This release comes with one new audit (bot-conditions), plus a handful of bugfixes and analysis improvements to existing audits.
One bugfix in this release is also a slight behavior change: zizmor now emits SARIF outputs with absolute paths. This should not affect most users, but may make it slightly harder to share SARIF outputs between machines without fully reproducing exact file paths. If this affects you, please let us know!
New Features 🌈
- New audit: bot-conditions detects spoofable uses of github.actor within dangerous triggers (#460)
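An added illustration of the pattern this audit targets, written for these notes and not taken from zizmor's own implementation: it walks an already-parsed workflow and reports github.actor == '<name>[bot]' gates that sit under a dangerous trigger, while leaving a condition on the pull request author alone. The trigger set, the author-based alternative (github.event.pull_request.user.login) and the two sample workflows are assumptions constructed for the example.

```python
import re

# Triggers under which a `github.actor` gate is spoofable: the actor that
# triggered the run need not be the pull request's author. The set here is an
# assumption for this illustration, not zizmor's own list.
DANGEROUS_TRIGGERS = {"pull_request_target", "workflow_run"}

# `github.actor == '<name>[bot]'` in either operand order, single or double quotes.
BOT_ACTOR_RE = re.compile(
    r"github\.actor\s*==\s*['\"]([^'\"]+\[bot\])['\"]"
    r"|['\"]([^'\"]+\[bot\])['\"]\s*==\s*github\.actor"
)

def triggers(workflow):
    """Normalise the `on:` block, which may be a string, a list or a mapping."""
    on = workflow.get("on", workflow.get(True))  # PyYAML reads a bare `on` key as True
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()

def find_spoofable_bot_conditions(workflow):
    """Return (job, location, bot) for every actor gate under a dangerous trigger."""
    findings = []
    if not triggers(workflow) & DANGEROUS_TRIGGERS:
        return findings
    for job_name, job in workflow.get("jobs", {}).items():
        conditions = [("job", job.get("if"))]
        conditions += [(f"step {i}", s.get("if")) for i, s in enumerate(job.get("steps", []))]
        for where, cond in conditions:
            match = BOT_ACTOR_RE.search(str(cond or ""))
            if match:
                findings.append((job_name, where, match.group(1) or match.group(2)))
    return findings

# Constructed sample workflows (already parsed, as a YAML loader would produce them).
WEAK_WORKFLOW = {
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"automerge": {
        "if": "github.actor == 'dependabot[bot]'",
        "steps": [{"run": "./scripts/automerge.sh"}],
    }},
}
# Same workflow gated on the PR author instead (assumed safer form; not flagged).
HARDENED_WORKFLOW = {**WEAK_WORKFLOW, "jobs": {"automerge": {
    **WEAK_WORKFLOW["jobs"]["automerge"],
    "if": "github.event.pull_request.user.login == 'dependabot[bot]'",
}}}
```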
Improvements 🌱
- The unpinned-uses audit no longer flags local reusable workflows or actions as unpinned/unhashed (#439)
- The excessive-permissions audit has been refactored, and better captures both true positive and true negative cases (#441)
- The SARIF output mode (--format=sarif) now always returns absolute paths in its location information, rather than attempting to infer a (sometimes incorrect) repository-relative path (#453)
- zizmor now provides manylinux wheel builds for aarch64 (#457)
Bug Fixes 🐛
- The template-injection audit no longer considers github.event.pull_request.base.sha dangerous (#445)
- The artipacked audit now correctly handles the strings 'true' and 'false' as their boolean counterparts (#448)
- Expressions that span multiple source lines are now parsed correctly (#461)
- Workflows that contain timeout-minutes: ${{ expr }} are now parsed correctly (#462)