Skip to content

Add zizmor security scanner#3117

Open
stephenfin wants to merge 2 commits into
kubernetes:masterfrom
shiftstack:add-zizmor
Open

Add zizmor security scanner#3117
stephenfin wants to merge 2 commits into
kubernetes:masterfrom
shiftstack:add-zizmor

Conversation

@stephenfin
Copy link
Copy Markdown
Member

@stephenfin stephenfin commented May 19, 2026

What this PR does / why we need it:

Run zizmor on pushes to master and pull requests that modify workflow files. Results are uploaded as SARIF to GitHub's security-events API for code scanning integration.

Which issue this PR fixes(if applicable):

(none)

Special notes for reviewers:

This was previously done for Gophercloud in gophercloud/gophercloud#3659

Release note:

NONE

@k8s-ci-robot k8s-ci-robot added the release-note-none Denotes a PR that doesn't merit a release note. label May 19, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign zetaab for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from kayrus and zetaab May 19, 2026 16:57
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels May 19, 2026
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented May 19, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

stephenfin added 2 commits May 19, 2026 18:06
@stephenfin
Fix issues highlighted by zizmor
fd9c332 
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
@stephenfin
Add zizmor security scanner
c19c42b 
Run zizmor on pushes to master and pull requests that modify workflow
files. Results are uploaded as SARIF to GitHub's security-events API for
code scanning integration.

Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels May 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kayrus kayrus Awaiting requested review from kayrus

@zetaab zetaab Awaiting requested review from zetaab

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@stephenfin @k8s-ci-robot @github-advanced-security