feat: another template injection sink #1385
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test output formats | |
| on: | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| - labeled | |
| permissions: {} | |
| jobs: | |
| test-sarif-presentation: | |
| name: Test SARIF presentation | |
| runs-on: ubuntu-latest | |
| if: contains(github.event.pull_request.labels.*.name, 'test-sarif-presentation') | |
| permissions: | |
| pull-requests: write # for 'Leave comment' step | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 | |
| - name: Run zizmor | |
| run: | | |
| cargo run -- --format sarif . > results.sarif | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3 | |
| with: | |
| sarif_file: results.sarif | |
| category: zizmor-test-sarif-presentation | |
| - name: Leave comment | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| URL: "https://github.com/zizmorcore/zizmor/security/code-scanning?query=pr%3A${{ github.event.pull_request.number }}+is%3Aopen+sort%3Acreated-desc" | |
| run: | | |
| gh pr comment "${PR_NUMBER}" \ | |
| --body ":robot: SARIF results: ${URL}" | |
| test-github-presentation: | |
| name: Test GitHub annotations presentation | |
| runs-on: ubuntu-latest | |
| if: contains(github.event.pull_request.labels.*.name, 'test-github-presentation') | |
| permissions: {} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 | |
| - name: Run zizmor | |
| run: | | |
| # Normally we'd want a workflow to fail if the audit fails, | |
| # but we're only testing presentation here. | |
| cargo run \ | |
| -- \ | |
| --no-exit-codes \ | |
| --format github \ | |
| crates/zizmor/tests/integration/test-data/several-vulnerabilities.yml |