github zizmorcore/zizmor v1.26.0


New Features 🌈

  • New audit: typosquat-uses detects uses: clauses that reference likely typoed actions (#1985)

    Many thanks to @andrew for proposing and implementing this improvement!

  • New audit: unsound-ternary detects pseudo-ternary expressions that don't evaluate as expected (#2085)

    Many thanks to @terror for proposing and implementing this improvement!

  • New audit: adhoc-packages detects run: steps that install packages in an ad-hoc manner (#2061)

    Many thanks to @connorshea for proposing and implementing this improvement!
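
The unsound-ternary audit above targets the `${{ cond && A || B }}` idiom. GitHub Actions has no ternary operator; `&&` yields its right operand when the left is truthy and otherwise the left, and `||` yields its left operand when truthy and otherwise the right, so the idiom only behaves like a ternary when A is truthy. The following is an added example, not zizmor's own code: it models those documented semantics, shows that a falsy literal A (such as '' or 0) makes the expression yield B regardless of cond, and runs a regex-based check over a constructed workflow fragment. The sample workflow, the function names, and the exact heuristic are assumptions of this example, not the audit's implementation.

```python
"""Added example (not zizmor's own code): why `${{ cond && A || B }}` is an
unsound ternary in GitHub Actions, plus a small checker that flags the shape.

GitHub's documented expression semantics:
  * falsy values are false, 0, -0, '', and null; everything else is truthy
  * `x && y` yields y when x is truthy, otherwise x
  * `x || y` yields x when x is truthy, otherwise y
So `cond && A || B` only behaves like a ternary when A is truthy. If A is a
falsy literal ('' or 0), the expression yields B no matter what cond is.
"""
import re

# Sentinel for operands that are context references (inputs.x, matrix.y, ...)
# rather than literals; their truthiness cannot be known statically.
NOT_A_LITERAL = object()


def gha_truthy(value) -> bool:
    """Truthiness as GitHub Actions defines it for expression values."""
    if value is None or value is False:
        return False
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        return value != ""
    return True


def pseudo_ternary(cond, when_true, when_false):
    """Evaluate `cond && when_true || when_false` with GitHub's short-circuit rules."""
    and_result = when_true if gha_truthy(cond) else cond
    return and_result if gha_truthy(and_result) else when_false


def parse_literal(token: str):
    """Turn an expression token into a Python value, or NOT_A_LITERAL.

    GitHub strings are single-quoted, with '' as the escape for a literal quote.
    """
    if len(token) >= 2 and token[0] == token[-1] == "'":
        return token[1:-1].replace("''", "'")
    if token in ("true", "false"):
        return token == "true"
    if token == "null":
        return None
    try:
        return float(token) if "." in token else int(token)
    except ValueError:
        return NOT_A_LITERAL


# One operand: a single-quoted string, or a bare token (number, keyword, context path).
_OPERAND = r"'(?:[^']|'')*'|[^\s&|}]+"
_TERNARY = re.compile(
    r"\$\{\{\s*(?P<cond>[^{}]+?)\s*&&\s*(?P<a>" + _OPERAND + r")"
    r"\s*\|\|\s*(?P<b>" + _OPERAND + r")\s*\}\}"
)


def find_unsound_ternaries(workflow_text: str) -> list:
    """Flag `${{ cond && A || B }}` where A is a falsy literal.

    Heuristic (an assumption of this example, not zizmor's exact rule): a
    single-quoted or numeric A that is falsy can never be selected, so the
    expression always yields B.
    """
    findings = []
    for m in _TERNARY.finditer(workflow_text):
        a_value = parse_literal(m.group("a"))
        if a_value is NOT_A_LITERAL or gha_truthy(a_value):
            continue  # unknown truthiness, or a sound ternary
        findings.append({
            "expression": m.group(0),
            "truthy_branch": m.group("a"),
            "always_yields": m.group("b"),
        })
    return findings


# Constructed workflow fragment for the demo; not taken from any real repository.
SAMPLE_WORKFLOW = """\
    - uses: actions/setup-python@v5
      with:
        python-version: ${{ matrix.python || '3.12' }}
    - run: pip install -e . ${{ inputs.verbose && '' || '--quiet' }}
      timeout-minutes: ${{ inputs.fast && 0 || 30 }}
      env:
        CACHE_KIND: ${{ inputs.cache && 'pip' || '' }}
"""

if __name__ == "__main__":
    # The 'verbose' branch is unreachable: both cond values produce '--quiet'.
    print(pseudo_ternary(True, "", "--quiet"), pseudo_ternary(False, "", "--quiet"))
    for f in find_unsound_ternaries(SAMPLE_WORKFLOW):
        print(f"unsound: {f['expression']} always yields {f['always_yields']}")
```

The usual repair is to swap the operands so the falsy literal is the fallback: `${{ !inputs.verbose && '--quiet' || '' }}` selects '--quiet' when the input is unset and '' otherwise, because the only falsy value now sits in the `||` position where it is allowed to be.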

Enhancements 🌱

Performance Improvements 🚄

  • Most online audits are significantly faster, thanks to more precise retry handling (#2036)

Bug Fixes 🐛

  • Fixed a bug where zizmor's LSP would not recognize dependabot.yaml files in its default configuration (#2026)

    Many thanks to @fionn for implementing this fix!

  • Fixed a bug where ref-version-mismatch would fail to fully match some version comments (#2040)

  • Fixed a bug where dependabot-cooldown would fail to honor the user's configured days when performing autofixes (#2055)

  • Steps and jobs gated by statically-false if: conditions (e.g. if: false, if: ${{ false }}) are now skipped during auditing, since they cannot execute (#2059, #2069)

  • Fixed a bug where ref-version-mismatch would fail to identify some valid version comments (#2073)

  • Fixed a bug where unpinned-images would incorrectly flag empty matrix expansions as unpinned container image references (#2102)

  • Fixed a bug where unpinned-images would incorrectly flag some matrix expansions as unpinned (#2098)

  • The SARIF (--format=sarif) and GitHub Annotations (--format=github) output formats now emit more correct and useful paths, particularly when the user passes a relative path to zizmor rather than running zizmor . (#1748, #2095)

Changes ⚠️

  • The impostor-commit audit no longer suggests auto-fixes, to avoid incorrectly minimizing the amount of manual remediation work needed (#2054)

  • The JSON and SARIF outputs no longer contain a misleading prefix key (#2095)
