Skip to content

Add GitHub Actions security scanning with CodeQL and zizmor#1110

Merged
ericmj merged 5 commits into
hexpm:mainfrom
maennchen:jm/ci-improvements
Feb 25, 2026
Merged

Add GitHub Actions security scanning with CodeQL and zizmor#1110
ericmj merged 5 commits into
hexpm:mainfrom
maennchen:jm/ci-improvements

Conversation

@maennchen
Copy link
Copy Markdown
Contributor

@maennchen maennchen commented Feb 25, 2026

Summary

This PR contains multiple commits:

  • Add CodeQL workflow for static analysis of GitHub Actions workflows
  • Add zizmor audit for detecting security vulnerabilities in CI/CD configuration
    • Add Dependabot
  • Fix security findings identified by zizmor:
    • Add explicit permissions to CI workflow
    • Add persist-credentials: false to all actions/checkout usages
    • Pin GitHub Action Versions

Required Repository Settings

After merging, enable the following repository settings in "Rules" / "Rulesets":

Add "Require code scanning results" with the following tools:

  • CodeQL
  • zizmor

Set "Security Alerts" and "Alert" to "All":

Screenshot 2026-02-25 at 12 29 11

That way PR merges are blocked until all issues have been identified.

References

@maennchen
Add explicit permissions to CI workflow
ac78963 
Restrict workflow permissions to read-only content access following
GitHub security best practices.
@maennchen
Pin GitHub Actions to commit SHAs
240beea 
Replace mutable version tags with immutable commit hashes for
actions/checkout and erlef/setup-beam to prevent supply chain attacks.
@maennchen
Add Dependabot for GitHub Actions updates
334b898 
Configure weekly automated dependency updates for GitHub Actions
to keep pinned action versions current.
@maennchen
Disable credential persistence in checkout actions
c04b22e 
Prevent GitHub token from being stored in the local git config
to mitigate the artipacked vulnerability.

See: https://docs.zizmor.sh/audits/#artipacked
@maennchen
Add CodeQL and Zizmor security scanning workflows
5579961 
Add CodeQL for static analysis of GitHub Actions and Zizmor for
workflow security auditing. Runs on push, PR, and weekly schedule.
@maennchen maennchen mentioned this pull request Feb 25, 2026
Merged
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented Feb 25, 2026

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@ericmj ericmj merged commit b12887d into hexpm:main Feb 25, 2026
12 checks passed
@maennchen maennchen deleted the jm/ci-improvements branch February 26, 2026 04:01
This was referenced Mar 3, 2026
Merged
Merged
This was referenced Mar 23, 2026
Merged
Merged
Merged
Merged
This was referenced Apr 3, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@maennchen @github-advanced-security @ericmj