Skip to content

feat: add zizmor workflow checks for GitHub Actions#662

Merged
CommanderK5 merged 2 commits intomainfrom
feat/zizmor
Jan 21, 2026
Merged

feat: add zizmor workflow checks for GitHub Actions#662
CommanderK5 merged 2 commits intomainfrom
feat/zizmor

Conversation

@CommanderK5
Copy link
Contributor

@CommanderK5 CommanderK5 commented Jan 16, 2026

Description

This PR adds a zizmor security scan to the CI pipeline to analyze new and existing GitHub Actions workflows under .github/workflows/.

  • Runs zizmor on PRs and fails the check when HIGH severity (or above) issues are found, so they can block merges.
  • Runs zizmor on main to produce security reporting (where applicable), keeping visibility into findings over time.
  • Intended to be added as a required status check so workflow-security regressions can’t land unnoticed.

Reference: #642 (comment) / zizmor-action

Type of Change

  • New module
  • New template
  • Bug fix
  • Feature/enhancement
  • Documentation
  • Other - CI / security tooling

Testing & Validation

  • Validation via PR check - opened a test PR with a deliberately risky workflow and confirmed zizmor reports and blocks on HIGH findings

Related Issues

#642 (comment) / zizmor-action

jdomeracki-coder
jdomeracki-coder reviewed Jan 19, 2026
View reviewed changes
Copy link
Contributor

@jdomeracki-coder jdomeracki-coder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice first PR!

I think one minor addition could be to upload the SARIF to GitHub Code scanning

Example:
https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/integrate-with-existing-tools/uploading-a-sarif-file-to-github

@jdomeracki-coder
Copy link
Contributor

jdomeracki-coder commented Jan 19, 2026

Also I think that we should review the blocking findings from:
https://github.com/coder/registry/actions/runs/21075932061/job/60617647791?pr=662

Switching to checksums instead of tags is for the most part a one time change

@CommanderK5 CommanderK5 mentioned this pull request Jan 21, 2026
Merged
9 tasks
CommanderK5 added a commit that referenced this pull request Jan 21, 2026
@CommanderK5
CI: Pin GitHub Actions and fix zizmor high-severity findings (#667)
ec57cb5 
## Description

This PR fixes zizmor --min-severity high findings in our GitHub Actions
workflows by:
- Pinning all uses: references to immutable commit SHAs (replaces
floating tags like @v6 / @main).
- Pinning internal Terraform setup action usage
(coder/coder/.github/actions/setup-tf@main) to a fixed ref/commit.
- Pinning crate-ci/typos to a commit SHA.
- Removing GitHub expression template expansion inside a run: block in
version-bump.yaml (prevents template injection flagged by zizmor).


## Type of Change

- [ ] New module
- [ ] New template
- [ ] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [x] Other

## Module Information

N/A

## Template Information

N/A

## Testing & Validation

- [ ] Tests pass (`bun test`)
- [ ] Code formatted (`bun fmt`)
- [x] Changes tested locally - zizmor .github/workflows/* --min-severity
high

## Related Issues

- #642
- #662
@CommanderK5 CommanderK5 merged commit 01365fb into main Jan 21, 2026
6 checks passed
@CommanderK5 CommanderK5 deleted the feat/zizmor branch January 21, 2026 10:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jdomeracki-coder jdomeracki-coder jdomeracki-coder approved these changes

Assignees

@CommanderK5 CommanderK5

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@CommanderK5 @jdomeracki-coder