to code-scan.yml and the goCI codeql job (required by CodeQL). Remove redundant per-job permissions where they now inherit from the workflow level. This eliminates every excessive-permissions finding, allowing us to delete .github/zizmor.yml entirely — zero suppressed warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
dopey approved these changes on Mar 3, 2026
As recommended in this recent security research paper, adds zizmor (workflow security scanner) and frizbee (action pinning checker) as reusable workflows alongside existing actionlint
- goCI.yml (unconditional — no opt-out flags) and ci.yml
- docker://rhysd/actionlint:latest → 1.7.11@sha256:digest, actions/cache@v5 → @sha (v5.0.3)
- Together the three tools cover: syntax errors (actionlint), security vulnerabilities (zizmor), and supply-chain pinning (frizbee).

New reusable workflows
- zizmor.yml — uses zizmorcore/zizmor-action@v0.5.0 (pinned to SHA), medium severity/confidence thresholds
- frizbee.yml — uses stacklok/frizbee-action@v0.0.5 (pinned to SHA), check-only mode with fail on unpinned

Design decision
zizmor and frizbee run unconditionally — unlike actionlint/govulncheck which have run-* boolean flags. Security checks should not be opt-out at the repo level.

Follow-up PRs (separate from this one)
- zizmor.yml + frizbee.yml) for all 15 repos that have actionlint callers

Test plan
- ${{ github.event.issue.title }} injection

🤖 Generated with Claude Code
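The three finding classes the thread keeps returning to (unpinned uses and docker:// refs, ${{ github.event.* }} expanded inside a run: script, and a missing top-level permissions: block) are shown below on a small constructed workflow, once as written and once after the same fixes this PR applies. This is an added example, not code from the PR, the workflows repo, zizmor or frizbee: it re-implements a tiny regex-based subset of what those tools check using only the Python standard library, the workflow text is constructed, and every SHA and digest in it is a placeholder rather than a real commit or image.

```python
"""Toy checker for the finding classes this PR gates CI on.

Added example, not code from the PR, zizmor or frizbee.  Re-implements a small
subset of their checks with the standard library only:
  unpinned-uses          uses: refs without a 40-hex commit SHA, docker:// images
                         without an @sha256: digest (what frizbee enforces)
  template-injection     ${{ github.event.* }} / github.head_ref inside a run:
                         script (what zizmor flags)
  excessive-permissions  no top-level permissions: block (what zizmor flags)
Sample workflow below is constructed; SHAs and digests are placeholders.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")
# Expression contexts carrying attacker-controlled text (issue titles, PR bodies,
# branch names).  Real zizmor tracks many more; this subset is enough for the demo.
UNTRUSTED_EXPR_RE = re.compile(r"\$\{\{\s*github\.(?:event|head_ref)[^}]*\}\}")


def is_pinned(ref: str) -> bool:
    """Actions must be pinned to a full commit SHA, docker:// images to a digest."""
    if ref.startswith("docker://"):
        return "@sha256:" in ref
    if ref.startswith("./"):
        return True  # local action/workflow in the same repo: nothing to pin
    if "@" not in ref:
        return False
    return bool(SHA_RE.match(ref.rsplit("@", 1)[1]))


def check_workflow(text: str) -> list:
    """Return (line_no, rule, detail) findings; line 0 means workflow-level."""
    findings = []
    lines = text.splitlines()
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append((0, "excessive-permissions",
                         "no top-level permissions: block; GITHUB_TOKEN keeps default grants"))
    in_run, run_col = False, 0
    for no, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip(" "))
        if in_run:
            # A block scalar continues while lines are indented past the run: key.
            if line.strip() and indent <= run_col:
                in_run = False
            else:
                if UNTRUSTED_EXPR_RE.search(line):
                    findings.append((no, "template-injection", line.strip()))
                continue
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).strip("\"'")
            if not is_pinned(ref):
                findings.append((no, "unpinned-uses", ref))
            continue
        m = RUN_RE.match(line)
        if m:
            body = m.group(1)
            if UNTRUSTED_EXPR_RE.search(body):
                findings.append((no, "template-injection", body.strip()))
            if body.strip() in ("|", "|-", ">", ">-"):
                in_run, run_col = True, line.find("run:")
    return findings


# Constructed sample: the unpinned and injected patterns this PR removes, plus a
# local action (needs no pin) and a step pinned to a placeholder SHA.
INJECTED_STEP = (
    "      - run: |\n"
    '          echo "New issue: ${{ github.event.issue.title }}"\n'
)
SAMPLE_WORKFLOW = """\
name: ci
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: docker://rhysd/actionlint:latest
      - uses: ./.github/actions/lint
""" + INJECTED_STEP

# Same workflow after the PR's style of fixes: read-only top-level permissions,
# SHA/digest pins (placeholders), and the untrusted value passed through an
# environment variable instead of being spliced into the shell script.
FIXED_STEP = (
    '      - run: echo "New issue: $TITLE"\n'
    "        env:\n"
    "          TITLE: ${{ github.event.issue.title }}\n"
)
HARDENED_WORKFLOW = "permissions:\n  contents: read\n" + (
    SAMPLE_WORKFLOW
    .replace("actions/checkout@v4", "actions/checkout@" + "f" * 40)
    .replace("rhysd/actionlint:latest", "rhysd/actionlint:1.7.11@sha256:" + "f" * 64)
    .replace(INJECTED_STEP, FIXED_STEP)
)

if __name__ == "__main__":
    for name, wf in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name}")
        for no, rule, detail in check_workflow(wf):
            print(f"  line {no}: {rule}: {detail}")
```

Run as a script it lists four findings for the sample (the workflow-level permissions gap, two unpinned uses, and the injected echo) and none for the hardened copy. The env-variable rewrite in FIXED_STEP is the usual mitigation the template-injection rule points at: the value still reaches the step, but as data read by the shell rather than as text the runner pastes into the script before it is parsed.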