Gist: Turbo87/cf1615b80f5c26871ebf836e7d84ceea
🔴 excessive-permissions: overly broad permissions
  severity: High, confidence: High
  --> .github/workflows/mdbook.yml:18
  | pages: write
  = pages: write is overly broad at the workflow level
  docs: https://docs.zizmor.sh/audits/#excessive-permissions

🔴 excessive-permissions: overly broad permissions
  severity: High, confidence: High
  --> .github/workflows/mdbook.yml:19
  | id-token: write
  = id-token: write is overly broad at the workflow level
  docs: https://docs.zizmor.sh/audits/#excessive-permissions

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yaml:17
  | actions/checkout@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yaml:19
  | actions-rs/cargo@v1
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yaml:24
  | actions-rs/cargo@v1
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yaml:29
  | actions-rs/cargo@v1
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/mdbook.yml:34
  | actions/checkout@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/mdbook.yml:42
  | actions/configure-pages@v5
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/mdbook.yml:46
  | actions/upload-pages-artifact@v3
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/mdbook.yml:60
  | actions/deploy-pages@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🟠 archived-uses: action or reusable workflow from archived repository
  severity: Medium, confidence: High
  --> .github/workflows/ci.yaml:18
  | name: Check formatting of all crates in the workspace
  = this step
  --> .github/workflows/ci.yaml:19
  | actions-rs/cargo@v1
  = repository is archived
  docs: https://docs.zizmor.sh/audits/#archived-uses

🟠 archived-uses: action or reusable workflow from archived repository
  severity: Medium, confidence: High
  --> .github/workflows/ci.yaml:23
  | name: Run cargo test --all
  = this step
  --> .github/workflows/ci.yaml:24
  | actions-rs/cargo@v1
  = repository is archived
  docs: https://docs.zizmor.sh/audits/#archived-uses

🟠 archived-uses: action or reusable workflow from archived repository
  severity: Medium, confidence: High
  --> .github/workflows/ci.yaml:28
  | name: Run cargo test --all-targets
  = this step
  --> .github/workflows/ci.yaml:29
  | actions-rs/cargo@v1
  = repository is archived
  docs: https://docs.zizmor.sh/audits/#archived-uses

🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/ci.yaml:17
  | uses: actions/checkout@v4
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/mdbook.yml:34
  | uses: actions/checkout@v4
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/ci.yaml:1
  | name: CI
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/ci.yaml:11
  | rust-test:
  = this job
  --> .github/workflows/ci.yaml:11
  | rust-test:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/ci.yaml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 undocumented-permissions: permissions without explanatory comments
  severity: Low, confidence: High
  --> .github/workflows/mdbook.yml:18
  | pages: write
  = needs an explanatory comment
  --> .github/workflows/mdbook.yml:19
  | id-token: write
  = needs an explanatory comment
  docs: https://docs.zizmor.sh/audits/#undocumented-permissions

🔵 anonymous-definition: workflow or action definition without a name
  severity: Informational, confidence: High
  --> .github/workflows/ci.yaml:11
  | rust-test
  = this job
  docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
  severity: Informational, confidence: High
  --> .github/workflows/mdbook.yml:29
  | build
  = this job
  docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
  severity: Informational, confidence: High
  --> .github/workflows/mdbook.yml:51
  | deploy
  = this job
  docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔴 template-injection: code injection via template expansion
  severity: High, confidence: High
  --> .github/workflows/template.yml:34
  | name: Configure git
  = this step
  --> .github/workflows/template.yml:36
  | |
  = may expand into attacker-controllable code
  --> .github/workflows/template.yml:35
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/audit.yml:34
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/audit.yml:35
  | actions-rs/audit-check@v1
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/audit.yml:49
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/audit.yml:50
  | EmbarkStudios/cargo-deny-action@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:46
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:48
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:51
  | Swatinem/rust-cache@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:52
  | taiki-e/install-action@cargo-hack
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:65
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:67
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:70
  | Swatinem/rust-cache@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:71
  | taiki-e/install-action@cargo-hack
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:79
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:81
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:85
  | Swatinem/rust-cache@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:86
  | taiki-e/install-action@cargo-hack
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:97
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:99
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:103
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:114
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:116
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:119
  | Swatinem/rust-cache@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:127
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:129
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:132
  | Swatinem/rust-cache@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:142
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:144
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:148
  | Swatinem/rust-cache@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:158
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:160
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:164
  | Swatinem/rust-cache@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:177
  | github/codeql-action/upload-sarif@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:188
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:190
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:193
  | Swatinem/rust-cache@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:199
  | coverallsapp/github-action@master
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/committed.yml:24
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/committed.yml:28
  | crate-ci/committed@master
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/pre-commit.yml:25
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/pre-commit.yml:26
  | j178/prek-action@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/release.yml:17
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/release.yml:20
  | rust-lang/crates-io-auth-action@v1
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust-next.yml:36
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust-next.yml:38
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust-next.yml:41
  | Swatinem/rust-cache@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust-next.yml:42
  | taiki-e/install-action@cargo-hack
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust-next.yml:57
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust-next.yml:59
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust-next.yml:62
  | Swatinem/rust-cache@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust-next.yml:63
  | taiki-e/install-action@cargo-hack
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/spelling.yml:23
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/spelling.yml:25
  | crate-ci/typos@master
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/template.yml:31
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses

🟠 archived-uses: action or reusable workflow from archived repository
  severity: Medium, confidence: High
  --> .github/workflows/audit.yml:35
  | uses: actions-rs/audit-check@v1
  = this step
  --> .github/workflows/audit.yml:35
  | actions-rs/audit-check@v1
  = repository is archived
  docs: https://docs.zizmor.sh/audits/#archived-uses

🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/release.yml:1
  | name: Publish
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/audit.yml:33
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/audit.yml:49
  | uses: actions/checkout@v6
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:45
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:64
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:78
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:96
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:113
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:126
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:141
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:157
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:187
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/committed.yml:23
  | name: Checkout Actions Repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/pre-commit.yml:25
  | uses: actions/checkout@v6
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/release.yml:16
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/rust-next.yml:35
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/rust-next.yml:56
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/spelling.yml:22
  | name: Checkout Actions Repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/template.yml:30
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked

🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/release.yml:1
  | name: Publish
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:47
  | name: Install Rust
  = this step
  --> .github/workflows/ci.yml:48
  | dtolnay/rust-toolchain@stable
  = use `rustup` and/or `cargo` in a script step
  docs: https://docs.zizmor.sh/audits/#superfluous-actions

🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:66
  | name: Install Rust
  = this step
  --> .github/workflows/ci.yml:67
  | dtolnay/rust-toolchain@stable
  = use `rustup` and/or `cargo` in a script step
  docs: https://docs.zizmor.sh/audits/#superfluous-actions

🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:80
  | name: Install Rust
  = this step
  --> .github/workflows/ci.yml:81
  | dtolnay/rust-toolchain@stable
  = use `rustup` and/or `cargo` in a script step
  docs: https://docs.zizmor.sh/audits/#superfluous-actions

🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:98
  | name: Install stable Rust
  = this step
  --> .github/workflows/ci.yml:99
  | dtolnay/rust-toolchain@stable
  = use `rustup` and/or `cargo` in a script step
  docs: https://docs.zizmor.sh/audits/#superfluous-actions

🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:102
  | name: Install nightly Rust
  = this step
  --> .github/workflows/ci.yml:103
  | dtolnay/rust-toolchain@stable
  = use `rustup` and/or `cargo` in a script step
  docs: https://docs.zizmor.sh/audits/#superfluous-actions

🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:115
  | name: Install Rust
  = this step
  --> .github/workflows/ci.yml:116
  | dtolnay/rust-toolchain@stable
  = use `rustup` and/or `cargo` in a script step
  docs: https://docs.zizmor.sh/audits/#superfluous-actions

🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:128
  | name: Install Rust
  = this step
  --> .github/workflows/ci.yml:129
  | dtolnay/rust-toolchain@stable
  = use `rustup` and/or `cargo` in a script step
  docs: https://docs.zizmor.sh/audits/#superfluous-actions

🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:143
  | name: Install Rust
  = this step
  --> .github/workflows/ci.yml:144
  | dtolnay/rust-toolchain@stable
  = use `rustup` and/or `cargo` in a script step
  docs: https://docs.zizmor.sh/audits/#superfluous-actions

🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:159
  | name: Install Rust
  = this step
  --> .github/workflows/ci.yml:160
  | dtolnay/rust-toolchain@stable
  = use `rustup` and/or `cargo` in a script step
  docs: https://docs.zizmor.sh/audits/#superfluous-actions

🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:189
  | name: Install Rust
  = this step
  --> .github/workflows/ci.yml:190
  | dtolnay/rust-toolchain@stable
  = use `rustup` and/or `cargo` in a script step
  docs: https://docs.zizmor.sh/audits/#superfluous-actions

🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/rust-next.yml:37
  | name: Install Rust
  = this step
  --> .github/workflows/rust-next.yml:38
  | dtolnay/rust-toolchain@stable
  = use `rustup` and/or `cargo` in a script step
  docs: https://docs.zizmor.sh/audits/#superfluous-actions

🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/rust-next.yml:58
  | name: Install Rust
  = this step
  --> .github/workflows/rust-next.yml:59
  | dtolnay/rust-toolchain@stable
  = use `rustup` and/or `cargo` in a script step
  docs: https://docs.zizmor.sh/audits/#superfluous-actions

🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/template.yml:38
  | name: Fetch template
  = this step
  --> .github/workflows/template.yml:39
  | "git remote add template ${{ env.TEMPLATE_URL }} && git fetch template ${{ env.TEMPLATE_BRANCH }}"
  = may expand into attacker-controllable code
  --> .github/workflows/template.yml:39
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
| --> .github/workflows/template.yml:38 | |
| | name: Fetch template | |
| = this step | |
| --> .github/workflows/template.yml:39 | |
| | "git remote add template ${{ env.TEMPLATE_URL }} && git fetch template ${{ env.TEMPLATE_BRANCH }}" | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/template.yml:39 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/template.yml:40 | |
| | name: Merge template | |
| = this step | |
| --> .github/workflows/template.yml:41 | |
| | "git checkout -b template-update && git merge template/${{ env.TEMPLATE_BRANCH }} -m 'chore: Update from template'" | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/template.yml:41 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:24 | |
| | contents: none | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yml:14 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/template.yml:26 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/audit.yml:25 | |
| | security_audit | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/audit.yml:39 | |
| | cargo_deny | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:110 | |
| | lockfile | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/pre-commit.yml:20 | |
| | pre-commit | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/template.yml:23 | |
| | update | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy.yml:12 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy.yml:12 | |
| | uses: actions/checkout@v3 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Publish | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy.yml:8 | |
| | publish: | |
| = this job | |
| --> .github/workflows/deploy.yml:8 | |
| | publish: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Publish | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:24 | |
| | name: Push to gh-pages | |
| = this step | |
| --> .github/workflows/deploy.yml:30 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/deploy.yml:27 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:24 | |
| | name: Push to gh-pages | |
| = this step | |
| --> .github/workflows/deploy.yml:34 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/deploy.yml:27 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:14 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:31 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:16 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:17 | |
| | rust-lang/crates-io-auth-action@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:14 | |
| | uses: actions/checkout@v3 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:31 | |
| | uses: actions/checkout@v3 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/publish.yml:16 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | on: [push, pull_request] | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:6 | |
| | test: | |
| = this job | |
| --> .github/workflows/ci.yml:6 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:26 | |
| | fmt: | |
| = this job | |
| --> .github/workflows/ci.yml:26 | |
| | fmt: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/publish.yml:1 | |
| | name: Publish to crates.io | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | on: [push, pull_request] | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | on: [push, pull_request] | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yml:1 | |
| | name: Publish to crates.io | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yml:13 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/publish.yml:8 | |
| | publish | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/pages.yml:10 | |
| | pages: write | |
| = pages: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/pages.yml:11 | |
| | id-token: write | |
| = id-token: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/pages.yml:25 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/pages.yml:27 | |
| | actions/configure-pages@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/pages.yml:30 | |
| | actions-rs/toolchain@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/pages.yml:35 | |
| | actions/cache@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/pages.yml:46 | |
| | actions/cache@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/pages.yml:57 | |
| | actions/upload-pages-artifact@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/pages.yml:68 | |
| | actions/deploy-pages@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 archived-uses: action or reusable workflow from archived repository | |
| severity: Medium, confidence: High | |
| --> .github/workflows/pages.yml:28 | |
| | name: Setup Rust toolchain | |
| = this step | |
| --> .github/workflows/pages.yml:30 | |
| | actions-rs/toolchain@v1 | |
| = repository is archived | |
| docs: https://docs.zizmor.sh/audits/#archived-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/pages.yml:24 | |
| | name: Checkout | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/pages.yml:10 | |
| | pages: write | |
| = needs an explanatory comment | |
| --> .github/workflows/pages.yml:11 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/pages.yml:21 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/pages.yml:59 | |
| | deploy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/zola.yml:13 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/zola.yml:24 | |
| | peaceiris/actions-gh-pages@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/zola.yml:13 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/zola.yml:1 | |
| | name: github pages | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/zola.yml:10 | |
| | build_and_deploy: | |
| = this job | |
| --> .github/workflows/zola.yml:10 | |
| | build_and_deploy: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/zola.yml:1 | |
| | name: github pages | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/zola.yml:10 | |
| | build_and_deploy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:14 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:18 | |
| | taiki-e/install-action@mdbook | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:20 | |
| | taiki-e/install-action@mdbook-linkcheck | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:23 | |
| | actions/upload-pages-artifact@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:42 | |
| | actions/deploy-pages@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:14 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:10 | |
| | test: | |
| = this job | |
| --> .github/workflows/ci.yml:10 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:34 | |
| | pages: write | |
| = needs an explanatory comment | |
| --> .github/workflows/ci.yml:35 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:12 | |
| | XAMPPRocky/deploy-mdbook@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = this job | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 anonymous-definition: workflow or action definition without a name | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = this workflow | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:18 | |
| | pages: write | |
| = pages: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:19 | |
| | id-token: write | |
| = id-token: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:32 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:34 | |
| | baptiste0928/cargo-install@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:40 | |
| | baptiste0928/cargo-install@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:46 | |
| | actions/configure-pages@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:50 | |
| | actions/upload-pages-artifact@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:64 | |
| | actions/deploy-pages@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/mdbook.yml:32 | |
| | uses: actions/checkout@v3 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/mdbook.yml:18 | |
| | pages: write | |
| = needs an explanatory comment | |
| --> .github/workflows/mdbook.yml:19 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/mdbook.yml:29 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/mdbook.yml:55 | |
| | deploy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:7 | |
| | test-cb: | |
| = this job | |
| --> .github/workflows/ci.yml:7 | |
| | test-cb: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:25 | |
| | test-gh: | |
| = this job | |
| --> .github/workflows/ci.yml:25 | |
| | test-gh: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:7 | |
| | test-cb | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:25 | |
| | test-gh | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:4 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:5 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:42 | |
| | actions/checkout@v4 | |
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:150
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:171
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:203
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:218
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:237
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:258
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:269
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/publish.yml:18
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/publish.yml:24
| release-plz/action@v0.5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/publish.yml:41
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/publish.yml:47
| release-plz/action@v0.5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:42
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:150
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:171
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:203
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:218
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:237
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:258
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:269
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/publish.yml:17
| name: Checkout repository
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/publish.yml:40
| name: Checkout repository
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:1
| name: CI
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:12
| test:
= this job
--> .github/workflows/main.yml:12
| test:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:146
| windows_arm64:
= this job
--> .github/workflows/main.yml:146
| windows_arm64:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:161
| ios:
= this job
--> .github/workflows/main.yml:161
| ios:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:180
| docker:
= this job
--> .github/workflows/main.yml:180
| docker:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:214
| rustfmt:
= this job
--> .github/workflows/main.yml:214
| rustfmt:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:225
| build:
= this job
--> .github/workflows/main.yml:225
| build:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:248
| msrv:
= this job
--> .github/workflows/main.yml:248
| msrv:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:265
| miri:
= this job
--> .github/workflows/main.yml:265
| miri:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 secrets-outside-env: secrets referenced without a dedicated environment
severity: Medium, confidence: High
--> .github/workflows/publish.yml:12
| release-plz-release
= this job
--> .github/workflows/publish.yml:29
| secrets.CARGO_REGISTRY_TOKEN
= secret is accessed outside of a dedicated environment
docs: https://docs.zizmor.sh/audits/#secrets-outside-env
🟠 secrets-outside-env: secrets referenced without a dedicated environment
severity: Medium, confidence: High
--> .github/workflows/publish.yml:32
| release-plz-pr
= this job
--> .github/workflows/publish.yml:52
| secrets.CARGO_REGISTRY_TOKEN
= secret is accessed outside of a dedicated environment
docs: https://docs.zizmor.sh/audits/#secrets-outside-env
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/publish.yml:1
| name: Release-plz
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:45
| name: Install Rust (rustup)
= this step
--> .github/workflows/main.yml:46
| rustup update ${{ matrix.rust }} --no-self-update && rustup default ${{ matrix.rust }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:46
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:45
| name: Install Rust (rustup)
= this step
--> .github/workflows/main.yml:46
| rustup update ${{ matrix.rust }} --no-self-update && rustup default ${{ matrix.rust }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:46
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:174
| run: rustup target add ${{ matrix.target }}
= this step
--> .github/workflows/main.yml:174
| rustup target add ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:174
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:175
| name: Run tests
= this step
--> .github/workflows/main.yml:176
| cargo test ${{ contains(matrix.target, 'macabi') && '' || '--no-run' }} --target ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:176
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:175
| name: Run tests
= this step
--> .github/workflows/main.yml:176
| cargo test ${{ contains(matrix.target, 'macabi') && '' || '--no-run' }} --target ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:176
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:208
| run: rustup target add ${{ matrix.target }}
= this step
--> .github/workflows/main.yml:208
| rustup target add ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:208
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:212
| run: ./ci/run-docker.sh ${{ matrix.target }}
= this step
--> .github/workflows/main.yml:212
| ./ci/run-docker.sh ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:212
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:242
| run: rustup target add ${{ matrix.target }}
= this step
--> .github/workflows/main.yml:242
| rustup target add ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:242
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:245
| run: cargo build --target ${{ matrix.target }}
= this step
--> .github/workflows/main.yml:245
| cargo build --target ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:245
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:246
| run: cargo build --manifest-path crates/as-if-std/Cargo.toml --target ${{ matrix.target }}
= this step
--> .github/workflows/main.yml:246
| cargo build --manifest-path crates/as-if-std/Cargo.toml --target ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:246
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/publish.yml:4
| pull-requests: write
= needs an explanatory comment
--> .github/workflows/publish.yml:5
| contents: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions

🔴 excessive-permissions: overly broad permissions
severity: High, confidence: High
--> .github/workflows/mdbook.yml:24
| pages: write
= pages: write is overly broad at the workflow level
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🔴 excessive-permissions: overly broad permissions
severity: High, confidence: High
--> .github/workflows/mdbook.yml:25
| id-token: write
= id-token: write is overly broad at the workflow level
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/mdbook.yml:38
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/mdbook.yml:39
| taiki-e/cache-cargo-install-action@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/mdbook.yml:43
| baptiste0928/cargo-install@v3
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/mdbook.yml:50
| baptiste0928/cargo-install@v3
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/mdbook.yml:57
| actions/configure-pages@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/mdbook.yml:61
| actions/upload-pages-artifact@v3
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/mdbook.yml:76
| actions/deploy-pages@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/mdbook.yml:38
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/mdbook.yml:24
| pages: write
= needs an explanatory comment
--> .github/workflows/mdbook.yml:25
| id-token: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/mdbook.yml:35
| build
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/mdbook.yml:66
| deploy
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:16
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:30
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:36
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:57
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/snapshot_tests.yml:14
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:1
| name: CI
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:13
| lint:
= this job
--> .github/workflows/main.yml:13
| lint:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:27
| spelling:
= this job
--> .github/workflows/main.yml:27
| spelling:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:33
| build:
= this job
--> .github/workflows/main.yml:33
| build:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:51
| pub_date:
= this job
--> .github/workflows/main.yml:51
| pub_date:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/snapshot_tests.yml:1
| name: Snapshot tests
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/snapshot_tests.yml:10
| snapshot-tests:
= this job
--> .github/workflows/snapshot_tests.yml:10
| snapshot-tests:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/snapshot_tests.yml:1
| name: Snapshot tests
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:18
| run: rustup override set ${{ env.RUST_VERSION }}
= this step
--> .github/workflows/main.yml:18
| rustup override set ${{ env.RUST_VERSION }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:18
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:38
| run: rustup override set ${{ env.RUST_VERSION }}
= this step
--> .github/workflows/main.yml:38
| rustup override set ${{ env.RUST_VERSION }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:38
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:59
| run: rustup override set ${{ env.RUST_VERSION }}
= this step
--> .github/workflows/main.yml:59
| rustup override set ${{ env.RUST_VERSION }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:59
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/snapshot_tests.yml:15
| run: rustup override set ${{ env.RUST_VERSION }}
= this step
--> .github/workflows/snapshot_tests.yml:15
| rustup override set ${{ env.RUST_VERSION }}
= may expand into attacker-controllable code
--> .github/workflows/snapshot_tests.yml:15
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/main.yml:70
| pages: write
= needs an explanatory comment
--> .github/workflows/main.yml:71
| id-token: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/main.yml:13
| lint
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/main.yml:27
| spelling
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/main.yml:33
| build
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/main.yml:64
| deploy
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/snapshot_tests.yml:10
| snapshot-tests
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:12
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:47
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:66
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:12
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:47
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:66
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:1
| name: CI
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:8
| test:
= this job
--> .github/workflows/main.yml:8
| test:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:43
| package_tests:
= this job
--> .github/workflows/main.yml:43
| package_tests:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:62
| lint:
= this job
--> .github/workflows/main.yml:62
| lint:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
| 🔴 template-injection: code injection via template expansion | |
| severity: High, confidence: High | |
| --> .github/workflows/test.yml:34 | |
| | if: ${{ github.event_name == 'push' }} | |
| = this step | |
| --> .github/workflows/test.yml:36 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/test.yml:35 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/test.yml:25 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/test.yml:24 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:1 | |
| | name: Test | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:11 | |
| | init: | |
| = this job | |
| --> .github/workflows/test.yml:11 | |
| | init: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:15 | |
| | sleep-60: | |
| = this job | |
| --> .github/workflows/test.yml:15 | |
| | sleep-60: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:20 | |
| | dynamic: | |
| = this job | |
| --> .github/workflows/test.yml:20 | |
| | dynamic: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/test.yml:1 | |
| | name: Test | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/test.yml:1 | |
| | name: Test | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/test.yml:1 | |
| | name: Test | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/test.yml:26 | |
| | if: ${{ github.event_name == 'pull_request' }} | |
| = this step | |
| --> .github/workflows/test.yml:28 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/test.yml:27 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/test.yml:11 | |
| | init | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/test.yml:15 | |
| | sleep-60 | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/test.yml:20 | |
| | dynamic | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/audit.yml:20 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/audit.yml:21 | |
| | EmbarkStudios/cargo-deny-action@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy-production.yml:18 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy-staging.yml:20 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/test.yml:20 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/test.yml:57 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/test.yml:58 | |
| | docker/setup-buildx-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/test.yml:60 | |
| | docker/build-push-action@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/audit.yml:19 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/audit.yml:1 | |
| | name: Security audit | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/audit.yml:16 | |
| | audit: | |
| = this job | |
| --> .github/workflows/audit.yml:16 | |
| | audit: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy-production.yml:1 | |
| | name: Deploy production | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy-staging.yml:1 | |
| | name: Deploy staging | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:1 | |
| | name: Test | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:12 | |
| | test: | |
| = this job | |
| --> .github/workflows/test.yml:12 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:52 | |
| | docker: | |
| = this job | |
| --> .github/workflows/test.yml:52 | |
| | docker: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/deploy-production.yml:17 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/deploy-staging.yml:19 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/test.yml:19 | |
| | name: Checkout sources | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/test.yml:56 | |
| | name: Checkout repo | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/audit.yml:1 | |
| | name: Security audit | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy-production.yml:11 | |
| | concurrency: production | |
| = job concurrency is missing cancel-in-progress | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy-staging.yml:13 | |
| | concurrency: staging | |
| = job concurrency is missing cancel-in-progress | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/test.yml:1 | |
| | name: Test | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/test.yml:1 | |
| | name: Test | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy-production.yml:14 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy-staging.yml:16 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/audit.yml:16 | |
| | audit | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:10 | |
| | actions/checkout@v4.1.1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:11 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:18 | |
| | actions/checkout@v4.1.1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:19 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:10 | |
| | uses: actions/checkout@v4.1.1 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:18 | |
| | uses: actions/checkout@v4.1.1 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | on: [push, pull_request] | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:6 | |
| | test: | |
| = this job | |
| --> .github/workflows/ci.yml:6 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:14 | |
| | fmt: | |
| = this job | |
| --> .github/workflows/ci.yml:14 | |
| | fmt: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | on: [push, pull_request] | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | on: [push, pull_request] | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:11 | |
| | uses: dtolnay/rust-toolchain@stable | |
| = this step | |
| --> .github/workflows/ci.yml:11 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:19 | |
| | uses: dtolnay/rust-toolchain@stable | |
| = this step | |
| --> .github/workflows/ci.yml:19 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/calendar.yml:9 | |
| | pages: write | |
| = pages: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/calendar.yml:10 | |
| | id-token: write | |
| = id-token: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/calendar.yml:22 | |
| | actions/checkout@v4.1.1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/calendar.yml:24 | |
| | rust-lang/calendar-generation@main | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/calendar.yml:26 | |
| | actions/upload-pages-artifact@v3.0.0 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/calendar.yml:31 | |
| | actions/deploy-pages@v4.0.1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:10 | |
| | actions/checkout@v4.1.1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:11 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:25 | |
| | actions/checkout@v4.1.1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:26 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mr.yml:12 | |
| | actions/checkout@v4.1.1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mr.yml:14 | |
| | rust-lang/calendar-generation@main | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/calendar.yml:21 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:10 | |
| | uses: actions/checkout@v4.1.1 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:25 | |
| | uses: actions/checkout@v4.1.1 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/mr.yml:11 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | on: [push, pull_request] | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:6 | |
| | test: | |
| = this job | |
| --> .github/workflows/ci.yml:6 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:21 | |
| | fmt: | |
| = this job | |
| --> .github/workflows/ci.yml:21 | |
| | fmt: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/mr.yml:1 | |
| | name: check calendars | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/mr.yml:7 | |
| | generate: | |
| = this job | |
| --> .github/workflows/mr.yml:7 | |
| | generate: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | on: [push, pull_request] | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | on: [push, pull_request] | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/mr.yml:1 | |
| | name: check calendars | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:11 | |
| | uses: dtolnay/rust-toolchain@stable | |
| = this step | |
| --> .github/workflows/ci.yml:11 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:26 | |
| | uses: dtolnay/rust-toolchain@stable | |
| = this step | |
| --> .github/workflows/ci.yml:26 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/calendar.yml:9 | |
| | pages: write | |
| = needs an explanatory comment | |
| --> .github/workflows/calendar.yml:10 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:19 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:21 | |
| | dtolnay/rust-toolchain@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:24 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:40 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:42 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/docs.yml:16 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/docs.yml:29 | |
| | actions/upload-pages-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/docs.yml:48 | |
| | actions/deploy-pages@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:18 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/publish.yml:14 | |
| | publish | |
| = this job | |
| --> .github/workflows/publish.yml:23 | |
| | secrets.CARGO_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yml:18 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yml:39 | |
| | name: Checkout source | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/docs.yml:16 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/publish.yml:18 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/docs.yml:1 | |
| | name: Documentation Deploy | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/docs.yml:1 | |
| | name: Documentation Deploy | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yml:1 | |
| | name: Publish | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:20 | |
| | name: Install Rust | |
| = this step | |
| --> .github/workflows/ci.yml:21 | |
| | dtolnay/rust-toolchain@master | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:41 | |
| | name: Install Rust | |
| = this step | |
| --> .github/workflows/ci.yml:42 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/docs.yml:37 | |
| | pages: write | |
| = needs an explanatory comment | |
| --> .github/workflows/docs.yml:38 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/docs.yml:11 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/docs.yml:33 | |
| | deploy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 use-trusted-publishing: prefer trusted publishing for authentication | |
| severity: Informational, confidence: High | |
| --> .github/workflows/publish.yml:21 | |
| | name: Publish | |
| = this step | |
| --> .github/workflows/publish.yml:24 | |
| | run | |
| = this step | |
| --> .github/workflows/publish.yml:24 | |
| | cargo publish --no-verify | |
| = this command | |
| docs: https://docs.zizmor.sh/audits/#use-trusted-publishing | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/audit.yml:24 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/audit.yml:25 | |
| | EmbarkStudios/cargo-deny-action@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/contrib.yml:23 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:61 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:80 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:88 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:95 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:103 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:114 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:188 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:254 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:261 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:268 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:281 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:291 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:319 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:320 | |
| | taiki-e/install-action@cargo-hack | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:328 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:330 | |
| | crate-ci/typos@v1.44.0 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:336 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:343 | |
| | actions/upload-artifact@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:28 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/audit.yml:24 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/contrib.yml:23 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:61 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:80 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:88 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:95 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:103 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:114 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:188 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:254 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:261 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:268 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:281 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:291 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:319 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:327 | |
| | name: Checkout Actions Repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:336 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/release.yml:27 | |
| | name: Checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/release.yml:5 | |
| | name: Release | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/audit.yml:1 | |
| | name: Security audit | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:195 | |
| | run: rustup update --no-self-update ${{ matrix.rust }} && rustup default ${{ matrix.rust }} | |
| = this step | |
| --> .github/workflows/main.yml:195 | |
| | rustup update --no-self-update ${{ matrix.rust }} && rustup default ${{ matrix.rust }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:195 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:195 | |
| | run: rustup update --no-self-update ${{ matrix.rust }} && rustup default ${{ matrix.rust }} | |
| = this step | |
| --> .github/workflows/main.yml:195 | |
| | rustup update --no-self-update ${{ matrix.rust }} && rustup default ${{ matrix.rust }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:195 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:196 | |
| | run: rustup target add ${{ matrix.other }} | |
| = this step | |
| --> .github/workflows/main.yml:196 | |
| | rustup target add ${{ matrix.other }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:196 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:39 | |
| | contents: none | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/audit.yml:16 | |
| | cargo_deny | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/contrib.yml:18 | |
| | deploy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:23 | |
| | conclusion | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:58 | |
| | rustfmt | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:85 | |
| | stale-label | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:92 | |
| | lint-docs | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:100 | |
| | lockfile | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:107 | |
| | check-version-bump | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:251 | |
| | schema | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:258 | |
| | resolver | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:265 | |
| | test_gitoxide | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:278 | |
| | build_std | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:288 | |
| | docs | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:316 | |
| | msrv | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/main.yml:50 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/main.yml:53 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:51 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/main.yml:50 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/main.yml:55 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:51 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:4 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:5 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:6 | |
| | id-token: write | |
| = id-token: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/release-pr.yml:4 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/release-pr.yml:5 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:160 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:217 | |
| | ilammy/msvc-dev-cmd@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:220 | |
| | taiki-e/install-action@cargo-nextest | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:224 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:242 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:250 | |
| | taiki-e/install-action@cargo-nextest | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:253 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:287 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:296 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:311 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:317 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:337 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:365 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:381 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:393 | |
| | taiki-e/install-action@cargo-nextest | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:394 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:414 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:423 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:431 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:437 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:447 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:453 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:460 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:462 | |
| | obi1kenobi/cargo-semver-checks-action@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:21 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:25 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:27 | |
| | release-plz/action@v0.5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/regenerate-target-info.yml:19 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/regenerate-target-info.yml:35 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/regenerate-windows-sys.yml:19 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/regenerate-windows-sys.yml:30 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release-pr.yml:21 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release-pr.yml:25 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release-pr.yml:27 | |
| | release-plz/action@v0.5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/test-rustc-targets.yml:18 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/test-rustc-targets.yml:27 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:20 | |
| | test: | |
| = this job | |
| --> .github/workflows/main.yml:20 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:238 | |
| | test-linker-plugin-lto: | |
| = this job | |
| --> .github/workflows/main.yml:238 | |
| | test-linker-plugin-lto: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:263 | |
| | check-build-std: | |
| = this job | |
| --> .github/workflows/main.yml:263 | |
| | check-build-std: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:304 | |
| | check-wasm: | |
| = this job | |
| --> .github/workflows/main.yml:304 | |
| | check-wasm: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:325 | |
| | test-wasi: | |
| = this job | |
| --> .github/workflows/main.yml:325 | |
| | test-wasi: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:377 | |
| | cuda: | |
| = this job | |
| --> .github/workflows/main.yml:377 | |
| | cuda: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:404 | |
| | msrv: | |
| = this job | |
| --> .github/workflows/main.yml:404 | |
| | msrv: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:427 | |
| | clippy: | |
| = this job | |
| --> .github/workflows/main.yml:427 | |
| | clippy: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:443 | |
| | rustfmt: | |
| = this job | |
| --> .github/workflows/main.yml:443 | |
| | rustfmt: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:456 | |
| | semver-checks: | |
| = this job | |
| --> .github/workflows/main.yml:456 | |
| | semver-checks: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:467 | |
| | tests-pass: | |
| = this job | |
| --> .github/workflows/main.yml:467 | |
| | tests-pass: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/regenerate-target-info.yml:1 | |
| | name: Regenerate target info | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/regenerate-target-info.yml:14 | |
| | regenerate: | |
| = this job | |
| --> .github/workflows/regenerate-target-info.yml:14 | |
| | regenerate: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/regenerate-windows-sys.yml:1 | |
| | name: Regenerate windows sys bindings | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/regenerate-windows-sys.yml:14 | |
| | regenerate: | |
| = this job | |
| --> .github/workflows/regenerate-windows-sys.yml:14 | |
| | regenerate: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test-rustc-targets.yml:1 | |
| | name: Test nightly `rustc` targets and add issue comment if changed | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test-rustc-targets.yml:14 | |
| | rustc_target_test: | |
| = this job | |
| --> .github/workflows/test-rustc-targets.yml:14 | |
| | rustc_target_test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yml:160 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yml:242 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yml:287 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yml:311 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yml:337 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yml:381 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yml:414 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yml:431 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yml:447 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yml:459 | |
| | name: Checkout | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/publish.yml:20 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/regenerate-target-info.yml:19 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/regenerate-windows-sys.yml:19 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/release-pr.yml:20 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/test-rustc-targets.yml:18 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yml:1 | |
| | name: Publish release | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/regenerate-target-info.yml:1 | |
| | name: Regenerate target info | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/regenerate-windows-sys.yml:1 | |
| | name: Regenerate windows sys bindings | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/test-rustc-targets.yml:1 | |
| | name: Test nightly `rustc` targets and add issue comment if changed | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yml:24 | |
| | name: Install Rust toolchain | |
| = this step | |
| --> .github/workflows/publish.yml:25 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/release-pr.yml:24 | |
| | name: Install Rust toolchain | |
| = this step | |
| --> .github/workflows/release-pr.yml:25 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:163 | |
| | name: Install Rust (rustup) | |
| = this step | |
| --> .github/workflows/main.yml:166 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:164 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:163 | |
| | name: Install Rust (rustup) | |
| = this step | |
| --> .github/workflows/main.yml:166 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:164 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:163 | |
| | name: Install Rust (rustup) | |
| = this step | |
| --> .github/workflows/main.yml:167 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:164 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:206 | |
| | name: Set up Apple cross-compilation | |
| = this step | |
| --> .github/workflows/main.yml:214 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:208 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:225 | |
| | name: Compile tests but not run | |
| = this step | |
| --> .github/workflows/main.yml:228 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:227 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:225 | |
| | name: Compile tests but not run | |
| = this step | |
| --> .github/workflows/main.yml:228 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:227 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:229 | |
| | name: Compile and Run tests | |
| = this step | |
| --> .github/workflows/main.yml:232 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:231 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:229 | |
| | name: Compile and Run tests | |
| = this step | |
| --> .github/workflows/main.yml:232 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:231 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:229 | |
| | name: Compile and Run tests | |
| = this step | |
| --> .github/workflows/main.yml:233 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:231 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:229 | |
| | name: Compile and Run tests | |
| = this step | |
| --> .github/workflows/main.yml:233 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:231 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:297 | |
| | run: cargo test -Z build-std=std --no-run --workspace --target ${{ matrix.target }} | |
| = this step | |
| --> .github/workflows/main.yml:297 | |
| | cargo test -Z build-std=std --no-run --workspace --target ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:297 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:298 | |
| | run: cargo test -Z build-std=std --no-run --workspace --target ${{ matrix.target }} --release | |
| = this step | |
| --> .github/workflows/main.yml:298 | |
| | cargo test -Z build-std=std --no-run --workspace --target ${{ matrix.target }} --release | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:298 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:299 | |
| | run: cargo test -Z build-std=std --no-run --workspace --target ${{ matrix.target }} --features parallel | |
| = this step | |
| --> .github/workflows/main.yml:299 | |
| | cargo test -Z build-std=std --no-run --workspace --target ${{ matrix.target }} --features parallel | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:299 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:312 | |
| | name: Install Rust (rustup) | |
| = this step | |
| --> .github/workflows/main.yml:314 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:313 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:318 | |
| | run: cargo test --no-run --target ${{ matrix.target }} | |
| = this step | |
| --> .github/workflows/main.yml:318 | |
| | cargo test --no-run --target ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:318 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:319 | |
| | run: cargo test --no-run --target ${{ matrix.target }} --release | |
| = this step | |
| --> .github/workflows/main.yml:319 | |
| | cargo test --no-run --target ${{ matrix.target }} --release | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:319 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:320 | |
| | run: cargo test --no-run --target ${{ matrix.target }} --features parallel | |
| = this step | |
| --> .github/workflows/main.yml:320 | |
| | cargo test --no-run --target ${{ matrix.target }} --features parallel | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:320 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/regenerate-target-info.yml:23 | |
| | name: Generate branch name | |
| = this step | |
| --> .github/workflows/regenerate-target-info.yml:25 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/regenerate-target-info.yml:24 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/regenerate-windows-sys.yml:23 | |
| | name: Generate branch name | |
| = this step | |
| --> .github/workflows/regenerate-windows-sys.yml:25 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/regenerate-windows-sys.yml:24 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yml:4 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| --> .github/workflows/publish.yml:5 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/release-pr.yml:4 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| --> .github/workflows/release-pr.yml:5 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:456 | |
| | semver-checks | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/test-rustc-targets.yml:14 | |
| | rustc_target_test | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yaml:4 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yaml:5 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yaml:16 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yaml:22 | |
| | MarcoIeni/release-plz-action@v0.5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/publish.yaml:11 | |
| | release-plz | |
| = this job | |
| --> .github/workflows/publish.yaml:25 | |
| | secrets.CARGO_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yaml:23 | |
| | uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yaml:41 | |
| | uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/publish.yaml:15 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yaml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yaml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yaml:1 | |
| | name: Release-plz | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yaml:24 | |
| | name: Install Rust ${{ matrix.rust }} | |
| = this step | |
| --> .github/workflows/main.yaml:27 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yaml:25 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yaml:24 | |
| | name: Install Rust ${{ matrix.rust }} | |
| = this step | |
| --> .github/workflows/main.yaml:28 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yaml:25 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yaml:30 | |
| | name: Run tests | |
| = this step | |
| --> .github/workflows/main.yaml:34 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yaml:31 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yaml:4 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| --> .github/workflows/publish.yaml:5 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:16 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:21 | |
| | actions-rs/toolchain@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:70 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:75 | |
| | actions-rs/toolchain@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:91 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:14 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:20 | |
| | actions-rs/toolchain@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:27 | |
| | actions-rs/install@v0.1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:33 | |
| | actions/setup-node@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 archived-uses: action or reusable workflow from archived repository | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:20 | |
| | name: Install Rust toolchain | |
| = this step | |
| --> .github/workflows/ci.yml:21 | |
| | actions-rs/toolchain@v1 | |
| = repository is archived | |
| docs: https://docs.zizmor.sh/audits/#archived-uses | |
| 🟠 archived-uses: action or reusable workflow from archived repository | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:74 | |
| | name: Install Rust toolchain | |
| = this step | |
| --> .github/workflows/ci.yml:75 | |
| | actions-rs/toolchain@v1 | |
| = repository is archived | |
| docs: https://docs.zizmor.sh/audits/#archived-uses | |
| 🟠 archived-uses: action or reusable workflow from archived repository | |
| severity: Medium, confidence: High | |
| --> .github/workflows/publish.yml:19 | |
| | name: Install Rust toolchain | |
| = this step | |
| --> .github/workflows/publish.yml:20 | |
| | actions-rs/toolchain@v1 | |
| = repository is archived | |
| docs: https://docs.zizmor.sh/audits/#archived-uses | |
| 🟠 archived-uses: action or reusable workflow from archived repository | |
| severity: Medium, confidence: High | |
| --> .github/workflows/publish.yml:26 | |
| | name: Install cargo-workspaces | |
| = this step | |
| --> .github/workflows/publish.yml:27 | |
| | actions-rs/install@v0.1 | |
| = repository is archived | |
| docs: https://docs.zizmor.sh/audits/#archived-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:15 | |
| | name: Checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:69 | |
| | name: Checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:90 | |
| | name: Checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/publish.yml:13 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:7 | |
| | test: | |
| = this job | |
| --> .github/workflows/ci.yml:7 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:65 | |
| | fmt: | |
| = this job | |
| --> .github/workflows/ci.yml:65 | |
| | fmt: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:85 | |
| | mdbook-linkcheck: | |
| = this job | |
| --> .github/workflows/ci.yml:85 | |
| | mdbook-linkcheck: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:108 | |
| | conclusion: | |
| = this job | |
| --> .github/workflows/ci.yml:108 | |
| | conclusion: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/publish.yml:1 | |
| | name: Publish | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/publish.yml:8 | |
| | publish: | |
| = this job | |
| --> .github/workflows/publish.yml:8 | |
| | publish: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:7 | |
| | test | |
| = this job | |
| --> .github/workflows/ci.yml:62 | |
| | secrets.GITHUB_DEPLOY_KEY | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/publish.yml:8 | |
| | publish | |
| = this job | |
| --> .github/workflows/publish.yml:16 | |
| | secrets.PUBLISH_DEPLOY_KEY | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/publish.yml:8 | |
| | publish | |
| = this job | |
| --> .github/workflows/publish.yml:39 | |
| | secrets.CARGO_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yml:1 | |
| | name: Publish | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:108 | |
| | conclusion | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yml:114 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/ci.yml:117 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:115 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yml:114 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/ci.yml:119 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:115 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 use-trusted-publishing: prefer trusted publishing for authentication | |
| severity: Informational, confidence: High | |
| --> .github/workflows/publish.yml:37 | |
| | name: Release | |
| = this step | |
| --> .github/workflows/publish.yml:41 | |
| | run | |
| = this step | |
| --> .github/workflows/publish.yml:68 | |
| | | | |
| = this command | |
| docs: https://docs.zizmor.sh/audits/#use-trusted-publishing |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:15 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:28 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:35 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:55 | |
| | actions/download-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:60 | |
| | actions/download-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:66 | |
| | aws-actions/configure-aws-credentials@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:14 | |
| | name: Checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:77 | |
| | finished: | |
| = this job | |
| --> .github/workflows/ci.yml:77 | |
| | finished: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:48 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:4 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:5 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:13 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:19 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:30 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:35 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:74 | |
| | actions/checkout@main | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:80 | |
| | taiki-e/install-action@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:83 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:103 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:109 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:121 | |
| | actions/checkout@main | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:133 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:137 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:147 | |
| | actions/checkout@main | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:156 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:18 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:24 | |
| | MarcoIeni/release-plz-action@v0.5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:13 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:30 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:74 | |
| | uses: actions/checkout@main | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:103 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:121 | |
| | uses: actions/checkout@main | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:133 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:147 | |
| | uses: actions/checkout@main | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/publish.yml:17 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:9 | |
| | clippy: | |
| = this job | |
| --> .github/workflows/main.yml:9 | |
| | clippy: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:22 | |
| | test: | |
| = this job | |
| --> .github/workflows/main.yml:22 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:40 | |
| | cross_compile_test: | |
| = this job | |
| --> .github/workflows/main.yml:40 | |
| | cross_compile_test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:93 | |
| | ios_cross_compile_test: | |
| = this job | |
| --> .github/workflows/main.yml:93 | |
| | ios_cross_compile_test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:117 | |
| | rustfmt: | |
| = this job | |
| --> .github/workflows/main.yml:117 | |
| | rustfmt: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:129 | |
| | doc: | |
| = this job | |
| --> .github/workflows/main.yml:129 | |
| | doc: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:140 | |
| | msrv: | |
| = this job | |
| --> .github/workflows/main.yml:140 | |
| | msrv: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:159 | |
| | success: | |
| = this job | |
| --> .github/workflows/main.yml:159 | |
| | success: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/publish.yml:13 | |
| | release-plz | |
| = this job | |
| --> .github/workflows/publish.yml:27 | |
| | secrets.CARGO_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yml:1 | |
| | name: Release-plz | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:31 | |
| | name: Install Rust | |
| = this step | |
| --> .github/workflows/main.yml:33 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:32 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:31 | |
| | name: Install Rust | |
| = this step | |
| --> .github/workflows/main.yml:34 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:32 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:75 | |
| | name: Install Rust | |
| = this step | |
| --> .github/workflows/main.yml:79 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:76 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:84 | |
| | name: cross test | |
| = this step | |
| --> .github/workflows/main.yml:85 | |
| | cross test -vv --target ${{ matrix.platform.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:85 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:88 | |
| | name: cross build | |
| = this step | |
| --> .github/workflows/main.yml:89 | |
| | cross build -vv --target ${{ matrix.platform.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:89 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:104 | |
| | name: Install Rust | |
| = this step | |
| --> .github/workflows/main.yml:108 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:105 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:110 | |
| | name: build | |
| = this step | |
| --> .github/workflows/main.yml:111 | |
| | cargo build -vv --target ${{ matrix.platform.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:111 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yml:4 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| --> .github/workflows/publish.yml:5 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:159 | |
| | success | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/main.yml:175 | |
| | name: check if any dependency failed | |
| = this step | |
| --> .github/workflows/main.yml:176 | |
| | jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}' | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:176 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:12 | |
| | XAMPPRocky/deploy-mdbook@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = this job | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 anonymous-definition: workflow or action definition without a name | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = this workflow | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yaml:4 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yaml:5 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rustc-pull.yml:2 | |
| | name: rustc-pull | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yaml:1 | |
| | name: Release-plz | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yaml:233 | |
| | security-events: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yaml:4 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| --> .github/workflows/publish.yaml:5 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/rustc-pull.yml:30 | |
| | contents: write | |
| = needs an explanatory comment | |
| --> .github/workflows/rustc-pull.yml:31 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yaml:409 | |
| | success | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy.yml:11 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy.yml:10 | |
| | name: Checkout repository code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Deploy | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy.yml:7 | |
| | deploy: | |
| = this job | |
| --> .github/workflows/deploy.yml:7 | |
| | deploy: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Deploy | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/deploy.yml:7 | |
| | deploy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_skill_tree.yml:12 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_skill_tree.yml:15 | |
| | peaceiris/actions-mdbook@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_skill_tree.yml:21 | |
| | actions/cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_skill_tree.yml:37 | |
| | peaceiris/actions-gh-pages@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy_skill_tree.yml:12 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_skill_tree.yml:1 | |
| | name: github pages | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_skill_tree.yml:9 | |
| | deploy: | |
| = this job | |
| --> .github/workflows/deploy_skill_tree.yml:9 | |
| | deploy: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_skill_tree.yml:1 | |
| | name: github pages | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/deploy_skill_tree.yml:9 | |
| | deploy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:10 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:29 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:54 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:72 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:83 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:99 | |
| | actions/download-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:108 | |
| | rust-lang/simpleinfra/github-actions/upload-docker-image@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/pr.yml:9 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/pr.yml:24 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:6 | |
| | lint: | |
| = this job | |
| --> .github/workflows/ci.yml:6 | |
| | lint: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:21 | |
| | test: | |
| = this job | |
| --> .github/workflows/ci.yml:21 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:47 | |
| | minicrater: | |
| = this job | |
| --> .github/workflows/ci.yml:47 | |
| | minicrater: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:68 | |
| | docker-build: | |
| = this job | |
| --> .github/workflows/ci.yml:68 | |
| | docker-build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:88 | |
| | docker-upload: | |
| = this job | |
| --> .github/workflows/ci.yml:88 | |
| | docker-upload: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:116 | |
| | conclusion: | |
| = this job | |
| --> .github/workflows/ci.yml:116 | |
| | conclusion: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/pr.yml:1 | |
| | name: PR build | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/pr.yml:5 | |
| | lint: | |
| = this job | |
| --> .github/workflows/pr.yml:5 | |
| | lint: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/pr.yml:20 | |
| | test: | |
| = this job | |
| --> .github/workflows/pr.yml:20 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/pr.yml:43 | |
| | conclusion: | |
| = this job | |
| --> .github/workflows/pr.yml:43 | |
| | conclusion: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:88 | |
| | docker-upload | |
| = this job | |
| --> .github/workflows/ci.yml:113 | |
| | secrets.aws_access_key_id | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:88 | |
| | docker-upload | |
| = this job | |
| --> .github/workflows/ci.yml:114 | |
| | secrets.aws_secret_access_key | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yml:10 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yml:29 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yml:54 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yml:72 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/pr.yml:9 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/pr.yml:24 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/pr.yml:1 | |
| | name: PR build | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/pr.yml:1 | |
| | name: PR build | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/pr.yml:1 | |
| | name: PR build | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:116 | |
| | conclusion | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/pr.yml:43 | |
| | conclusion | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yml:128 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/ci.yml:131 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:129 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yml:128 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/ci.yml:133 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:129 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/pr.yml:55 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/pr.yml:58 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/pr.yml:56 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/pr.yml:55 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/pr.yml:60 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/pr.yml:56 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:16 | |
| | packages: write | |
| = packages: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:24 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:43 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:46 | |
| | docker/login-action@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:55 | |
| | docker/metadata-action@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:61 | |
| | docker/build-push-action@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yml:23 | |
| | name: Checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/main.yml:42 | |
| | name: Checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:60 | |
| | name: Build and push | |
| = this step | |
| --> .github/workflows/main.yml:63 | |
| | ${{ matrix.image }}/ | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:61 | |
| | uses: docker/build-push-action@v7 | |
| = action accepts arbitrary code | |
| --> .github/workflows/main.yml:63 | |
| | context | |
| = via this input | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:16 | |
| | packages: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:14 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:26 | |
| | rust-lang/simpleinfra/github-actions/upload-docker-image@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:13 | |
| | name: Checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:9 | |
| | ci: | |
| = this job | |
| --> .github/workflows/ci.yml:9 | |
| | ci: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:9 | |
| | ci | |
| = this job | |
| --> .github/workflows/ci.yml:33 | |
| | secrets.AWS_ACCESS_KEY_ID | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:9 | |
| | ci | |
| = this job | |
| --> .github/workflows/ci.yml:34 | |
| | secrets.AWS_SECRET_ACCESS_KEY | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/update-dl-url.yml:36 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 template-injection: code injection via template expansion | |
| severity: High, confidence: High | |
| --> .github/workflows/update-dl-url.yml:50 | |
| | name: Switch the download endpoint | |
| = this step | |
| --> .github/workflows/update-dl-url.yml:58 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/update-dl-url.yml:51 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/update-dl-url.yml:48 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/update-dl-url.yml:47 | |
| | name: Clone the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/update-dl-url.yml:13 | |
| | name: Update download URL | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/update-dl-url.yml:50 | |
| | name: Switch the download endpoint | |
| = this step | |
| --> .github/workflows/update-dl-url.yml:71 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/update-dl-url.yml:51 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/update-dl-url.yml:50 | |
| | name: Switch the download endpoint | |
| = this step | |
| --> .github/workflows/update-dl-url.yml:77 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/update-dl-url.yml:51 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/update-dl-url.yml:36 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/update-cdn-ip-ranges.yml:17 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/smoke-test.yml:16 | |
| | test | |
| = this job | |
| --> .github/workflows/smoke-test.yml:28 | |
| | secrets.STAGING_SMOKE_TEST_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/update-cdn-ip-ranges.yml:27 | |
| | run | |
| = this job | |
| --> .github/workflows/update-cdn-ip-ranges.yml:35 | |
| | secrets.WORKFLOWS_CRATES_IO_PRIVATE_KEY | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/update-cdn-ip-ranges.yml:53 | |
| | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:341 | |
| | security-events: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/update-cdn-ip-ranges.yml:17 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/smoke-test.yml:16 | |
| | test | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/update-cdn-ip-ranges.yml:27 | |
| | run | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/release.yml:1 | |
| | name: Release | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yml:1 | |
| | name: Release | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yml:14 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/release.yml:9 | |
| | publish | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:18 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:23 | |
| | actions-rs/toolchain@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 archived-uses: action or reusable workflow from archived repository | |
| severity: Medium, confidence: High | |
| --> .github/workflows/main.yml:22 | |
| | name: Install rust toolchain | |
| = this step | |
| --> .github/workflows/main.yml:23 | |
| | actions-rs/toolchain@v1 | |
| = repository is archived | |
| docs: https://docs.zizmor.sh/audits/#archived-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:18 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:2 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:10 | |
| | test: | |
| = this job | |
| --> .github/workflows/main.yml:10 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:2 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:5 | |
| | packages: write | |
| = packages: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:48 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mirror_stable.yml:90 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mirror_stable.yml:95 | |
| | docker/login-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mirror_stable.yml:101 | |
| | docker/login-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:76 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:78 | |
| | docker/setup-qemu-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:80 | |
| | docker/setup-buildx-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:82 | |
| | docker/login-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:90 | |
| | docker/login-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:98 | |
| | docker/metadata-action@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:106 | |
| | docker/build-push-action@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:48 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/nightly.yml:75 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/mirror_stable.yml:1 | |
| | name: Mirror Stable Images to GHCR | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/mirror_stable.yml:10 | |
| | mirror | |
| = this job | |
| --> .github/workflows/mirror_stable.yml:98 | |
| | secrets.DOCKER_HUB_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/nightly.yml:18 | |
| | build | |
| = this job | |
| --> .github/workflows/nightly.yml:94 | |
| | secrets.DOCKER_HUB_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/mirror_stable.yml:1 | |
| | name: Mirror Stable Images to GHCR | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/nightly.yml:1 | |
| | name: Nightly Publish | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:50 | |
| | run: docker build -t rust:$RUST_VERSION-${{ matrix.name }} stable/${{ matrix.variant }} | |
| = this step | |
| --> .github/workflows/ci.yml:50 | |
| | docker build -t rust:$RUST_VERSION-${{ matrix.name }} stable/${{ matrix.variant }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:50 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:50 | |
| | run: docker build -t rust:$RUST_VERSION-${{ matrix.name }} stable/${{ matrix.variant }} | |
| = this step | |
| --> .github/workflows/ci.yml:50 | |
| | docker build -t rust:$RUST_VERSION-${{ matrix.name }} stable/${{ matrix.variant }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:50 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:51 | |
| | run: ~/official-images/test/run.sh rust:$RUST_VERSION-${{ matrix.name }} | |
| = this step | |
| --> .github/workflows/ci.yml:51 | |
| | ~/official-images/test/run.sh rust:$RUST_VERSION-${{ matrix.name }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:51 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/mirror_stable.yml:120 | |
| | name: Copy image to GHCR | |
| = this step | |
| --> .github/workflows/mirror_stable.yml:122 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/mirror_stable.yml:121 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/mirror_stable.yml:120 | |
| | name: Copy image to GHCR | |
| = this step | |
| --> .github/workflows/mirror_stable.yml:122 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/mirror_stable.yml:121 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/mirror_stable.yml:120 | |
| | name: Copy image to GHCR | |
| = this step | |
| --> .github/workflows/mirror_stable.yml:122 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/mirror_stable.yml:121 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/mirror_stable.yml:120 | |
| | name: Copy image to GHCR | |
| = this step | |
| --> .github/workflows/mirror_stable.yml:123 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/mirror_stable.yml:121 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/mirror_stable.yml:120 | |
| | name: Copy image to GHCR | |
| = this step | |
| --> .github/workflows/mirror_stable.yml:126 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/mirror_stable.yml:121 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/mirror_stable.yml:120 | |
| | name: Copy image to GHCR | |
| = this step | |
| --> .github/workflows/mirror_stable.yml:126 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/mirror_stable.yml:121 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/nightly.yml:105 | |
| | name: Build and push image | |
| = this step | |
| --> .github/workflows/nightly.yml:108 | |
| | ${{ matrix.context }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/nightly.yml:106 | |
| | uses: docker/build-push-action@v6 | |
| = action accepts arbitrary code | |
| --> .github/workflows/nightly.yml:108 | |
| | context | |
| = via this input | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/mirror_stable.yml:17 | |
| | packages: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/nightly.yml:5 | |
| | packages: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions |
| 🔴 dangerous-triggers: use of fundamentally insecure workflow trigger | |
| severity: High, confidence: Medium | |
| --> .github/workflows/commit-sqlx-changes.yml:1 | |
| | on: | |
| = pull_request_target is almost always used insecurely | |
| docs: https://docs.zizmor.sh/audits/#dangerous-triggers | |
| 🔴 dangerous-triggers: use of fundamentally insecure workflow trigger | |
| severity: High, confidence: Medium | |
| --> .github/workflows/tag-merged-pr.yml:1 | |
| | on: | |
| = pull_request_target is almost always used insecurely | |
| docs: https://docs.zizmor.sh/audits/#dangerous-triggers | |
| 🔴 dangerous-triggers: use of fundamentally insecure workflow trigger | |
| severity: High, confidence: Medium | |
| --> .github/workflows/tag-new-pr.yml:1 | |
| | on: | |
| = pull_request_target is almost always used insecurely | |
| docs: https://docs.zizmor.sh/audits/#dangerous-triggers | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/audit.yml:15 | |
| | issues: write | |
| = issues: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/commit-sqlx-changes.yml:21 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/commit-sqlx-changes.yml:22 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/on-pr-review-approve.yml:7 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/on-pr-review-submit.yml:7 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/tag-merged-pr.yml:9 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/tag-new-pr.yml:9 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/audit.yml:23 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/audit.yml:28 | |
| | rustsec/audit-check@v2.0.0 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:21 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:23 | |
| | taiki-e/install-action@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:28 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:33 | |
| | docker/setup-buildx-action@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:48 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:50 | |
| | taiki-e/install-action@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:55 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:60 | |
| | docker/setup-buildx-action@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:72 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:75 | |
| | jlumbroso/free-disk-space@v1.3.1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:91 | |
| | docker/setup-buildx-action@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:93 | |
| | taiki-e/install-action@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:109 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:111 | |
| | taiki-e/install-action@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:116 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:128 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:130 | |
| | denoland/setup-deno@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:132 | |
| | taiki-e/install-action@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:142 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:146 | |
| | raven-actions/actionlint@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/commit-sqlx-changes.yml:31 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/commit-sqlx-changes.yml:42 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/commit-sqlx-changes.yml:78 | |
| | peter-evans/create-pull-request@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy-dev.yml:20 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy.yml:18 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/docker.yml:24 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/docker.yml:27 | |
| | docker/setup-buildx-action@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/docker.yml:30 | |
| | docker/build-push-action@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/on-pr-review-approve.yml:14 | |
| | actions-ecosystem/action-remove-labels@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/on-pr-review-submit.yml:14 | |
| | actions-ecosystem/action-add-labels@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/on-pr-review-submit.yml:17 | |
| | actions-ecosystem/action-remove-labels@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/tag-merged-pr.yml:16 | |
| | actions-ecosystem/action-add-labels@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/tag-merged-pr.yml:19 | |
| | actions-ecosystem/action-remove-labels@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/tag-new-pr.yml:15 | |
| | actions-ecosystem/action-add-labels@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/tag-new-pr.yml:18 | |
| | actions-ecosystem/action-remove-labels@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: High | |
| --> .github/workflows/audit.yml:16 | |
| | checks: write | |
| = checks: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:18 | |
| | sqlx: | |
| = this job | |
| --> .github/workflows/ci.yml:18 | |
| | sqlx: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:45 | |
| | test: | |
| = this job | |
| --> .github/workflows/ci.yml:45 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:69 | |
| | GUI_test: | |
| = this job | |
| --> .github/workflows/ci.yml:69 | |
| | GUI_test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:104
| lint-rs:
= this job
--> .github/workflows/ci.yml:104
| lint-rs:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:124
| lint-js:
= this job
--> .github/workflows/ci.yml:124
| lint-js:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:138
| lint-actions:
= this job
--> .github/workflows/ci.yml:138
| lint-actions:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/deploy-dev.yml:1
| name: Deploy Dev
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/deploy.yml:3
| name: Deploy
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/docker.yml:1
| name: Docker
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/docker.yml:12
| docker:
= this job
--> .github/workflows/docker.yml:12
| docker:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 anonymous-definition: workflow or action definition without a name
severity: Low, confidence: High
--> .github/workflows/commit-sqlx-changes.yml:1
| on:
= this workflow
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🟡 anonymous-definition: workflow or action definition without a name
severity: Low, confidence: High
--> .github/workflows/on-pr-review-approve.yml:1
| on:
= this workflow
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🟡 anonymous-definition: workflow or action definition without a name
severity: Low, confidence: High
--> .github/workflows/on-pr-review-submit.yml:1
| on:
= this workflow
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🟡 anonymous-definition: workflow or action definition without a name
severity: Low, confidence: High
--> .github/workflows/tag-merged-pr.yml:1
| on:
= this workflow
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🟡 anonymous-definition: workflow or action definition without a name
severity: Low, confidence: High
--> .github/workflows/tag-new-pr.yml:1
| on:
= this workflow
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🟡 artipacked: credential persistence through GitHub Actions artifacts
severity: Low, confidence: Low
--> .github/workflows/audit.yml:23
| uses: actions/checkout@v6
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
severity: Low, confidence: Low
--> .github/workflows/ci.yml:21
| uses: actions/checkout@v6
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
severity: Low, confidence: Low
--> .github/workflows/ci.yml:48
| uses: actions/checkout@v6
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
severity: Low, confidence: Low
--> .github/workflows/ci.yml:72
| uses: actions/checkout@v6
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
severity: Low, confidence: Low
--> .github/workflows/ci.yml:109
| uses: actions/checkout@v6
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
severity: Low, confidence: Low
--> .github/workflows/ci.yml:128
| uses: actions/checkout@v6
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
severity: Low, confidence: Low
--> .github/workflows/ci.yml:142
| uses: actions/checkout@v6
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
severity: Low, confidence: Low
--> .github/workflows/commit-sqlx-changes.yml:31
| uses: actions/checkout@v6
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
severity: Low, confidence: Low
--> .github/workflows/docker.yml:24
| uses: actions/checkout@v6
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/audit.yml:1
| name: Audit
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/commit-sqlx-changes.yml:1
| on:
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/deploy-dev.yml:13
| concurrency: staging
= job concurrency is missing cancel-in-progress
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/deploy.yml:12
| concurrency: production
= job concurrency is missing cancel-in-progress
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/docker.yml:1
| name: Docker
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/on-pr-review-approve.yml:1
| on:
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/on-pr-review-submit.yml:1
| on:
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/tag-merged-pr.yml:1
| on:
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/tag-new-pr.yml:1
| on:
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 superfluous-actions: action functionality is already included by the runner
severity: Low, confidence: High
--> .github/workflows/commit-sqlx-changes.yml:76
| name: Open pull request
= this step
--> .github/workflows/commit-sqlx-changes.yml:78
| peter-evans/create-pull-request@v8
= use `gh pr create` in a script step
docs: https://docs.zizmor.sh/audits/#superfluous-actions
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/audit.yml:15
| issues: write
= needs an explanatory comment
--> .github/workflows/audit.yml:16
| checks: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/commit-sqlx-changes.yml:21
| contents: write
= needs an explanatory comment
--> .github/workflows/commit-sqlx-changes.yml:22
| pull-requests: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/deploy-dev.yml:16
| id-token: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/deploy.yml:14
| id-token: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/on-pr-review-approve.yml:7
| pull-requests: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/on-pr-review-submit.yml:7
| pull-requests: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/tag-merged-pr.yml:9
| pull-requests: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/tag-new-pr.yml:9
| pull-requests: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/audit.yml:19
| security_audit
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:18
| sqlx
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:45
| test
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:69
| GUI_test
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/commit-sqlx-changes.yml:25
| commit-sqlx-changes
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/on-pr-review-approve.yml:10
| update-labels
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/on-pr-review-submit.yml:10
| update-labels
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/tag-merged-pr.yml:12
| update-labels
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/tag-new-pr.yml:12
| update-labels
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy_mdbook.yml:11
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy_mdbook.yml:12
| XAMPPRocky/deploy-mdbook@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/deploy_mdbook.yml:11
| uses: actions/checkout@v2
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/deploy_mdbook.yml:1
| on:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/deploy_mdbook.yml:7
| ci:
= this job
--> .github/workflows/deploy_mdbook.yml:7
| ci:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 anonymous-definition: workflow or action definition without a name
severity: Low, confidence: High
--> .github/workflows/deploy_mdbook.yml:1
| on:
= this workflow
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/deploy_mdbook.yml:1
| on:
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:14
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:14
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:1
| name: CI
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:10
| test:
= this job
--> .github/workflows/main.yml:10
| test:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:45
| success:
= this job
--> .github/workflows/main.yml:45
| success:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/main.yml:52
| run: jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}'
= this step
--> .github/workflows/main.yml:52
| jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}'
= may expand into attacker-controllable code
--> .github/workflows/main.yml:52
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy_mdbook.yml:14
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy_mdbook.yml:17
| peaceiris/actions-mdbook@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy_mdbook.yml:25
| peaceiris/actions-gh-pages@v3
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/deploy_mdbook.yml:14
| uses: actions/checkout@v2
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/deploy_mdbook.yml:1
| name: github pages
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/deploy_mdbook.yml:9
| deploy:
= this job
--> .github/workflows/deploy_mdbook.yml:9
| deploy:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/deploy_mdbook.yml:9
| deploy
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔴 excessive-permissions: overly broad permissions
severity: High, confidence: High
--> .github/workflows/enzyme-julia.yml:14
| actions: write
= actions: write is overly broad at the workflow level
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🔴 unpinned-images: unpinned image references
severity: High, confidence: Low
--> .github/workflows/benchmark.yml:21
| image: ${{ (contains(matrix.os, 'linux') && 'ghcr.io/enzymead/reactant-docker-images@sha256:91e1edb7a7c869d5a70db06e417f22907be0e67ca86641d48adcea221fedc674' ) || '' }}
= container image may be unpinned
docs: https://docs.zizmor.sh/audits/#unpinned-images
🔴 unpinned-images: unpinned image references
severity: High, confidence: Low
--> .github/workflows/enzyme-mlir.yml:33
| image: ${{ (contains(matrix.os, 'linux') && 'ghcr.io/enzymead/reactant-docker-images@sha256:91e1edb7a7c869d5a70db06e417f22907be0e67ca86641d48adcea221fedc674' ) || '' }}
= container image may be unpinned
docs: https://docs.zizmor.sh/audits/#unpinned-images
🔴 unpinned-images: unpinned image references
severity: High, confidence: Low
--> .github/workflows/enzyme-rust.yml:31
| image: ${{ (contains(matrix.os, 'linux') && 'ghcr.io/enzymead/reactant-docker-images@sha256:91e1edb7a7c869d5a70db06e417f22907be0e67ca86641d48adcea221fedc674' ) || '' }}
= container image may be unpinned
docs: https://docs.zizmor.sh/audits/#unpinned-images
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/bcload.yml:26
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/benchmark.yml:40
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ccpp.yml:40
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ccpp.yml:56
| ncipollo/release-action@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/doxygen.yml:12
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/doxygen.yml:14
| mattnotmitt/doxygen-action@v1.12.0
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/doxygen.yml:21
| actions/upload-pages-artifact@v3
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/doxygen.yml:41
| actions/deploy-pages@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-ci.yml:37
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-ci.yml:74
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-ci.yml:110
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-julia.yml:41
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-julia.yml:42
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-julia.yml:47
| julia-actions/setup-julia@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-julia.yml:51
| julia-actions/cache@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-julia.yml:63
| julia-actions/julia-buildpkg@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-julia.yml:77
| julia-actions/julia-runtest@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-mlir.yml:41
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-mlir.yml:45
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-mlir.yml:69
| actions/cache@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-rust.yml:50
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-rust.yml:52
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/enzyme-rust.yml:59
| actions/cache@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/format.yml:20
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/format.yml:21
| DoozyX/clang-format-lint-action@v0.20
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/fortran.yml:69
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/tagger.yml:13
| actions/create-github-app-token@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/tagger.yml:22
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/tagger.yml:27
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/tagger.yml:42
| peter-evans/create-pull-request@v7
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/bcload.yml:26
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/benchmark.yml:40
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ccpp.yml:40
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/doxygen.yml:12
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/enzyme-ci.yml:37
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/enzyme-ci.yml:74
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/enzyme-ci.yml:110
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/enzyme-julia.yml:41
| uses: actions/checkout@v5
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/enzyme-julia.yml:42
| uses: actions/checkout@v5
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/enzyme-mlir.yml:41
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/enzyme-mlir.yml:45
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
| --> .github/workflows/enzyme-rust.yml:50 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/enzyme-rust.yml:52 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/format.yml:20 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/fortran.yml:69 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/tagger.yml:22 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/tagger.yml:27 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bcload.yml:1 | |
| | name: Bitcode loading CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bcload.yml:6 | |
| | build: | |
| = this job | |
| --> .github/workflows/bcload.yml:6 | |
| | build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/benchmark.yml:1 | |
| | name: Benchmarking | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/benchmark.yml:17 | |
| | build: | |
| = this job | |
| --> .github/workflows/benchmark.yml:17 | |
| | build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ccpp.yml:1 | |
| | name: C/C++ CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ccpp.yml:19 | |
| | build: | |
| = this job | |
| --> .github/workflows/ccpp.yml:19 | |
| | build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/doxygen.yml:1 | |
| | name: Build and deploy Doxygen to Scripts | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/doxygen.yml:9 | |
| | build-docs: | |
| = this job | |
| --> .github/workflows/doxygen.yml:9 | |
| | build-docs: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/enzyme-ci.yml:1 | |
| | name: Enzyme CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/enzyme-ci.yml:17 | |
| | build-linux: | |
| = this job | |
| --> .github/workflows/enzyme-ci.yml:17 | |
| | build-linux: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/enzyme-ci.yml:56 | |
| | build-macos: | |
| = this job | |
| --> .github/workflows/enzyme-ci.yml:56 | |
| | build-macos: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/enzyme-ci.yml:93 | |
| | build-xcode: | |
| = this job | |
| --> .github/workflows/enzyme-ci.yml:93 | |
| | build-xcode: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/enzyme-mlir.yml:1 | |
| | name: MLIR | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/enzyme-mlir.yml:19 | |
| | build-linux: | |
| = this job | |
| --> .github/workflows/enzyme-mlir.yml:19 | |
| | build-linux: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/enzyme-rust.yml:1 | |
| | name: Enzyme Rust CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/enzyme-rust.yml:19 | |
| | rust-autodiff: | |
| = this job | |
| --> .github/workflows/enzyme-rust.yml:19 | |
| | rust-autodiff: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/format.yml:1 | |
| | name: Clang-Format | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/format.yml:15 | |
| | build: | |
| = this job | |
| --> .github/workflows/format.yml:15 | |
| | build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/fortran.yml:1 | |
| | name: Fortran | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/fortran.yml:39 | |
| | build-and-test-fortran: | |
| = this job | |
| --> .github/workflows/fortran.yml:39 | |
| | build-and-test-fortran: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/tagger.yml:1 | |
| | name: Tag CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/tagger.yml:9 | |
| | build: | |
| = this job | |
| --> .github/workflows/tagger.yml:9 | |
| | build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/tagger.yml:9 | |
| | build | |
| = this job | |
| --> .github/workflows/tagger.yml:16 | |
| | secrets.APP_ID | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/tagger.yml:9 | |
| | build | |
| = this job | |
| --> .github/workflows/tagger.yml:17 | |
| | secrets.APP_PRIVATE_KEY | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bcload.yml:1 | |
| | name: Bitcode loading CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/doxygen.yml:1 | |
| | name: Build and deploy Doxygen to Scripts | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/doxygen.yml:1 | |
| | name: Build and deploy Doxygen to Scripts | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/tagger.yml:1 | |
| | name: Tag CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/ccpp.yml:55 | |
| | name: Update Nightly Release | |
| = this step | |
| --> .github/workflows/ccpp.yml:56 | |
| | ncipollo/release-action@v1 | |
| = use `gh release` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/tagger.yml:40 | |
| | name: Create Pull Request | |
| = this step | |
| --> .github/workflows/tagger.yml:42 | |
| | peter-evans/create-pull-request@v7 | |
| = use `gh pr create` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/bcload.yml:20 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/bcload.yml:23 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bcload.yml:21 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/bcload.yml:20 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/bcload.yml:24 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bcload.yml:21 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/bcload.yml:20 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/bcload.yml:24 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bcload.yml:21 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/bcload.yml:20 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/bcload.yml:24 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bcload.yml:21 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/bcload.yml:29 | |
| | name: cmake | |
| = this step | |
| --> .github/workflows/bcload.yml:32 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bcload.yml:30 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/bcload.yml:29 | |
| | name: cmake | |
| = this step | |
| --> .github/workflows/bcload.yml:32 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bcload.yml:30 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/benchmark.yml:31 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/benchmark.yml:36 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/benchmark.yml:32 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/benchmark.yml:31 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/benchmark.yml:37 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/benchmark.yml:32 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/benchmark.yml:31 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/benchmark.yml:37 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/benchmark.yml:32 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/benchmark.yml:31 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/benchmark.yml:39 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/benchmark.yml:32 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/benchmark.yml:43 | |
| | name: cmake | |
| = this step | |
| --> .github/workflows/benchmark.yml:45 | |
| | cmake ../enzyme -DLLVM_EXTERNAL_LIT=`which lit` -DCMAKE_BUILD_TYPE=${{ matrix.build }} -DLLVM_DIR=/usr/lib/llvm-${{ matrix.llvm }}/lib/cmake/llvm -DENZYME_ENABLE_BENCHMARKS=On | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/benchmark.yml:45 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/benchmark.yml:43 | |
| | name: cmake | |
| = this step | |
| --> .github/workflows/benchmark.yml:45 | |
| | cmake ../enzyme -DLLVM_EXTERNAL_LIT=`which lit` -DCMAKE_BUILD_TYPE=${{ matrix.build }} -DLLVM_DIR=/usr/lib/llvm-${{ matrix.llvm }}/lib/cmake/llvm -DENZYME_ENABLE_BENCHMARKS=On | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/benchmark.yml:45 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/benchmark.yml:46 | |
| | name: make | |
| = this step | |
| --> .github/workflows/benchmark.yml:48 | |
| | make -j `nproc` LLVMEnzyme-${{ matrix.llvm }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/benchmark.yml:48 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ccpp.yml:33 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/ccpp.yml:37 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ccpp.yml:34 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ccpp.yml:33 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/ccpp.yml:38 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ccpp.yml:34 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ccpp.yml:33 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/ccpp.yml:38 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ccpp.yml:34 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ccpp.yml:33 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/ccpp.yml:38 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ccpp.yml:34 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ccpp.yml:33 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/ccpp.yml:38 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ccpp.yml:34 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ccpp.yml:33 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/ccpp.yml:38 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ccpp.yml:34 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ccpp.yml:43 | |
| | name: cmake | |
| = this step | |
| --> .github/workflows/ccpp.yml:45 | |
| | cmake ../enzyme -DLLVM_EXTERNAL_LIT=`which lit` -DCMAKE_BUILD_TYPE=${{ matrix.build }} -DLLVM_DIR=/usr/lib/llvm-${{ matrix.llvm }}/lib/cmake/llvm | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ccpp.yml:45 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ccpp.yml:43 | |
| | name: cmake | |
| = this step | |
| --> .github/workflows/ccpp.yml:45 | |
| | cmake ../enzyme -DLLVM_EXTERNAL_LIT=`which lit` -DCMAKE_BUILD_TYPE=${{ matrix.build }} -DLLVM_DIR=/usr/lib/llvm-${{ matrix.llvm }}/lib/cmake/llvm | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ccpp.yml:45 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ccpp.yml:46 | |
| | name: make | |
| = this step | |
| --> .github/workflows/ccpp.yml:47 | |
| | cd build && make -j `nproc` LLVMEnzyme-${{ matrix.llvm }} ClangEnzyme-${{ matrix.llvm }} LLDEnzyme-${{ matrix.llvm }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ccpp.yml:47 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ccpp.yml:46 | |
| | name: make | |
| = this step | |
| --> .github/workflows/ccpp.yml:47 | |
| | cd build && make -j `nproc` LLVMEnzyme-${{ matrix.llvm }} ClangEnzyme-${{ matrix.llvm }} LLDEnzyme-${{ matrix.llvm }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ccpp.yml:47 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ccpp.yml:46 | |
| | name: make | |
| = this step | |
| --> .github/workflows/ccpp.yml:47 | |
| | cd build && make -j `nproc` LLVMEnzyme-${{ matrix.llvm }} ClangEnzyme-${{ matrix.llvm }} LLDEnzyme-${{ matrix.llvm }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ccpp.yml:47 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-ci.yml:31 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/enzyme-ci.yml:34 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-ci.yml:32 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-ci.yml:31 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/enzyme-ci.yml:35 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-ci.yml:32 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-ci.yml:40 | |
| | name: cmake | |
| = this step | |
| --> .github/workflows/enzyme-ci.yml:42 | |
| | cmake ../enzyme -DCMAKE_BUILD_TYPE=${{ matrix.build }} -DLLVM_EXTERNAL_LIT=`which lit` -DLLVM_DIR=/usr/lib/llvm-${{ matrix.llvm }}/lib/cmake/llvm | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-ci.yml:42 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-ci.yml:40 | |
| | name: cmake | |
| = this step | |
| --> .github/workflows/enzyme-ci.yml:42 | |
| | cmake ../enzyme -DCMAKE_BUILD_TYPE=${{ matrix.build }} -DLLVM_EXTERNAL_LIT=`which lit` -DLLVM_DIR=/usr/lib/llvm-${{ matrix.llvm }}/lib/cmake/llvm | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-ci.yml:42 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-ci.yml:68 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/enzyme-ci.yml:72 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-ci.yml:69 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-ci.yml:77 | |
| | name: cmake | |
| = this step | |
| --> .github/workflows/enzyme-ci.yml:79 | |
| | cmake ../enzyme -DCMAKE_BUILD_TYPE=${{ matrix.build }} -DLLVM_EXTERNAL_LIT=`find /Users/runner/Library/Python/ -iname lit` -DLLVM_DIR=`brew --prefix llvm@${{ matrix.llvm }}`/lib/cmake/llvm | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-ci.yml:79 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-ci.yml:77 | |
| | name: cmake | |
| = this step | |
| --> .github/workflows/enzyme-ci.yml:79 | |
| | cmake ../enzyme -DCMAKE_BUILD_TYPE=${{ matrix.build }} -DLLVM_EXTERNAL_LIT=`find /Users/runner/Library/Python/ -iname lit` -DLLVM_DIR=`brew --prefix llvm@${{ matrix.llvm }}`/lib/cmake/llvm | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-ci.yml:79 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-ci.yml:105 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/enzyme-ci.yml:108 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-ci.yml:106 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-ci.yml:113 | |
| | name: cmake | |
| = this step | |
| --> .github/workflows/enzyme-ci.yml:116 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-ci.yml:115 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-ci.yml:113 | |
| | name: cmake | |
| = this step | |
| --> .github/workflows/enzyme-ci.yml:116 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-ci.yml:115 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-julia.yml:66 | |
| | name: "Set test arguments" | |
| = this step | |
| --> .github/workflows/enzyme-julia.yml:71 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-julia.yml:68 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-mlir.yml:74 | |
| | name: MLIR build | |
| = this step | |
| --> .github/workflows/enzyme-mlir.yml:78 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-mlir.yml:77 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-mlir.yml:84 | |
| | name: Enzyme build | |
| = this step | |
| --> .github/workflows/enzyme-mlir.yml:88 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-mlir.yml:86 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-mlir.yml:84 | |
| | name: Enzyme build | |
| = this step | |
| --> .github/workflows/enzyme-mlir.yml:88 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/enzyme-mlir.yml:86 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/fortran.yml:54 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/fortran.yml:57 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/fortran.yml:55 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/fortran.yml:54 | |
| | name: add llvm | |
| = this step | |
| --> .github/workflows/fortran.yml:58 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/fortran.yml:55 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/fortran.yml:60 | |
| | name: add intel tools | |
| = this step | |
| --> .github/workflows/fortran.yml:66 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/fortran.yml:61 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/fortran.yml:60 | |
| | name: add intel tools | |
| = this step | |
| --> .github/workflows/fortran.yml:66 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/fortran.yml:61 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/fortran.yml:60 | |
| | name: add intel tools | |
| = this step | |
| --> .github/workflows/fortran.yml:66 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/fortran.yml:61 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/fortran.yml:70 | |
| | name: generate build system | |
| = this step | |
| --> .github/workflows/fortran.yml:73 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/fortran.yml:71 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/fortran.yml:70 | |
| | name: generate build system | |
| = this step | |
| --> .github/workflows/fortran.yml:73 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/fortran.yml:71 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/fortran.yml:74 | |
| | name: build enzyme | |
| = this step | |
| --> .github/workflows/fortran.yml:76 | |
| | ninja LLVMEnzyme-${{ matrix.llvm }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/fortran.yml:76 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/enzyme-julia.yml:14 | |
| | actions: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/doxygen.yml:9 | |
| | build-docs | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/doxygen.yml:25 | |
| | deploy-docs | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/tagger.yml:51 | |
| | name: Check outputs | |
| = this step | |
| --> .github/workflows/tagger.yml:53 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/tagger.yml:52 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/tagger.yml:51 | |
| | name: Check outputs | |
| = this step | |
| --> .github/workflows/tagger.yml:54 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/tagger.yml:52 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:21 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:22 | |
| | dtolnay/rust-toolchain@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:21 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:8 | |
| | test: | |
| = this job | |
| --> .github/workflows/ci.yml:8 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:22 | |
| | uses: dtolnay/rust-toolchain@master | |
| = this step | |
| --> .github/workflows/ci.yml:22 | |
| | dtolnay/rust-toolchain@master | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/cifuzz.yml:9 | |
| | google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/cifuzz.yml:15 | |
| | google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/cifuzz.yml:22 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:31 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:59 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:75 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:81 | |
| | rustsec/audit-check@v2.0.0 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:92 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:106 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:129 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:31 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:59 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:75 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:92 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:106 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:129 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/cifuzz.yml:1 | |
| | name: CIFuzz | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/cifuzz.yml:4 | |
| | Fuzzing: | |
| = this job | |
| --> .github/workflows/cifuzz.yml:4 | |
| | Fuzzing: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:5 | |
| | test: | |
| = this job | |
| --> .github/workflows/main.yml:5 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:55 | |
| | rustfmt_docs_clippy: | |
| = this job | |
| --> .github/workflows/main.yml:55 | |
| | rustfmt_docs_clippy: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:71 | |
| | audit: | |
| = this job | |
| --> .github/workflows/main.yml:71 | |
| | audit: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:85 | |
| | wasm: | |
| = this job | |
| --> .github/workflows/main.yml:85 | |
| | wasm: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:97 | |
| | minimum: | |
| = this job | |
| --> .github/workflows/main.yml:97 | |
| | minimum: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:122 | |
| | minimum-build: | |
| = this job | |
| --> .github/workflows/main.yml:122 | |
| | minimum-build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/cifuzz.yml:1 | |
| | name: CIFuzz | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:32 | |
| | name: Install Rust (rustup) | |
| = this step | |
| --> .github/workflows/main.yml:33 | |
| | rustup update ${{ matrix.rust }} --no-self-update && rustup default ${{ matrix.rust }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:33 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:32 | |
| | name: Install Rust (rustup) | |
| = this step | |
| --> .github/workflows/main.yml:33 | |
| | rustup update ${{ matrix.rust }} --no-self-update && rustup default ${{ matrix.rust }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:33 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:93 | |
| | name: Install Rust | |
| = this step | |
| --> .github/workflows/main.yml:94 | |
| | rustup update stable && rustup default stable && rustup target add ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:94 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:95 | |
| | run: cargo build --target ${{ matrix.target }} | |
| = this step | |
| --> .github/workflows/main.yml:95 | |
| | cargo build --target ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:95 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/cifuzz.yml:4 | |
| | Fuzzing | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:21 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:24 | |
| | astral-sh/setup-uv@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:39 | |
| | actions/upload-pages-artifact@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:56 | |
| | actions/deploy-pages@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:21 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:6 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:6 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:6 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:49 | |
| | pages: write | |
| = needs an explanatory comment | |
| --> .github/workflows/ci.yml:50 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:192 | |
| | run: | | |
| = this step | |
| --> .github/workflows/ci.yml:195 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:192 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:196 | |
| | run: | | |
| = this step | |
| --> .github/workflows/ci.yml:200 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:196 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:201 | |
| | run: | | |
| = this step | |
| --> .github/workflows/ci.yml:205 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:201 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:206 | |
| | run: | | |
| = this step | |
| --> .github/workflows/ci.yml:210 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:206 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:4 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:25 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:73 | |
| | laputansoft/github-tag-action@v4.6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:81 | |
| | svenstaro/upload-release-action@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:90 | |
| | svenstaro/upload-release-action@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:25 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:50 | |
| | name: Build Debian package | |
| = this step | |
| --> .github/workflows/main.yml:57 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:51 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:4 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/main.yml:11 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:27 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:28 | |
| | actions-rs/toolchain@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:46 | |
| | actions/cache@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:52 | |
| | actions/cache@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:58 | |
| | actions/cache@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 archived-uses: action or reusable workflow from archived repository | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:28 | |
| | uses: actions-rs/toolchain@v1 | |
| = this step | |
| --> .github/workflows/ci.yml:28 | |
| | actions-rs/toolchain@v1 | |
| = repository is archived | |
| docs: https://docs.zizmor.sh/audits/#archived-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:27 | |
| | uses: actions/checkout@v3 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:3 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:17 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yaml:4 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yaml:5 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yaml:20 | |
| | actions/checkout@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yaml:23 | |
| | Swatinem/rust-cache@v2 | |
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/main.yaml:33
  | actions/checkout@master
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/main.yaml:39
  | Swatinem/rust-cache@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/main.yaml:46
  | actions/checkout@master
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/main.yaml:53
  | Swatinem/rust-cache@v2
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/publish.yaml:16
  | actions/checkout@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/publish.yaml:22
  | MarcoIeni/release-plz-action@v0.5
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/main.yaml:20
  | uses: actions/checkout@master
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/main.yaml:33
  | uses: actions/checkout@master
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/main.yaml:46
  | uses: actions/checkout@master
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/publish.yaml:15
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/main.yaml:1
  | name: CI
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/main.yaml:9
  | test:
  = this job
  --> .github/workflows/main.yaml:9
  | test:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/main.yaml:29
  | doc_fmt:
  = this job
  --> .github/workflows/main.yaml:29
  | doc_fmt:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/main.yaml:43
  | msrv:
  = this job
  --> .github/workflows/main.yaml:43
  | msrv:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 secrets-outside-env: secrets referenced without a dedicated environment
  severity: Medium, confidence: High
  --> .github/workflows/publish.yaml:11
  | release-plz
  = this job
  --> .github/workflows/publish.yaml:25
  | secrets.CARGO_REGISTRY_TOKEN
  = secret is accessed outside of a dedicated environment
  docs: https://docs.zizmor.sh/audits/#secrets-outside-env
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/main.yaml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/main.yaml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/main.yaml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/publish.yaml:1
  | name: Release-plz
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/main.yaml:21
  | name: Install Rust
  = this step
  --> .github/workflows/main.yaml:22
  | rustup update ${{ matrix.rust }} && rustup default ${{ matrix.rust }}
  = may expand into attacker-controllable code
  --> .github/workflows/main.yaml:22
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/main.yaml:21
  | name: Install Rust
  = this step
  --> .github/workflows/main.yaml:22
  | rustup update ${{ matrix.rust }} && rustup default ${{ matrix.rust }}
  = may expand into attacker-controllable code
  --> .github/workflows/main.yaml:22
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 undocumented-permissions: permissions without explanatory comments
  severity: Low, confidence: High
  --> .github/workflows/publish.yaml:4
  | pull-requests: write
  = needs an explanatory comment
  --> .github/workflows/publish.yaml:5
  | contents: write
  = needs an explanatory comment
  docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🔵 anonymous-definition: workflow or action definition without a name
  severity: Informational, confidence: High
  --> .github/workflows/main.yaml:43
  | msrv
  = this job
  docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:32
  | actions/checkout@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:71
  | actions/upload-artifact@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:80
  | actions/upload-artifact@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:101
  | actions/checkout@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:127
  | actions/upload-artifact@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:148
  | actions/download-artifact@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:155
  | actions/download-artifact@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/ci.yml:162
  | aws-actions/configure-aws-credentials@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/ci.yml:31
  | name: Checkout the source code
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/ci.yml:100
  | name: Checkout the source code
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/ci.yml:1
  | name: CI
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 stale-action-refs: commit hash does not point to a Git tag
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:35
  | hashicorp/setup-packer@76e3039aa951aa4e6efe7e6ee06bc9ceb072142d
  = this step
  docs: https://docs.zizmor.sh/audits/#stale-action-refs
🟡 undocumented-permissions: permissions without explanatory comments
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:144
  | id-token: write
  = needs an explanatory comment
  docs: https://docs.zizmor.sh/audits/#undocumented-permissions

🔴 excessive-permissions: overly broad permissions
  severity: High, confidence: High
  --> .github/workflows/publish.yml:23
  | contents: write
  = contents: write is overly broad at the workflow level
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/main.yml:30
  | actions/checkout@master
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/main.yml:46
  | actions/checkout@master
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/publish.yml:30
  | actions/checkout@master
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/main.yml:30
  | uses: actions/checkout@master
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/main.yml:46
  | uses: actions/checkout@master
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/publish.yml:30
  | uses: actions/checkout@master
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/main.yml:1
  | name: CI
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/main.yml:7
  | test:
  = this job
  --> .github/workflows/main.yml:7
  | test:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/main.yml:42
  | rustfmt:
  = this job
  --> .github/workflows/main.yml:42
  | rustfmt:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/main.yml:56
  | success:
  = this job
  --> .github/workflows/main.yml:56
  | success:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 secrets-outside-env: secrets referenced without a dedicated environment
  severity: Medium, confidence: High
  --> .github/workflows/publish.yml:26
  | publish
  = this job
  --> .github/workflows/publish.yml:36
  | secrets.CARGO_REGISTRY_TOKEN
  = secret is accessed outside of a dedicated environment
  docs: https://docs.zizmor.sh/audits/#secrets-outside-env
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/main.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/main.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/main.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/publish.yml:1
  | name: Publish
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/main.yml:33
  | name: Install Rust (rustup)
  = this step
  --> .github/workflows/main.yml:34
  | rustup update ${{ matrix.rust }} --no-self-update && rustup default ${{ matrix.rust }}
  = may expand into attacker-controllable code
  --> .github/workflows/main.yml:34
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/main.yml:33
  | name: Install Rust (rustup)
  = this step
  --> .github/workflows/main.yml:34
  | rustup update ${{ matrix.rust }} --no-self-update && rustup default ${{ matrix.rust }}
  = may expand into attacker-controllable code
  --> .github/workflows/main.yml:34
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 undocumented-permissions: permissions without explanatory comments
  severity: Low, confidence: High
  --> .github/workflows/publish.yml:23
  | contents: write
  = needs an explanatory comment
  docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🔵 template-injection: code injection via template expansion
  severity: Informational, confidence: Low
  --> .github/workflows/main.yml:64
  | run: jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}'
  = this step
  --> .github/workflows/main.yml:64
  | jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}'
  = may expand into attacker-controllable code
  --> .github/workflows/main.yml:64
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection

🔴 excessive-permissions: overly broad permissions
  severity: High, confidence: High
  --> .github/workflows/publish.yml:4
  | pull-requests: write
  = pull-requests: write is overly broad at the workflow level
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🔴 excessive-permissions: overly broad permissions
  severity: High, confidence: High
  --> .github/workflows/publish.yml:5
  | contents: write
  = contents: write is overly broad at the workflow level
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/publish.yml:18
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/publish.yml:24
  | MarcoIeni/release-plz-action@v0.5
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust.yml:35
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust.yml:49
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust.yml:64
  | actions/checkout@v6
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust.yml:77
  | actions/checkout@master
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/rust.yml:77
  | uses: actions/checkout@master
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/rust.yml:1
  | name: CI
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/rust.yml:15
  | test:
  = this job
  --> .github/workflows/rust.yml:15
  | test:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/rust.yml:44
  | clippy:
  = this job
  --> .github/workflows/rust.yml:44
  | clippy:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/rust.yml:59
  | msrv:
  = this job
  --> .github/workflows/rust.yml:59
  | msrv:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/rust.yml:73
  | rustfmt:
  = this job
  --> .github/workflows/rust.yml:73
  | rustfmt:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/rust.yml:85
  | success:
  = this job
  --> .github/workflows/rust.yml:85
  | success:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 secrets-outside-env: secrets referenced without a dedicated environment
  severity: Medium, confidence: High
  --> .github/workflows/publish.yml:13
  | release-plz
  = this job
  --> .github/workflows/publish.yml:27
  | secrets.CARGO_REGISTRY_TOKEN
  = secret is accessed outside of a dedicated environment
  docs: https://docs.zizmor.sh/audits/#secrets-outside-env
🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/publish.yml:17
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/rust.yml:34
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/rust.yml:48
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/rust.yml:63
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/publish.yml:1
  | name: Release-plz
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/rust.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/rust.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/rust.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/rust.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/rust.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/rust.yml:37
  | name: Update rust
  = this step
  --> .github/workflows/rust.yml:39
  | |
  = may expand into attacker-controllable code
  --> .github/workflows/rust.yml:38
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 undocumented-permissions: permissions without explanatory comments
  severity: Low, confidence: High
  --> .github/workflows/publish.yml:4
  | pull-requests: write
  = needs an explanatory comment
  --> .github/workflows/publish.yml:5
  | contents: write
  = needs an explanatory comment
  docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🔵 anonymous-definition: workflow or action definition without a name
  severity: Informational, confidence: High
  --> .github/workflows/rust.yml:85
  | success
  = this job
  docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 template-injection: code injection via template expansion
  severity: Informational, confidence: Low
  --> .github/workflows/rust.yml:98
  | name: check if any dependency failed
  = this step
  --> .github/workflows/rust.yml:99
  | jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}'
  = may expand into attacker-controllable code
  --> .github/workflows/rust.yml:99
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection

🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/release-plz.yml:19
  | actions/checkout@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/release-plz.yml:23
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/release-plz.yml:25
  | release-plz/action@v0.5
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/release-plz.yml:45
  | actions/checkout@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/release-plz.yml:49
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/release-plz.yml:51
  | release-plz/action@v0.5
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust.yml:11
  | actions/checkout@v3
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust.yml:19
  | actions/checkout@v3
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust.yml:39
  | actions/checkout@v3
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust.yml:40
  | dtolnay/rust-toolchain@master
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust.yml:88
  | actions/checkout@v3
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust.yml:96
  | actions/checkout@v3
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/rust.yml:97
  | dtolnay/rust-toolchain@nightly
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/release-plz.yml:18
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/release-plz.yml:44
  | name: Checkout repository
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/rust.yml:11
  | uses: actions/checkout@v3
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/rust.yml:19
  | uses: actions/checkout@v3
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/rust.yml:39
  | uses: actions/checkout@v3
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/rust.yml:88
  | uses: actions/checkout@v3
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/rust.yml:96
  | uses: actions/checkout@v3
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/release-plz.yml:1
  | name: Release-plz
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/rust.yml:1
  | name: Rust
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/rust.yml:8
  | miri:
  = this job
  --> .github/workflows/rust.yml:8
  | miri:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/rust.yml:16
  | rustfmt_clippy:
  = this job
  --> .github/workflows/rust.yml:16
  | rustfmt_clippy:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/rust.yml:27
  | basics:
  = this job
  --> .github/workflows/rust.yml:27
  | basics:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/rust.yml:35
  | test:
  = this job
| --> .github/workflows/rust.yml:35 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rust.yml:84 | |
| | msrv: | |
| = this job | |
| --> .github/workflows/rust.yml:84 | |
| | msrv: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rust.yml:92 | |
| | dep_of_std: | |
| = this job | |
| --> .github/workflows/rust.yml:92 | |
| | dep_of_std: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rust.yml:102 | |
| | conclusion: | |
| = this job | |
| --> .github/workflows/rust.yml:102 | |
| | conclusion: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/release-plz.yml:11 | |
| | release-plz-release | |
| = this job | |
| --> .github/workflows/release-plz.yml:30 | |
| | secrets.CARGO_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/release-plz.yml:33 | |
| | release-plz-pr | |
| = this job | |
| --> .github/workflows/release-plz.yml:56 | |
| | secrets.CARGO_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/release-plz.yml:1 | |
| | name: Release-plz | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:1 | |
| | name: Rust | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:1 | |
| | name: Rust | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:1 | |
| | name: Rust | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:1 | |
| | name: Rust | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:1 | |
| | name: Rust | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:1 | |
| | name: Rust | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:1 | |
| | name: Rust | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/release-plz.yml:22 | |
| | name: Install Rust toolchain | |
| = this step | |
| --> .github/workflows/release-plz.yml:23 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/release-plz.yml:48 | |
| | name: Install Rust toolchain | |
| = this step | |
| --> .github/workflows/release-plz.yml:49 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:40 | |
| | uses: dtolnay/rust-toolchain@master | |
| = this step | |
| --> .github/workflows/rust.yml:40 | |
| | dtolnay/rust-toolchain@master | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:97 | |
| | uses: dtolnay/rust-toolchain@nightly | |
| = this step | |
| --> .github/workflows/rust.yml:97 | |
| | dtolnay/rust-toolchain@nightly | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/release-plz.yml:16 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/release-plz.yml:38 | |
| | contents: write | |
| = needs an explanatory comment | |
| --> .github/workflows/release-plz.yml:39 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:8 | |
| | miri | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:16 | |
| | rustfmt_clippy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:27 | |
| | basics | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:35 | |
| | test | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:84 | |
| | msrv | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:92 | |
| | dep_of_std | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:102 | |
| | conclusion | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/rust.yml:108 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/rust.yml:111 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/rust.yml:109 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/rust.yml:108 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/rust.yml:113 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/rust.yml:109 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection |
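The findings above for release-plz.yml and rust.yml are all configuration mistakes with a one-line fix each. The workflow below is an added example, not a file from the gist or from any of the audited repositories: it is a release-plz style workflow written so that every audit reported in that block has an answer, with the audit name in a comment next to the setting that satisfies it. The `crates-io` environment name, the placeholder commit SHA (`000...0`, to be replaced with the real SHA of the tag you want) and the `release-plz release` invocation are assumptions, not taken from the audited workflows.

```yaml
# Added example (not a workflow from the gist or from an audited repository):
# each zizmor audit reported above is addressed at the setting it points at.
name: Release-plz                       # anonymous-definition: name the workflow

on:
  push:
    branches: [main]

# excessive-permissions: an empty workflow-level block gives GITHUB_TOKEN no
# scopes at all; each job below requests only what it actually uses.
permissions: {}

# concurrency-limits: one run per ref. A release must not be cancelled
# half-way, so runs already in progress are allowed to finish.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

jobs:
  release:
    name: Publish crate                 # anonymous-definition: name the job
    runs-on: ubuntu-latest
    # secrets-outside-env: bind the job to a (assumed) protected environment, so
    # the registry token is only readable by runs that pass its protection rules.
    environment: crates-io
    permissions:
      contents: write   # undocumented-permissions: release-plz pushes the tag and creates the GitHub release
    steps:
      - name: Checkout repository
        # unpinned-uses: pin to a full commit SHA and keep the tag in a comment
        # so tooling can still tell which version the SHA corresponds to.
        # The SHA below is a placeholder; look up the real one for the tag.
        uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false    # artipacked: do not leave the token in .git/config

      - name: Install Rust toolchain
        # superfluous-actions: the hosted runner already ships rustup, so a
        # script step replaces dtolnay/rust-toolchain here.
        run: |
          rustup toolchain install stable --profile minimal
          rustup default stable

      - name: Publish with release-plz
        # The secret is read inside the environment-bound job only; the exact
        # release-plz command line is illustrative.
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          cargo install release-plz --locked
          release-plz release

  conclusion:
    name: Conclusion
    needs: [release]
    if: always()
    runs-on: ubuntu-latest
    permissions: {}                     # this job only inspects the other jobs' results
    steps:
      - name: Conclusion
        # template-injection: route every ${{ }} expression through env instead
        # of splicing it into the script body, so its value is data to the
        # shell rather than syntax. (The original Conclusion step's expressions
        # are not visible in the report; this is the general pattern.)
        env:
          RELEASE_RESULT: ${{ needs.release.result }}
        run: |
          echo "release job finished with: $RELEASE_RESULT"
          test "$RELEASE_RESULT" = "success"
```

Two caveats when applying this to a real repository. With `persist-credentials: false`, a later step that needs to push (tags, a release branch) must be handed a token explicitly through `env`, which is the intended trade: the credential is scoped to the one step that needs it instead of sitting in `.git/config` for every step and any uploaded artifact. And `environment:` only helps if the environment actually has protection rules and the secret is stored at the environment level rather than at the repository level; otherwise zizmor stops complaining but nothing has changed.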
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:12 | |
| | XAMPPRocky/deploy-mdbook@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = this job | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 anonymous-definition: workflow or action definition without a name | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = this workflow | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/rust.yml:18 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/rust.yml:18 | |
| | uses: actions/checkout@v3 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rust.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rust.yml:13 | |
| | build: | |
| = this job | |
| --> .github/workflows/rust.yml:13 | |
| | build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:13 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/json.yml:2 | |
| | name: JSON | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/json.yml:12 | |
| | style: | |
| = this job | |
| --> .github/workflows/json.yml:12 | |
| | style: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/markdown.yml:2 | |
| | name: Markdown | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/markdown.yml:12 | |
| | lint: | |
| = this job | |
| --> .github/workflows/markdown.yml:12 | |
| | lint: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/markdown.yml:25 | |
| | style: | |
| = this job | |
| --> .github/workflows/markdown.yml:25 | |
| | style: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rust.yml:2 | |
| | name: Rust | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rust.yml:18 | |
| | lint: | |
| = this job | |
| --> .github/workflows/rust.yml:18 | |
| | lint: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rust.yml:40 | |
| | style: | |
| = this job | |
| --> .github/workflows/rust.yml:40 | |
| | style: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rust.yml:54 | |
| | test: | |
| = this job | |
| --> .github/workflows/rust.yml:54 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/yaml.yml:2 | |
| | name: YAML | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/yaml.yml:12 | |
| | lint: | |
| = this job | |
| --> .github/workflows/yaml.yml:12 | |
| | lint: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/yaml.yml:23 | |
| | style: | |
| = this job | |
| --> .github/workflows/yaml.yml:23 | |
| | style: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/json.yml:17 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/markdown.yml:17 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/markdown.yml:30 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/rust.yml:26 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/rust.yml:48 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/rust.yml:62 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/yaml.yml:17 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/yaml.yml:28 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/json.yml:2 | |
| | name: JSON | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/markdown.yml:2 | |
| | name: Markdown | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/markdown.yml:2 | |
| | name: Markdown | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:2 | |
| | name: Rust | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:2 | |
| | name: Rust | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:2 | |
| | name: Rust | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/yaml.yml:2 | |
| | name: YAML | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/yaml.yml:2 | |
| | name: YAML | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/json.yml:18 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/json.yml:21 | |
| | creyD/prettier_action@v4.3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/markdown.yml:18 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/markdown.yml:21 | |
| | nosborn/github-action-markdown-cli@v3.3.0 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/markdown.yml:31 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/markdown.yml:34 | |
| | creyD/prettier_action@v4.3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/yaml.yml:18 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/yaml.yml:21 | |
| | actionshub/yamllint@v1.8.2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/yaml.yml:29 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/yaml.yml:32 | |
| | creyD/prettier_action@v4.3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/json.yml:17 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/markdown.yml:17 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/markdown.yml:30 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/yaml.yml:17 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/yaml.yml:28 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/json.yml:2 | |
| | name: JSON | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/json.yml:12 | |
| | style: | |
| = this job | |
| --> .github/workflows/json.yml:12 | |
| | style: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/markdown.yml:2 | |
| | name: Markdown | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/markdown.yml:12 | |
| | lint: | |
| = this job | |
| --> .github/workflows/markdown.yml:12 | |
| | lint: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/markdown.yml:25 | |
| | style: | |
| = this job | |
| --> .github/workflows/markdown.yml:25 | |
| | style: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/yaml.yml:2 | |
| | name: YAML | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/yaml.yml:12 | |
| | lint: | |
| = this job | |
| --> .github/workflows/yaml.yml:12 | |
| | lint: | |
| = default permissions used due to no permissions: block | |
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/yaml.yml:23
| style:
= this job
--> .github/workflows/yaml.yml:23
| style:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/json.yml:2
| name: JSON
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/markdown.yml:2
| name: Markdown
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/markdown.yml:2
| name: Markdown
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/yaml.yml:2
| name: YAML
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/yaml.yml:2
| name: YAML
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy_mdbook.yml:11
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy_mdbook.yml:12
| XAMPPRocky/deploy-mdbook@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/deploy_mdbook.yml:11
| uses: actions/checkout@v2
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/deploy_mdbook.yml:1
| on:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/deploy_mdbook.yml:7
| ci:
= this job
--> .github/workflows/deploy_mdbook.yml:7
| ci:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 anonymous-definition: workflow or action definition without a name
severity: Low, confidence: High
--> .github/workflows/deploy_mdbook.yml:1
| on:
= this workflow
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/deploy_mdbook.yml:1
| on:
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:16
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:23
| Swatinem/rust-cache@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:51
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:56
| Swatinem/rust-cache@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:73
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:82
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:102
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:107
| taiki-e/install-action@cargo-hack
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:108
| Swatinem/rust-cache@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/publish.yml:10
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:16
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:51
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:73
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:82
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:102
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/publish.yml:10
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:1
| name: CI
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:8
| test:
= this job
--> .github/workflows/main.yml:8
| test:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:46
| test_musl:
= this job
--> .github/workflows/main.yml:46
| test_musl:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:69
| rustfmt:
= this job
--> .github/workflows/main.yml:69
| rustfmt:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:78
| publish_docs:
= this job
--> .github/workflows/main.yml:78
| publish_docs:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:96
| msrv:
= this job
--> .github/workflows/main.yml:96
| msrv:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/publish.yml:1
| on:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/publish.yml:7
| publish:
= this job
--> .github/workflows/publish.yml:7
| publish:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 secrets-outside-env: secrets referenced without a dedicated environment
severity: Medium, confidence: High
--> .github/workflows/publish.yml:7
| publish
= this job
--> .github/workflows/publish.yml:15
| secrets.CARGO_REGISTRY_TOKEN
= secret is accessed outside of a dedicated environment
docs: https://docs.zizmor.sh/audits/#secrets-outside-env
🟡 anonymous-definition: workflow or action definition without a name
severity: Low, confidence: High
--> .github/workflows/publish.yml:1
| on:
= this workflow
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/publish.yml:1
| on:
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:17
| name: Install Rust (rustup)
= this step
--> .github/workflows/main.yml:19
| |
= may expand into attacker-controllable code
--> .github/workflows/main.yml:18
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:17
| name: Install Rust (rustup)
= this step
--> .github/workflows/main.yml:20
| |
= may expand into attacker-controllable code
--> .github/workflows/main.yml:18
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:87
| name: Publish documentation
= this step
--> .github/workflows/main.yml:93
| |
= may expand into attacker-controllable code
--> .github/workflows/main.yml:88
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:87
| name: Publish documentation
= this step
--> .github/workflows/main.yml:93
| |
= may expand into attacker-controllable code
--> .github/workflows/main.yml:88
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/main.yml:96
| msrv
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/publish.yml:7
| publish
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 use-trusted-publishing: prefer trusted publishing for authentication
severity: Informational, confidence: High
--> .github/workflows/publish.yml:11
| name: Publish to crates.io
= this step
--> .github/workflows/publish.yml:12
| run
= this step
--> .github/workflows/publish.yml:13
| |
= this command
docs: https://docs.zizmor.sh/audits/#use-trusted-publishing

🔴 template-injection: code injection via template expansion
severity: High, confidence: High
--> .github/workflows/rustc-pull.yml:103
| name: Push changes to a branch
= this step
--> .github/workflows/rustc-pull.yml:106
| |
= may expand into attacker-controllable code
--> .github/workflows/rustc-pull.yml:105
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🔴 template-injection: code injection via template expansion
severity: High, confidence: High
--> .github/workflows/rustc-pull.yml:110
| name: Create pull request
= this step
--> .github/workflows/rustc-pull.yml:117
| |
= may expand into attacker-controllable code
--> .github/workflows/rustc-pull.yml:115
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🔴 template-injection: code injection via template expansion
severity: High, confidence: High
--> .github/workflows/rustc-pull.yml:110
| name: Create pull request
= this step
--> .github/workflows/rustc-pull.yml:120
| |
= may expand into attacker-controllable code
--> .github/workflows/rustc-pull.yml:115
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🔴 template-injection: code injection via template expansion
severity: High, confidence: High
--> .github/workflows/rustc-pull.yml:110
| name: Create pull request
= this step
--> .github/workflows/rustc-pull.yml:124
| |
= may expand into attacker-controllable code
--> .github/workflows/rustc-pull.yml:115
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🔴 template-injection: code injection via template expansion
severity: High, confidence: High
--> .github/workflows/rustc-pull.yml:143
| name: Compute message
= this step
--> .github/workflows/rustc-pull.yml:152
| |
= may expand into attacker-controllable code
--> .github/workflows/rustc-pull.yml:147
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🔴 template-injection: code injection via template expansion
severity: High, confidence: High
--> .github/workflows/rustc-pull.yml:143
| name: Compute message
= this step
--> .github/workflows/rustc-pull.yml:153
| |
= may expand into attacker-controllable code
--> .github/workflows/rustc-pull.yml:147
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/rustc-pull.yml:60
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/rustc-pull.yml:67
| Swatinem/rust-cache@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/rustc-pull.yml:97
| actions/create-github-app-token@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/rustc-pull.yml:135
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/rustc-pull.yml:137
| actions/create-github-app-token@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/test.yml:10
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/test.yml:12
| Swatinem/rust-cache@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/rustc-pull.yml:60
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/rustc-pull.yml:135
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/test.yml:10
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/rustc-pull.yml:1
| name: 'Josh Subtree Sync'
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/rustc-pull.yml:129
| send-zulip-notification:
= this job
--> .github/workflows/rustc-pull.yml:129
| send-zulip-notification:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/test.yml:1
| name: CI
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/test.yml:6
| test:
= this job
--> .github/workflows/test.yml:6
| test:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/test.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/rustc-pull.yml:143
| name: Compute message
= this step
--> .github/workflows/rustc-pull.yml:149
| |
= may expand into attacker-controllable code
--> .github/workflows/rustc-pull.yml:147
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/rustc-pull.yml:143
| name: Compute message
= this step
--> .github/workflows/rustc-pull.yml:149
| |
= may expand into attacker-controllable code
--> .github/workflows/rustc-pull.yml:147
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/rustc-pull.yml:143
| name: Compute message
= this step
--> .github/workflows/rustc-pull.yml:149
| |
= may expand into attacker-controllable code
--> .github/workflows/rustc-pull.yml:147
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/rustc-pull.yml:57
| contents: write
= needs an explanatory comment
--> .github/workflows/rustc-pull.yml:58
| pull-requests: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/rustc-pull.yml:50
| perform-pull
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/rustc-pull.yml:129
| send-zulip-notification
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/rustc-pull.yml:143
| name: Compute message
= this step
--> .github/workflows/rustc-pull.yml:148
| |
= may expand into attacker-controllable code
--> .github/workflows/rustc-pull.yml:147
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy.yml:12
| actions/checkout@v6
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy.yml:30
| actions/upload-pages-artifact@v3
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy.yml:49
| actions/deploy-pages@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/deploy.yml:1
| name: Deploy book
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/deploy.yml:9
| build:
= this job
--> .github/workflows/deploy.yml:9
| build:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 artipacked: credential persistence through GitHub Actions artifacts
severity: Low, confidence: Low
--> .github/workflows/deploy.yml:12
| uses: actions/checkout@v6
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/deploy.yml:1
| name: Deploy book
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/deploy.yml:13
| name: Install mdbook
= this step
--> .github/workflows/deploy.yml:16
| |
= may expand into attacker-controllable code
--> .github/workflows/deploy.yml:14
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/deploy.yml:13
| name: Install mdbook
= this step
--> .github/workflows/deploy.yml:16
| |
= may expand into attacker-controllable code
--> .github/workflows/deploy.yml:14
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/deploy.yml:19
| name: Install mdbook-mermaid
= this step
--> .github/workflows/deploy.yml:22
| |
= may expand into attacker-controllable code
--> .github/workflows/deploy.yml:20
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/deploy.yml:19
| name: Install mdbook-mermaid
= this step
--> .github/workflows/deploy.yml:22
| |
= may expand into attacker-controllable code
--> .github/workflows/deploy.yml:20
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/deploy.yml:40
| pages: write
= needs an explanatory comment
--> .github/workflows/deploy.yml:41
| id-token: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/deploy.yml:9
| build
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/deploy.yml:33
| deploy
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔴 excessive-permissions: overly broad permissions
severity: High, confidence: High
--> .github/workflows/release.yaml:6
| pull-requests: write
= pull-requests: write is overly broad at the workflow level
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🔴 excessive-permissions: overly broad permissions
severity: High, confidence: High
--> .github/workflows/release.yaml:7
| contents: write
= contents: write is overly broad at the workflow level
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:35
| actions/checkout@v6
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:49
| actions/checkout@v6
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:51
| Swatinem/rust-cache@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:78
| actions/checkout@v6
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:83
| taiki-e/install-action@cargo-semver-checks
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:93
| Swatinem/rust-cache@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:145
| actions/checkout@v6
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:148
| Swatinem/rust-cache@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:170
| actions/upload-artifact@v7
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:241
| actions/checkout@v6
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:244
| Swatinem/rust-cache@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:266
| actions/upload-artifact@v7
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:285
| actions/checkout@v6
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:287
| vmactions/solaris-vm@v1.3.2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:304
| vmactions/netbsd-vm@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:330
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yaml:340
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:348 | |
| | actions/checkout@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:351 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:20 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:26 | |
| | MarcoIeni/release-plz-action@v0.5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yaml:330 | |
| | uses: actions/checkout@master | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yaml:348 | |
| | uses: actions/checkout@master | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:30 | |
| | style_check: | |
| = this job | |
| --> .github/workflows/ci.yaml:30 | |
| | style_check: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:41 | |
| | clippy: | |
| = this job | |
| --> .github/workflows/ci.yaml:41 | |
| | clippy: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:58 | |
| | verify_build: | |
| = this job | |
| --> .github/workflows/ci.yaml:58 | |
| | verify_build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:117 | |
| | test_tier1: | |
| = this job | |
| --> .github/workflows/ci.yaml:117 | |
| | test_tier1: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:177 | |
| | test_tier2: | |
| = this job | |
| --> .github/workflows/ci.yaml:177 | |
| | test_tier2: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:273 | |
| | test_tier2_vm: | |
| = this job | |
| --> .github/workflows/ci.yaml:273 | |
| | test_tier2_vm: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:323 | |
| | ctest_msrv: | |
| = this job | |
| --> .github/workflows/ci.yaml:323 | |
| | ctest_msrv: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:343 | |
| | docs: | |
| = this job | |
| --> .github/workflows/ci.yaml:343 | |
| | docs: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:356 | |
| | success: | |
| = this job | |
| --> .github/workflows/ci.yaml:356 | |
| | success: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/release.yaml:15 | |
| | release-plz | |
| = this job | |
| --> .github/workflows/release.yaml:29 | |
| | secrets.CARGO_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:35 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:49 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:78 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:145 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:241 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:285 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/release.yaml:19 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:3 | |
| | name: Release-plz | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:99 | |
| | name: Execute build check | |
| = this step | |
| --> .github/workflows/ci.yaml:102 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:100 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:99 | |
| | name: Execute build check | |
| = this step | |
| --> .github/workflows/ci.yaml:112 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:100 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:99 | |
| | name: Execute build check | |
| = this step | |
| --> .github/workflows/ci.yaml:113 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:100 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:152 | |
| | name: Add matrix env variables to the environment | |
| = this step | |
| --> .github/workflows/ci.yaml:155 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:154 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:159 | |
| | name: Run natively | |
| = this step | |
| --> .github/workflows/ci.yaml:161 | |
| | ./ci/run.sh ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:161 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:162 | |
| | name: Run in Docker | |
| = this step | |
| --> .github/workflows/ci.yaml:164 | |
| | ./ci/run-docker.sh ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:164 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:248 | |
| | name: Add matrix env variables to the environment | |
| = this step | |
| --> .github/workflows/ci.yaml:251 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:250 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:255 | |
| | name: Run natively | |
| = this step | |
| --> .github/workflows/ci.yaml:257 | |
| | ./ci/run.sh ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:257 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:258 | |
| | name: Run in Docker | |
| = this step | |
| --> .github/workflows/ci.yaml:260 | |
| | ./ci/run-docker.sh ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:260 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:6 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| --> .github/workflows/release.yaml:7 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yaml:374 | |
| | name: check if any dependency failed | |
| = this step | |
| --> .github/workflows/ci.yaml:375 | |
| | jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}' | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:375 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection |
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/ci.yml:1
  | name: CI
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/ci.yml:10
  | install-cross:
  = this job
  --> .github/workflows/ci.yml:10
  | install-cross:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/ci.yml:28
  | windows:
  = this job
  --> .github/workflows/ci.yml:28
  | windows:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/ci.yml:64
  | macos:
  = this job
  --> .github/workflows/ci.yml:64
  | macos:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/ci.yml:82
  | cc:
  = this job
  --> .github/workflows/ci.yml:82
  | cc:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/ci.yml:102
  | package:
  = this job
  --> .github/workflows/ci.yml:102
  | package:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/ci.yml:116
  | linux:
  = this job
  --> .github/workflows/ci.yml:116
  | linux:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
  severity: Medium, confidence: Medium
  --> .github/workflows/ci.yml:148
  | minimal-versions:
  = this job
  --> .github/workflows/ci.yml:148
  | minimal-versions:
  = default permissions used due to no permissions: block
  docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 ref-version-mismatch: detects commit SHAs that don't match their version comment tags
  severity: Medium, confidence: High
  --> .github/workflows/ci.yml:40
  | v2
  = points to commit cafece8e6baf
  docs: https://docs.zizmor.sh/audits/#ref-version-mismatch
🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:36
  | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:69
  | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:85
  | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:105
  | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:120
  | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟡 artipacked: credential persistence through GitHub Actions artifacts
  severity: Low, confidence: Low
  --> .github/workflows/ci.yml:151
  | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:1
  | name: CI
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 stale-action-refs: commit hash does not point to a Git tag
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:40
  | msys2/setup-msys2@7efe20baefed56359985e327d329042cde2434ff
  = this step
  docs: https://docs.zizmor.sh/audits/#stale-action-refs
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:44
  | run: ci/set_rust_version.bash ${{ matrix.channel }} ${{ matrix.target }}
  = this step
  --> .github/workflows/ci.yml:44
  | ci/set_rust_version.bash ${{ matrix.channel }} ${{ matrix.target }}
  = may expand into attacker-controllable code
  --> .github/workflows/ci.yml:44
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:44
  | run: ci/set_rust_version.bash ${{ matrix.channel }} ${{ matrix.target }}
  = this step
  --> .github/workflows/ci.yml:44
  | ci/set_rust_version.bash ${{ matrix.channel }} ${{ matrix.target }}
  = may expand into attacker-controllable code
  --> .github/workflows/ci.yml:44
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:46
  | run: ci/test.bash cargo ${{ matrix.target }}
  = this step
  --> .github/workflows/ci.yml:46
  | ci/test.bash cargo ${{ matrix.target }}
  = may expand into attacker-controllable code
  --> .github/workflows/ci.yml:46
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:72
  | run: ci/set_rust_version.bash ${{ matrix.channel }} ${{ matrix.target }}
  = this step
  --> .github/workflows/ci.yml:72
  | ci/set_rust_version.bash ${{ matrix.channel }} ${{ matrix.target }}
  = may expand into attacker-controllable code
  --> .github/workflows/ci.yml:72
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:72
  | run: ci/set_rust_version.bash ${{ matrix.channel }} ${{ matrix.target }}
  = this step
  --> .github/workflows/ci.yml:72
  | ci/set_rust_version.bash ${{ matrix.channel }} ${{ matrix.target }}
  = may expand into attacker-controllable code
  --> .github/workflows/ci.yml:72
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:73
  | run: ci/test.bash cargo ${{ matrix.target }}
  = this step
  --> .github/workflows/ci.yml:73
  | ci/test.bash cargo ${{ matrix.target }}
  = may expand into attacker-controllable code
  --> .github/workflows/ci.yml:73
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:130
  | run: ci/set_rust_version.bash ${{ matrix.channel }} ${{ matrix.target }}
  = this step
  --> .github/workflows/ci.yml:130
  | ci/set_rust_version.bash ${{ matrix.channel }} ${{ matrix.target }}
  = may expand into attacker-controllable code
  --> .github/workflows/ci.yml:130
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:130
  | run: ci/set_rust_version.bash ${{ matrix.channel }} ${{ matrix.target }}
  = this step
  --> .github/workflows/ci.yml:130
  | ci/set_rust_version.bash ${{ matrix.channel }} ${{ matrix.target }}
  = may expand into attacker-controllable code
  --> .github/workflows/ci.yml:130
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
  severity: Low, confidence: High
  --> .github/workflows/ci.yml:131
  | run: ci/test.bash /tmp/cross ${{ matrix.target }}
  = this step
  --> .github/workflows/ci.yml:131
  | ci/test.bash /tmp/cross ${{ matrix.target }}
  = may expand into attacker-controllable code
  --> .github/workflows/ci.yml:131
  | run
  = this run block
  docs: https://docs.zizmor.sh/audits/#template-injection
🔵 anonymous-definition: workflow or action definition without a name
  severity: Informational, confidence: High
  --> .github/workflows/ci.yml:10
  | install-cross
  = this job
  docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
  severity: Informational, confidence: High
  --> .github/workflows/ci.yml:28
  | windows
  = this job
  docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
  severity: Informational, confidence: High
  --> .github/workflows/ci.yml:64
  | macos
  = this job
  docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
  severity: Informational, confidence: High
  --> .github/workflows/ci.yml:82
  | cc
  = this job
  docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
  severity: Informational, confidence: High
  --> .github/workflows/ci.yml:102
  | package
  = this job
  docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
  severity: Informational, confidence: High
  --> .github/workflows/ci.yml:116
  | linux
  = this job
  docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
  severity: Informational, confidence: High
  --> .github/workflows/ci.yml:148
  | minimal-versions
  = this job
  docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 use-trusted-publishing: prefer trusted publishing for authentication
  severity: Informational, confidence: High
  --> .github/workflows/ci.yml:113
  | name: test packaging with release tool
  = this step
  --> .github/workflows/ci.yml:114
  | run
  = this step
  --> .github/workflows/ci.yml:114
  | cargo run -p maint -- publish
  = this command
  docs: https://docs.zizmor.sh/audits/#use-trusted-publishing
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/CI.yml:17
  | actions/checkout@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/CI.yml:18
  | dtolnay/rust-toolchain@stable
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/CI.yml:32
  | actions/checkout@v4
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
  severity: High, confidence: High
  --> .github/workflows/CI.yml:33
  | dtolnay/rust-toolchain@nightly
  = action is not pinned to a hash (required by blanket policy)
  docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/CI.yml:17
  | uses: actions/checkout@v4
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
  severity: Medium, confidence: Low
  --> .github/workflows/CI.yml:32
  | uses: actions/checkout@v4
  = does not set persist-credentials: false
  docs: https://docs.zizmor.sh/audits/#artipacked
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/CI.yml:1
  | on:
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
  severity: Low, confidence: High
  --> .github/workflows/CI.yml:1
  | on:
  = missing concurrency setting
  docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 superfluous-actions: action functionality is already included by the runner
  severity: Low, confidence: High
  --> .github/workflows/CI.yml:18
| | uses: dtolnay/rust-toolchain@stable | |
| = this step | |
| --> .github/workflows/CI.yml:18 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/CI.yml:33 | |
| | uses: dtolnay/rust-toolchain@nightly | |
| = this step | |
| --> .github/workflows/CI.yml:33 | |
| | dtolnay/rust-toolchain@nightly | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/CI.yml:14 | |
| | stable-checks | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/CI.yml:29 | |
| | nightly-checks | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:37 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:38 | |
| | dtolnay/rust-toolchain@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:41 | |
| | taiki-e/install-action@cargo-hack | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:50 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:51 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:63 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:64 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:74 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:75 | |
| | dtolnay/rust-toolchain@nightly | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:87 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:88 | |
| | dtolnay/rust-toolchain@nightly | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:100 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:101 | |
| | dtolnay/rust-toolchain@1.68.0 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:104 | |
| | taiki-e/install-action@cargo-hack | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:113 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:114 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:37 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:50 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:63 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:74 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:87 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:100 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:113 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:38 | |
| | uses: dtolnay/rust-toolchain@master | |
| = this step | |
| --> .github/workflows/main.yml:38 | |
| | dtolnay/rust-toolchain@master | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:51 | |
| | uses: dtolnay/rust-toolchain@stable | |
| = this step | |
| --> .github/workflows/main.yml:51 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:64 | |
| | uses: dtolnay/rust-toolchain@stable | |
| = this step | |
| --> .github/workflows/main.yml:64 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:75 | |
| | uses: dtolnay/rust-toolchain@nightly | |
| = this step | |
| --> .github/workflows/main.yml:75 | |
| | dtolnay/rust-toolchain@nightly | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:88 | |
| | uses: dtolnay/rust-toolchain@nightly | |
| = this step | |
| --> .github/workflows/main.yml:88 | |
| | dtolnay/rust-toolchain@nightly | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:101 | |
| | uses: dtolnay/rust-toolchain@1.68.0 | |
| = this step | |
| --> .github/workflows/main.yml:101 | |
| | dtolnay/rust-toolchain@1.68.0 | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:114 | |
| | uses: dtolnay/rust-toolchain@stable | |
| = this step | |
| --> .github/workflows/main.yml:114 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy.yml:11 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy.yml:33 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy.yml:46 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy.yml:59 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy.yml:64 | |
| | rust-lang/crates-io-auth-action@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:47 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:58 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:68 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:77 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:81 | |
| | actions/setup-node@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:95 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:105 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:117 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/update-dependencies.yml:13 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy.yml:33 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy.yml:46 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy.yml:59 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:47 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:58 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:68 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:77 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:95 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:105 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:117 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/update-dependencies.yml:13 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:7 | |
| | test: | |
| = this job | |
| --> .github/workflows/main.yml:7 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:55 | |
| | aarch64-cross-builds: | |
| = this job | |
| --> .github/workflows/main.yml:55 | |
| | aarch64-cross-builds: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:64 | |
| | rustfmt: | |
| = this job | |
| --> .github/workflows/main.yml:64 | |
| | rustfmt: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:73 | |
| | gui: | |
| = this job | |
| --> .github/workflows/main.yml:73 | |
| | gui: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:92 | |
| | clippy: | |
| = this job | |
| --> .github/workflows/main.yml:92 | |
| | clippy: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:101 | |
| | docs: | |
| = this job | |
| --> .github/workflows/main.yml:101 | |
| | docs: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:113 | |
| | check-version-bump: | |
| = this job | |
| --> .github/workflows/main.yml:113 | |
| | check-version-bump: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:132 | |
| | success: | |
| = this job | |
| --> .github/workflows/main.yml:132 | |
| | success: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/update-dependencies.yml:1 | |
| | name: Update dependencies | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/update-dependencies.yml:8 | |
| | update: | |
| = this job | |
| --> .github/workflows/update-dependencies.yml:8 | |
| | update: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Deploy | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Deploy | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Deploy | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/update-dependencies.yml:1 | |
| | name: Update dependencies | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:34 | |
| | name: Install Rust | |
| = this step | |
| --> .github/workflows/deploy.yml:35 | |
| | ci/install-rust.sh stable ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/deploy.yml:35 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:36 | |
| | name: Build asset | |
| = this step | |
| --> .github/workflows/deploy.yml:37 | |
| | ci/make-release-asset.sh ${{ matrix.os }} ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/deploy.yml:37 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
--> .github/workflows/deploy.yml:36
| name: Build asset
= this step
--> .github/workflows/deploy.yml:37
| ci/make-release-asset.sh ${{ matrix.os }} ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/deploy.yml:37
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:48
| name: Install Rust
= this step
--> .github/workflows/main.yml:49
| bash ci/install-rust.sh ${{ matrix.rust }} ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:49
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:48
| name: Install Rust
= this step
--> .github/workflows/main.yml:49
| bash ci/install-rust.sh ${{ matrix.rust }} ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:49
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:50
| name: Build and run tests
= this step
--> .github/workflows/main.yml:51
| cargo test --workspace --locked --target ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:51
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:52
| name: Test no default
= this step
--> .github/workflows/main.yml:53
| cargo test --workspace --no-default-features --target ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:53
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/deploy.yml:11
| contents: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions

🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/deploy.yml:56
| id-token: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/main.yml:55
| aarch64-cross-builds
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/main.yml:92
| clippy
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/main.yml:145
| run: jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}'
= this step
--> .github/workflows/main.yml:145
| jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}'
= may expand into attacker-controllable code
--> .github/workflows/main.yml:145
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
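Every template-injection finding above is the same mechanism: GitHub Actions expands `${{ ... }}` expressions textually into the `run:` script before the shell starts, so whatever the expression evaluates to becomes shell source rather than data. The Low severity on the `matrix.*` cases reflects that these matrices are defined inline in the workflow; the mechanism is unchanged, and so is the fix zizmor's docs recommend: move the expression into `env:` and read it from the script as a quoted variable. The Python below is an added example written for this page, not zizmor's code and not from any repository audited in this gist. The workflow fragments and the hostile matrix value are constructed, and only plain dotted context paths are resolved (a function call such as `toJson(needs)` is left untouched).

```python
"""Added example: how ${{ ... }} expansion inside a run: block turns data
into shell syntax, and why moving the expression into env: fixes it.

Not zizmor's code and not from any audited repository; the step shapes and
the hostile matrix value are constructed for the demonstration.
"""
import re
import shlex

# Matches a plain dotted expression such as ${{ matrix.target }}.
EXPR = re.compile(r"\$\{\{\s*([A-Za-z_][\w.-]*)\s*\}\}")


def lookup(context: dict, path: str) -> str:
    """Resolve a dotted context path like 'matrix.target' to its string value."""
    node = context
    for part in path.split("."):
        node = node[part]
    return str(node)


def expand(script: str, context: dict) -> str:
    """Textual expansion, the way the runner prepares a run: block.

    The expression's value is pasted into the script source verbatim, with
    no quoting, before any shell ever sees it.
    """
    return EXPR.sub(lambda m: lookup(context, m.group(1)), script)


def shell_commands(script: str) -> int:
    """Count the simple commands a POSIX shell would run for this script.

    Tokens are split on whitespace and on command punctuation (';', '&',
    '|'), so a value that smuggles in ';' shows up as an extra command.
    """
    lexer = shlex.shlex(script, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    tokens = list(lexer)
    return 1 + sum(1 for t in tokens if t in (";", "&&", "||", "|", "&"))


def render_step(step: dict, context: dict) -> tuple:
    """Return (expanded script, environment) for one step.

    env: values are expanded too, but they reach the shell only as
    environment variables, so their contents never become script syntax.
    """
    env = {k: expand(v, context) for k, v in step.get("env", {}).items()}
    return expand(step["run"], context), env


# Constructed matrix entry: a target name that carries a second command.
HOSTILE = {"matrix": {"target": "x86_64-unknown-linux-gnu; id"}}

# Shape of the flagged step (main.yml:51 in the findings above).
VULNERABLE = {
    "run": "cargo test --workspace --locked --target ${{ matrix.target }}",
}

# Hardened form: the expression moves to env:, the script reads "$TARGET".
HARDENED = {
    "env": {"TARGET": "${{ matrix.target }}"},
    "run": 'cargo test --workspace --locked --target "$TARGET"',
}


def demo() -> dict:
    """Run both step shapes against the hostile value; report what the shell sees."""
    vuln_script, _ = render_step(VULNERABLE, HOSTILE)
    safe_script, safe_env = render_step(HARDENED, HOSTILE)
    return {
        "vulnerable_commands": shell_commands(vuln_script),  # cargo test ... ; id
        "hardened_commands": shell_commands(safe_script),    # cargo test only
        "hardened_env": safe_env,  # hostile text confined to a variable
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`shell_commands` reports two commands for the flagged shape and one for the hardened one. The hostile value still reaches the hardened step, but only as the contents of `$TARGET`, which the quoted expansion hands to `cargo` as a single argument.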
🔴 template-injection: code injection via template expansion
severity: High, confidence: High
--> .github/workflows/publish.yml:27
| name: Publish to crates.io
= this step
--> .github/workflows/publish.yml:31
| |
= may expand into attacker-controllable code
--> .github/workflows/publish.yml:30
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔴 template-injection: code injection via template expansion
severity: High, confidence: High
--> .github/workflows/publish.yml:27
| name: Publish to crates.io
= this step
--> .github/workflows/publish.yml:32
| |
= may expand into attacker-controllable code
--> .github/workflows/publish.yml:30
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/nightly.yml:13
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/publish.yml:21
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/publish.yml:26
| rust-lang/crates-io-auth-action@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/rust.yml:20
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/nightly.yml:13
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/publish.yml:21
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/rust.yml:20
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/nightly.yml:2
| name: Check nightly compiler compatibility
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/nightly.yml:10
| check:
= this job
--> .github/workflows/nightly.yml:10
| check:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/publish.yml:1
| name: Publish
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/rust.yml:1
| name: Rust
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/rust.yml:11
| build:
= this job
--> .github/workflows/rust.yml:11
| build:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/rust.yml:36
| success:
= this job
--> .github/workflows/rust.yml:36
| success:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/nightly.yml:2
| name: Check nightly compiler compatibility
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/publish.yml:1
| name: Publish
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/rust.yml:1
| name: Rust
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/rust.yml:1
| name: Rust
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/rust.yml:21
| name: Set up Rust toolchain
= this step
--> .github/workflows/rust.yml:23
| |
= may expand into attacker-controllable code
--> .github/workflows/rust.yml:22
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/rust.yml:21
| name: Set up Rust toolchain
= this step
--> .github/workflows/rust.yml:24
| |
= may expand into attacker-controllable code
--> .github/workflows/rust.yml:22
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/rust.yml:21
| name: Set up Rust toolchain
= this step
--> .github/workflows/rust.yml:27
| |
= may expand into attacker-controllable code
--> .github/workflows/rust.yml:22
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/rust.yml:28
| name: Build
= this step
--> .github/workflows/rust.yml:29
| cargo build --verbose --all ${{ matrix.check_cfg }}
= may expand into attacker-controllable code
--> .github/workflows/rust.yml:29
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/rust.yml:30
| name: Run tests
= this step
--> .github/workflows/rust.yml:31
| cargo test --verbose --all ${{ matrix.check_cfg }}
= may expand into attacker-controllable code
--> .github/workflows/rust.yml:31
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/publish.yml:19
| id-token: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/nightly.yml:10
| check
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/rust.yml:11
| build
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/rust.yml:36
| success
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/rust.yml:46
| name: check if any dependency failed
= this step
--> .github/workflows/rust.yml:47
| jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}'
= may expand into attacker-controllable code
--> .github/workflows/rust.yml:47
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:13
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:22
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:31
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:40
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:49
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:85
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:13
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:22
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:31
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:40
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:49
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:85
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:1
| name: CI
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:10
| test-core:
= this job
--> .github/workflows/ci.yml:10
| test-core:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:19
| test-alloc:
= this job
--> .github/workflows/ci.yml:19
| test-alloc:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:28
| test-std:
= this job
--> .github/workflows/ci.yml:28
| test-std:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:37
| test-simd:
= this job
--> .github/workflows/ci.yml:37
| test-simd:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:46
| test-stdarch:
= this job
--> .github/workflows/ci.yml:46
| test-stdarch:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:58
| success:
= this job
--> .github/workflows/ci.yml:58
| success:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:79
| cron-success-pr:
= this job
--> .github/workflows/ci.yml:79
| cron-success-pr:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:111
| cron-fail-notify:
= this job
--> .github/workflows/ci.yml:111
| cron-fail-notify:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 secrets-outside-env: secrets referenced without a dedicated environment
severity: Medium, confidence: High
--> .github/workflows/ci.yml:111
| cron-fail-notify
= this job
--> .github/workflows/ci.yml:122
| secrets.ZULIP_BOT_EMAIL
= secret is accessed outside of a dedicated environment
docs: https://docs.zizmor.sh/audits/#secrets-outside-env

🟠 secrets-outside-env: secrets referenced without a dedicated environment
severity: Medium, confidence: High
--> .github/workflows/ci.yml:111
| cron-fail-notify
= this job
--> .github/workflows/ci.yml:123
| secrets.ZULIP_API_TOKEN
= secret is accessed outside of a dedicated environment
docs: https://docs.zizmor.sh/audits/#secrets-outside-env

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:10
| test-core
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:19
| test-alloc
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:28
| test-std
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:37
| test-simd
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:46
| test-stdarch
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/ci.yml:69
| name: check if any dependency failed
= this step
--> .github/workflows/ci.yml:72
| |
= may expand into attacker-controllable code
--> .github/workflows/ci.yml:70
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/ci.yml:69
| name: check if any dependency failed
= this step
--> .github/workflows/ci.yml:74
| |
= may expand into attacker-controllable code
--> .github/workflows/ci.yml:70
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
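The unpinned-uses, artipacked, excessive-permissions and secrets-outside-env findings recur for every repository in this gist, and each has a mechanical fix: pin `uses:` to a full commit hash (the `required by blanket policy` note means this audit run was configured to demand hash pins for every action, GitHub-owned ones included), set `persist-credentials: false` on `actions/checkout` so `GITHUB_TOKEN` is not left in `.git/config` for a later artifact upload to pick up (the Low confidence on those findings is because the audit cannot tell from the checkout step alone whether the tree is later uploaded), declare `permissions:` explicitly instead of inheriting the repository default, and read secrets only from jobs that run in a named `environment:`. The Python below is an added example of those four checks written for this page; it is not zizmor's implementation, its rules are simplified, the workflow is a constructed dict rather than parsed YAML, the `./ci/notify.sh` script is hypothetical, and the commit hash is a placeholder.

```python
"""Added example: simplified versions of four zizmor audits run over a
workflow held as a plain dict. Not zizmor's implementation; the two jobs
are constructed, and the 40-hex commit hash is a placeholder, not a real
commit.
"""
import re

# A full git object id after '@'; anything else (tag, branch) is mutable.
SHA_REF = re.compile(r"^[0-9a-f]{40}$")
# Extracts the name from a `${{ secrets.NAME }}` reference.
SECRET_NAME = re.compile(r"secrets\.(\w+)")


def unpinned_uses(job: dict) -> list:
    """Flag each `uses:` whose ref is not a full commit hash."""
    hits = []
    for step in job.get("steps", []):
        ref = step.get("uses", "")
        if "@" in ref and not SHA_REF.match(ref.rsplit("@", 1)[1]):
            hits.append(ref)
    return hits


def artipacked(job: dict) -> list:
    """Flag actions/checkout steps that keep GITHUB_TOKEN in .git/config.

    checkout persists the token by default; any later step that uploads or
    reads the tree (upload-artifact, a packaging script) can recover it.
    """
    hits = []
    for step in job.get("steps", []):
        uses = step.get("uses", "")
        persist = step.get("with", {}).get("persist-credentials")
        if uses.startswith("actions/checkout@") and persist is not False:
            hits.append(uses)
    return hits


def default_permissions(workflow: dict, job_name: str) -> bool:
    """True when neither the workflow nor the job declares `permissions:`.

    The job then runs with the repository's default token permissions,
    which are rarely as narrow as the job actually needs.
    """
    job = workflow["jobs"][job_name]
    return "permissions" not in workflow and "permissions" not in job


def secrets_outside_env(job: dict) -> list:
    """Return the secrets a job reads without running in an `environment:`.

    Secrets scoped to an environment are exposed only to jobs that name
    it, and the environment can carry protection rules in front of them.
    """
    if "environment" in job:
        return []
    hits = []
    for step in job.get("steps", []):
        values = list(step.get("env", {}).values()) + list(step.get("with", {}).values())
        text = " ".join(str(v) for v in values + [step.get("run", "")])
        hits.extend(SECRET_NAME.findall(text))
    return hits


def audit(workflow: dict, job_name: str) -> dict:
    """Run all four checks on one job and return the findings."""
    job = workflow["jobs"][job_name]
    return {
        "unpinned-uses": unpinned_uses(job),
        "artipacked": artipacked(job),
        "excessive-permissions": default_permissions(workflow, job_name),
        "secrets-outside-env": secrets_outside_env(job),
    }


PLACEHOLDER_SHA = "0" * 40  # stands in for the real commit behind the v4 tag

# Constructed workflow: `notify` has the shape flagged above, and
# `notify-hardened` is the corrected form of the same job.
WORKFLOW = {
    "name": "CI",
    "on": {"schedule": [{"cron": "0 4 * * *"}]},
    "jobs": {
        "notify": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"run": "./ci/notify.sh",
                 "env": {"ZULIP_API_TOKEN": "${{ secrets.ZULIP_API_TOKEN }}"}},
            ],
        },
        "notify-hardened": {
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "read"},
            "environment": "cron-notify",
            "steps": [
                {"uses": "actions/checkout@" + PLACEHOLDER_SHA,  # v4
                 "with": {"persist-credentials": False}},
                {"run": "./ci/notify.sh",
                 "env": {"ZULIP_API_TOKEN": "${{ secrets.ZULIP_API_TOKEN }}"}},
            ],
        },
    },
}

if __name__ == "__main__":
    for name in WORKFLOW["jobs"]:
        print(name, audit(WORKFLOW, name))
```

`audit(WORKFLOW, "notify")` reports all four problems; `audit(WORKFLOW, "notify-hardened")` reports none. One caveat on the environment fix: an environment gates a secret only through the protection rules attached to it and by scoping the secret to jobs that name it. For a cron-driven notification job a required-reviewer rule would hold every run for approval, so the realistic gain is keeping the Zulip token out of the repository-wide secret set that every workflow can read.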
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:61
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:108
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:124
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:128
| actions/cache@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:159
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:194
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:208
| actions/create-github-app-token@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/sysroots.yml:16
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/sysroots.yml:28
| actions/upload-artifact@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/sysroots.yml:41
| actions/download-artifact@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:61
| uses: actions/checkout@v5
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:108
| uses: actions/checkout@v5
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:124
| uses: actions/checkout@v5
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:159
| uses: actions/checkout@v5
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:194
| uses: actions/checkout@v5
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/sysroots.yml:16
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:1
| name: CI
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:16
| test:
= this job
--> .github/workflows/ci.yml:16
| test:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:104
| style:
= this job
--> .github/workflows/ci.yml:104
| style:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:120
| bootstrap:
= this job
--> .github/workflows/ci.yml:120
| bootstrap:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:155
| coverage:
= this job
--> .github/workflows/ci.yml:155
| coverage:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:167
| conclusion:
= this job
--> .github/workflows/ci.yml:167
| conclusion:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:249
| cron-fail-notify:
= this job
--> .github/workflows/ci.yml:249
| cron-fail-notify:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/sysroots.yml:1
| name: Tier 2 sysroots
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/sysroots.yml:12
| sysroots:
= this job
--> .github/workflows/sysroots.yml:12
| sysroots:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/sysroots.yml:33
| sysroots-cron-fail-notify:
= this job
--> .github/workflows/sysroots.yml:33
| sysroots-cron-fail-notify:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 secrets-outside-env: secrets referenced without a dedicated environment
severity: Medium, confidence: High
--> .github/workflows/ci.yml:184
| cron-rustc-pull
= this job
--> .github/workflows/ci.yml:212
| secrets.APP_PRIVATE_KEY
= secret is accessed outside of a dedicated environment
docs: https://docs.zizmor.sh/audits/#secrets-outside-env

🟠 secrets-outside-env: secrets referenced without a dedicated environment
severity: Medium, confidence: High
--> .github/workflows/ci.yml:249
| cron-fail-notify
= this job
--> .github/workflows/ci.yml:260
| secrets.ZULIP_BOT_EMAIL
= secret is accessed outside of a dedicated environment
docs: https://docs.zizmor.sh/audits/#secrets-outside-env

🟠 secrets-outside-env: secrets referenced without a dedicated environment
severity: Medium, confidence: High
--> .github/workflows/ci.yml:249
| cron-fail-notify
= this job
--> .github/workflows/ci.yml:261
| secrets.ZULIP_API_TOKEN
= secret is accessed outside of a dedicated environment
docs: https://docs.zizmor.sh/audits/#secrets-outside-env

🟠 secrets-outside-env: secrets referenced without a dedicated environment
severity: Medium, confidence: High
--> .github/workflows/sysroots.yml:33
| sysroots-cron-fail-notify
= this job
--> .github/workflows/sysroots.yml:49
| secrets.ZULIP_BOT_EMAIL
= secret is accessed outside of a dedicated environment
docs: https://docs.zizmor.sh/audits/#secrets-outside-env

🟠 secrets-outside-env: secrets referenced without a dedicated environment
severity: Medium, confidence: High
--> .github/workflows/sysroots.yml:33
| sysroots-cron-fail-notify
= this job
--> .github/workflows/sysroots.yml:50
| secrets.ZULIP_API_TOKEN
= secret is accessed outside of a dedicated environment
docs: https://docs.zizmor.sh/audits/#secrets-outside-env

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/sysroots.yml:1 | |
| | name: Tier 2 sysroots | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/sysroots.yml:1 | |
| | name: Tier 2 sysroots | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:62 | |
| | name: install multiarch | |
| = this step | |
| --> .github/workflows/ci.yml:68 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:64 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:62 | |
| | name: install multiarch | |
| = this step | |
| --> .github/workflows/ci.yml:74 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:64 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:84 | |
| | name: install gcc-cross | |
| = this step | |
| --> .github/workflows/ci.yml:87 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:86 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:84 | |
| | name: install gcc-cross | |
| = this step | |
| --> .github/workflows/ci.yml:89 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:86 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:84 | |
| | name: install gcc-cross | |
| = this step | |
| --> .github/workflows/ci.yml:89 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:86 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:84 | |
| | name: install gcc-cross | |
| = this step | |
| --> .github/workflows/ci.yml:90 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:86 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:84 | |
| | name: install gcc-cross | |
| = this step | |
| --> .github/workflows/ci.yml:91 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:86 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:189 | |
| | contents: write | |
| = needs an explanatory comment | |
| --> .github/workflows/ci.yml:191 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:167 | |
| | conclusion | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yml:177 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/ci.yml:180 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:178 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yml:177 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/ci.yml:182 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:178 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:16 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:34 | |
| | rust-lang/simpleinfra/github-actions/upload-docker-image@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:15 | |
| | name: Checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:3 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:11 | |
| | test: | |
| = this job | |
| --> .github/workflows/main.yml:11 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/main.yml:11 | |
| | test | |
| = this job | |
| --> .github/workflows/main.yml:41 | |
| | secrets.AWS_ACCESS_KEY_ID | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/main.yml:11 | |
| | test | |
| = this job | |
| --> .github/workflows/main.yml:42 | |
| | secrets.AWS_SECRET_ACCESS_KEY | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:3 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:12 | |
| | XAMPPRocky/deploy-mdbook@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = this job | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 anonymous-definition: workflow or action definition without a name | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = this workflow | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:14 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:14 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:10 | |
| | test: | |
| = this job | |
| --> .github/workflows/main.yml:10 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:45 | |
| | success: | |
| = this job | |
| --> .github/workflows/main.yml:45 | |
| | success: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/main.yml:52 | |
| | run: jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}' | |
| = this step | |
| --> .github/workflows/main.yml:52 | |
| | jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}' | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:52 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection |
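Added example, not one of the audited rust-lang workflows: a workflow skeleton that clears the finding classes that recur in every file above (excessive-permissions from a missing top-level `permissions:` block, undocumented-permissions, concurrency-limits, artipacked, unpinned-uses, anonymous-definition and secrets-outside-env). Assumptions: `<full-commit-sha>` is a placeholder for the real 40-hex digest of the `actions/checkout` release you pin, `production` is an assumed environment name, and `./ci/upload-image.sh` is a hypothetical script standing in for the image upload step.

```yaml
name: CI   # added example; not one of the audited workflows

on:
  push:
    branches: [main]
  pull_request:

# Start from zero token scopes; each job below grants only what it uses.
# This is what zizmor asks for in place of the implicit default permissions.
permissions: {}

# One active run per workflow+ref; a newer push to the same PR cancels the stale run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  test:
    name: Build and test        # named job: no anonymous-definition finding
    runs-on: ubuntu-latest
    permissions:
      contents: read            # checkout only; nothing is written back
    steps:
      - name: Checkout the source code
        # <full-commit-sha> is a placeholder: pin to the commit the release tag points at,
        # and keep the tag in a trailing comment so humans and update bots can read it.
        uses: actions/checkout@<full-commit-sha> # v4
        with:
          # Keep GITHUB_TOKEN out of .git/config so later steps and uploaded
          # artifacts cannot pick it up (the artipacked finding).
          persist-credentials: false
      - run: cargo test --locked

  upload-image:
    name: Upload docker image
    needs: [test]
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    # Secrets are bound to a deployment environment (assumed name), so the
    # environment's protection rules gate every run that can read them
    # (the secrets-outside-env finding).
    environment: production
    permissions:
      contents: read            # checkout only
    steps:
      - name: Checkout the source code
        uses: actions/checkout@<full-commit-sha> # v4
        with:
          persist-credentials: false
      - name: Upload image
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: ./ci/upload-image.sh  # hypothetical script in the repository
```

Resolve the placeholder with the commit the release tag points at (`git ls-remote https://github.com/actions/checkout refs/tags/v4.2.2` prints it; for an annotated tag take the `^{}` line), then let Dependabot or Renovate bump the digest and the comment together. Two caveats: `environment:` only adds a control if the environment actually exists with required reviewers or a branch policy configured, otherwise it is just a label; and `permissions: {}` at the top turns every unlisted scope off, so a job that later needs to comment on a PR or push a branch must say so (with the reason in a comment) at job level rather than widening the workflow-level block again.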
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:53 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:91 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:106 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:126 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:53 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:91 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:106 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:126 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:16 | |
| | required-checks: | |
| = this job | |
| --> .github/workflows/ci.yml:16 | |
| | required-checks: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:28 | |
| | build: | |
| = this job | |
| --> .github/workflows/ci.yml:28 | |
| | build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:82 | |
| | benchmarks: | |
| = this job | |
| --> .github/workflows/ci.yml:82 | |
| | benchmarks: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:97 | |
| | test-with-sanitizer: | |
| = this job | |
| --> .github/workflows/ci.yml:97 | |
| | test-with-sanitizer: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:122 | |
| | test-big-endian: | |
| = this job | |
| --> .github/workflows/ci.yml:122 | |
| | test-big-endian: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 obfuscation: obfuscated usage of GitHub Actions features | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:60 | |
| | [matrix.os] | |
| = index expression is computed | |
| docs: https://docs.zizmor.sh/audits/#obfuscation | |
| 🟡 obfuscation: obfuscated usage of GitHub Actions features | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:64 | |
| | [matrix.os] | |
| = index expression is computed | |
| docs: https://docs.zizmor.sh/audits/#obfuscation | |
| 🟡 obfuscation: obfuscated usage of GitHub Actions features | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:66 | |
| | [matrix.os] | |
| = index expression is computed | |
| docs: https://docs.zizmor.sh/audits/#obfuscation | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:59 | |
| | name: Add target architecture | |
| = this step | |
| --> .github/workflows/ci.yml:60 | |
| | rustup target add ${{ matrix.arch }}-${{ fromJSON(env.target_map)[matrix.os] }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:60 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:63 | |
| | name: Run tests | |
| = this step | |
| --> .github/workflows/ci.yml:64 | |
| | cargo test --verbose --target ${{ matrix.arch }}-${{ fromJSON(env.target_map)[matrix.os] }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:64 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:65 | |
| | name: Run tests (no_simd) | |
| = this step | |
| --> .github/workflows/ci.yml:66 | |
| | cargo test --verbose --target ${{ matrix.arch }}-${{ fromJSON(env.target_map)[matrix.os] }} --features=no_simd | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:66 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:94 | |
| | name: Bench | |
| = this step | |
| --> .github/workflows/ci.yml:95 | |
| | RUSTFLAGS=-Ctarget-cpu=native cargo bench --verbose --features=${{ matrix.features }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:95 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:111 | |
| | name: Test with Address Sanitizer | |
| = this step | |
| --> .github/workflows/ci.yml:116 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:112 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:111 | |
| | name: Test with Address Sanitizer | |
| = this step | |
| --> .github/workflows/ci.yml:120 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:112 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:28 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:82 | |
| | benchmarks | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:97 | |
| | test-with-sanitizer | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:122 | |
| | test-big-endian | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yml:59 | |
| | name: Add target architecture | |
| = this step | |
| --> .github/workflows/ci.yml:60 | |
| | rustup target add ${{ matrix.arch }}-${{ fromJSON(env.target_map)[matrix.os] }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:60 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yml:63 | |
| | name: Run tests | |
| = this step | |
| --> .github/workflows/ci.yml:64 | |
| | cargo test --verbose --target ${{ matrix.arch }}-${{ fromJSON(env.target_map)[matrix.os] }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:64 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yml:65 | |
| | name: Run tests (no_simd) | |
| = this step | |
| --> .github/workflows/ci.yml:66 | |
| | cargo test --verbose --target ${{ matrix.arch }}-${{ fromJSON(env.target_map)[matrix.os] }} --features=no_simd | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:66 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection |
| 🔴 template-injection: code injection via template expansion | |
| severity: High, confidence: High | |
| --> .github/workflows/run-ci-script.yml:69 | |
| | name: Setup | |
| = this step | |
| --> .github/workflows/run-ci-script.yml:71 | |
| | ${{ inputs.setup_script }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/run-ci-script.yml:71 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔴 template-injection: code injection via template expansion | |
| severity: High, confidence: High | |
| --> .github/workflows/run-ci-script.yml:78 | |
| | name: Run CI Script | |
| = this step | |
| --> .github/workflows/run-ci-script.yml:80 | |
| | ${{ inputs.script }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/run-ci-script.yml:80 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
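Added example, not code from the audited repositories, covering the template-injection findings above: the matrix-driven `rustup target add ${{ matrix.arch }}-${{ fromJSON(env.target_map)[matrix.os] }}` and `cargo test` steps, the `jq ... <<< '${{ toJson(needs) }}'` check, and the `${{ inputs.setup_script }}` / `${{ inputs.script }}` steps of run-ci-script.yml. A `${{ }}` expression is substituted into the `run:` script text before the shell parses it, so whatever the value contains becomes shell syntax; routing the same value through `env:` hands it to the shell as data. The workflow below is a stand-in with assumed job and step names, target triples chosen for illustration, and a `<full-commit-sha>` placeholder for the checkout pin.

```yaml
name: CI   # added example; not one of the audited workflows

on:
  pull_request:

permissions: {}

jobs:
  build:
    name: Build and test
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        # The target is spelled out per entry instead of being derived with
        # fromJSON(env.target_map)[matrix.os]; that also removes the
        # "index expression is computed" (obfuscation) finding.
        include:
          - { os: ubuntu-latest, target: x86_64-unknown-linux-gnu }
          - { os: macos-latest,  target: aarch64-apple-darwin }
    steps:
      - uses: actions/checkout@<full-commit-sha> # v4; placeholder digest
        with:
          persist-credentials: false

      # Flagged form (ci.yml above):
      #   run: rustup target add ${{ matrix.arch }}-${{ fromJSON(env.target_map)[matrix.os] }}
      # Here the matrix is workflow-owned, which is why zizmor scored it Low, but a
      # matrix built from fromJSON(needs.*.outputs.*) would carry attacker-influenced
      # strings straight into the script. The env route costs nothing either way.
      - name: Add target architecture
        env:
          TARGET: ${{ matrix.target }}
        run: rustup target add "$TARGET"

      - name: Run tests
        env:
          TARGET: ${{ matrix.target }}
        run: cargo test --verbose --target "$TARGET"

  success:
    name: All required jobs passed
    needs: [build]
    if: always()
    runs-on: ubuntu-latest
    steps:
      # Flagged form (main.yml above):
      #   run: jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}'
      # needs.*.outputs.* are free-form strings set by earlier jobs; one single quote
      # in that JSON closes the here-string literal and the rest is parsed as shell.
      - name: Check job results
        env:
          NEEDS: ${{ toJson(needs) }}
        run: jq --exit-status 'all(.result == "success")' <<< "$NEEDS"
```

The two run-ci-script.yml findings are a different case. There the input *is* the script the caller wants executed, so moving `${{ inputs.script }}` into an environment variable and `eval`-ing it changes nothing about what runs. The control that matters is at the call site: the reusable workflow should document that `script` and `setup_script` are executed verbatim, run with the narrowest permissions the job can get away with, and callers must never assemble those inputs from event data they do not control (pull request titles, branch names, issue bodies).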
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/run-ci-script.yml:43 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/run-ci-script.yml:45 | |
| | actions/cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/run-ci-script.yml:51 | |
| | dtolnay/rust-toolchain@nightly | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/run-ci-script.yml:60 | |
| | actions/cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/run-ci-script.yml:42 | |
| | name: Checkout | |
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/benchmarks.yml:1
| name: benchmarks
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/benchmarks.yml:11
| x86_64-unknown-linux-gnu:
= this job
--> .github/workflows/benchmarks.yml:11
| x86_64-unknown-linux-gnu:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/benchmarks.yml:21
| x86_64-apple-darwin:
= this job
--> .github/workflows/benchmarks.yml:21
| x86_64-apple-darwin:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:1
| name: ci
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:11
| rustfmt:
= this job
--> .github/workflows/ci.yml:11
| rustfmt:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:15
| x86_64-unknown-linux-android:
= this job
--> .github/workflows/ci.yml:15
| x86_64-unknown-linux-android:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:21
| armv7-linux-androideabi:
= this job
--> .github/workflows/ci.yml:21
| armv7-linux-androideabi:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:27
| aarch64-unknown-linux-android-NEON:
= this job
--> .github/workflows/ci.yml:27
| aarch64-unknown-linux-android-NEON:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:34
| thumbv7neon-linux-androideabi:
= this job
--> .github/workflows/ci.yml:34
| thumbv7neon-linux-androideabi:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:40
| i586-unknown-linux-gnu:
= this job
--> .github/workflows/ci.yml:40
| i586-unknown-linux-gnu:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:47
| i586-unknown-linux-gnu-SSE:
= this job
--> .github/workflows/ci.yml:47
| i586-unknown-linux-gnu-SSE:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:54
| i586-unknown-linux-gnu-SSE2:
= this job
--> .github/workflows/ci.yml:54
| i586-unknown-linux-gnu-SSE2:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:61
| i686-unknown-linux-gnu:
= this job
--> .github/workflows/ci.yml:61
| i686-unknown-linux-gnu:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:68
| i686-unknown-linux-gnu-SSE4_2:
= this job
--> .github/workflows/ci.yml:68
| i686-unknown-linux-gnu-SSE4_2:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:75
| i686-unknown-linux-gnu-AVX2:
= this job
--> .github/workflows/ci.yml:75
| i686-unknown-linux-gnu-AVX2:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:82
| x86_64-unknown-linux-gnu:
= this job
--> .github/workflows/ci.yml:82
| x86_64-unknown-linux-gnu:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:88
| x86_64-unknown-linux-gnu-SSE4_2:
= this job
--> .github/workflows/ci.yml:88
| x86_64-unknown-linux-gnu-SSE4_2:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:95
| x86_64-unknown-linux-gnu-AVX2:
= this job
--> .github/workflows/ci.yml:95
| x86_64-unknown-linux-gnu-AVX2:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:102
| arm-unknown-linux-gnueabihf:
= this job
--> .github/workflows/ci.yml:102
| arm-unknown-linux-gnueabihf:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:108
| armv7-unknown-linux-gnueabihf:
= this job
--> .github/workflows/ci.yml:108
| armv7-unknown-linux-gnueabihf:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:114
| armv7-unknown-linux-gnueabihf-NEON:
= this job
--> .github/workflows/ci.yml:114
| armv7-unknown-linux-gnueabihf-NEON:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:121
| thumbv7neon-unknown-linux-gnueabihf:
= this job
--> .github/workflows/ci.yml:121
| thumbv7neon-unknown-linux-gnueabihf:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:127
| aarch64-unknown-linux-gnu-NEON:
= this job
--> .github/workflows/ci.yml:127
| aarch64-unknown-linux-gnu-NEON:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:134
| powerpc-unknown-linux-gnu:
= this job
--> .github/workflows/ci.yml:134
| powerpc-unknown-linux-gnu:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:140
| powerpc64-unknown-linux-gnu:
= this job
--> .github/workflows/ci.yml:140
| powerpc64-unknown-linux-gnu:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:146
| powerpc64le-unknown-linux-gnu:
= this job
--> .github/workflows/ci.yml:146
| powerpc64le-unknown-linux-gnu:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:152
| powerpc64le-unknown-linux-gnu-ALTIVEC:
= this job
--> .github/workflows/ci.yml:152
| powerpc64le-unknown-linux-gnu-ALTIVEC:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:159
| powerpc64le-unknown-linux-gnu-VSX:
= this job
--> .github/workflows/ci.yml:159
| powerpc64le-unknown-linux-gnu-VSX:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:166
| s390x-unknown-linux-gnu:
= this job
--> .github/workflows/ci.yml:166
| s390x-unknown-linux-gnu:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:172
| sparc64-unknown-linux-gnu:
= this job
--> .github/workflows/ci.yml:172
| sparc64-unknown-linux-gnu:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:178
| wasm32-unknown-unknown:
= this job
--> .github/workflows/ci.yml:178
| wasm32-unknown-unknown:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:184
| x86_64-apple-darwin-SSE4_2:
= this job
--> .github/workflows/ci.yml:184
| x86_64-apple-darwin-SSE4_2:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:193
| x86_64-apple-darwin-AVX:
= this job
--> .github/workflows/ci.yml:193
| x86_64-apple-darwin-AVX:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:202
| x86_64-apple-ios:
= this job
--> .github/workflows/ci.yml:202
| x86_64-apple-ios:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:210
| aarch64-apple-ios:
= this job
--> .github/workflows/ci.yml:210
| aarch64-apple-ios:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/docs.yml:1
| name: docs
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/docs.yml:9
| docs:
= this job
--> .github/workflows/docs.yml:9
| docs:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/run-ci-script.yml:1
| name: run-ci-script
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/run-ci-script.yml:39
| run-ci-script:
= this job
--> .github/workflows/run-ci-script.yml:39
| run-ci-script:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 superfluous-actions: action functionality is already included by the runner
severity: Low, confidence: High
--> .github/workflows/run-ci-script.yml:50
| name: Install Toolchain
= this step
--> .github/workflows/run-ci-script.yml:51
| dtolnay/rust-toolchain@nightly
= use `rustup` and/or `cargo` in a script step
docs: https://docs.zizmor.sh/audits/#superfluous-actions
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/run-ci-script.yml:39
| run-ci-script
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:41
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:51
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:59
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:67
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:41
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:51
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:59
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:67
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/ci.yml:42
| name: Install Rust
= this step
--> .github/workflows/ci.yml:43
| rustup update ${{ matrix.rust }} && rustup default ${{ matrix.rust }}
= may expand into attacker-controllable code
--> .github/workflows/ci.yml:43
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/ci.yml:42
| name: Install Rust
= this step
--> .github/workflows/ci.yml:43
| rustup update ${{ matrix.rust }} && rustup default ${{ matrix.rust }}
= may expand into attacker-controllable code
--> .github/workflows/ci.yml:43
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:28
| test
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:48
| clippy
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:56
| rustfmt
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:64
| rustdoc
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:26
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:27
| dtolnay/rust-toolchain@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:26
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:1
| name: CI
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:14
| build:
= this job
--> .github/workflows/ci.yml:14
| build:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 superfluous-actions: action functionality is already included by the runner
severity: Low, confidence: High
--> .github/workflows/ci.yml:27
| uses: dtolnay/rust-toolchain@master
= this step
--> .github/workflows/ci.yml:27
| dtolnay/rust-toolchain@master
= use `rustup` and/or `cargo` in a script step
docs: https://docs.zizmor.sh/audits/#superfluous-actions

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:13
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:18
| actions-rs/toolchain@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:32
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:46
| actions/upload-pages-artifact@v3
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:65
| actions/deploy-pages@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:76
| actions/checkout@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:81
| actions-rs/toolchain@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 archived-uses: action or reusable workflow from archived repository
severity: Medium, confidence: High
--> .github/workflows/ci.yml:17
| name: Install rust beta toolchain
= this step
--> .github/workflows/ci.yml:18
| actions-rs/toolchain@v1
= repository is archived
docs: https://docs.zizmor.sh/audits/#archived-uses
🟠 archived-uses: action or reusable workflow from archived repository
severity: Medium, confidence: High
--> .github/workflows/ci.yml:80
| name: Install rust toolchain
= this step
--> .github/workflows/ci.yml:81
| actions-rs/toolchain@v1
= repository is archived
docs: https://docs.zizmor.sh/audits/#archived-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:13
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:32
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:76
| uses: actions/checkout@v4
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:1
| name: CI
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:9
| rustfmt:
= this job
--> .github/workflows/ci.yml:9
| rustfmt:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:28
| book:
= this job
--> .github/workflows/ci.yml:28
| book:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:68
| test:
= this job
--> .github/workflows/ci.yml:68
| test:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/ci.yml:58
| pages: write
= needs an explanatory comment
--> .github/workflows/ci.yml:59
| id-token: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/backend.yml:27
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/frontend.yml:23
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/frontend.yml:24
| actions/setup-node@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/frontend.yml:38
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/frontend.yml:39
| actions/setup-node@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/heroku.yml:23
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/js-lint.yml:35
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/js-lint.yml:36
| actions/setup-node@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/js-lint.yml:47
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/js-lint.yml:48
| actions/setup-node@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/py-lint.yml:24
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/py-lint.yml:25
| actions/setup-python@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/py-lint.yml:38
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/py-lint.yml:39
| actions/setup-python@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/py-lint.yml:52
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/py-lint.yml:53
| actions/setup-python@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/tag-admin.yml:25
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/tag-admin.yml:26
| actions/setup-node@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/backend.yml:27
| uses: actions/checkout@v2
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/frontend.yml:23
| uses: actions/checkout@v2
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/frontend.yml:38
| uses: actions/checkout@v2
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/heroku.yml:23
| uses: actions/checkout@v2
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/js-lint.yml:35
| uses: actions/checkout@v2
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/js-lint.yml:47 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/py-lint.yml:24 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/py-lint.yml:38 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/py-lint.yml:52 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/tag-admin.yml:25 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/backend.yml:1 | |
| | name: Backend | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/backend.yml:23 | |
| | test: | |
| = this job | |
| --> .github/workflows/backend.yml:23 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/frontend.yml:1 | |
| | name: Frontend | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/frontend.yml:19 | |
| | typescript: | |
| = this job | |
| --> .github/workflows/frontend.yml:19 | |
| | typescript: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/frontend.yml:35 | |
| | jest: | |
| = this job | |
| --> .github/workflows/frontend.yml:35 | |
| | jest: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/heroku.yml:1 | |
| | name: Heroku | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/heroku.yml:19 | |
| | app-json: | |
| = this job | |
| --> .github/workflows/heroku.yml:19 | |
| | app-json: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/js-lint.yml:1 | |
| | name: JavaScript linting | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/js-lint.yml:31 | |
| | eslint: | |
| = this job | |
| --> .github/workflows/js-lint.yml:31 | |
| | eslint: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/js-lint.yml:43 | |
| | prettier: | |
| = this job | |
| --> .github/workflows/js-lint.yml:43 | |
| | prettier: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/py-lint.yml:1 | |
| | name: Python linting | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/py-lint.yml:21 | |
| | flake8: | |
| = this job | |
| --> .github/workflows/py-lint.yml:21 | |
| | flake8: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/py-lint.yml:35 | |
| | black: | |
| = this job | |
| --> .github/workflows/py-lint.yml:35 | |
| | black: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/py-lint.yml:49 | |
| | pyupgrade: | |
| = this job | |
| --> .github/workflows/py-lint.yml:49 | |
| | pyupgrade: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/tag-admin.yml:1 | |
| | name: Non-frontend JavaScript | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/tag-admin.yml:21 | |
| | test: | |
| = this job | |
| --> .github/workflows/tag-admin.yml:21 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/backend.yml:1 | |
| | name: Backend | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/frontend.yml:1 | |
| | name: Frontend | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/frontend.yml:1 | |
| | name: Frontend | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/heroku.yml:1 | |
| | name: Heroku | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/js-lint.yml:1 | |
| | name: JavaScript linting | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/js-lint.yml:1 | |
| | name: JavaScript linting | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/py-lint.yml:1 | |
| | name: Python linting | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/py-lint.yml:1 | |
| | name: Python linting | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/py-lint.yml:1 | |
| | name: Python linting | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/tag-admin.yml:1 | |
| | name: Non-frontend JavaScript | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/frontend.yml:35 | |
| | jest | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/py-lint.yml:21 | |
| | flake8 | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/py-lint.yml:35 | |
| | black | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/py-lint.yml:49 | |
| | pyupgrade | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:20 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:50 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:82 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:137 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:165 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:210 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:250 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:253 | |
| | taiki-e/install-action@nextest | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/doc.yml:15 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/doc.yml:26 | |
| | peaceiris/actions-gh-pages@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:20 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:50 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:82 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:137 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:165 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:210 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:250 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/doc.yml:14 | |
| | name: Checkout Repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:15 | |
| | rustfmt: | |
| = this job | |
| --> .github/workflows/ci.yml:15 | |
| | rustfmt: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:24 | |
| | clippy: | |
| = this job | |
| --> .github/workflows/ci.yml:24 | |
| | clippy: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:56 | |
| | x86-tests: | |
| = this job | |
| --> .github/workflows/ci.yml:56 | |
| | x86-tests: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:127 | |
| | macos-tests: | |
| = this job | |
| --> .github/workflows/ci.yml:127 | |
| | macos-tests: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:156 | |
| | wasm-tests: | |
| = this job | |
| --> .github/workflows/ci.yml:156 | |
| | wasm-tests: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:177 | |
| | cross-tests: | |
| = this job | |
| --> .github/workflows/ci.yml:177 | |
| | cross-tests: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:241 | |
| | miri: | |
| = this job | |
| --> .github/workflows/ci.yml:241 | |
| | miri: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/doc.yml:1 | |
| | name: Documentation | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/doc.yml:9 | |
| | release: | |
| = this job | |
| --> .github/workflows/doc.yml:9 | |
| | release: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/doc.yml:1 | |
| | name: Documentation | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:51 | |
| | name: Setup Rust | |
| = this step | |
| --> .github/workflows/ci.yml:52 | |
| | rustup target add ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:52 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:53 | |
| | name: Run Clippy | |
| = this step | |
| --> .github/workflows/ci.yml:54 | |
| | cargo clippy --all-targets --target ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:54 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:83 | |
| | name: Setup Rust | |
| = this step | |
| --> .github/workflows/ci.yml:84 | |
| | rustup target add ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:84 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:86 | |
| | name: Configure RUSTFLAGS | |
| = this step | |
| --> .github/workflows/ci.yml:89 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:88 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:86 | |
| | name: Configure RUSTFLAGS | |
| = this step | |
| --> .github/workflows/ci.yml:96 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:88 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:101 | |
| | name: Dump target configuration and support | |
| = this step | |
| --> .github/workflows/ci.yml:108 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:102 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:101 | |
| | name: Dump target configuration and support | |
| = this step | |
| --> .github/workflows/ci.yml:110 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:102 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:101 | |
| | name: Dump target configuration and support | |
| = this step | |
| --> .github/workflows/ci.yml:110 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:102 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:116 | |
| | name: Test (debug) | |
| = this step | |
| --> .github/workflows/ci.yml:117 | |
| | cargo test --verbose --target=${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:117 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:119 | |
| | name: Test (release) | |
| = this step | |
| --> .github/workflows/ci.yml:120 | |
| | cargo test --verbose --target=${{ matrix.target }} --release | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:120 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:122 | |
| | name: Generate docs | |
| = this step | |
| --> .github/workflows/ci.yml:123 | |
| | cargo doc --verbose --target=${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:123 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:138 | |
| | name: Setup Rust | |
| = this step | |
| --> .github/workflows/ci.yml:139 | |
| | rustup target add ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:139 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:145 | |
| | name: Test (debug) | |
| = this step | |
| --> .github/workflows/ci.yml:146 | |
| | cargo test --verbose --target=${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:146 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:148 | |
| | name: Test (release) | |
| = this step | |
| --> .github/workflows/ci.yml:149 | |
| | cargo test --verbose --target=${{ matrix.target }} --release | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:149 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:151 | |
| | name: Generate docs | |
| = this step | |
| --> .github/workflows/ci.yml:152 | |
| | cargo doc --verbose --target=${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:152 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:211 | |
| | name: Setup Rust | |
| = this step | |
| --> .github/workflows/ci.yml:212 | |
| | rustup target add ${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:212 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:224 | |
| | name: Configure RUSTFLAGS | |
| = this step | |
| --> .github/workflows/ci.yml:227 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:226 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:224 | |
| | name: Configure RUSTFLAGS | |
| = this step | |
| --> .github/workflows/ci.yml:231 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:226 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:235 | |
| | name: Test (debug) | |
| = this step | |
| --> .github/workflows/ci.yml:236 | |
| | cross test --verbose --target=${{ matrix.target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:236 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:238 | |
| | name: Test (release) | |
| = this step | |
| --> .github/workflows/ci.yml:239 | |
| | cross test --verbose --target=${{ matrix.target }} --release | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:239 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:255 | |
| | name: Test (Miri) (partition ${{ matrix.shard }}/4) | |
| = this step | |
| --> .github/workflows/ci.yml:257 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:256 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:241 | |
| | miri | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:18 | |
| | XAMPPRocky/deploy-mdbook@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = this job | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 anonymous-definition: workflow or action definition without a name | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = this workflow | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:12 | |
| | XAMPPRocky/deploy-mdbook@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = this job | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 anonymous-definition: workflow or action definition without a name | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = this workflow | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:12 | |
| | XAMPPRocky/deploy-mdbook@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | uses: actions/checkout@v3 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = this job | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 anonymous-definition: workflow or action definition without a name | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = this workflow | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:12 | |
| | XAMPPRocky/deploy-mdbook@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | uses: actions/checkout@v3 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = this job | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 anonymous-definition: workflow or action definition without a name | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = this workflow | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:12 | |
| | XAMPPRocky/deploy-mdbook@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy_mdbook.yml:11 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = this job | |
| --> .github/workflows/deploy_mdbook.yml:7 | |
| | ci: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 anonymous-definition: workflow or action definition without a name | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = this workflow | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | on: | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/demo.yml:17 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:16 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:25 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:31 | |
| | JamesIves/github-pages-deploy-action@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/format.yml:14 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/format.yml:17 | |
| | dtolnay/rust-toolchain@nightly | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:18 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:19 | |
| | dtolnay/rust-toolchain@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:30 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:31 | |
| | dtolnay/rust-toolchain@nightly | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/demo.yml:16 | |
| | name: Checkout | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/deploy_mdbook.yml:15 | |
| | name: Checkout | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/format.yml:13 | |
| | name: Checkout | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/nightly.yml:18 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/nightly.yml:30 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/demo.yml:2 | |
| | name: Run demo | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/demo.yml:13 | |
| | check_demo: | |
| = this job | |
| --> .github/workflows/demo.yml:13 | |
| | check_demo: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | name: Deploy Book | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/format.yml:2 | |
| | name: Format Check | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/format.yml:10 | |
| | format-check: | |
| = this job | |
| --> .github/workflows/format.yml:10 | |
| | format-check: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/nightly.yml:1 | |
| | name: Run compiler tests | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/nightly.yml:14 | |
| | msrv: | |
| = this job | |
| --> .github/workflows/nightly.yml:14 | |
| | msrv: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/nightly.yml:26 | |
| | latest: | |
| = this job | |
| --> .github/workflows/nightly.yml:26 | |
| | latest: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/demo.yml:2 | |
| | name: Run demo | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:1 | |
| | name: Deploy Book | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/format.yml:2 | |
| | name: Format Check | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/nightly.yml:1 | |
| | name: Run compiler tests | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/nightly.yml:1 | |
| | name: Run compiler tests | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/format.yml:16 | |
| | name: Rust Toolchain | |
| = this step | |
| --> .github/workflows/format.yml:17 | |
| | dtolnay/rust-toolchain@nightly | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/nightly.yml:19 | |
| | uses: dtolnay/rust-toolchain@master | |
| = this step | |
| --> .github/workflows/nightly.yml:19 | |
| | dtolnay/rust-toolchain@master | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/nightly.yml:31 | |
| | uses: dtolnay/rust-toolchain@nightly | |
| = this step | |
| --> .github/workflows/nightly.yml:31 | |
| | dtolnay/rust-toolchain@nightly | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy_mdbook.yml:13 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/demo.yml:13 | |
| | check_demo | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/format.yml:10 | |
| | format-check | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:15 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:42 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:70 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:80 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:98 | |
| | actions/download-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:107 | |
| | aws-actions/configure-aws-credentials@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:115 | |
| | aws-actions/amazon-ecr-login@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:14 | |
| | name: Clone the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:41 | |
| | name: Clone the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:69 | |
| | name: Clone the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:2 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:10 | |
| | test: | |
| = this job | |
| --> .github/workflows/ci.yml:10 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:31 | |
| | local: | |
| = this job | |
| --> .github/workflows/ci.yml:31 | |
| | local: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:64 | |
| | docker: | |
| = this job | |
| --> .github/workflows/ci.yml:64 | |
| | docker: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:2 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:2 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:2 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:2 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:50 | |
| | name: Run the local release process for channel ${{ matrix.channel }} | |
| = this step | |
| --> .github/workflows/ci.yml:51 | |
| | ./run.sh ${{ matrix.channel }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:51 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:53 | |
| | name: Validate the generated signatures | |
| = this step | |
| --> .github/workflows/ci.yml:54 | |
| | docker compose exec -T local /src/local/check-signature.sh ${{ matrix.channel }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:54 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:56 | |
| | name: Remove the previously installed ${{ matrix.channel }} toolchain | |
| = this step | |
| --> .github/workflows/ci.yml:57 | |
| | rustup toolchain remove ${{ matrix.channel }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:57 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:59 | |
| | name: Install the ${{ matrix.channel }} toolchain from the local environment | |
| = this step | |
| --> .github/workflows/ci.yml:60 | |
| | rustup toolchain install ${{ matrix.channel }} --profile=minimal | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:60 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:91 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/dev-guide.yml:14 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
severity: High, confidence: High
--> .github/workflows/dev-guide.yml:31
| actions/upload-pages-artifact@v3
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/dev-guide.yml:49
| actions/deploy-pages@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:13
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:37
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:39
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:78
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:104
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:121
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:123
| actions/checkout@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/main.yml:145
| actions/upload-artifact@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:13
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:37
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:38
| name: Checkout rust-lang/rust
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:78
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:104
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:121
| uses: actions/checkout@master
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/main.yml:122
| name: Checkout rust-lang/rust
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/dev-guide.yml:1
| name: Deploy dev-guide
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/dev-guide.yml:11
| build:
= this job
--> .github/workflows/dev-guide.yml:11
| build:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:1
| name: CI
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:10
| code-tests:
= this job
--> .github/workflows/main.yml:10
| code-tests:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:34
| style-tests:
= this job
--> .github/workflows/main.yml:34
| style-tests:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:75
| mdbook-spec:
= this job
--> .github/workflows/main.yml:75
| mdbook-spec:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:100
| dev-guide:
= this job
--> .github/workflows/main.yml:100
| dev-guide:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:117
| preview:
= this job
--> .github/workflows/main.yml:117
| preview:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/main.yml:156
| success:
= this job
--> .github/workflows/main.yml:156
| success:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions
🟡 artipacked: credential persistence through GitHub Actions artifacts
severity: Low, confidence: Low
--> .github/workflows/dev-guide.yml:14
| uses: actions/checkout@v6
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/dev-guide.yml:1
| name: Deploy dev-guide
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/dev-guide.yml:1
| name: Deploy dev-guide
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/main.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/dev-guide.yml:16
| name: Install mdbook
= this step
--> .github/workflows/dev-guide.yml:19
| |
= may expand into attacker-controllable code
--> .github/workflows/dev-guide.yml:17
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/dev-guide.yml:16
| name: Install mdbook
= this step
--> .github/workflows/dev-guide.yml:19
| |
= may expand into attacker-controllable code
--> .github/workflows/dev-guide.yml:17
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/main.yml:139
| name: Build the book
= this step
--> .github/workflows/main.yml:143
| mdbook build --dest-dir dist/preview-${{ github.event.pull_request.number }}
= may expand into attacker-controllable code
--> .github/workflows/main.yml:143
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/dev-guide.yml:39
| pages: write
= needs an explanatory comment
--> .github/workflows/dev-guide.yml:40
| id-token: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/dev-guide.yml:11
| build
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/dev-guide.yml:35
| deploy
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/main.yml:10
| code-tests
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/main.yml:34
| style-tests
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/main.yml:75
| mdbook-spec
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/main.yml:117
| preview
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/main.yml:167
| run: jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}'
= this step
--> .github/workflows/main.yml:167
| jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}'
= may expand into attacker-controllable code
--> .github/workflows/main.yml:167
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:58
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:60
| dtolnay/rust-toolchain@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:110
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:145
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:147
| dtolnay/rust-toolchain@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:165
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:167
| dtolnay/rust-toolchain@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:184
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:186
| dtolnay/rust-toolchain@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:197
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:199
| dtolnay/rust-toolchain@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:210
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:212
| dtolnay/rust-toolchain@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:223
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:225
| dtolnay/rust-toolchain@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:238
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:240
| dtolnay/rust-toolchain@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:255
| actions/checkout@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:257
| dtolnay/rust-toolchain@master
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:57
| name: Checkout repository
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:109
| name: Checkout repository
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:144
| name: Checkout repository
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:164
| name: Checkout repository
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:183
| name: Checkout repository
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:196
| name: Checkout repository
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:209
| name: Checkout repository
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:222
| name: Checkout repository
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:237
| name: Checkout repository
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:254
| name: Checkout repository
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: ci
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: ci
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: ci
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: ci
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: ci
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: ci
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: ci
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: ci
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: ci
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: ci
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits
🟡 superfluous-actions: action functionality is already included by the runner
severity: Low, confidence: High
--> .github/workflows/ci.yml:59
| name: Install Rust
= this step
--> .github/workflows/ci.yml:60
| dtolnay/rust-toolchain@master
= use `rustup` and/or `cargo` in a script step
docs: https://docs.zizmor.sh/audits/#superfluous-actions
🟡 superfluous-actions: action functionality is already included by the runner
severity: Low, confidence: High
--> .github/workflows/ci.yml:146
| name: Install Rust
= this step
--> .github/workflows/ci.yml:147
| dtolnay/rust-toolchain@master
= use `rustup` and/or `cargo` in a script step
docs: https://docs.zizmor.sh/audits/#superfluous-actions
🟡 superfluous-actions: action functionality is already included by the runner
severity: Low, confidence: High
--> .github/workflows/ci.yml:166
| name: Install Rust
= this step
--> .github/workflows/ci.yml:167
| dtolnay/rust-toolchain@master
= use `rustup` and/or `cargo` in a script step
docs: https://docs.zizmor.sh/audits/#superfluous-actions
🟡 superfluous-actions: action functionality is already included by the runner
severity: Low, confidence: High
--> .github/workflows/ci.yml:185
| name: Install Rust
= this step
--> .github/workflows/ci.yml:186
| dtolnay/rust-toolchain@master
= use `rustup` and/or `cargo` in a script step
docs: https://docs.zizmor.sh/audits/#superfluous-actions
🟡 superfluous-actions: action functionality is already included by the runner
severity: Low, confidence: High
--> .github/workflows/ci.yml:198
| name: Install Rust
= this step
--> .github/workflows/ci.yml:199
| dtolnay/rust-toolchain@master
= use `rustup` and/or `cargo` in a script step
docs: https://docs.zizmor.sh/audits/#superfluous-actions
🟡 superfluous-actions: action functionality is already included by the runner
severity: Low, confidence: High
--> .github/workflows/ci.yml:211
| name: Install Rust
= this step
--> .github/workflows/ci.yml:212
| dtolnay/rust-toolchain@master
= use `rustup` and/or `cargo` in a script step
docs: https://docs.zizmor.sh/audits/#superfluous-actions
🟡 superfluous-actions: action functionality is already included by the runner
severity: Low, confidence: High
--> .github/workflows/ci.yml:224
| name: Install Rust
= this step
--> .github/workflows/ci.yml:225
| dtolnay/rust-toolchain@master
= use `rustup` and/or `cargo` in a script step
docs: https://docs.zizmor.sh/audits/#superfluous-actions
🟡 superfluous-actions: action functionality is already included by the runner
severity: Low, confidence: High
--> .github/workflows/ci.yml:239
| name: Install Rust
= this step
--> .github/workflows/ci.yml:240
| dtolnay/rust-toolchain@master
= use `rustup` and/or `cargo` in a script step
docs: https://docs.zizmor.sh/audits/#superfluous-actions
🟡 superfluous-actions: action functionality is already included by the runner
severity: Low, confidence: High
--> .github/workflows/ci.yml:256
| name: Install Rust
= this step
--> .github/workflows/ci.yml:257
| dtolnay/rust-toolchain@master
= use `rustup` and/or `cargo` in a script step
docs: https://docs.zizmor.sh/audits/#superfluous-actions
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/ci.yml:122
| name: Basic build
= this step
--> .github/workflows/ci.yml:123
| cross build --all --verbose --target ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/ci.yml:123
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/ci.yml:124
| name: Run subset of tests
= this step
--> .github/workflows/ci.yml:125
| cross test --verbose --test integration --target ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/ci.yml:125
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/ci.yml:126
| name: Run subset of regex-syntax tests
= this step
--> .github/workflows/ci.yml:127
| cross test --verbose -p regex-syntax --lib --target ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/ci.yml:127
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/ci.yml:128
| name: Run subset of regex-automata tests
= this step
--> .github/workflows/ci.yml:129
| cross test --verbose -p regex-automata --lib --target ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/ci.yml:129
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/ci.yml:130
| name: Run regex-lite tests
= this step
--> .github/workflows/ci.yml:131
| cross test --verbose -p regex-lite --lib --target ${{ matrix.target }}
= may expand into attacker-controllable code
--> .github/workflows/ci.yml:131
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:32
| test
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:92
| cross
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:141
| msrv
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:159
| docsrs
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:180
| testfull-regex
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:193
| testfull-regex-automata
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:206
| testfull-regex-syntax
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:219
| testfull-regex-capi
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:234
| miri-regex-automata
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition
🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:251
| rustfmt
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:7 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:7 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:4 | |
| | build: | |
| = this job | |
| --> .github/workflows/ci.yml:4 | |
| | build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:8 | |
| | run: rustup default ${{ matrix.channel }} | |
| = this step | |
| --> .github/workflows/ci.yml:8 | |
| | rustup default ${{ matrix.channel }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:8 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:4 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Deploy | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy.yml:12 | |
| | build: | |
| = this job | |
| --> .github/workflows/deploy.yml:12 | |
| | build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/deploy.yml:15 | |
| | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Deploy | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Deploy | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:18 | |
| | name: Install mdbook | |
| = this step | |
| --> .github/workflows/deploy.yml:21 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/deploy.yml:19 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:18 | |
| | name: Install mdbook | |
| = this step | |
| --> .github/workflows/deploy.yml:21 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/deploy.yml:19 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:35 | |
| | pages: write | |
| = needs an explanatory comment | |
| --> .github/workflows/deploy.yml:36 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/deploy.yml:12 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/deploy.yml:31 | |
| | deploy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 cache-poisoning: runtime artifacts potentially vulnerable to a cache poisoning attack | |
| severity: High, confidence: Low | |
| --> .github/workflows/release.yaml:2 | |
| | on: | |
| = generally used when publishing artifacts generated at runtime | |
| --> .github/workflows/release.yaml:78 | |
| | uses: actions/setup-node@v6 | |
| = enables caching by default | |
| docs: https://docs.zizmor.sh/audits/#cache-poisoning | |
| 🔴 cache-poisoning: runtime artifacts potentially vulnerable to a cache poisoning attack | |
| severity: High, confidence: Low | |
| --> .github/workflows/release.yaml:2 | |
| | on: | |
| = generally used when publishing artifacts generated at runtime | |
| --> .github/workflows/release.yaml:204 | |
| | uses: actions/setup-node@v6 | |
| = enables caching by default | |
| docs: https://docs.zizmor.sh/audits/#cache-poisoning | |
| 🔴 unpinned-images: unpinned image references | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:160 | |
| | image: rust:alpine | |
| = container image is not pinned to a SHA256 hash | |
| docs: https://docs.zizmor.sh/audits/#unpinned-images | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/autopublish.yaml:19 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:33 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:48 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:91 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:116 | |
| | taiki-e/install-action@nextest | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:126 | |
| | taiki-e/install-action@cargo-machete | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:139 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:167 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:183 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:205 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:238 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:266 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:269 | |
| | actions/setup-node@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yaml:325 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/coverage.yaml:16 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/coverage.yaml:30 | |
| | taiki-e/install-action@cargo-llvm-cov | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/coverage.yaml:33 | |
| | taiki-e/install-action@nextest | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/fuzz.yml:30 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/gen-lints.yml:18 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:26 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:29 | |
| | actions/cache@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:42 | |
| | actions/cache@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:48 | |
| | actions/upload-artifact@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:69 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:72 | |
| | actions/cache@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:81 | |
| | actions/upload-artifact@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:92 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:95 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:100 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:105 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:110 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:115 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/metrics.yaml:120 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish-libs.yaml:17 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:73 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:78 | |
| | actions/setup-node@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:146 | |
| | actions/upload-artifact@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:169 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:192 | |
| | actions/upload-artifact@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:204 | |
| | actions/setup-node@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:215 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:222 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:226 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:230 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:234 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:238 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:242 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:246 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:250 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yaml:254 | |
| | actions/download-artifact@v8 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/rustc-pull.yml:12 | |
| | rust-lang/josh-sync/.github/workflows/rustc-pull.yml@main | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/rustdoc.yaml:22 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/autopublish.yaml:1 | |
| | name: autopublish | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/autopublish.yaml:13 | |
| | publish: | |
| = this job | |
| --> .github/workflows/autopublish.yaml:13 | |
| | publish: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:4 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:41 | |
| | proc-macro-srv: | |
| = this job | |
| --> .github/workflows/ci.yaml:41 | |
| | proc-macro-srv: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:77 | |
| | rust: | |
| = this job | |
| --> .github/workflows/ci.yaml:77 | |
| | rust: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:131 | |
| | analysis-stats: | |
| = this job | |
| --> .github/workflows/ci.yaml:131 | |
| | analysis-stats: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:161 | |
| | rustfmt: | |
| = this job | |
| --> .github/workflows/ci.yaml:161 | |
| | rustfmt: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:177 | |
| | clippy: | |
| = this job | |
| --> .github/workflows/ci.yaml:177 | |
| | clippy: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:199 | |
| | miri: | |
| = this job | |
| --> .github/workflows/ci.yaml:199 | |
| | miri: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:222 | |
| | rust-cross: | |
| = this job | |
| --> .github/workflows/ci.yaml:222 | |
| | rust-cross: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:253 | |
| | typescript: | |
| = this job | |
| --> .github/workflows/ci.yaml:253 | |
| | typescript: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:313 | |
| | typo-check: | |
| = this job | |
| --> .github/workflows/ci.yaml:313 | |
| | typo-check: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:332 | |
| | conclusion: | |
| = this job | |
| --> .github/workflows/ci.yaml:332 | |
| | conclusion: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yaml:362 | |
| | cancel-if-matrix-failed: | |
| = this job | |
| --> .github/workflows/ci.yaml:362 | |
| | cancel-if-matrix-failed: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/coverage.yaml:1 | |
| | name: Coverage | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/coverage.yaml:13 | |
| | coverage: | |
| = this job | |
| --> .github/workflows/coverage.yaml:13 | |
| | coverage: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/fuzz.yml:1 | |
| | name: Fuzz | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/fuzz.yml:21 | |
| | rust: | |
| = this job | |
| --> .github/workflows/fuzz.yml:21 | |
| | rust: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/gen-lints.yml:1 | |
| | name: Generate lints and feature flags | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/gen-lints.yml:13 | |
| | lints-gen: | |
| = this job | |
| --> .github/workflows/gen-lints.yml:13 | |
| | lints-gen: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/metrics.yaml:1 | |
| | name: metrics | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/metrics.yaml:14 | |
| | build_metrics: | |
| = this job | |
| --> .github/workflows/metrics.yaml:14 | |
| | build_metrics: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/metrics.yaml:54 | |
| | other_metrics: | |
| = this job | |
| --> .github/workflows/metrics.yaml:54 | |
| | other_metrics: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/metrics.yaml:87 | |
| | generate_final_metrics: | |
| = this job | |
| --> .github/workflows/metrics.yaml:87 | |
| | generate_final_metrics: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/publish-libs.yaml:1 | |
| | name: publish-libs | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/publish-libs.yaml:11 | |
| | publish-libs: | |
| = this job | |
| --> .github/workflows/publish-libs.yaml:11 | |
| | publish-libs: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/release.yaml:1 | |
| | name: release | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/release.yaml:24 | |
| | dist: | |
| = this job | |
| --> .github/workflows/release.yaml:24 | |
| | dist: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/release.yaml:151 | |
| | dist-x86_64-unknown-linux-musl: | |
| = this job | |
| --> .github/workflows/release.yaml:151 | |
| | dist-x86_64-unknown-linux-musl: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/release.yaml:197 | |
| | publish: | |
| = this job | |
| --> .github/workflows/release.yaml:197 | |
| | publish: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rustc-pull.yml:1 | |
| | name: rustc-pull | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rustc-pull.yml:10 | |
| | pull: | |
| = this job | |
| --> .github/workflows/rustc-pull.yml:10 | |
| | pull: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rustdoc.yaml:1 | |
| | name: rustdoc | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rustdoc.yaml:16 | |
| | rustdoc: | |
| = this job | |
| --> .github/workflows/rustdoc.yaml:16 | |
| | rustdoc: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/autopublish.yaml:13 | |
| | publish | |
| = this job | |
| --> .github/workflows/autopublish.yaml:35 | |
| | secrets.CARGO_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/coverage.yaml:13 | |
| | coverage | |
| = this job | |
| --> .github/workflows/coverage.yaml:43 | |
| | secrets.CODECOV_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/metrics.yaml:87 | |
| | generate_final_metrics | |
| = this job | |
| --> .github/workflows/metrics.yaml:127 | |
| | secrets.METRICS_DEPLOY_KEY | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/publish-libs.yaml:11 | |
| | publish-libs | |
| = this job | |
| --> .github/workflows/publish-libs.yaml:29 | |
| | secrets.CARGO_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/release.yaml:197 | |
| | publish | |
| = this job | |
| --> .github/workflows/release.yaml:274 | |
| | secrets.MARKETPLACE_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/release.yaml:197 | |
| | publish | |
| = this job | |
| --> .github/workflows/release.yaml:279 | |
| | secrets.OPENVSX_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/release.yaml:197 | |
| | publish | |
| = this job | |
| --> .github/workflows/release.yaml:285 | |
| | secrets.MARKETPLACE_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/release.yaml:197 | |
| | publish | |
| = this job | |
| --> .github/workflows/release.yaml:290 | |
| | secrets.OPENVSX_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/autopublish.yaml:18 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:33 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:47 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:90 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:138 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:166 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:182 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:204 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:237 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:265 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yaml:324 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/coverage.yaml:16 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/fuzz.yml:29 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/gen-lints.yml:17 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/metrics.yaml:25 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/metrics.yaml:68 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/metrics.yaml:91 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/publish-libs.yaml:16 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/release.yaml:72 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/release.yaml:168 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/release.yaml:214 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/rustdoc.yaml:21 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/autopublish.yaml:1 | |
| | name: autopublish | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/coverage.yaml:1 | |
| | name: Coverage | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/fuzz.yml:1 | |
| | name: Fuzz | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/gen-lints.yml:1 | |
| | name: Generate lints and feature flags | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/metrics.yaml:1 | |
| | name: metrics | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/metrics.yaml:1 | |
| | name: metrics | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/metrics.yaml:1 | |
| | name: metrics | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish-libs.yaml:1 | |
| | name: publish-libs | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:1 | |
| | name: release | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:1 | |
| | name: release | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:1 | |
| | name: release | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rustdoc.yaml:1 | |
| | name: rustdoc | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/gen-lints.yml:26 | |
| | name: Submit PR | |
| = this step | |
| --> .github/workflows/gen-lints.yml:27 | |
| | peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 | |
| = use `gh pr create` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:240 | |
| | name: Install Rust toolchain | |
| = this step | |
| --> .github/workflows/ci.yaml:243 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:241 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:248 | |
| | run: cargo check --target=${{ matrix.target }} --all-targets -p ide | |
| = this step | |
| --> .github/workflows/ci.yaml:248 | |
| | cargo check --target=${{ matrix.target }} --all-targets -p ide | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:248 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:250 | |
| | run: cargo check --target=${{ matrix.target }} --all-targets | |
| = this step | |
| --> .github/workflows/ci.yaml:250 | |
| | cargo check --target=${{ matrix.target }} --all-targets | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:250 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:367 | |
| | name: Cancel parallel jobs | |
| = this step | |
| --> .github/workflows/ci.yaml:376 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:368 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:367 | |
| | name: Cancel parallel jobs | |
| = this step | |
| --> .github/workflows/ci.yaml:378 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:368 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:367 | |
| | name: Cancel parallel jobs | |
| = this step | |
| --> .github/workflows/ci.yaml:378 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:368 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/metrics.yaml:77 | |
| | name: Collect metrics | |
| = this step | |
| --> .github/workflows/metrics.yaml:78 | |
| | cargo xtask metrics "${{ matrix.names }}" | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/metrics.yaml:78 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/metrics.yaml:124 | |
| | name: Combine json | |
| = this step | |
| --> .github/workflows/metrics.yaml:127 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/metrics.yaml:125 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:88 | |
| | name: Install Rust toolchain | |
| = this step | |
| --> .github/workflows/release.yaml:92 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:89 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:88 | |
| | name: Install Rust toolchain | |
| = this step | |
| --> .github/workflows/release.yaml:93 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:89 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:103 | |
| | name: Dist (plain) | |
| = this step | |
| --> .github/workflows/release.yaml:105 | |
| | cargo xtask dist --client-patch-version ${{ github.run_number }} ${{ matrix.pgo && format('--pgo {0}', matrix.pgo) || ''}} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:105 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:103 | |
| | name: Dist (plain) | |
| = this step | |
| --> .github/workflows/release.yaml:105 | |
| | cargo xtask dist --client-patch-version ${{ github.run_number }} ${{ matrix.pgo && format('--pgo {0}', matrix.pgo) || ''}} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:105 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:107 | |
| | name: Dist (using zigbuild) | |
| = this step | |
| --> .github/workflows/release.yaml:109 | |
| | RA_TARGET=${{ matrix.zig_target}} cargo xtask dist --client-patch-version ${{ github.run_number }} --zig ${{ matrix.pgo && format('--pgo {0}', matrix.pgo) || ''}} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:109 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:107 | |
| | name: Dist (using zigbuild) | |
| = this step | |
| --> .github/workflows/release.yaml:109 | |
| | RA_TARGET=${{ matrix.zig_target}} cargo xtask dist --client-patch-version ${{ github.run_number }} --zig ${{ matrix.pgo && format('--pgo {0}', matrix.pgo) || ''}} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:109 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:107 | |
| | name: Dist (using zigbuild) | |
| = this step | |
| --> .github/workflows/release.yaml:109 | |
| | RA_TARGET=${{ matrix.zig_target}} cargo xtask dist --client-patch-version ${{ github.run_number }} --zig ${{ matrix.pgo && format('--pgo {0}', matrix.pgo) || ''}} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:109 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:114 | |
| | name: Package Extension (release) | |
| = this step | |
| --> .github/workflows/release.yaml:116 | |
| | npx vsce package -o "../../dist/rust-analyzer-${{ matrix.code-target }}.vsix" --target ${{ matrix.code-target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:116 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:114 | |
| | name: Package Extension (release) | |
| = this step | |
| --> .github/workflows/release.yaml:116 | |
| | npx vsce package -o "../../dist/rust-analyzer-${{ matrix.code-target }}.vsix" --target ${{ matrix.code-target }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:116 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:119 | |
| | name: Package Extension (nightly) | |
| = this step | |
| --> .github/workflows/release.yaml:121 | |
| | npx vsce package -o "../../dist/rust-analyzer-${{ matrix.code-target }}.vsix" --target ${{ matrix.code-target }} --pre-release | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:121 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:119 | |
| | name: Package Extension (nightly) | |
| = this step | |
| --> .github/workflows/release.yaml:121 | |
| | npx vsce package -o "../../dist/rust-analyzer-${{ matrix.code-target }}.vsix" --target ${{ matrix.code-target }} --pre-release | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:121 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:135 | |
| | name: Run analysis-stats on rust-analyzer | |
| = this step | |
| --> .github/workflows/release.yaml:137 | |
| | target/${{ matrix.target }}/release/rust-analyzer analysis-stats . -q | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:137 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:139 | |
| | name: Run analysis-stats on rust std library | |
| = this step | |
| --> .github/workflows/release.yaml:143 | |
| | target/${{ matrix.target }}/release/rust-analyzer analysis-stats --with-deps --no-sysroot --no-test $(rustc --print sysroot)/lib/rustlib/src/rust/library/std -q | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:143 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:173 | |
| | name: Dist | |
| = this step | |
| --> .github/workflows/release.yaml:174 | |
| | cargo xtask dist --client-patch-version ${{ github.run_number }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:174 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:270 | |
| | name: Publish Extension (Code Marketplace, release) | |
| = this step | |
| --> .github/workflows/release.yaml:274 | |
| | npx vsce publish --pat ${{ secrets.MARKETPLACE_TOKEN }} --packagePath ../../dist/rust-analyzer-*.vsix | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:274 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:276 | |
| | name: Publish Extension (OpenVSX, release) | |
| = this step | |
| --> .github/workflows/release.yaml:279 | |
| | npx ovsx publish --pat ${{ secrets.OPENVSX_TOKEN }} --packagePath ../../dist/rust-analyzer-*.vsix | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:279 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:282 | |
| | name: Publish Extension (Code Marketplace, nightly) | |
| = this step | |
| --> .github/workflows/release.yaml:285 | |
| | npx vsce publish --pat ${{ secrets.MARKETPLACE_TOKEN }} --packagePath ../../dist/rust-analyzer-*.vsix --pre-release | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:285 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yaml:287 | |
| | name: Publish Extension (OpenVSX, nightly) | |
| = this step | |
| --> .github/workflows/release.yaml:290 | |
| | npx ovsx publish --pat ${{ secrets.OPENVSX_TOKEN }} --packagePath ../../dist/rust-analyzer-*.vsix | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yaml:290 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yaml:29 | |
| | pull-requests: read | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yaml:26 | |
| | changes | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yaml:131 | |
| | analysis-stats | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yaml:161 | |
| | rustfmt | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yaml:177 | |
| | clippy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yaml:199 | |
| | miri | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yaml:332 | |
| | conclusion | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yaml:362 | |
| | cancel-if-matrix-failed | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/coverage.yaml:13 | |
| | coverage | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/metrics.yaml:14 | |
| | build_metrics | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/metrics.yaml:54 | |
| | other_metrics | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/metrics.yaml:87 | |
| | generate_final_metrics | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rustdoc.yaml:16 | |
| | rustdoc | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yaml:355 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/ci.yaml:358 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:356 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yaml:355 | |
| | name: Conclusion | |
| = this step | |
| --> .github/workflows/ci.yaml:360 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:356 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/ci.yaml:367 | |
| | name: Cancel parallel jobs | |
| = this step | |
| --> .github/workflows/ci.yaml:369 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yaml:368 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 use-trusted-publishing: prefer trusted publishing for authentication | |
| severity: Informational, confidence: High | |
| --> .github/workflows/autopublish.yaml:33 | |
| | name: Publish Crates | |
| = this step | |
| --> .github/workflows/autopublish.yaml:38 | |
| | run | |
| = this step | |
| --> .github/workflows/autopublish.yaml:61 | |
| | | | |
| = this command | |
| docs: https://docs.zizmor.sh/audits/#use-trusted-publishing | |
| 🔵 use-trusted-publishing: prefer trusted publishing for authentication | |
| severity: Informational, confidence: High | |
| --> .github/workflows/publish-libs.yaml:27 | |
| | name: Publish Crates | |
| = this step | |
| --> .github/workflows/publish-libs.yaml:31 | |
| | run | |
| = this step | |
| --> .github/workflows/publish-libs.yaml:36 | |
| | | | |
| = this command | |
| docs: https://docs.zizmor.sh/audits/#use-trusted-publishing | |
| 🔴 dangerous-triggers: use of fundamentally insecure workflow trigger | |
| severity: High, confidence: Medium | |
| --> .github/workflows/publish.yml:3 | |
| | on: | |
| = workflow_run is almost always used insecurely | |
| docs: https://docs.zizmor.sh/audits/#dangerous-triggers | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:18 | |
| | "contents": "write" | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 template-injection: code injection via template expansion | |
| severity: High, confidence: High | |
| --> .github/workflows/create-tag.yml:28 | |
| | name: Compute the commit | |
| = this step | |
| --> .github/workflows/create-tag.yml:30 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/create-tag.yml:29 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔴 template-injection: code injection via template expansion | |
| severity: High, confidence: High | |
| --> .github/workflows/create-tag.yml:28 | |
| | name: Compute the commit | |
| = this step | |
| --> .github/workflows/create-tag.yml:33 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/create-tag.yml:29 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔴 template-injection: code injection via template expansion | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:16 | |
| | name: Print workflow event name | |
| = this step | |
| --> .github/workflows/publish.yml:17 | |
| | echo "${{ github.event.workflow.name }}" | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/publish.yml:17 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔴 template-injection: code injection via template expansion | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:77 | |
| | id: plan | |
| = this step | |
| --> .github/workflows/release.yml:79 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yml:78 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:18 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:21 | |
| | dtolnay/rust-toolchain@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:32 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:40 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:47 | |
| | dtolnay/rust-toolchain@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:55 | |
| | dtolnay/rust-toolchain@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:67 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:77 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:88 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:100 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:144 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:147 | |
| | dtolnay/rust-toolchain@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:156 | |
| | KyleMayes/install-llvm-action@v2.0.5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:172 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bindgen.yml:185 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bump-version.yml:25 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bump-version.yml:28 | |
| | chainguard-dev/actions/setup-gitsign@main | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bump-version.yml:31 | |
| | taiki-e/install-action@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bump-version.yml:36 | |
| | taiki-e/install-action@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bump-version.yml:41 | |
| | actions/setup-node@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/bump-version.yml:60 | |
| | peter-evans/create-pull-request@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/create-tag.yml:24 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/create-tag.yml:38 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/create-tag.yml:45 | |
| | mathieudutour/github-tag-action@v6.2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy-book.yml:12 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy-book.yml:23 | |
| | JamesIves/github-pages-deploy-action@3.7.1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:19 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/publish.yml:21 | |
| | dtolnay/rust-toolchain@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:59 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:68 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:84 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:118 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:132 | |
| | actions/download-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:159 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:176 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:180 | |
| | actions/download-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:187 | |
| | actions/download-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:205 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:225 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:229 | |
| | actions/download-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:236 | |
| | actions/download-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:249 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:256 | |
| | actions/download-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:289 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/bindgen.yml:18 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/bindgen.yml:32 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/bindgen.yml:40 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/bindgen.yml:67 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/bindgen.yml:77 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/bindgen.yml:88 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/bindgen.yml:100 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/bindgen.yml:144 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/bindgen.yml:172 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/bindgen.yml:185 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/bump-version.yml:24 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/create-tag.yml:23 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/publish.yml:18 | |
| | name: Checkout sources | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/release.yml:59 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/release.yml:118 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/release.yml:176 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/release.yml:225 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/release.yml:289 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bindgen.yml:1 | |
| | name: bindgen | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bindgen.yml:15 | |
| | rustfmt: | |
| = this job | |
| --> .github/workflows/bindgen.yml:15 | |
| | rustfmt: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bindgen.yml:29 | |
| | clippy: | |
| = this job | |
| --> .github/workflows/bindgen.yml:29 | |
| | clippy: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bindgen.yml:37 | |
| | msrv: | |
| = this job | |
| --> .github/workflows/bindgen.yml:37 | |
| | msrv: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bindgen.yml:62 | |
| | minimal: | |
| = this job | |
| --> .github/workflows/bindgen.yml:62 | |
| | minimal: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bindgen.yml:72 | |
| | docs: | |
| = this job | |
| --> .github/workflows/bindgen.yml:72 | |
| | docs: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bindgen.yml:85 | |
| | quickchecking: | |
| = this job | |
| --> .github/workflows/bindgen.yml:85 | |
| | quickchecking: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bindgen.yml:94 | |
| | test-expectations: | |
| = this job | |
| --> .github/workflows/bindgen.yml:94 | |
| | test-expectations: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bindgen.yml:105 | |
| | test: | |
| = this job | |
| --> .github/workflows/bindgen.yml:105 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bindgen.yml:169 | |
| | test-book: | |
| = this job | |
| --> .github/workflows/bindgen.yml:169 | |
| | test-book: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bindgen.yml:182 | |
| | test-no-headers: | |
| = this job | |
| --> .github/workflows/bindgen.yml:182 | |
| | test-no-headers: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bindgen.yml:199 | |
| | success: | |
| = this job | |
| --> .github/workflows/bindgen.yml:199 | |
| | success: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/bump-version.yml:1 | |
| | name: Bump version for release | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/create-tag.yml:1 | |
| | name: Create tag for release | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/create-tag.yml:14 | |
| | create-tag: | |
| = this job | |
| --> .github/workflows/create-tag.yml:14 | |
| | create-tag: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy-book.yml:1 | |
| | name: Deploy book | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy-book.yml:9 | |
| | deploy-book: | |
| = this job | |
| --> .github/workflows/deploy-book.yml:9 | |
| | deploy-book: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/publish.yml:2 | |
| | name: Publish on crates.io | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/publish.yml:12 | |
| | cargo-publish: | |
| = this job | |
| --> .github/workflows/publish.yml:12 | |
| | cargo-publish: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 template-injection: code injection via template expansion | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/release.yml:128 | |
| | name: Install dist | |
| = this step | |
| --> .github/workflows/release.yml:129 | |
| | ${{ matrix.install_dist.run }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yml:129 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟠 template-injection: code injection via template expansion | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/release.yml:137 | |
| | name: Install dependencies | |
| = this step | |
| --> .github/workflows/release.yml:139 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yml:138 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟠 template-injection: code injection via template expansion | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/release.yml:140 | |
| | name: Build artifacts | |
| = this step | |
| --> .github/workflows/release.yml:143 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yml:141 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:1 | |
| | name: bindgen | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:1 | |
| | name: bindgen | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:1 | |
| | name: bindgen | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:1 | |
| | name: bindgen | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:1 | |
| | name: bindgen | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:1 | |
| | name: bindgen | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:1 | |
| | name: bindgen | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:1 | |
| | name: bindgen | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:1 | |
| | name: bindgen | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:1 | |
| | name: bindgen | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:1 | |
| | name: bindgen | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/bump-version.yml:1 | |
| | name: Bump version for release | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/create-tag.yml:1 | |
| | name: Create tag for release | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy-book.yml:1 | |
| | name: Deploy book | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yml:2 | |
| | name: Publish on crates.io | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yml:16 | |
| | name: Release | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yml:16 | |
| | name: Release | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yml:16 | |
| | name: Release | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yml:16 | |
| | name: Release | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yml:16 | |
| | name: Release | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:20 | |
| | name: Install nightly | |
| = this step | |
| --> .github/workflows/bindgen.yml:21 | |
| | dtolnay/rust-toolchain@master | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:46 | |
| | name: Install msrv for lib | |
| = this step | |
| --> .github/workflows/bindgen.yml:47 | |
| | dtolnay/rust-toolchain@master | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:54 | |
| | name: Install msrv for cli | |
| = this step | |
| --> .github/workflows/bindgen.yml:55 | |
| | dtolnay/rust-toolchain@master | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:146 | |
| | name: Install stable | |
| = this step | |
| --> .github/workflows/bindgen.yml:147 | |
| | dtolnay/rust-toolchain@master | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/bump-version.yml:59 | |
| | name: Create PR | |
| = this step | |
| --> .github/workflows/bump-version.yml:60 | |
| | peter-evans/create-pull-request@v5 | |
| = use `gh pr create` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/create-tag.yml:37 | |
| | name: Install rust toolchain | |
| = this step | |
| --> .github/workflows/create-tag.yml:38 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/publish.yml:20 | |
| | name: Install stable toolchain | |
| = this step | |
| --> .github/workflows/publish.yml:21 | |
| | dtolnay/rust-toolchain@master | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:150 | |
| | name: Install libtinfo | |
| = this step | |
| --> .github/workflows/bindgen.yml:153 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bindgen.yml:152 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:150 | |
| | name: Install libtinfo | |
| = this step | |
| --> .github/workflows/bindgen.yml:153 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bindgen.yml:152 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/bindgen.yml:150 | |
| | name: Install libtinfo | |
| = this step | |
| --> .github/workflows/bindgen.yml:154 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bindgen.yml:152 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/bump-version.yml:46 | |
| | name: Bump version | |
| = this step | |
| --> .github/workflows/bump-version.yml:48 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bump-version.yml:47 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/bump-version.yml:54 | |
| | name: Update changelog | |
| = this step | |
| --> .github/workflows/bump-version.yml:56 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bump-version.yml:55 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/create-tag.yml:28 | |
| | name: Compute the commit | |
| = this step | |
| --> .github/workflows/create-tag.yml:31 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/create-tag.yml:29 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/create-tag.yml:28 | |
| | name: Compute the commit | |
| = this step | |
| --> .github/workflows/create-tag.yml:31 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/create-tag.yml:29 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/bump-version.yml:18 | |
| | id-token: write | |
| = needs an explanatory comment | |
| --> .github/workflows/bump-version.yml:19 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| --> .github/workflows/bump-version.yml:20 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yml:18 | |
| | "contents": "write" | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/bindgen.yml:15 | |
| | rustfmt | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/bindgen.yml:29 | |
| | clippy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/bindgen.yml:37 | |
| | msrv | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/bindgen.yml:62 | |
| | minimal | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/bindgen.yml:72 | |
| | docs | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/bindgen.yml:85 | |
| | quickchecking | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/bindgen.yml:94 | |
| | test-expectations | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/bindgen.yml:105 | |
| | test | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/bindgen.yml:169 | |
| | test-book | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/bindgen.yml:182 | |
| | test-no-headers | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/bindgen.yml:199 | |
| | success | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/bump-version.yml:16 | |
| | bump-version | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/create-tag.yml:14 | |
| | create-tag | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/deploy-book.yml:9 | |
| | deploy-book | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/publish.yml:12 | |
| | cargo-publish | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/release.yml:49 | |
| | plan | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/release.yml:167 | |
| | build-global-artifacts | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/release.yml:212 | |
| | host | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/release.yml:277 | |
| | announce | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/bindgen.yml:51 | |
| | name: Test lib with msrv | |
| = this step | |
| --> .github/workflows/bindgen.yml:52 | |
| | cargo +${{ steps.metadata.outputs.rust-version }} test --package bindgen | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bindgen.yml:52 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/bindgen.yml:59 | |
| | name: Test cli with msrv | |
| = this step | |
| --> .github/workflows/bindgen.yml:60 | |
| | cargo +${{ steps.metadata.outputs.rust-version }} build --package bindgen-cli | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bindgen.yml:60 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/bindgen.yml:208 | |
| | name: check if any dependency failed | |
| = this step | |
| --> .github/workflows/bindgen.yml:209 | |
| | jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}' | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/bindgen.yml:209 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/release.yml:140 | |
| | name: Build artifacts | |
| = this step | |
| --> .github/workflows/release.yml:143 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yml:141 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/release.yml:192 | |
| | id: cargo-dist | |
| = this step | |
| --> .github/workflows/release.yml:195 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yml:194 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/release.yml:241 | |
| | id: host | |
| = this step | |
| --> .github/workflows/release.yml:244 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yml:243 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 template-injection: code injection via template expansion | |
| severity: Informational, confidence: Low | |
| --> .github/workflows/release.yml:265 | |
| | name: Create GitHub Release | |
| = this step | |
| --> .github/workflows/release.yml:275 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/release.yml:271 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 use-trusted-publishing: prefer trusted publishing for authentication | |
| severity: Informational, confidence: High | |
| --> .github/workflows/publish.yml:24 | |
| | name: Publish bindgen (lib) | |
| = this step | |
| --> .github/workflows/publish.yml:25 | |
| | run | |
| = this step | |
| --> .github/workflows/publish.yml:25 | |
| | cargo publish --package bindgen --token ${CARGO_REGISTRY_TOKEN} | |
| = this command | |
| docs: https://docs.zizmor.sh/audits/#use-trusted-publishing | |
| 🔵 use-trusted-publishing: prefer trusted publishing for authentication | |
| severity: Informational, confidence: High | |
| --> .github/workflows/publish.yml:26 | |
| | name: Publish bindgen-cli | |
| = this step | |
| --> .github/workflows/publish.yml:27 | |
| | run | |
| = this step | |
| --> .github/workflows/publish.yml:27 | |
| | cargo publish --package bindgen-cli --token ${CARGO_REGISTRY_TOKEN} | |
| = this command | |
| docs: https://docs.zizmor.sh/audits/#use-trusted-publishing | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/rbe.yml:14 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/rbe.yml:76 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/rbe.yml:14 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rbe.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rbe.yml:10 | |
| | test: | |
| = this job | |
| --> .github/workflows/rbe.yml:10 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/rbe.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/rbe.yml:56 | |
| | name: Build all translations | |
| = this step | |
| --> .github/workflows/rbe.yml:58 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/rbe.yml:57 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/rbe.yml:68 | |
| | name: Check all translations for broken links | |
| = this step | |
| --> .github/workflows/rbe.yml:70 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/rbe.yml:69 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔴 cache-poisoning: runtime artifacts potentially vulnerable to a cache poisoning attack | |
| severity: High, confidence: Low | |
| --> .github/workflows/deploy.yml:3 | |
| | on: | |
| = generally used when publishing artifacts generated at runtime | |
| --> .github/workflows/deploy.yml:67 | |
| | uses: Swatinem/rust-cache@v2 | |
| = enables caching by default | |
| docs: https://docs.zizmor.sh/audits/#cache-poisoning | |
| 🔴 dangerous-triggers: use of fundamentally insecure workflow trigger | |
| severity: High, confidence: Medium | |
| --> .github/workflows/lintcheck_summary.yml:15 | |
| | on: | |
| = workflow_run is almost always used insecurely | |
| docs: https://docs.zizmor.sh/audits/#dangerous-triggers | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/lintcheck_summary.yml:22 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 template-injection: code injection via template expansion | |
| severity: High, confidence: High | |
| --> .github/workflows/lintcheck_summary.yml:93 | |
| | name: Create/update comment | |
| = this step | |
| --> .github/workflows/lintcheck_summary.yml:102 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/lintcheck_summary.yml:94 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/clippy_dev.yml:19 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/clippy_mq.yml:37 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/clippy_mq.yml:97 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/clippy_mq.yml:115 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/clippy_mq.yml:138 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/clippy_mq.yml:171 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/clippy_mq.yml:182 | |
| | actions/download-artifact@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/clippy_pr.yml:27 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy.yml:28 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy.yml:34 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/deploy.yml:67 | |
| | Swatinem/rust-cache@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/lintcheck.yml:27 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/lintcheck.yml:47 | |
| | actions/cache@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/lintcheck.yml:62 | |
| | actions/cache@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/lintcheck.yml:72 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/lintcheck.yml:83 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/lintcheck.yml:90 | |
| | actions/cache@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/lintcheck.yml:103 | |
| | actions/upload-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
--> .github/workflows/lintcheck.yml:116
| actions/checkout@v6
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/lintcheck.yml:122
| actions/cache/restore@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/lintcheck.yml:129
| actions/download-artifact@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/lintcheck.yml:143
| actions/upload-artifact@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/lintcheck.yml:149
| actions/upload-artifact@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/lintcheck_summary.yml:30
| actions/download-artifact@v5
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/lintcheck_summary.yml:38
| actions/github-script@v8
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/remark.yml:17
| actions/checkout@v6
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/remark.yml:23
| actions/setup-node@v6
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_changelog.yml:1
| name: Clippy changelog check
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_changelog.yml:15
| changelog:
= this job
--> .github/workflows/clippy_changelog.yml:15
| changelog:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_changelog.yml:34
| conclusion_changelog:
= this job
--> .github/workflows/clippy_changelog.yml:34
| conclusion_changelog:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_dev.yml:1
| name: Clippy Dev Test
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_dev.yml:13
| clippy_dev:
= this job
--> .github/workflows/clippy_dev.yml:13
| clippy_dev:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_dev.yml:44
| conclusion_dev:
= this job
--> .github/workflows/clippy_dev.yml:44
| conclusion_dev:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_mq.yml:1
| name: Clippy Test (merge queue)
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_mq.yml:18
| base:
= this job
--> .github/workflows/clippy_mq.yml:18
| base:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_mq.yml:91
| metadata_collection:
= this job
--> .github/workflows/clippy_mq.yml:91
| metadata_collection:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_mq.yml:109
| integration_build:
= this job
--> .github/workflows/clippy_mq.yml:109
| integration_build:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_mq.yml:143
| integration:
= this job
--> .github/workflows/clippy_mq.yml:143
| integration:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_mq.yml:198
| conclusion:
= this job
--> .github/workflows/clippy_mq.yml:198
| conclusion:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_pr.yml:1
| name: Clippy Test
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_pr.yml:20
| base:
= this job
--> .github/workflows/clippy_pr.yml:20
| base:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/clippy_pr.yml:67
| conclusion:
= this job
--> .github/workflows/clippy_pr.yml:67
| conclusion:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/deploy.yml:1
| name: Deploy
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/deploy.yml:21
| deploy:
= this job
--> .github/workflows/deploy.yml:21
| deploy:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/lintcheck.yml:1
| name: Lintcheck
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/lintcheck.yml:22
| base:
= this job
--> .github/workflows/lintcheck.yml:22
| base:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/lintcheck.yml:78
| head:
= this job
--> .github/workflows/lintcheck.yml:78
| head:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/lintcheck.yml:109
| diff:
= this job
--> .github/workflows/lintcheck.yml:109
| diff:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/remark.yml:1
| name: Remark
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/remark.yml:11
| remark:
= this job
--> .github/workflows/remark.yml:11
| remark:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/remark.yml:50
| conclusion_remark:
= this job
--> .github/workflows/remark.yml:50
| conclusion_remark:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 secrets-outside-env: secrets referenced without a dedicated environment
severity: Medium, confidence: High
--> .github/workflows/deploy.yml:21
| deploy
= this job
--> .github/workflows/deploy.yml:77
| secrets.DEPLOY_KEY
= secret is accessed outside of a dedicated environment
docs: https://docs.zizmor.sh/audits/#secrets-outside-env

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/clippy_dev.yml:1
| name: Clippy Dev Test
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/clippy_dev.yml:1
| name: Clippy Dev Test
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/clippy_mq.yml:1
| name: Clippy Test (merge queue)
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/clippy_mq.yml:1
| name: Clippy Test (merge queue)
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/clippy_mq.yml:1
| name: Clippy Test (merge queue)
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/clippy_mq.yml:1
| name: Clippy Test (merge queue)
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/clippy_mq.yml:1
| name: Clippy Test (merge queue)
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/lintcheck_summary.yml:1
| name: Lintcheck summary
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/remark.yml:1
| name: Remark
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/remark.yml:1
| name: Remark
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/clippy_mq.yml:48
| name: Install toolchain
= this step
--> .github/workflows/clippy_mq.yml:50
| |
= may expand into attacker-controllable code
--> .github/workflows/clippy_mq.yml:49
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/deploy.yml:74
| name: Deploy
= this step
--> .github/workflows/deploy.yml:77
| |
= may expand into attacker-controllable code
--> .github/workflows/deploy.yml:75
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/lintcheck.yml:40
| name: Checkout current lintcheck
= this step
--> .github/workflows/lintcheck.yml:43
| |
= may expand into attacker-controllable code
--> .github/workflows/lintcheck.yml:41
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/lintcheck.yml:56
| name: Create cache key
= this step
--> .github/workflows/lintcheck.yml:58
| echo "key=lintcheck-base-${{ hashfiles('lintcheck/**') }}-$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
= may expand into attacker-controllable code
--> .github/workflows/lintcheck.yml:58
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/lintcheck.yml:131
| name: Store PR number
= this step
--> .github/workflows/lintcheck.yml:132
| echo ${{ github.event.pull_request.number }} > pr.txt
= may expand into attacker-controllable code
--> .github/workflows/lintcheck.yml:132
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🟡 undocumented-permissions: permissions without explanatory comments
severity: Low, confidence: High
--> .github/workflows/lintcheck_summary.yml:22
| pull-requests: write
= needs an explanatory comment
docs: https://docs.zizmor.sh/audits/#undocumented-permissions

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/clippy_changelog.yml:15
| changelog
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/clippy_changelog.yml:34
| conclusion_changelog
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/clippy_dev.yml:13
| clippy_dev
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/clippy_dev.yml:44
| conclusion_dev
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/clippy_mq.yml:18
| base
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/clippy_mq.yml:91
| metadata_collection
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/clippy_mq.yml:109
| integration_build
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/clippy_mq.yml:143
| integration
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/clippy_mq.yml:198
| conclusion
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/clippy_pr.yml:20
| base
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/clippy_pr.yml:67
| conclusion
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/deploy.yml:21
| deploy
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/lintcheck.yml:22
| base
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/lintcheck.yml:78
| head
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/lintcheck.yml:109
| diff
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/lintcheck_summary.yml:25
| download
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/remark.yml:11
| remark
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/remark.yml:50
| conclusion_remark
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/clippy_changelog.yml:46
| name: Conclusion
= this step
--> .github/workflows/clippy_changelog.yml:49
| |
= may expand into attacker-controllable code
--> .github/workflows/clippy_changelog.yml:47
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/clippy_changelog.yml:46
| name: Conclusion
= this step
--> .github/workflows/clippy_changelog.yml:51
| |
= may expand into attacker-controllable code
--> .github/workflows/clippy_changelog.yml:47
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/clippy_dev.yml:56
| name: Conclusion
= this step
--> .github/workflows/clippy_dev.yml:59
| |
= may expand into attacker-controllable code
--> .github/workflows/clippy_dev.yml:57
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/clippy_dev.yml:56
| name: Conclusion
= this step
--> .github/workflows/clippy_dev.yml:61
| |
= may expand into attacker-controllable code
--> .github/workflows/clippy_dev.yml:57
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/clippy_mq.yml:210
| name: Conclusion
= this step
--> .github/workflows/clippy_mq.yml:213
| |
= may expand into attacker-controllable code
--> .github/workflows/clippy_mq.yml:211
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/clippy_mq.yml:210
| name: Conclusion
= this step
--> .github/workflows/clippy_mq.yml:215
| |
= may expand into attacker-controllable code
--> .github/workflows/clippy_mq.yml:211
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/clippy_pr.yml:79
| name: Conclusion
= this step
--> .github/workflows/clippy_pr.yml:82
| |
= may expand into attacker-controllable code
--> .github/workflows/clippy_pr.yml:80
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/clippy_pr.yml:79
| name: Conclusion
= this step
--> .github/workflows/clippy_pr.yml:84
| |
= may expand into attacker-controllable code
--> .github/workflows/clippy_pr.yml:80
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/remark.yml:62
| name: Conclusion
= this step
--> .github/workflows/remark.yml:65
| |
= may expand into attacker-controllable code
--> .github/workflows/remark.yml:63
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔵 template-injection: code injection via template expansion
severity: Informational, confidence: Low
--> .github/workflows/remark.yml:62
| name: Conclusion
= this step
--> .github/workflows/remark.yml:67
| |
= may expand into attacker-controllable code
--> .github/workflows/remark.yml:63
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection


🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/integration-tests.yml:25
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/integration-tests.yml:51
| actions/upload-artifact@v3
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/integration-tests.yml:66
| actions/download-artifact@v3
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/integration-tests.yml:71
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/integration-tests.yml:25
| uses: actions/checkout@v2
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/integration-tests.yml:71
| uses: actions/checkout@v2
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/integration-tests.yml:1
| name: integration-tests
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/integration-tests.yml:16
| build-linux:
= this job
--> .github/workflows/integration-tests.yml:16
| build-linux:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/integration-tests.yml:56
| build-windows:
= this job
--> .github/workflows/integration-tests.yml:56
| build-windows:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/integration-tests.yml:1
| name: integration-tests
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/integration-tests.yml:1
| name: integration-tests
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/integration-tests.yml:16
| build-linux
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/integration-tests.yml:56
| build-windows
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition


🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:25
| actions/checkout@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:32
| SublimeText/UnitTesting/actions/setup@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:35
| SublimeText/UnitTesting/actions/run-syntax-tests@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/ci.yml:36
| SublimeText/UnitTesting/actions/run-tests@v1
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/docs.yml:11
| actions/checkout@v2
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/ci.yml:25
| uses: actions/checkout@v1
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 artipacked: credential persistence through GitHub Actions artifacts
severity: Medium, confidence: Low
--> .github/workflows/docs.yml:11
| uses: actions/checkout@v2
= does not set persist-credentials: false
docs: https://docs.zizmor.sh/audits/#artipacked

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:1
| name: CI
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/ci.yml:12
| tests:
= this job
--> .github/workflows/ci.yml:12
| tests:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/docs.yml:1
| name: Docs Deploy
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟠 excessive-permissions: overly broad permissions
severity: Medium, confidence: Medium
--> .github/workflows/docs.yml:8
| deploy:
= this job
--> .github/workflows/docs.yml:8
| deploy:
= default permissions used due to no permissions: block
docs: https://docs.zizmor.sh/audits/#excessive-permissions

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/ci.yml:1
| name: CI
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 concurrency-limits: insufficient job-level concurrency limits
severity: Low, confidence: High
--> .github/workflows/docs.yml:1
| name: Docs Deploy
= missing concurrency setting
docs: https://docs.zizmor.sh/audits/#concurrency-limits

🟡 template-injection: code injection via template expansion
severity: Low, confidence: High
--> .github/workflows/ci.yml:26
| run: bash ci/install-rust.sh ${{ matrix.rust }}
= this step
--> .github/workflows/ci.yml:26
| bash ci/install-rust.sh ${{ matrix.rust }}
= may expand into attacker-controllable code
--> .github/workflows/ci.yml:26
| run
= this run block
docs: https://docs.zizmor.sh/audits/#template-injection

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/ci.yml:12
| tests
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition

🔵 anonymous-definition: workflow or action definition without a name
severity: Informational, confidence: High
--> .github/workflows/docs.yml:8
| deploy
= this job
docs: https://docs.zizmor.sh/audits/#anonymous-definition


🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy.yml:16
| actions/checkout@v6
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy.yml:22
| actions/upload-pages-artifact@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
severity: High, confidence: High
--> .github/workflows/deploy.yml:41
| actions/deploy-pages@v4
= action is not pinned to a hash (required by blanket policy)
docs: https://docs.zizmor.sh/audits/#unpinned-uses

🔴 unpinned-uses: unpinned action reference
| severity: High, confidence: High | |
| --> .github/workflows/test.yml:14 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/test.yml:14 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Deploy To GitHub Pages | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/deploy.yml:10 | |
| | build: | |
| = this job | |
| --> .github/workflows/deploy.yml:10 | |
| | build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:1 | |
| | name: Test | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:6 | |
| | test: | |
| = this job | |
| --> .github/workflows/test.yml:6 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/deploy.yml:16 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Deploy To GitHub Pages | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:1 | |
| | name: Deploy To GitHub Pages | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/test.yml:1 | |
| | name: Test | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/deploy.yml:31 | |
| | pages: write | |
| = needs an explanatory comment | |
| --> .github/workflows/deploy.yml:32 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/deploy.yml:10 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/deploy.yml:26 | |
| | deploy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:11 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:28 | |
| | rust-lang/simpleinfra/github-actions/upload-docker-image@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:10 | |
| | name: Checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:5 | |
| | ci: | |
| = this job | |
| --> .github/workflows/main.yml:5 | |
| | ci: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/main.yml:5 | |
| | ci | |
| = this job | |
| --> .github/workflows/main.yml:35 | |
| | secrets.AWS_ACCESS_KEY_ID | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/main.yml:5 | |
| | ci | |
| = this job | |
| --> .github/workflows/main.yml:36 | |
| | secrets.AWS_SECRET_ACCESS_KEY | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/test.yml:44 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/test.yml:45 | |
| | jcs090218/setup-emacs@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/test.yml:48 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/test.yml:51 | |
| | emacs-eask/setup-eask@master | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:15 | |
| | test: | |
| = this job | |
| --> .github/workflows/test.yml:15 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/test.yml:44 | |
| | uses: actions/checkout@v6 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/test.yml:48 | |
| | uses: dtolnay/rust-toolchain@stable | |
| = this step | |
| --> .github/workflows/test.yml:48 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/test.yml:15 | |
| | test | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 dangerous-triggers: use of fundamentally insecure workflow trigger | |
| severity: High, confidence: Medium | |
| --> .github/workflows/ci.yml:4 | |
| | 'on': | |
| = pull_request_target is almost always used insecurely | |
| docs: https://docs.zizmor.sh/audits/#dangerous-triggers | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:31 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:35 | |
| | docker/setup-buildx-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:37 | |
| | docker/login-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:53 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:57 | |
| | dtolnay/rust-toolchain@stable | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:69 | |
| | actions/upload-artifact@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:82 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:86 | |
| | actions/setup-node@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:95 | |
| | pnpm/action-setup@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:104 | |
| | actions/cache@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:120 | |
| | actions/upload-artifact@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:137 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:143 | |
| | ruby/setup-ruby@v1 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:147 | |
| | actions/cache@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:165 | |
| | actions/download-artifact@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:170 | |
| | actions/download-artifact@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:192 | |
| | actions/upload-artifact@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:207 | |
| | actions/download-artifact@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:212 | |
| | actions/download-artifact@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:217 | |
| | aws-actions/configure-aws-credentials@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:227 | |
| | aws-actions/configure-aws-credentials@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:253 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:257 | |
| | docker/setup-buildx-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:259 | |
| | docker/login-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:265 | |
| | docker/login-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/cron.yml:28 | |
| | actions/checkout@v6 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/cron.yml:30 | |
| | docker/setup-buildx-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/cron.yml:32 | |
| | docker/login-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/cron.yml:38 | |
| | docker/login-action@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:3 | |
| | name: Validate everything | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:16 | |
| | build_compiler_images: | |
| = this job | |
| --> .github/workflows/ci.yml:16 | |
| | build_compiler_images: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:47 | |
| | build_backend: | |
| = this job | |
| --> .github/workflows/ci.yml:47 | |
| | build_backend: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:76 | |
| | build_frontend: | |
| = this job | |
| --> .github/workflows/ci.yml:76 | |
| | build_frontend: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:124 | |
| | run_integration_tests: | |
| = this job | |
| --> .github/workflows/ci.yml:124 | |
| | run_integration_tests: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:236 | |
| | release_docker_artifacts: | |
| = this job | |
| --> .github/workflows/ci.yml:236 | |
| | release_docker_artifacts: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/cron.yml:3 | |
| | name: Scheduled rebuild | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/cron.yml:13 | |
| | build_compiler_images: | |
| = this job | |
| --> .github/workflows/cron.yml:13 | |
| | build_compiler_images: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:16 | |
| | build_compiler_images | |
| = this job | |
| --> .github/workflows/ci.yml:41 | |
| | secrets.GH_CONTAINER_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:124 | |
| | run_integration_tests | |
| = this job | |
| --> .github/workflows/ci.yml:185 | |
| | secrets.PLAYGROUND_GITHUB_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:196 | |
| | release_artifacts | |
| = this job | |
| --> .github/workflows/ci.yml:220 | |
| | secrets.AWS_SECRET_ACCESS_KEY | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:236 | |
| | release_docker_artifacts | |
| = this job | |
| --> .github/workflows/ci.yml:263 | |
| | secrets.GH_CONTAINER_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/ci.yml:236 | |
| | release_docker_artifacts | |
| = this job | |
| --> .github/workflows/ci.yml:268 | |
| | secrets.DOCKER_HUB_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/cron.yml:13 | |
| | build_compiler_images | |
| = this job | |
| --> .github/workflows/cron.yml:36 | |
| | secrets.GH_CONTAINER_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/cron.yml:13 | |
| | build_compiler_images | |
| = this job | |
| --> .github/workflows/cron.yml:41 | |
| | secrets.DOCKER_HUB_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yml:30 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yml:52 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yml:81 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yml:136 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/ci.yml:252 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Low, confidence: Low | |
| --> .github/workflows/cron.yml:27 | |
| | name: Checkout code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:3 | |
| | name: Validate everything | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:3 | |
| | name: Validate everything | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:3 | |
| | name: Validate everything | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:3 | |
| | name: Validate everything | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:3 | |
| | name: Validate everything | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:3 | |
| | name: Validate everything | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/cron.yml:3 | |
| | name: Scheduled rebuild | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 superfluous-actions: action functionality is already included by the runner | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:56 | |
| | name: Install Rust | |
| = this step | |
| --> .github/workflows/ci.yml:57 | |
| | dtolnay/rust-toolchain@stable | |
| = use `rustup` and/or `cargo` in a script step | |
| docs: https://docs.zizmor.sh/audits/#superfluous-actions | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:157 | |
| | name: Pull images | |
| = this step | |
| --> .github/workflows/ci.yml:158 | |
| | echo ghcr.io/integer32llc/rust-playground-ci-rust-{stable,beta,nightly}:${{ github.run_id }} | xargs -n1 docker pull --platform linux/amd64 | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:158 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:159 | |
| | name: Rename images | |
| = this step | |
| --> .github/workflows/ci.yml:162 | |
| | |- | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:160 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:204 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:22 | |
| | pages: write | |
| = pages: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:23 | |
| | id-token: write | |
| = id-token: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/check.yml:18 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/check.yml:19 | |
| | extractions/setup-just@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/compile.yml:18 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:39 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:46 | |
| | extractions/setup-just@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:49 | |
| | actions/configure-pages@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:55 | |
| | actions/upload-pages-artifact@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/mdbook.yml:69 | |
| | actions/deploy-pages@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/check.yml:18 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/compile.yml:18 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/mdbook.yml:39 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/check.yml:1 | |
| | name: Validate markdown | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/check.yml:13 | |
| | build: | |
| = this job | |
| --> .github/workflows/check.yml:13 | |
| | build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/compile.yml:1 | |
| | name: Compile Rust code | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/compile.yml:13 | |
| | build: | |
| = this job | |
| --> .github/workflows/compile.yml:13 | |
| | build: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/check.yml:1 | |
| | name: Validate markdown | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/compile.yml:1 | |
| | name: Compile Rust code | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/mdbook.yml:22 | |
| | pages: write | |
| = needs an explanatory comment | |
| --> .github/workflows/mdbook.yml:23 | |
| | id-token: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/check.yml:13 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/compile.yml:13 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/mdbook.yml:33 | |
| | build | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/mdbook.yml:60 | |
| | deploy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/test.yml:16 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/updater.yml:14 | |
| | actions/checkout@v3 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/test.yml:16 | |
| | uses: actions/checkout@v3 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/updater.yml:14 | |
| | uses: actions/checkout@v3 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:3 | |
| | name: Test | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/test.yml:11 | |
| | test: | |
| = this job | |
| --> .github/workflows/test.yml:11 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/updater.yml:3 | |
| | name: Updater | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/updater.yml:9 | |
| | github: | |
| = this job | |
| --> .github/workflows/updater.yml:9 | |
| | github: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/updater.yml:9 | |
| | github | |
| = this job | |
| --> .github/workflows/updater.yml:28 | |
| | secrets.HIGHFIVE_GH_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/updater.yml:9 | |
| | github | |
| = this job | |
| --> .github/workflows/updater.yml:29 | |
| | secrets.DEPLOY_KEY | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/test.yml:3 | |
| | name: Test | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/updater.yml:3 | |
| | name: Updater | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:23 | |
| | packages: write | |
| = packages: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:55 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:120 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:257 | |
| | actions/upload-artifact@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:318 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/dependencies.yml:54 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/dependencies.yml:69 | |
| | actions/upload-artifact@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/dependencies.yml:78 | |
| | actions/upload-artifact@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/dependencies.yml:94 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/dependencies.yml:97 | |
| | actions/download-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/dependencies.yml:101 | |
| | actions/download-artifact@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ghcr.yml:32 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/post-merge.yml:18 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:54 | |
| | name: Checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:119 | |
| | name: checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:317 | |
| | name: checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/dependencies.yml:53 | |
| | name: checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/dependencies.yml:93 | |
| | name: checkout the source code | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/post-merge.yml:18 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ghcr.yml:15 | |
| | name: GHCR image mirroring | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/post-merge.yml:4 | |
| | name: Post merge analysis | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/dependencies.yml:4 | |
| | name: Bump dependencies in Cargo.lock | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/dependencies.yml:4 | |
| | name: Bump dependencies in Cargo.lock | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/dependencies.yml:4 | |
| | name: Bump dependencies in Cargo.lock | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ghcr.yml:15 | |
| | name: GHCR image mirroring | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/post-merge.yml:4 | |
| | name: Post merge analysis | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ghcr.yml:36 | |
| | name: Log in to registry | |
| = this step | |
| --> .github/workflows/ghcr.yml:37 | |
| | echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ghcr.yml:37 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ghcr.yml:36 | |
| | name: Log in to registry | |
| = this step | |
| --> .github/workflows/ghcr.yml:37 | |
| | echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ghcr.yml:37 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ghcr.yml:52 | |
| | name: Mirror DockerHub | |
| = this step | |
| --> .github/workflows/ghcr.yml:76 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ghcr.yml:53 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/post-merge.yml:24 | |
| | name: Perform analysis and send PR | |
| = this step | |
| --> .github/workflows/post-merge.yml:36 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/post-merge.yml:27 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/post-merge.yml:24 | |
| | name: Perform analysis and send PR | |
| = this step | |
| --> .github/workflows/post-merge.yml:38 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/post-merge.yml:27 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/post-merge.yml:24 | |
| | name: Perform analysis and send PR | |
| = this step | |
| --> .github/workflows/post-merge.yml:38 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/post-merge.yml:27 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/post-merge.yml:24 | |
| | name: Perform analysis and send PR | |
| = this step | |
| --> .github/workflows/post-merge.yml:49 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/post-merge.yml:27 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:23 | |
| | packages: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/dependencies.yml:90 | |
| | contents: write | |
| = needs an explanatory comment | |
| --> .github/workflows/dependencies.yml:91 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/ghcr.yml:30 | |
| | packages: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/post-merge.yml:16 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/post-merge.yml:12 | |
| | analysis | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:6 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:6 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | on: push | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:3 | |
| | test: | |
| = this job | |
| --> .github/workflows/ci.yml:3 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 anonymous-definition: workflow or action definition without a name | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | on: push | |
| = this workflow | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | on: push | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:3 | |
| | test | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:4 | |
| | pull-requests: write | |
| = pull-requests: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:5 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:12 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:24 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:35 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/main.yml:44 | |
| | actions/checkout@v2 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:18 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/release.yml:24 | |
| | MarcoIeni/release-plz-action@v0.5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:12 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:24 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:35 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/main.yml:44 | |
| | uses: actions/checkout@v2 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/release.yml:17 | |
| | name: Checkout repository | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:5 | |
| | test: | |
| = this job | |
| --> .github/workflows/main.yml:5 | |
| | test: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:20 | |
| | fuzz_targets: | |
| = this job | |
| --> .github/workflows/main.yml:20 | |
| | fuzz_targets: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:31 | |
| | rustfmt: | |
| = this job | |
| --> .github/workflows/main.yml:31 | |
| | rustfmt: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/main.yml:40 | |
| | publish_docs: | |
| = this job | |
| --> .github/workflows/main.yml:40 | |
| | publish_docs: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 secrets-outside-env: secrets referenced without a dedicated environment | |
| severity: Medium, confidence: High | |
| --> .github/workflows/release.yml:13 | |
| | release-plz | |
| = this job | |
| --> .github/workflows/release.yml:27 | |
| | secrets.CARGO_REGISTRY_TOKEN | |
| = secret is accessed outside of a dedicated environment | |
| docs: https://docs.zizmor.sh/audits/#secrets-outside-env | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yml:1 | |
| | name: Release-plz | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:13 | |
| | name: Install Rust | |
| = this step | |
| --> .github/workflows/main.yml:14 | |
| | rustup update ${{ matrix.rust }} && rustup default ${{ matrix.rust }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:14 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:13 | |
| | name: Install Rust | |
| = this step | |
| --> .github/workflows/main.yml:14 | |
| | rustup update ${{ matrix.rust }} && rustup default ${{ matrix.rust }} | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:14 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:49 | |
| | name: Publish documentation | |
| = this step | |
| --> .github/workflows/main.yml:55 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:50 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/main.yml:49 | |
| | name: Publish documentation | |
| = this step | |
| --> .github/workflows/main.yml:55 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/main.yml:50 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 undocumented-permissions: permissions without explanatory comments | |
| severity: Low, confidence: High | |
| --> .github/workflows/release.yml:4 | |
| | pull-requests: write | |
| = needs an explanatory comment | |
| --> .github/workflows/release.yml:5 | |
| | contents: write | |
| = needs an explanatory comment | |
| docs: https://docs.zizmor.sh/audits/#undocumented-permissions |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:25 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:32 | |
| | actions/cache@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:41 | |
| | actions/cache/restore@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:67 | |
| | actions/cache/save@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/date-check.yml:18 | |
| | actions/checkout@v5 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/date-check.yml:28 | |
| | actions/github-script@v7 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/rustc-pull.yml:12 | |
| | rust-lang/josh-sync/.github/workflows/rustc-pull.yml@main | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/ci.yml:25 | |
| | uses: actions/checkout@v5 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/date-check.yml:17 | |
| | name: Checkout repo | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/ci.yml:13 | |
| | ci: | |
| = this job | |
| --> .github/workflows/ci.yml:13 | |
| | ci: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/date-check.yml:1 | |
| | name: Date-Check | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/date-check.yml:12 | |
| | date-check: | |
| = this job | |
| --> .github/workflows/date-check.yml:12 | |
| | date-check: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rustc-pull.yml:1 | |
| | name: rustc-pull | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟠 excessive-permissions: overly broad permissions | |
| severity: Medium, confidence: Medium | |
| --> .github/workflows/rustc-pull.yml:10 | |
| | pull: | |
| = this job | |
| --> .github/workflows/rustc-pull.yml:10 | |
| | pull: | |
| = default permissions used due to no permissions: block | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:1 | |
| | name: CI | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 concurrency-limits: insufficient job-level concurrency limits | |
| severity: Low, confidence: High | |
| --> .github/workflows/date-check.yml:1 | |
| | name: Date-Check | |
| = missing concurrency setting | |
| docs: https://docs.zizmor.sh/audits/#concurrency-limits | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:54 | |
| | name: Install Dependencies | |
| = this step | |
| --> .github/workflows/ci.yml:57 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:56 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:54 | |
| | name: Install Dependencies | |
| = this step | |
| --> .github/workflows/ci.yml:58 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:56 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:54 | |
| | name: Install Dependencies | |
| = this step | |
| --> .github/workflows/ci.yml:59 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:56 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:72 | |
| | name: Deploy to gh-pages | |
| = this step | |
| --> .github/workflows/ci.yml:75 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:74 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:72 | |
| | name: Deploy to gh-pages | |
| = this step | |
| --> .github/workflows/ci.yml:76 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:74 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:72 | |
| | name: Deploy to gh-pages | |
| = this step | |
| --> .github/workflows/ci.yml:77 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:74 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/ci.yml:72 | |
| | name: Deploy to gh-pages | |
| = this step | |
| --> .github/workflows/ci.yml:84 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/ci.yml:74 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/ci.yml:13 | |
| | ci | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/date-check.yml:12 | |
| | date-check | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/rust.yml:25 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/rust.yml:43 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/rust.yml:55 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/rust.yml:62 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🔴 unpinned-uses: unpinned action reference | |
| severity: High, confidence: High | |
| --> .github/workflows/rust.yml:70 | |
| | actions/checkout@v4 | |
| = action is not pinned to a hash (required by blanket policy) | |
| docs: https://docs.zizmor.sh/audits/#unpinned-uses | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/rust.yml:25 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/rust.yml:43 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/rust.yml:55 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/rust.yml:62 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟠 artipacked: credential persistence through GitHub Actions artifacts | |
| severity: Medium, confidence: Low | |
| --> .github/workflows/rust.yml:70 | |
| | uses: actions/checkout@v4 | |
| = does not set persist-credentials: false | |
| docs: https://docs.zizmor.sh/audits/#artipacked | |
| 🟡 template-injection: code injection via template expansion | |
| severity: Low, confidence: High | |
| --> .github/workflows/rust.yml:46 | |
| | run: | | |
| = this step | |
| --> .github/workflows/rust.yml:47 | |
| | | | |
| = may expand into attacker-controllable code | |
| --> .github/workflows/rust.yml:46 | |
| | run | |
| = this run block | |
| docs: https://docs.zizmor.sh/audits/#template-injection | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:18 | |
| | test | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:31 | |
| | cross-test | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:52 | |
| | fmt | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:59 | |
| | docs | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition | |
| 🔵 anonymous-definition: workflow or action definition without a name | |
| severity: Informational, confidence: High | |
| --> .github/workflows/rust.yml:67 | |
| | clippy | |
| = this job | |
| docs: https://docs.zizmor.sh/audits/#anonymous-definition |
| 🔴 excessive-permissions: overly broad permissions | |
| severity: High, confidence: High | |
| --> .github/workflows/nightly.yml:8 | |
| | contents: write | |
| = contents: write is overly broad at the workflow level | |
| docs: https://docs.zizmor.sh/audits/#excessive-permissions | |
| 🔴 unpinned-images: unpinned image references | |
| severity: High, confidence: High | |
| --> .github/workflows/ci.yml:19 | |
| | image: postgres:16-alpine | |
| = container image is not pinned to a SHA2 |