
Add more workflow file linting with Octoscan, Zizmor, and Poutine

Open johnbillion opened this issue 4 months ago • 2 comments

Previously:

  • https://github.com/WordPress/wordpress-develop/pull/8007
  • https://github.com/WordPress/gutenberg/pull/69126

This change:

  • Introduces Octoscan, Zizmor, and Poutine which are tools for linting workflow files for security weaknesses.
  • Fixes some issues in workflow files that were identified by these tools.

Code scanning alerts

These tools all report to GitHub Code Scanning by uploading SARIF reports via the github/codeql-action/upload-sarif action (these tools don't use CodeQL but GitHub groups its code scanning actions under the CodeQL name).

  • This makes the results available on the Security → Code Scanning screen for users with write permission on the repo.
  • Code scanning errors and warnings that are newly introduced in a PR will cause the code scanning to fail. The code scanning job itself won't fail; it will produce a separate "Code scanning results" workflow on the Checks screen which shows the failures, accompanied by an inline annotation on the affected file and line.
  • Existing issues (documented below) will remain in place until fixed or dismissed. They won't affect new PRs, so they behave like a baseline.
    • Note: It's unclear whether the dismissed issues in this branch will carry across to trunk when this gets committed. I suspect not because the PR won't get merged on GitHub. I'll handle it post merge if necessary.

Todo

Results

Some code scanning alerts remain after I dismissed the false positives and closed some non-critical warnings.

Errors

  • ❌ use of fundamentally insecure workflow trigger
    • Refers to the pull_request_target trigger.
    • We're aware that this trigger is fundamentally risky. Need to document it inline and then close the alerts.
  • ❌ Use of "downloadArtifact" in "actions/github-script" action.
    • Need to audit these to ensure the artifact contents are not treated as trusted.
  • ❌ Use of 'actions/checkout' with a custom ref
    • Need to audit these so we're clear on where the refs originate.
  • ❌ Write to $GITHUB_ENV and $GITHUB_OUTPUT in a bash script
    • These are only dangerous if the input is user-controlled. I've closed off all the false positives; the remaining ones need to be reviewed.

Warnings

  • ⚠️ Obfuscated usage of GitHub Actions features
    • Refers to incorrect usage of ${{ true }} instead of true. No security concern but needs an audit.

johnbillion Sep 05 '25 18:09
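The "$GITHUB_ENV and $GITHUB_OUTPUT" finding above only matters when the written value is user-controlled. As an added example (not code from this PR or from WordPress), here is the weak write beside the hardened multi-line form, plus a small checker that shows why a newline in a PR title turns one variable into two; the function names, file handling and the constructed title are assumptions, written for POSIX sh.

```shell
# Added example (not from the PR): writing an untrusted value to $GITHUB_ENV.
# In a workflow the value would arrive via `env:`, never via `${{ }}` inside
# `run:`, so the script text is fixed; the risk is in how the value is written.

# Weak: value interpolated into the key=value line. A value with a newline
# (e.g. a PR title) adds a second line that later steps import as a variable.
unsafe_set_env() {   # unsafe_set_env KEY VALUE ENVFILE
  echo "$1=$2" >> "$3"
}

# Hardened: GitHub's multi-line syntax KEY<<DELIM ... DELIM with a random
# delimiter, re-drawn if the value contains it as a whole line, so the value
# can never close the block early. The key is validated as well.
safe_set_env() {     # safe_set_env KEY VALUE ENVFILE
  key=$1; value=$2; envfile=$3
  case "$key" in
    ""|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid env key: $key" >&2; return 1 ;;
  esac
  while :; do
    delim="ghadelim_$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    printf '%s\n' "$value" | grep -qxF "$delim" || break   # -x: whole line
  done
  {
    printf '%s<<%s\n' "$key" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "$envfile"
}

# Checker: count NAME=value lines outside <<DELIM blocks, i.e. the variables a
# later step would actually receive (the two line forms the file format uses).
count_toplevel_assignments() {   # count_toplevel_assignments ENVFILE
  awk '
    in_block { if ($0 == delim) in_block = 0; next }
    /^[A-Za-z_][A-Za-z0-9_]*<<.+$/ { delim = $0; sub(/^[^<]*<</, "", delim); in_block = 1; next }
    /^[A-Za-z_][A-Za-z0-9_]*=/ { n++ }
    END { print n + 0 }
  ' "$1"
}

# Demo with a constructed PR title that smuggles in an extra assignment.
demo() {
  f=$(mktemp); g=$(mktemp)
  title='Fix typo
INJECTED=1'
  unsafe_set_env PR_TITLE "$title" "$f"; safe_set_env PR_TITLE "$title" "$g"
  echo "unsafe: $(count_toplevel_assignments "$f") assignment(s), hardened: $(count_toplevel_assignments "$g")"
  rm -f "$f" "$g"
}
demo
```

The same reasoning applies to $GITHUB_OUTPUT, which uses the identical line format.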