ci: resolve zizmor findings in github action workflows#3103
Conversation
add9a37 to
05819f9
Compare
mkulke
left a comment
There was a problem hiding this comment.
Can we make sure that this is is enforced continuously by the CI?
Are you proposing that we set |
not sure, don't we have a zizmor workflow that processes all workflows? it feels a bit odd that we manually address individual problems, what if the next person refactors something and re-introduces a template injection? |
We do have a zizmor workflow - as I said the default behaviour of it is to just report into https://github.com/confidential-containers/cloud-api-adaptor/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3Azizmor, which hides things rather, so we could switch as I suggested to get a failure to show up on the CI job if there are issues. We will have quite a lot of failures there as we seem to have ~75 issues at the moment, but if it means we clean them up more, it would be a good thing. |
oof, I see. that would be more red ci, but yeah, I don't think it makes sense to keep openeing PRs for individual files. usually those are fixable quickly and we could assign an agent to the issue. |
Ok, so I guess the next step is to switch the zizmor reporting and see what shows up? |
|
#3119 shows the output of switching the reporting into the job, rather than github |
|
@siddu-os - do you think you can use Bob to fix all the resolve template injection issues in this PR please and then we can cut down on the number of PRs and reviews required as Magnus suggests? |
Sure, @stevenhorsman. I'll coordinate with the team and make sure all the remaining zizmor template injection fixes are included in this PR rather than split across multiple PRs. Thank you. |
5a57878 to
950a46a
Compare
|
|
950a46a to
4bfe153
Compare
106b8b3 to
b6cf221
Compare
|
@siddu-os it looks like there are still multiple |
810ac6f to
b80123e
Compare
|
this one might be tough to resolve. I think we need to scrutinize the workflows split them accordingly. libvirt doesn't need any environment from the repo to run the tests. they should be able to launch on a fork. I think the same is true for byom, they don't need pull_request_target. AWS will require secrets from the main repo, s390x will require special runners, so they would be in a group that have to use pull_request_target. Currently AFAIU s390x e2e tests are also covered by the test_e2e_libvirt flag, I suggest adding a discrete label |
b80123e to
6a29f76
Compare
There was a problem hiding this comment.
LGTM as long is it doesn't clash with other changes. I think it will be blocked by #3130 which fixes the govulncheck issue though. Thanks
|
@siddu-os: needs a rebase, if you feel the pull_request_target error is too complex to fix for you we can leave that error unresolved and address it in a separate PR. but it would be good to address all other warnings and notices that zizmor currently flags |
Move inputs.podvm_image to PODVM_IMAGE environment variable to prevent code injection. Also add quotes around PODVM_IMAGE variable to fix shellcheck SC2086. Remove template expansion from line 188 to prevent code injection. Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Move template expressions to environment variables to prevent code injection. Changes: - inputs.registry → REGISTRY (line 170) - inputs.arch → ARCH (line 174) - inputs.image_tag → IMAGE_TAG (lines 179, 180) Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Fix template injection in three more workflows: - azure-e2e-test.yml:159 - Move matrix.parameters.jitter to JITTER env var - build.yaml:57 - Move matrix.type to BUILD_TYPE env var - test-images.yaml:60 - Move matrix.targets to MATRIX_TARGET env var These changes prevent code injection via template expansion by moving untrusted inputs to environment variables instead of inline expansion. Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
6a29f76 to
40800b9
Compare
stevenhorsman
left a comment
There was a problem hiding this comment.
Thanks for all the changes, but we need the job names to match the ids for backwards compatibility
| run: make docker-build | ||
|
|
||
| webhook: | ||
| name: Build webhook |
There was a problem hiding this comment.
Can you update the names to match the ids please so webhook in this case, otherwise the test pre-req and required tests will break.
There was a problem hiding this comment.
All zizmor warnings and notices are now addressed with job names matching their IDs.
Thanks for the review.
Fix workflow security issues identified by zizmor scan: 1. Added job names to 7 workflows (Notices) - actionlint.yaml: run-actionlint job - build.yaml: webhook and cloud-provider jobs - e2e_on_pull.yaml: authorize job - e2e_run_all.yaml: libvirt_e2e_arch_prep job - podvm_smoketest.yaml: build and test jobs - test-images.yaml: list-dockerfiles job 2. Added concurrency limits to 4 workflows (Warnings) - podvm_mkosi.yaml - podvm_smoketest.yaml - scorecard.yaml - test-images.yaml 3. Added explanatory comments for permissions in 13 instances (Warnings) - daily-e2e-tests.yaml - e2e_on_pull.yaml - e2e_run_all.yaml (4 instances) - lib-codeql.yaml - lint.yaml - podvm_publish.yaml - publish_images_on_push.yaml (2 instances) - release.yaml (2 instances) - scorecard.yaml - test-images.yaml - webhook_image.yaml 4. Fixed secrets environment issue (Warning) - test-images.yaml: Added production environment for secret access These changes improve workflow security and clarity without affecting functionality. Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
fdfe81e to
02a28c2
Compare
I agree this should be addressed separately. All other zizmor findings are now resolved - Thanks a lot for the review. |
This PR fixes 7 template injection vulnerabilities across 2 workflow files identified by zizmor security scanner.
Problem:
The workflows were directly interpolating user-controlled inputs into shell commands without proper sanitization. This creates a security risk where malicious input containing shell metacharacters could potentially be used for command injection attacks.
Vulnerable Code Locations
podvm_mkosi.yaml (6 issues):
Line 174: image=${{ inputs.registry }}/podvm-generic-fedora - Direct interpolation in shell variable
Line 178: image=${image}-${{ inputs.arch }} - Direct interpolation in shell variable
Line 183: if [ -n "${{ inputs.image_tag }}" ] && [ "${{ inputs.image_tag }}" != "${tag}" ] - Direct interpolation in conditional (2 occurrences)
Line 184: oras push "${image}:${{ inputs.image_tag }}" - Direct interpolation in oras command
Line 221: echo "image=${{ inputs.registry }}/podvm-docker-image-${arch}:${tag}" - Direct interpolation in output variable
e2e_libvirt.yaml (1 issue):
Line 112: oras pull ${{ inputs.podvm_image }} - Direct interpolation in oras command
Solution
Following GitHub Actions security best practices, all template expressions have been moved to environment variables in the env: block. GitHub Actions automatically escapes environment variable values, preventing injection attacks.
Changes Made
podvm_mkosi.yaml:
Added env: block:
env:
REGISTRY: ${{ inputs.registry }}
ARCH: ${{ inputs.arch }}
IMAGE_TAG: ${{ inputs.image_tag }}
Replaced template expressions:
${{ inputs.registry }} → ${REGISTRY} (2 occurrences)
${{ inputs.arch }} → ${ARCH} (1 occurrence)
${{ inputs.image_tag }} → ${IMAGE_TAG} (3 occurrences)
e2e_libvirt.yaml:
Added env: block:
env:
PODVM_IMAGE: ${{ inputs.podvm_image }}
Replaced template expression:
${{ inputs.podvm_image }} → ${PODVM_IMAGE}
References
Zizmor Documentation: https://docs.zizmor.sh/audits/#template-injection
Security Impact
This change eliminates potential command injection vulnerabilities while maintaining the same functionality. The workflows will continue to work exactly as before, but with improved security posture.