From b7302880d3b775377d54990f4aee81fd26de97d1 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 19 Nov 2024 10:00:10 -0600 Subject: [PATCH] PYTHON-4969 Add GitHub Actions scanner (#191) * PYTHON-4969 Add GitHub Actions scanner * address findings --- .github/workflows/codeql.yml | 1 + .github/workflows/dist.yml | 1 + .github/workflows/linters.yml | 4 ++++ .github/workflows/test-python.yml | 3 +++ .github/workflows/zizmor.yml | 32 +++++++++++++++++++++++++++++++ 5 files changed, 41 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 17dfc521..ed0b6996 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -42,6 +42,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ inputs.ref }} + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5 with: diff --git a/.github/workflows/dist.yml b/.github/workflows/dist.yml index 05784ec3..878f7839 100644 --- a/.github/workflows/dist.yml +++ b/.github/workflows/dist.yml @@ -22,6 +22,7 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ inputs.ref }} + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5 with: diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml index 75ed8fe5..dcf46d45 100644 --- a/.github/workflows/linters.yml +++ b/.github/workflows/linters.yml @@ -13,6 +13,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.10' @@ -29,6 +31,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: cache: 'pip' diff --git a/.github/workflows/test-python.yml b/.github/workflows/test-python.yml index 6641f2fb..16bfb2e1 100644 --- a/.github/workflows/test-python.yml +++ b/.github/workflows/test-python.yml @@ -23,6 +23,8 @@ jobs: steps: - name: Checkout django-mongodb uses: actions/checkout@v4 + with: + persist-credentials: false - name: install the django-mongodb backend run: | pip3 install --upgrade pip @@ -33,6 +35,7 @@ jobs: repository: 'mongodb-forks/django' ref: 'mongodb-5.0.x' path: 'django_repo' + persist-credentials: false - name: Install system packages for Django's Python test dependencies run: | sudo apt-get update diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..0fbdbd6d --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,32 @@ +name: GitHub Actions Security Analysis with zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +jobs: + zizmor: + name: zizmor latest via Cargo + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + - name: Setup Rust + uses: actions-rust-lang/setup-rust-toolchain@v1 + - name: Get zizmor + run: cargo install zizmor + - name: Run zizmor + run: zizmor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor