Skip to content

ci: resolve zizmor findings in github action workflows#3103

Merged
mkulke merged 4 commits into
confidential-containers:mainfrom
siddu-os:zizmor-fix-podvm-mkosi-template-injection
Jun 5, 2026
Merged

ci: resolve zizmor findings in github action workflows#3103
mkulke merged 4 commits into
confidential-containers:mainfrom
siddu-os:zizmor-fix-podvm-mkosi-template-injection

Conversation

@siddu-os

@siddu-os siddu-os commented May 29, 2026

Copy link
Copy Markdown
Contributor

This PR fixes 7 template injection vulnerabilities across 2 workflow files identified by zizmor security scanner.

Problem:
The workflows were directly interpolating user-controlled inputs into shell commands without proper sanitization. This creates a security risk where malicious input containing shell metacharacters could potentially be used for command injection attacks.

Vulnerable Code Locations
podvm_mkosi.yaml (6 issues):
Line 174: image=${{ inputs.registry }}/podvm-generic-fedora - Direct interpolation in shell variable
Line 178: image=${image}-${{ inputs.arch }} - Direct interpolation in shell variable
Line 183: if [ -n "${{ inputs.image_tag }}" ] && [ "${{ inputs.image_tag }}" != "${tag}" ] - Direct interpolation in conditional (2 occurrences)
Line 184: oras push "${image}:${{ inputs.image_tag }}" - Direct interpolation in oras command
Line 221: echo "image=${{ inputs.registry }}/podvm-docker-image-${arch}:${tag}" - Direct interpolation in output variable

e2e_libvirt.yaml (1 issue):
Line 112: oras pull ${{ inputs.podvm_image }} - Direct interpolation in oras command

Solution
Following GitHub Actions security best practices, all template expressions have been moved to environment variables in the env: block. GitHub Actions automatically escapes environment variable values, preventing injection attacks.

Changes Made
podvm_mkosi.yaml:

Added env: block:
env:
REGISTRY: ${{ inputs.registry }}
ARCH: ${{ inputs.arch }}
IMAGE_TAG: ${{ inputs.image_tag }}

Replaced template expressions:
${{ inputs.registry }} → ${REGISTRY} (2 occurrences)
${{ inputs.arch }} → ${ARCH} (1 occurrence)
${{ inputs.image_tag }} → ${IMAGE_TAG} (3 occurrences)

e2e_libvirt.yaml:
Added env: block:
env:
PODVM_IMAGE: ${{ inputs.podvm_image }}

Replaced template expression:
${{ inputs.podvm_image }} → ${PODVM_IMAGE}

References
Zizmor Documentation: https://docs.zizmor.sh/audits/#template-injection

Security Impact
This change eliminates potential command injection vulnerabilities while maintaining the same functionality. The workflows will continue to work exactly as before, but with improved security posture.

@siddu-os
siddu-os requested a review from a team as a code owner May 29, 2026 09:29

@stevenhorsman stevenhorsman left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks

@stevenhorsman
stevenhorsman force-pushed the zizmor-fix-podvm-mkosi-template-injection branch from add9a37 to 05819f9 Compare June 1, 2026 07:34

@mkulke mkulke left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we make sure that this is is enforced continuously by the CI?

@stevenhorsman

stevenhorsman commented Jun 1, 2026

Copy link
Copy Markdown
Member

Can we make sure that this is is enforced continuously by the CI?

Are you proposing that we set advanced-security: false in the workflow, so that issues found are printed in the console (and I think then the job fails), rather than being raised in the github security tab?

@mkulke

mkulke commented Jun 1, 2026

Copy link
Copy Markdown
Collaborator

Can we make sure that this is is enforced continuously by the CI?

Are you proposing that we set advanced-security: false in the workflow, so that issues found are printed in the console (and I think then the job fails), rather than being raised in the github security tab?

not sure, don't we have a zizmor workflow that processes all workflows? it feels a bit odd that we manually address individual problems, what if the next person refactors something and re-introduces a template injection?

