Zizmor Can Help You Secure GitHub Actions

Are you running the zizmor project on your GitHub Actions YAML?

Hey folks,

Are you running the zizmor security analysis tool on your GitHub Actions configuration?

I think it's critical nowadays.

GitHub Actions is vying to be the front runner for worst-vulnerabilities-of-the-year award. It's a crowded market this year. A security issue from a compromised GitHub Action is not a "maybe someday" problem: it's a major problem today.

zizmor is a static analysis tool for GitHub Actions security, named for an American dermatologist, Jonathan Zizmor. It can find common security issues in GitHub Actions CI/CD setups, such as template injection vulnerabilities, accidental credential persistence, excessive permissions and impostor commits.

Here is what we're doing with zizmor at Masterpoint:

  1. We're rolling it out across all of Masterpoint's repos.

  2. We're deploying it at one of the Fortune 500s we support and will be doing so for others.

  3. We pushed the good folks at Trunk (we use their OSS trunk-action) to support it. They acted quickly and started SHA pinning all of their actions and included zizmor in their toolchain.

Since this is a new rollout for us, we’re still considering how to handle any issues found in third-party actions we don't own. If you are using zizmor and have thoughts, please reply and let me know.

Here's our first zizmor PR on the terraform-spacelift-automation repo if you want to see what the integration looks like. It as merged in May. The decisions on this repo are a template for our other repositories.

This PR adds a new workflow that runs zizmor on every push to main and every pull request. It also fixes all the security and quality issues zizmor flagged across existing workflow files.

We're seeing zizmor as a requirement for our internal work going forward and suggesting the same to our clients who use GitHub Actions. Check it out yourself and let me know what you think!

May your GitHub Actions always be secure,

Matt @ Masterpoint

PS If you want to chat about zizmor or other ways to improve your CI/CD security posture, grab some time on my calendar here. If you’ve found this newsletter helpful, please forward it to a friend. Or if you want to share on your company slack, here’s the archive of all my newsletters.