fix(reusable-zizmor): skip empty ZIZMOR_CONFIG variable #1102

zerok · 2025-07-03T11:37:08Z

zizmor out of the box supports the ZIZMOR_CONFIG environment variable with >= 1.8. Unfortunately, it even considers an empty variable and so we have to unset it explicitly in such a scenario.

github-actions · 2025-07-03T12:08:37Z

😢 zizmor failed with exit code 14.

Expand for full output

help[template-injection]: code injection via template expansion
  --> ./.github/workflows/test-get-vault-secrets.yaml:70:22
   |
69 |         run: |
   |         --- help: this run block
70 |           if [[ "${{ env.INSTANCE }}" != "${{ matrix.instance }}" ]]; then
   |                      ------------ help: may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
   --> ./actions/build-push-to-dockerhub/action.yaml:109:22
    |
107 |       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action accepts arbitrary code
108 |       with:
109 |         context: ${{ inputs.context }}
    |         ^^^^^^^      ^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |         |
    |         via this input
    |
    = note: audit confidence → High

help[template-injection]: code injection via template expansion
  --> ./actions/login-to-gcs/action.yaml:81:22
   |
80 |       run: |
   |       --- help: this run block
81 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
   |                      ---------------------------------- help: may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
  --> ./actions/login-to-gcs/action.yaml:82:22
   |
80 |       run: |
   |       --- help: this run block
81 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
82 |           rm -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
   |                      ---------------------------------- help: may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
  --> ./actions/login-to-gcs/action.yaml:85:62
   |
80 |       run: |
   |       --- help: this run block
81 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
...
84 |         else
85 |           echo "::warning::Credentials file not found at ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
   |                                                              ---------------------------------- help: may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
   --> ./actions/push-to-gar-docker/action.yaml:180:22
    |
177 |       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action accepts arbitrary code
178 |       id: build
179 |       with:
180 |         context: ${{ inputs.context }}
    |         ^^^^^^^      ^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |         |
    |         via this input
    |
    = note: audit confidence → High

help[template-injection]: code injection via template expansion
   --> ./actions/push-to-gar-docker/action.yaml:210:22
    |
209 |       run: |
    |       --- help: this run block
210 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
    |                      ---------------------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
   --> ./actions/push-to-gar-docker/action.yaml:211:22
    |
209 |       run: |
    |       --- help: this run block
210 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
211 |           rm -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
    |                      ---------------------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
   --> ./actions/push-to-gar-docker/action.yaml:214:62
    |
209 |       run: |
    |       --- help: this run block
210 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
...
213 |         else
214 |           echo "::warning::Credentials file not found at ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
    |                                                              ---------------------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
   --> ./actions/push-to-gcs/action.yaml:123:22
    |
122 |       run: |
    |       --- help: this run block
123 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
    |                      ---------------------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
   --> ./actions/push-to-gcs/action.yaml:124:22
    |
122 |       run: |
    |       --- help: this run block
123 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
124 |           rm -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
    |                      ---------------------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
   --> ./actions/push-to-gcs/action.yaml:127:62
    |
122 |       run: |
    |       --- help: this run block
123 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
...
126 |         else
127 |           echo "::warning::Credentials file not found at ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
    |                                                              ---------------------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

65 findings (3 ignored, 50 suppressed, 10 fixable): 0 unknown, 0 informational, 10 low, 0 medium, 2 high

github-actions · 2025-07-03T12:08:51Z

😢 zizmor failed with exit code 14.