@stevenhorsman

Copy link
Copy Markdown
Member

Can we make sure that this is is enforced continuously by the CI?

Are you proposing that we set advanced-security: false in the workflow, so that issues found are printed in the console (and I think then the job fails), rather than being raised in the github security tab?

not sure, don't we have a zizmor workflow that processes all workflows? it feels a bit odd that we manually address individual problems, what if the next person refactors something and re-introduces a template injection?

We do have a zizmor workflow - as I said the default behaviour of it is to just report into https://github.com/confidential-containers/cloud-api-adaptor/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3Azizmor, which hides things rather, so we could switch as I suggested to get a failure to show up on the CI job if there are issues. We will have quite a lot of failures there as we seem to have ~75 issues at the moment, but if it means we clean them up more, it would be a good thing.

@mkulke

mkulke commented Jun 1, 2026

Copy link
Copy Markdown
Collaborator

Can we make sure that this is is enforced continuously by the CI?

Are you proposing that we set advanced-security: false in the workflow, so that issues found are printed in the console (and I think then the job fails), rather than being raised in the github security tab?

not sure, don't we have a zizmor workflow that processes all workflows? it feels a bit odd that we manually address individual problems, what if the next person refactors something and re-introduces a template injection?

We do have a zizmor workflow - as I said the default behaviour of it is to just report into https://github.com/confidential-containers/cloud-api-adaptor/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3Azizmor, which hides things rather, so we could switch as I suggested to get a failure to show up on the CI job if there are issues. We will have quite a lot of failures there as we seem to have ~75 issues at the moment, but if it means we clean them up more, it would be a good thing.

oof, I see. that would be more red ci, but yeah, I don't think it makes sense to keep openeing PRs for individual files. usually those are fixable quickly and we could assign an agent to the issue.

@stevenhorsman

Copy link
Copy Markdown
Member

Can we make sure that this is is enforced continuously by the CI?

Are you proposing that we set advanced-security: false in the workflow, so that issues found are printed in the console (and I think then the job fails), rather than being raised in the github security tab?

not sure, don't we have a zizmor workflow that processes all workflows? it feels a bit odd that we manually address individual problems, what if the next person refactors something and re-introduces a template injection?

We do have a zizmor workflow - as I said the default behaviour of it is to just report into https://github.com/confidential-containers/cloud-api-adaptor/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3Azizmor, which hides things rather, so we could switch as I suggested to get a failure to show up on the CI job if there are issues. We will have quite a lot of failures there as we seem to have ~75 issues at the moment, but if it means we clean them up more, it would be a good thing.

oof, I see. that would be more red ci, but yeah, I don't think it makes sense to keep openeing PRs for individual files. usually those are fixable quickly and we could assign an agent to the issue.

Ok, so I guess the next step is to switch the zizmor reporting and see what shows up?

@stevenhorsman

Copy link
Copy Markdown
Member

#3119 shows the output of switching the reporting into the job, rather than github

@stevenhorsman

Copy link
Copy Markdown
Member

@siddu-os - do you think you can use Bob to fix all the resolve template injection issues in this PR please and then we can cut down on the number of PRs and reviews required as Magnus suggests?

@siddu-os

siddu-os commented Jun 2, 2026

Copy link
Copy Markdown
Contributor Author

@siddu-os - do you think you can use Bob to fix all the resolve template injection issues in this PR please and then we can cut down on the number of PRs and reviews required as Magnus suggests?

Sure, @stevenhorsman. I'll coordinate with the team and make sure all the remaining zizmor template injection fixes are included in this PR rather than split across multiple PRs. Thank you.

