
Zizmor

After learning about the compromise of kubernetes.el[1] through GitHub Actions, I decided to rethink my own continuous integration usage.

The security aspects had eluded me, but thankfully I discovered a tool called zizmor after several people endorsed it on the Reddit thread discussing the kubernetes.el hack.

Running it on the GitHub Actions workflow I use to build this site, I get:

$ uvx zizmor .
🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed .\.github\workflows\build.yaml
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> .\.github\workflows\build.yaml:18:9
   |
18 |         - name: Checkout code
   |  _________^
19 | |         uses: actions/checkout@v4
   | |_________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

error[template-injection]: code injection via template expansion
  --> .\.github\workflows\build.yaml:49:31
   |
48 |         run: |
   |         --- this run block
49 |           git push origin ${{ github.ref_name }}
   |                               ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[unpinned-uses]: unpinned action reference
  --> .\.github\workflows\build.yaml:19:15
   |
19 |         uses: actions/checkout@v4
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

6 findings (3 suppressed, 2 fixable): 0 informational, 0 low, 1 medium, 2 high

The output is clear and helpfully provides resources to learn more.

Two of the findings (artipacked and template-injection) are fixed automatically with:

uvx zizmor . --fix=all

and the remaining unpinned-uses error, which asks for the action to be pinned to a commit hash rather than a tag, can be fixed with pinact.
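To make the three findings concrete, here is a constructed before/after of the flagged lines (an added illustration, not code from the original post or from the zizmor project). Everything around the flagged lines is assumed, and the commit hash is a placeholder for the one pinact resolves:

```yaml
# Constructed example: a minimal workflow with each zizmor finding from the
# output above, followed by the same steps with the findings addressed.
# Everything except the flagged lines is assumed; the SHA is a placeholder.
name: build

on:
  push:
    branches: [main]

permissions:
  contents: write

jobs:
  build-before:        # the three findings, as zizmor reports them
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4        # unpinned-uses: a tag, not a commit SHA
                                         # artipacked: persist-credentials defaults to true,
                                         # so the token is written into .git/config
      - name: Push
        run: |
          git push origin ${{ github.ref_name }}   # template-injection: expanded before the shell parses it

  build-after:         # the same steps with all three findings addressed
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder: use the SHA pinact resolves)
        with:
          persist-credentials: false     # the token is no longer stored in the checkout
      - name: Push
        env:
          REF_NAME: ${{ github.ref_name }}   # expansion lands in an env var, not in shell source
        run: |
          git push origin "${REF_NAME}"      # the shell sees a quoted variable, never the raw ref name
```

The env-var indirection is the documented fix for template injection: the expression is still expanded, but into an environment variable, so whatever characters a branch name contains are passed to git as data rather than interpreted by the shell. One caveat with `persist-credentials: false`: a later step that pushes no longer has a token available from the checkout, so it must be given one explicitly (for example by passing `secrets.GITHUB_TOKEN` to that step through `env` in the same way), or the push will fail.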

Incidents such as this make me double down on my faith in minimising the number of external dependencies and inspire me to follow in the footsteps of Emacs Solo.

Footnotes:

[1]

This exploit is not novel at all but merely came up on my RSS feed at a time when I'm re-evaluating my GitHub Actions. For a more detailed explanation of a GitHub Actions supply chain attack, see the thorough report by Omer Gil, Aviad Hahami, Asi Greenholts & Yaron Avital from Unit 42 on the tj-actions compromise.

Date: 2026-03-10 Tue 00:00

Emacs 29.3 (Org mode 9.6.15)