Expand for full output

help[template-injection]: code injection via template expansion
  --> ./.github/workflows/test-get-vault-secrets.yaml:70:22
   |
69 |         run: |
   |         --- help: this run block
70 |           if [[ "${{ env.INSTANCE }}" != "${{ matrix.instance }}" ]]; then
   |                      ------------ help: may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
   --> ./actions/build-push-to-dockerhub/action.yaml:109:22
    |
107 |       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action accepts arbitrary code
108 |       with:
109 |         context: ${{ inputs.context }}
    |         ^^^^^^^      ^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |         |
    |         via this input
    |
    = note: audit confidence → High

help[template-injection]: code injection via template expansion
  --> ./actions/login-to-gcs/action.yaml:81:22
   |
80 |       run: |
   |       --- help: this run block
81 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
   |                      ---------------------------------- help: may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
  --> ./actions/login-to-gcs/action.yaml:82:22
   |
80 |       run: |
   |       --- help: this run block
81 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
82 |           rm -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
   |                      ---------------------------------- help: may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
  --> ./actions/login-to-gcs/action.yaml:85:62
   |
80 |       run: |
   |       --- help: this run block
81 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
...
84 |         else
85 |           echo "::warning::Credentials file not found at ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
   |                                                              ---------------------------------- help: may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
   --> ./actions/push-to-gar-docker/action.yaml:180:22
    |
177 |       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action accepts arbitrary code
178 |       id: build
179 |       with:
180 |         context: ${{ inputs.context }}
    |         ^^^^^^^      ^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |         |
    |         via this input
    |
    = note: audit confidence → High

help[template-injection]: code injection via template expansion
   --> ./actions/push-to-gar-docker/action.yaml:210:22
    |
209 |       run: |
    |       --- help: this run block
210 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
    |                      ---------------------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
   --> ./actions/push-to-gar-docker/action.yaml:211:22
    |
209 |       run: |
    |       --- help: this run block
210 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
211 |           rm -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
    |                      ---------------------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
   --> ./actions/push-to-gar-docker/action.yaml:214:62
    |
209 |       run: |
    |       --- help: this run block
210 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
...
213 |         else
214 |           echo "::warning::Credentials file not found at ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
    |                                                              ---------------------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
   --> ./actions/push-to-gcs/action.yaml:123:22
    |
122 |       run: |
    |       --- help: this run block
123 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
    |                      ---------------------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
   --> ./actions/push-to-gcs/action.yaml:124:22
    |
122 |       run: |
    |       --- help: this run block
123 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
124 |           rm -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
    |                      ---------------------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

help[template-injection]: code injection via template expansion
   --> ./actions/push-to-gcs/action.yaml:127:62
    |
122 |       run: |
    |       --- help: this run block
123 |         if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
...
126 |         else
127 |           echo "::warning::Credentials file not found at ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
    |                                                              ---------------------------------- help: may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

66 findings (3 ignored, 51 suppressed, 10 fixable): 0 unknown, 0 informational, 10 low, 0 medium, 2 high

zerok · 2025-07-04T05:25:11Z

Closing in favor of #1101

zerok force-pushed the zerok/zizmor-config-fallback branch 6 times, most recently from eaadbd7 to 80eb143 Compare July 3, 2025 11:57

fix(reusable-zizmor): skip empty ZIZMOR_CONFIG variable

3426c2d

zerok force-pushed the zerok/zizmor-config-fallback branch from 80eb143 to 3426c2d Compare July 3, 2025 12:07

zerok marked this pull request as ready for review July 3, 2025 12:15

zerok requested a review from a team as a code owner July 3, 2025 12:15

zerok closed this Jul 4, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(reusable-zizmor): skip empty ZIZMOR_CONFIG variable #1102

fix(reusable-zizmor): skip empty ZIZMOR_CONFIG variable #1102

Uh oh!

zerok commented Jul 3, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Jul 3, 2025

Uh oh!

github-actions bot commented Jul 3, 2025

Uh oh!

zerok commented Jul 4, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

fix(reusable-zizmor): skip empty ZIZMOR_CONFIG variable #1102

fix(reusable-zizmor): skip empty ZIZMOR_CONFIG variable #1102

Uh oh!

Conversation

zerok commented Jul 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Jul 3, 2025

Uh oh!

github-actions bot commented Jul 3, 2025

Uh oh!

zerok commented Jul 4, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

zerok commented Jul 3, 2025 •

edited

Loading