@siddu-os
siddu-os force-pushed the zizmor-fix-podvm-mkosi-template-injection branch from 5a57878 to 950a46a Compare June 2, 2026 06:46
@siddu-os siddu-os changed the title fix: zizmor issue: Resolve template injection vulnerabilities in podvm_mkosi.yaml fix: zizmor issue: Resolve template injection vulnerabilities in podvm_mkosi.yaml, csi_wrapper_images.yaml and e2e_libvirt.yaml Jun 2, 2026
@siddu-os
siddu-os requested review from mkulke and stevenhorsman June 2, 2026 07:17
@stevenhorsman

stevenhorsman commented Jun 2, 2026

Copy link
Copy Markdown
Member

What about the issues in webhook_image.yaml? Sorry - I missed that Rafsal's PR was merged that fixed that. I should have highlighted that csi-wrapper isn't important as it's being deleted in #3105.

Comment thread .github/workflows/csi_wrapper_images.yaml Fixed
@siddu-os

siddu-os commented Jun 2, 2026

Copy link
Copy Markdown
Contributor Author

What about the issues in webhook_image.yaml? Sorry - I should have highlighted that csi-wrapper isn't important as it's being deleted in #3105

okay, let me remove - csi_wrapper_images.yaml changes and webhook_image.yaml issues are already fixed with the PR #3101 and PR is merged.

@siddu-os
siddu-os force-pushed the zizmor-fix-podvm-mkosi-template-injection branch from 950a46a to 4bfe153 Compare June 2, 2026 08:06
@siddu-os siddu-os changed the title fix: zizmor issue: Resolve template injection vulnerabilities in podvm_mkosi.yaml, csi_wrapper_images.yaml and e2e_libvirt.yaml fix: zizmor issue: Resolve template injection vulnerabilities in podvm_mkosi.yaml and e2e_libvirt.yaml Jun 2, 2026
@siddu-os
siddu-os force-pushed the zizmor-fix-podvm-mkosi-template-injection branch 3 times, most recently from 106b8b3 to b6cf221 Compare June 3, 2026 08:43
@mkulke mkulke changed the title fix: zizmor issue: Resolve template injection vulnerabilities in podvm_mkosi.yaml and e2e_libvirt.yaml ci: resolve zizmor findings in github action workflows Jun 3, 2026
@stevenhorsman

Copy link
Copy Markdown
Member

@siddu-os it looks like there are still multiple code injection via template expansion issues in the zizmor report. Can you take a look please

@siddu-os
siddu-os force-pushed the zizmor-fix-podvm-mkosi-template-injection branch 2 times, most recently from 810ac6f to b80123e Compare June 3, 2026 09:31
@mkulke

mkulke commented Jun 3, 2026

Copy link
Copy Markdown
Collaborator

this one might be tough to resolve.

Error: e2e_on_pull.yaml:8: use of fundamentally insecure workflow trigger: pull_request_target is almost always used insecurely

I think we need to scrutinize the workflows split them accordingly.

name: e2e tests

on:
  ...
  pull_request_target:
    types:
      # This workflow will be run if the pull request is labeled test_e2e_libvirt,
      # so adding 'labeled' to the list of activity types.
      #
      - opened
      - synchronize
      - reopened
      - labeled
    branches:
      - 'main'

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

permissions: {}

jobs:
  authorize:
    runs-on: ubuntu-24.04
    if: |
     contains(github.event.pull_request.labels.*.name, 'test_e2e_aws') ||
     contains(github.event.pull_request.labels.*.name, 'test_e2e_libvirt') ||
     contains(github.event.pull_request.labels.*.name, 'test_e2e_byom')
    steps:
      - run: "true"
  e2e:
    uses: ./.github/workflows/e2e_run_all.yaml
    needs: [authorize]
    ...

libvirt doesn't need any environment from the repo to run the tests. they should be able to launch on a fork. I think the same is true for byom, they don't need pull_request_target.

AWS will require secrets from the main repo, s390x will require special runners, so they would be in a group that have to use pull_request_target.

Currently AFAIU s390x e2e tests are also covered by the test_e2e_libvirt flag, I suggest adding a discrete label test_e2e_s390x.

