Scope
CodeQL (S1) and SAST tools scan source code. They don't inspect the GitHub Actions YAML itself for workflow-level vulnerabilities: untrusted-input injection into run: blocks, missing or overly-permissive permissions: blocks, secrets leaking via expression-context expansion, third-party actions not pinned by SHA.
The deferred work is to run zizmor or actionlint (ideally both — they cover different rule sets) on every PR.
Acceptance criteria
pr.yaml (or a dedicated workflow-security.yaml) runs zizmor and actionlint on every PR.
- Findings are reported as PR annotations.
- A documented baseline of accepted suppressions (with reason per suppression) lives in
.zizmor.yml / actionlint.yaml.
- The check fails the PR if a new high-severity finding is introduced.
Notes
Scope
CodeQL (S1) and SAST tools scan source code. They don't inspect the GitHub Actions YAML itself for workflow-level vulnerabilities: untrusted-input injection into
run:blocks, missing or overly-permissivepermissions:blocks, secrets leaking via expression-context expansion, third-party actions not pinned by SHA.The deferred work is to run zizmor or actionlint (ideally both — they cover different rule sets) on every PR.
Acceptance criteria
pr.yaml(or a dedicatedworkflow-security.yaml) runszizmorandactionlinton every PR..zizmor.yml/actionlint.yaml.Notes