github woodruffw/zizmor v1.4.0

latest release: v1.4.1
one day ago

This release comes with one new audit (unredacted-secrets), plus a handful of bugfixes and analysis improvements to existing audits. It also comes with improvements to SARIF presentation, ignore comments, as well as an official Docker image!

New Features 🌈🔗

Improvements 🌱🔗

  • SARIF outputs are now slightly more aligned with GitHub Code Scanning expectations (#528)
  • # zizmor: ignore[rule] comments can now have trailing explanations, e.g. # zizmor: ignore[rule] because reasons (#531)
  • The bot-conditions audit now detects github.triggering_actor as another spoofable actor check (#559)

Bug Fixes 🐛🔗

  • Fixed a bug where zizmor would fail to parse workflows with workflow_dispatch triggers that contained non-string inputs (#563)

Upcoming Changes 🚧🔗

  • The next minor release of zizmor will be built with Rust 2024. This should have no effect on most users, but may require users who build zizmor from source to update their Rust toolchain.

Don't miss a new zizmor release

NewReleases is sending notifications on new releases.