@siddu-os
siddu-os force-pushed the zizmor-fix-podvm-mkosi-template-injection branch from b80123e to 6a29f76 Compare June 3, 2026 10:27

@stevenhorsman stevenhorsman left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM as long is it doesn't clash with other changes. I think it will be blocked by #3130 which fixes the govulncheck issue though. Thanks

@mkulke

mkulke commented Jun 3, 2026

Copy link
Copy Markdown
Collaborator

@siddu-os: needs a rebase, if you feel the pull_request_target error is too complex to fix for you we can leave that error unresolved and address it in a separate PR. but it would be good to address all other warnings and notices that zizmor currently flags

siddu-os added 3 commits June 4, 2026 23:03
Move inputs.podvm_image to PODVM_IMAGE environment variable to prevent code injection.
Also add quotes around PODVM_IMAGE variable to fix shellcheck SC2086.
Remove template expansion from line 188 to prevent code injection.

Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Move template expressions to environment variables to prevent code injection.

Changes:
- inputs.registry → REGISTRY (line 170)
- inputs.arch → ARCH (line 174)
- inputs.image_tag → IMAGE_TAG (lines 179, 180)

Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Fix template injection in three more workflows:
- azure-e2e-test.yml:159 - Move matrix.parameters.jitter to JITTER env var
- build.yaml:57 - Move matrix.type to BUILD_TYPE env var
- test-images.yaml:60 - Move matrix.targets to MATRIX_TARGET env var

These changes prevent code injection via template expansion by moving
untrusted inputs to environment variables instead of inline expansion.

Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
@siddu-os
siddu-os force-pushed the zizmor-fix-podvm-mkosi-template-injection branch from 6a29f76 to 40800b9 Compare June 4, 2026 17:34

@stevenhorsman stevenhorsman left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for all the changes, but we need the job names to match the ids for backwards compatibility

Comment thread .github/workflows/build.yaml Outdated
run: make docker-build

webhook:
name: Build webhook

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you update the names to match the ids please so webhook in this case, otherwise the test pre-req and required tests will break.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All zizmor warnings and notices are now addressed with job names matching their IDs.
Thanks for the review.

Fix workflow security issues identified by zizmor scan:

1. Added job names to 7 workflows (Notices)
   - actionlint.yaml: run-actionlint job
   - build.yaml: webhook and cloud-provider jobs
   - e2e_on_pull.yaml: authorize job
   - e2e_run_all.yaml: libvirt_e2e_arch_prep job
   - podvm_smoketest.yaml: build and test jobs
   - test-images.yaml: list-dockerfiles job

2. Added concurrency limits to 4 workflows (Warnings)
   - podvm_mkosi.yaml
   - podvm_smoketest.yaml
   - scorecard.yaml
   - test-images.yaml

3. Added explanatory comments for permissions in 13 instances (Warnings)
   - daily-e2e-tests.yaml
   - e2e_on_pull.yaml
   - e2e_run_all.yaml (4 instances)
   - lib-codeql.yaml
   - lint.yaml
   - podvm_publish.yaml
   - publish_images_on_push.yaml (2 instances)
   - release.yaml (2 instances)
   - scorecard.yaml
   - test-images.yaml
   - webhook_image.yaml

4. Fixed secrets environment issue (Warning)
   - test-images.yaml: Added production environment for secret access

These changes improve workflow security and clarity without affecting
functionality.

Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
@siddu-os
siddu-os force-pushed the zizmor-fix-podvm-mkosi-template-injection branch from fdfe81e to 02a28c2 Compare June 5, 2026 05:06
@siddu-os

siddu-os commented Jun 5, 2026

Copy link
Copy Markdown
Contributor Author

needs a rebase, if you feel the pull_request_target error is too complex to fix for you we can leave that error unresolved and address it in a separate PR. but it would be good to address all other warnings and notices that zizmor currently flags

I agree this should be addressed separately. All other zizmor findings are now resolved - Thanks a lot for the review.

@mkulke
mkulke merged commit fe51cb1 into confidential-containers:main Jun 5, 2026
22 of 23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants