
🧪 Integrate Zizmor checks into GHA CI/CD 🌈#16268

Open
webknjaz wants to merge 1 commit into ansible:devel from webknjaz:maintenance/gha-security-zizmor

Conversation

@webknjaz
Member

@webknjaz webknjaz commented Feb 9, 2026

This linter guards against common insecure setups in GitHub Actions and Workflows. It is authored and maintained by a member of the PyPA, a contributor to PyPI and a former employee of Trail of Bits.

Ref: https://zizmor.sh

Summary by CodeRabbit

  • Chores
    • Added a new CI job to the pipeline to standardize checks and linting across runs.
    • Configured the job with explicit permissions for updating security-related events to enable automated reporting.
    • The update reuses an existing, shared workflow definition to ensure consistent behavior and simplify maintenance.

@webknjaz
Member Author

webknjaz commented Feb 9, 2026

cc @AlanCoding @thedoubl3j

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@webknjaz webknjaz force-pushed the maintenance/gha-security-zizmor branch from 38a8fe3 to 7a16c63 on February 9, 2026 16:31
@AlanCoding
Member

Checks aren't working, try rebase

And I looked at the overview:

https://github.com/ansible/awx/security/code-scanning?query=pr%3A16268+is%3Aopen

and correct me if I'm wrong, but it seems to be the same as the SonarCloud output? Is that the intent? We already see these regularly. @chrismeyersfsu started addressing some of the issues, but seems to be a manual process, which makes no sense. I'm fine to get a patch for each of the issues, approve+merge or reject. Because I see no reason that can't be automated.... but I guess I don't see what this does that helps?

@webknjaz
Member Author

webknjaz commented Feb 10, 2026

Checks aren't working, try rebase

This was because of GitHub's outage yesterday. Rebased now to re-trigger.

And I looked at the overview:

https://github.com/ansible/awx/security/code-scanning?query=pr%3A16268+is%3Aopen

and correct me if I'm wrong, but it seems to be the same as the SonarCloud output?

No idea, that page is a 404 for me as I don't have access to see it.
FWIW, I don't have any evidence of SonarCloud being able to perform analysis of GHA patterns. Zizmor is a trailblazer in many regards and it leads the way when it comes to securing Python ecosystem projects. It's open source and is a de-facto standard tool used across many fundamental projects in the ecosystem, including CPython itself and most of the Ansible Community, PyPA and PyCA projects: https://docs.zizmor.sh/trophy-case/. It's really a no-brainer.

FTR, I've never seen SonarCloud assessing security and common issues with setting up GHA, nor have I seen it being configurable. It's a black box that does something but it was never useful to me. Maybe @woodruffw knows of a better comparison.

Is that the intent? We already see these regularly. @chrismeyersfsu started addressing some of the issues, but seems to be a manual process, which makes no sense. I'm fine to get a patch for each of the issues, approve+merge or reject. Because I see no reason that can't be automated.... but I guess I don't see what this does that helps?

This basically helps avoid using commonly known insecure practices in GH Actions+Workflows. And yes, it automates checking for typical mistakes. You aren't limited to seeing the reports in GH UI — it can be invoked locally, I just wanted to start w/ the integration that would surface new problems in PRs right away. It also has an auto-fixing mode where possible: https://docs.zizmor.sh/usage/#auto-fixing-results

Here's the list of rules it currently checks, with a well-written explanation for each: https://docs.zizmor.sh/audits/

@webknjaz webknjaz force-pushed the maintenance/gha-security-zizmor branch from 7a16c63 to b1bd8d2 on February 10, 2026 14:48
@woodruffw

FTR, I've never seen SonarCloud assessing security and common issues with setting up GHA, nor have I seen it being configurable. It's a black box that does something but it was never useful to me. Maybe @woodruffw knows of a better comparison.

Yeah, I'm not aware of a commercial product that has a similar footprint. I know a few commercial tools have begun to integrate or use zizmor internally though, so I suppose it isn't out of the question that SonarCloud does that for zizmor. But I wouldn't know for certain 🙂

(The closest equivalents I'm aware of are GitHub's own CodeQL, plus poutine from Boost Security. But I feel somewhat confident in saying that zizmor has the best coverage + actionability defaults of the major tools.)

@AlanCoding
Member

I see, it does seem different. Zizmor gives 138 items, SonarCloud gives 1,146, and when I dive in, some are qualitatively reporting the same thing (like an unpinned GitHub Action reference) but worded differently.

@webknjaz
Member Author

@AlanCoding there may be some overlap. However, I haven't seen SonarCloud explaining things well anyway. Plus I can't run it locally. I don't understand what the problem is with having a superior tool integrated: it's non-blocking.

@webknjaz webknjaz force-pushed the maintenance/gha-security-zizmor branch from b1bd8d2 to 9fb085e on February 18, 2026 14:22
@coderabbitai

coderabbitai bot commented Feb 18, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 1a6c4bc and 2b40ade.

📝 Walkthrough

Walkthrough

Adds a new GitHub Actions job zizmor to the CI workflow with name: 🌈 zizmor, permissions: security-events: write, a yamllint line-length directive comment, and a uses reference to reuse an external workflow. No other workflow logic or steps changed.

Changes

Cohort / File(s) Summary
GitHub Actions Workflow
.github/workflows/ci.yml
Adds a new zizmor job: sets name, grants security-events: write permission, includes # yamllint disable-line rule:line-length, and references an external reusable workflow via uses: zizmorcore/workflow/...@1e20adb0862e9....

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly describes the main change: integrating Zizmor checks into GitHub Actions CI/CD, which matches the PR's core objective of adding a new Zizmor job to the CI workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

454-460: Consider adding timeout-minutes to guard against runaway executions.

Every other job in this workflow caps execution time (60 min, 30 min, or 10 min). The zizmor job has no timeout-minutes, so if the reusable workflow hangs, it defaults to GitHub's 6-hour maximum and blocks the PR for that duration.

✏️ Proposed addition
  zizmor:
    name: 🌈 zizmor
+   timeout-minutes: 10
    permissions:
      security-events: write
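
Review bot: timeout-minutes is not an accepted key on a job that calls a reusable workflow with uses (the zizmor job here does, via zizmorcore/workflow/.github/workflows/reusable-zizmor.yml), so the proposed `+   timeout-minutes: 10` line would make the workflow fail validation rather than cap the run. The job-level keys GitHub allows on such a caller are name, uses, with, secrets, strategy, needs, if, permissions and concurrency; a runtime cap has to be set inside the called workflow's own jobs, or the caller accepts the default.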
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 454-460: The job-level permissions for the zizmor job currently
only set security-events: write, which will leave contents disabled and break
steps (like actions/checkout) inside the reusable workflow; update the zizmor
job's permissions block to include contents: read (e.g., add contents: read
alongside security-events: write) so the reusable workflow can perform
repository checkout/reads when it invokes actions/checkout inside the referenced
reusable workflow.


@pb82
Contributor

pb82 commented Feb 23, 2026

@webknjaz so does Zizmor only look at Github Actions? It found many issues in this PR, but it looks like only in the workflows folder.

@webknjaz
Member Author

@pb82 yes, it's heavily focused on GHA which is mostly the workflows dir. Some of the checks it implements are based on GitHub's security section of their blog, while others are William's original ideas (I think there's one that's a result of collaboration w/ me), AFAIK. But I'd say that its checks reach beyond GHA while still in that category, for example: https://docs.zizmor.sh/audits/#impostor-commit.

@webknjaz webknjaz force-pushed the maintenance/gha-security-zizmor branch from 9fb085e to 1a6c4bc on February 23, 2026 17:17
@woodruffw

Confirming everything @webknjaz said 🙂

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)

454-460: Consider adding timeout-minutes to bound the job.

Every other job in this workflow sets an explicit timeout-minutes. Reusable workflow calls default to 360 minutes without one; a security-scanning job like this should finish in under a minute.

⏱️ Suggested addition
  zizmor:
    name: 🌈 zizmor
+   timeout-minutes: 10
    permissions:
      security-events: write
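
Review bot: the suggested hunk leaves the job's permissions block at `security-events: write` alone. Once a job lists any permission, every scope it does not list (contents included) is set to none for that job, and a called reusable workflow can only downgrade, never raise, what the caller grants; so the checkout step inside reusable-zizmor.yml runs with a token that cannot read repository contents. The earlier inline comment already asked for `contents: read` next to `security-events: write`; this suggestion should carry it too.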

459-460: The pinned SHA 1e20adb0862e932363a4d85d68c92e5cc6fcb5d4 is legitimate and trustworthy. It's a recent commit (Feb 9, 2026) by Sviatoslav Sydorenko that updates dependencies, including the SARIF uploader to a non-deprecated API. No supply-chain concerns.

Consider adding timeout-minutes: 10 to the zizmor job; a security scan should complete quickly, and an explicit timeout prevents runaway jobs.



📥 Commits

Reviewing files that changed from the base of the PR and between 9fb085e and 1a6c4bc.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

@webknjaz
Member Author

@pb82 @AlanCoding in case you're curious what kind of exploits Zizmor is capable of catching: https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection.
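
As an added illustration of the two rule classes that come up in this thread (an unpinned action reference, and untrusted event data interpolated into a run: script, the class of bug behind the ultralytics write-up linked above), here is a small stand-alone checker. It is not zizmor's code and not part of AWX: the two sample workflows are constructed for the example, the action SHA in the fixed version is a placeholder rather than a real commit, and the line-oriented YAML handling and the list of "untrusted" expression roots are deliberate simplifications (zizmor parses workflows properly and implements many more audits, listed at https://docs.zizmor.sh/audits/).

```python
import re

# Full-length commit SHA: the only `uses:` ref whose content cannot move after review.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")

# Expression roots an outside contributor can influence (PR title/body, branch
# names, ...). Simplified, illustrative list; not zizmor's classification.
UNTRUSTED_PREFIXES = ("github.event.", "github.head_ref", "github.ref_name")


def is_pinned(ref: str) -> bool:
    """True for `owner/repo[/path]@<40-hex-sha>`; local paths and images are out of scope here."""
    if ref.startswith(("./", "docker://")):
        return True
    if "@" not in ref:
        return False
    return bool(SHA_RE.match(ref.rsplit("@", 1)[1]))


def untrusted_exprs(text: str) -> list[str]:
    """Expressions in `text` whose value attacker-controlled input can reach."""
    return [e for e in EXPR_RE.findall(text) if e.startswith(UNTRUSTED_PREFIXES)]


def scan(workflow: str) -> list[tuple[int, str, str]]:
    """Return (line_no, rule, detail) findings for one workflow file's text.

    Line-oriented on purpose: a `run: |` block scalar is tracked by indentation
    instead of parsing YAML, which is enough for the shapes shown below.
    """
    findings = []
    run_indent = None  # indentation of the `run:` key while inside its block scalar
    for no, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((no, "unpinned-uses", m.group(1)))
            continue
        m = RUN_RE.match(line)
        if m:
            body = m.group(2).strip()
            if body in ("|", "|-", ">", ">-"):
                run_indent = len(m.group(1))  # script follows on deeper-indented lines
                continue
            run_indent = None
            for e in untrusted_exprs(body):  # inline form: run: echo ${{ ... }}
                findings.append((no, "template-injection", e))
            continue
        if run_indent is not None:
            stripped = line.lstrip(" ")
            if stripped and len(line) - len(stripped) <= run_indent:
                run_indent = None  # dedent: the block scalar ended
            else:
                for e in untrusted_exprs(line):
                    findings.append((no, "template-injection", e))
    return findings


# Constructed sample, not a real AWX workflow: a mutable tag and untrusted PR
# data pasted straight into shell, where the expression is expanded before
# the shell ever runs.
INSECURE = """\
name: ci
on:
  pull_request:
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo title
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
      - run: echo "${{ github.head_ref }}"
"""

# Same job hardened: SHA-pinned action (placeholder SHA, not a real commit) and
# the untrusted value passed through an env var so the shell never re-parses it.
FIXED = """\
name: ci
on:
  pull_request:
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Echo title
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $TITLE"
"""

if __name__ == "__main__":
    for label, text in (("insecure", INSECURE), ("fixed", FIXED)):
        print(f"{label}: {scan(text) or 'no findings'}")
```

Running the script reports the mutable `@v4` ref and both interpolated expressions for the first workflow and nothing for the second; the same pattern (move the expression into `env:` and reference the variable from the script) is the fix zizmor's own template-injection docs describe.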

@webknjaz webknjaz force-pushed the maintenance/gha-security-zizmor branch from 1a6c4bc to 2b40ade on March 4, 2026 12:07
4 participants