
zizmor-codeql.yml

A reusable GitHub Actions workflow for running the Zizmor linter and uploading the results to GitHub Actions.

Key Features

  • Config file: Optionally takes a Zizmor config file as argument. See Zizmor docs for more information.
  • Integration with GitHub Advanced Security (GHAS): Writes the findings as SARIF files, which are uploaded to GitHub Advanced Security.

Prerequisites

Configure GitHub repository

The job that calls this reusable workflow must grant it the following permissions (the usage example below does this):

  permissions:
    security-events: write
    actions: read
    contents: read

Usage

Add a GitHub Actions workflow file .github/workflows/code-scanning.yml in your repository, and add the following recommended configuration:

name: Code scanning

on:
  push:
    branches: [main]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [main]
  schedule:
    # Run every Thursday at midnight
    - cron: "0 0 * * 4"

permissions: {}

jobs:
  analyze-actions:
    name: Analyze GitHub Actions
    permissions:
      security-events: write
      actions: read
      contents: read
    uses: equinor/ops-actions/.github/workflows/zizmor-codeql.yml@main

Inputs

(Optional) config_file

Path to an optional Zizmor config file, as defined in the Zizmor docs. Defaults to null.

Example config file

This example allows the listed action namespaces to be pinned by reference (i.e. a tag or release), while all other actions must be pinned to a full commit SHA:

rules:
  unpinned-uses:
    config:
      policies:
        actions/*: ref-pin
        github/codeql-action/*: ref-pin
        azure/*: ref-pin
        "*": hash-pin

Secrets

None