## New Features 🌈

- New audit: `undocumented-permissions` detects explicit permission grants that lack an explanatory comment (#1131)

  Many thanks to @johnbillion for proposing and implementing this audit!
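A constructed workflow fragment (added here as an illustration, not taken from zizmor's own documentation or test suite) showing the pattern the new audit targets: the first job grants `contents: write` with no comment explaining why, so it is undocumented; the second job carries a justification alongside each explicit grant, which is the form the audit is meant to encourage.

```yaml
name: release
on:
  push:
    tags: ["v*"]

jobs:
  # Undocumented: a reviewer cannot tell why this job needs write access,
  # so a later change could broaden it without anyone noticing.
  undocumented:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4

  # Documented: every explicit grant states the reason it is needed,
  # which is the form that undocumented-permissions accepts.
  documented:
    runs-on: ubuntu-latest
    permissions:
      # needed to upload the built artifact to the GitHub release
      contents: write
      # needed to request an OIDC token for trusted publishing
      id-token: write
    steps:
      - uses: actions/checkout@v4
```

Keeping the reason next to the grant makes least-privilege review part of the normal diff, which is the underlying point of the audit.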
## Enhancements 🌱

- zizmor's configuration discovery behavior has been significantly refactored, making it easier to audit multiple independent inputs with their own configuration files (#1094)

  For most users, this change should cause no compatibility issues. For example, the following commands will continue to load the same configuration files as before:

  ```bash
  zizmor .
  zizmor .github/
  ```

  For other users, the behavior will change, but in a way that's intended to correct a long-standing bug with configuration discovery. In particular, the following command will now behave differently:

  ```bash
  # OLD: would discover config in $CWD
  # NEW: will discover two different configs, one in each of the repos
  zizmor ./repoA ./repoB
  ```

  Separately from these changes, zizmor continues to support `--config <path>` and `ZIZMOR_CONFIG` with the exact same behavior as before. See Configuration - Discovery for a detailed explanation of the new behavior.

- Audit rules can now be disabled entirely in zizmor's configuration. See `rules.<id>.disable` for details (#1132)

- The `obfuscation` audit now supports auto-fixes for many findings (#1088)
## Bug Fixes 🐛

- zizmor now correctly honors `--strict-collection` when collecting from remote inputs. This also means that the default collection strictness has changed for remote inputs to match all other inputs (#1122)

- Fixed a bug where zizmor would crash on certain UTF-8 inputs lacking an explicit final newline, due to a bug in the `annotate-snippets` crate (#1136)