Trail of Bits Blog
We hardened zizmor's GitHub Actions static analyzer
This security study set out to improve zizmor, a static analyzer for GitHub Actions workflows, in order to strengthen CI security. It was motivated by attacks in which workflow misconfigurations are exploited, such as the Trivy compromise. To validate zizmor's capabilities, the team built a test corpus of 41,253 workflows drawn from open-source repositories. Running the corpus showed that YAML anchor usage, while rare, does appear in foundational projects, and the analysis identified and fixed four anchor-handling bugs in zizmor. The team also addressed deserialization edge cases and bugs in the expression evaluator, and aligned that evaluator with GitHub's own tests. The testing approach was straightforward: download real workflows, run zizmor over them, and fix whatever failed. The work resulted in 20 issues filed and 15 pull requests merged. Together these improvements strengthen CI security for open-source projects that use GitHub Actions and help prevent supply-chain attacks.