
Add static analysis for GitHub Action files

Open mrdavidburns opened this issue 1 year ago • 14 comments

Add security checks for GitHub Actions, as action-validator is already integrated.

https://github.com/woodruffw/zizmor will add additional security checks. Let's add it to the github:actions:lint task.

mrdavidburns avatar Feb 03 '25 15:02 mrdavidburns

@mrdavidburns Is it necessary to integrate the Zizmor plugin into drainpipe in the same way as was done for @action-validator?


The @action-validator package has been integrated in the github:actions:lint https://github.com/Lullabot/drainpipe/blob/87d3e9ea1fcd2e231b03bbb73da01bd09bfc23a4/tasks/github.yml#L4-L23 task to facilitate testing this functionality. Please follow the next steps.

  • Create a new Drupal project:
  • git clone https://git.drupalcode.org/project/drupal.git
  • cd drupal
  • ddev config --project-type drupal
  • ddev start
  • ddev composer install
  • ddev composer require drush/drush
  • ddev drush site:install -y
  • ddev launch

Then install drainpipe

  • composer config extra.drupal-scaffold.gitignore true
  • composer config --json extra.drupal-scaffold.allowed-packages "[\"lullabot/drainpipe\", \"lullabot/drainpipe-dev\"]"
  • composer require lullabot/drainpipe
  • composer require lullabot/drainpipe-dev --dev
  • ddev restart

It is necessary to create a workflows and actions directory as follows:

  • .github/workflows
  • .github/actions

You should create a file named example-workflow.yml within either the workflows or actions directory. The contents of this file could be as follows:

name: learn-github-actions
run-name: ${{ github.actor }} is learning GitHub Actions
on: [push]
jobs:
  check-bats-version:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm install -g bats
      - run: bats -v

To test the task, run the command:

ddev task github:actions:lint

In the absence of errors, the output will be devoid of content. However, should modifications be made to the file, for instance:

name: learn-github-actions
run-name: ${{ github.actor }} is learning GitHub Actions
on: [push]
jobs:
  check-bats-version:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm install -g bats
      - run

The output would be:

Fatal error validating .github/workflows/example-workflow.yml
[github:actions:lint] Validation failed: ValidationState {
[github:actions:lint]     action_type: Some(
[github:actions:lint]         Workflow,
[github:actions:lint]     ),
[github:actions:lint]     file_path: Some(
[github:actions:lint]         ".github/workflows/example-workflow.yml",
[github:actions:lint]     ),
[github:actions:lint]     errors: [
[github:actions:lint]         OneOf {
[github:actions:lint]             code: "one_of",
[github:actions:lint]             detail: None,
[github:actions:lint]             path: "/jobs/check-bats-version",
[github:actions:lint]             title: "OneOf conditions are not met",
[github:actions:lint]             states: [
[github:actions:lint]                 ValidationState {
[github:actions:lint]                     action_type: None,
[github:actions:lint]                     file_path: None,
[github:actions:lint]                     errors: [
[github:actions:lint]                         OneOf {
[github:actions:lint]                             code: "one_of",
[github:actions:lint]                             detail: None,
[github:actions:lint]                             path: "/jobs/check-bats-version/steps/3",
[github:actions:lint]                             title: "OneOf conditions are not met",
[github:actions:lint]                             states: [
[github:actions:lint]                                 ValidationState {
[github:actions:lint]                                     action_type: None,
[github:actions:lint]                                     file_path: None,
[github:actions:lint]                                     errors: [
[github:actions:lint]                                         WrongType {
[github:actions:lint]                                             code: "wrong_type",
[github:actions:lint]                                             detail: Some(
[github:actions:lint]                                                 "The value must be object",
[github:actions:lint]                                             ),
[github:actions:lint]                                             path: "/jobs/check-bats-version/steps/3",
[github:actions:lint]                                             title: "Type of the value is wrong",
[github:actions:lint]                                         },
[github:actions:lint]                                     ],
[github:actions:lint]                                 },
[github:actions:lint]                                 ValidationState {
[github:actions:lint]                                     action_type: None,
[github:actions:lint]                                     file_path: None,
[github:actions:lint]                                     errors: [
[github:actions:lint]                                         WrongType {
[github:actions:lint]                                             code: "wrong_type",
[github:actions:lint]                                             detail: Some(
[github:actions:lint]                                                 "The value must be object",
[github:actions:lint]                                             ),
[github:actions:lint]                                             path: "/jobs/check-bats-version/steps/3",
[github:actions:lint]                                             title: "Type of the value is wrong",
[github:actions:lint]                                         },
[github:actions:lint]                                     ],
[github:actions:lint]                                 },
[github:actions:lint]                             ],
[github:actions:lint]                         },
[github:actions:lint]                         WrongType {
[github:actions:lint]                             code: "wrong_type",
[github:actions:lint]                             detail: Some(
[github:actions:lint]                                 "The value must be object",
[github:actions:lint]                             ),
[github:actions:lint]                             path: "/jobs/check-bats-version/steps/3",
[github:actions:lint]                             title: "Type of the value is wrong",
[github:actions:lint]                         },
[github:actions:lint]                     ],
[github:actions:lint]                 },
[github:actions:lint]                 ValidationState {
[github:actions:lint]                     action_type: None,
[github:actions:lint]                     file_path: None,
[github:actions:lint]                     errors: [
[github:actions:lint]                         Properties {
[github:actions:lint]                             code: "properties",
[github:actions:lint]                             detail: Some(
[github:actions:lint]                                 "Additional property 'runs-on' is not allowed",
[github:actions:lint]                             ),
[github:actions:lint]                             path: "/jobs/check-bats-version",
[github:actions:lint]                             title: "Property conditions are not met",
[github:actions:lint]                         },
[github:actions:lint]                         Properties {
[github:actions:lint]                             code: "properties",
[github:actions:lint]                             detail: Some(
[github:actions:lint]                                 "Additional property 'steps' is not allowed",
[github:actions:lint]                             ),
[github:actions:lint]                             path: "/jobs/check-bats-version",
[github:actions:lint]                             title: "Property conditions are not met",
[github:actions:lint]                         },
[github:actions:lint]                         Required {
[github:actions:lint]                             code: "required",
[github:actions:lint]                             detail: None,
[github:actions:lint]                             path: "/jobs/check-bats-version/uses",
[github:actions:lint]                             title: "This property is required",
[github:actions:lint]                         },
[github:actions:lint]                     ],
[github:actions:lint]                 },
[github:actions:lint]             ],
[github:actions:lint]         },
[github:actions:lint]     ],
[github:actions:lint] }

elvism-lullabot avatar Feb 20 '25 19:02 elvism-lullabot
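action-validator only checks the file against the workflow schema, which is why the valid example-workflow.yml above produces no output. The block below is the same workflow with the changes that zizmor's main offline audits ask for, with each change annotated by the audit name it addresses. This is an added example, not code from this thread, from drainpipe or from zizmor: the commit SHA on actions/checkout is the one published for its v4.2.2 tag and must be verified against the upstream release before use, the setup-node pin is left as a tag with a note to pin it the same way, and the "Show commit message" step does not exist in the original workflow; it is added only to show the template-injection pattern and its fix.

```yaml
# .github/workflows/example-workflow.yml, hardened (added example)
name: learn-github-actions
run-name: ${{ github.actor }} is learning GitHub Actions
on: [push]

# excessive-permissions: state the GITHUB_TOKEN scope explicitly instead of
# inheriting the repository default, which may be read/write.
permissions:
  contents: read

jobs:
  check-bats-version:
    runs-on: ubuntu-latest
    steps:
      # unpinned-uses: pin third-party code to a full commit SHA; keep the tag
      # as a comment for readability. Verify the SHA against the release.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # artipacked: do not leave GITHUB_TOKEN in .git/config, where a later
          # upload-artifact step would ship it inside the artifact.
          persist-credentials: false

      - uses: actions/setup-node@v4 # pin to a verified full SHA as above
        with:
          node-version: '20'

      - run: npm install -g bats
      - run: bats -v

      # template-injection (illustrative step, not in the original workflow):
      # never expand attacker-controlled context inside `run:`; the shell sees
      # the expanded text, so a crafted commit message becomes a command.
      #   bad:  run: echo "Commit: ${{ github.event.head_commit.message }}"
      # Pass it through an environment variable instead, so it is data only.
      - name: Show commit message
        env:
          COMMIT_MSG: ${{ github.event.head_commit.message }}
        run: echo "Commit: $COMMIT_MSG"
```

Running zizmor against the two versions side by side (`zizmor .github/workflows/example-workflow.yml`) is the quickest way to see which findings the task would surface for a typical project before wiring it into github:actions:lint.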

@elvism-lullabot Is there a pull request for this? Asking because this ticket is marked In Review.

mrdavidburns avatar Mar 18 '25 18:03 mrdavidburns

We discussed during our sync. This is already being done, as @elvism-lullabot has explained above.

mrdavidburns avatar Mar 18 '25 18:03 mrdavidburns

While action-validator is there, let's add zizmor to do additional security checks on actions.

deviantintegral avatar Mar 18 '25 18:03 deviantintegral

I've tried integrating Zizmor in several different ways so far, but none have fully worked within GitHub Actions:

  • Using uv to run Zizmor via Cargo

  • Using the official Zizmor Docker image

I mount the repository and run the container directly:

docker run --rm -v $(pwd):/repo ghcr.io/zizmorcore/zizmor:1.9.0 /repo/.github/workflows /repo/.github/actions

This works fine locally and generates the expected results, but running it within a GitHub Action doesn't show any visible results. It works fine when run manually or locally, but I haven't been able to get consistent results using the GitHub Action.

Image

This likely requires further investigation, and I'm open to suggestions. cc: @mrdavidburns

@alexis-saransig-lullabot Have you looked into this https://github.com/fabasoad/setup-zizmor-action?

mrdavidburns avatar Jun 04 '25 17:06 mrdavidburns

@alexis-saransig-lullabot Have you looked into this https://github.com/fabasoad/setup-zizmor-action?

No, I haven't. I'll try it when I'm back (finishing other project tickets). Thanks David.

I'll continue with another attempt using @mrdavidburns suggestions.

elvism-lullabot avatar Jul 08 '25 17:07 elvism-lullabot

I added the testZizmor.yml to the GitHub workflows, and it ran successfully. However, github-advanced-security encountered an error here. Could you please review the error? The usage follows the instructions from the README in fabasoad/setup-zizmor-action.

elvism-lullabot avatar Jul 16 '25 18:07 elvism-lullabot
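For the "works locally, nothing visible in the Action" problem and the github-advanced-security error, the pattern that makes zizmor findings appear in the repository's Security tab is to emit SARIF and hand it to github/codeql-action/upload-sarif. The workflow below is an added example following the layout in zizmor's own documentation; it is not the testZizmor.yml from this thread (which I have not seen) and not drainpipe code. The workflow file name is a choice, the checkout SHA is the published one for v4.2.2 and must be verified, and the other two actions are left tag-pinned with a note to SHA-pin them before use.

```yaml
# .github/workflows/zizmor.yml (added example; the file name is a choice)
name: zizmor

on:
  push:
    branches: [main]
  pull_request:

# Deny everything at the workflow level and grant per job.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # upload-sarif fails without this scope
      actions: read            # also required by upload-sarif on private repositories
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - uses: astral-sh/setup-uv@v6 # pin to a verified full SHA

      - name: Run zizmor
        # --format=sarif writes SARIF to stdout. --no-exit-codes keeps this step
        # green even when there are findings, so the upload step always runs
        # and code scanning, not the job status, is what reports them.
        # GH_TOKEN turns on the online audits (known-vulnerable-actions,
        # impostor-commit, ref-confusion); drop it to run offline only.
        run: uvx zizmor --format=sarif --no-exit-codes . > results.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3 # pin to a verified full SHA
        with:
          sarif_file: results.sarif
          category: zizmor
```

Two things to check when the upload step errors: the job must grant `security-events: write` (a workflow-level `permissions: {}` or a read-only repository default removes it), and on a private repository code scanning only accepts SARIF when GitHub Advanced Security is enabled for that repository; public repositories get it without it. If you would rather fail the job than publish alerts, drop `--no-exit-codes` and the upload step and let zizmor's severity-specific exit code gate the PR.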

@mrdavidburns @deviantintegral You can find the list of code scanning results from the Zizmor action for this repository here. Most of them can be remediated following the recommendations here

elvism-lullabot avatar Jul 16 '25 20:07 elvism-lullabot

@elvism-lullabot Now that Zizmor has identified the issues and we have a GitHub page to review them, can you update the PR where the security check ran to include the recommendations, to see what happens when the recommendations start getting implemented? You don't need to address them all, I'm just curious to see what happens when a known issue winds up getting fixed.

mrdavidburns avatar Jul 16 '25 21:07 mrdavidburns

@mrdavidburns I’ve resolved several Zizmor issues. You can see that the Zizmor alerts have been closed here

elvism-lullabot avatar Jul 31 '25 21:07 elvism-lullabot

We're noticing it's identifying some things that appear to be valid and others that are false positives. Next steps are to review the current state of those checks and come up with a plan to address the things it identified.

What we need is a baseline config that removes as many false positives as we can find so if/when we add this feature to drainpipe it's not creating a lot of unnecessary noise for people that enable this feature.

mrdavidburns avatar Aug 07 '25 14:08 mrdavidburns
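A baseline that drainpipe could ship has two layers: the CLI thresholds (`--persona regular` is the default and already hides the pedantic audits; `--min-severity medium --min-confidence high` drops the low-confidence findings that make up most of the noise), and a config file for the cases that are genuine false positives for a particular repository. The file below is an added example, not drainpipe's config and not a file from this thread; it uses the `rules.<audit>.ignore` format from zizmor's documentation for the 1.x releases discussed here (check the installed version's docs if it differs), and the file names and line/column positions in it are placeholders.

```yaml
# .github/zizmor.yml (added example; zizmor also accepts --config <path>)
rules:
  # Each entry is <workflow file name>[:<line>[:<col>]]. Prefer the narrowest
  # form: ignoring a whole file also hides any *new* finding of the same kind
  # that is introduced there later.
  unpinned-uses:
    ignore:
      - example-workflow.yml          # whole file (placeholder name)
  template-injection:
    ignore:
      - release.yml:42:9              # one reviewed location (placeholder)
  excessive-permissions:
    ignore:
      - release.yml                   # placeholder: release job legitimately needs write scopes
```

For a one-off suppression that should live next to the code it covers, zizmor also honours an inline comment on the flagged line, `run: ... # zizmor: ignore[template-injection]`, which keeps the reason reviewable in the diff rather than in a separate file. Whichever layer is used, record why each ignore exists in a comment; a baseline nobody can justify later is how real findings get silenced along with the false positives.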

PR for this ticket appears to be ready for review again

elvism-lullabot avatar Aug 20 '25 14:08 elvism-lullabot