Feature: allow filename wildcard in config file #435
Comments
|
Hi @Chocobo1, thanks for filing a feature request. I'm currently hesitant to support blanket ignores of a rule for all files: I intentionally left that out of the original configuration feature set, because I think it makes it too easy to suppress future findings unintentionally. There are two alternatives:
Assuming (1) is still unacceptable, could you give (2) a try and see if it works for your case? |
FYI, we intend to use zizmor as a step in a CI workflow and the output (check results) is intended to be read a human directly. JSON or SARIF isn't good for this purpose.
Just to be clear, this feature request wouldn't suppress future findings, it only disable specified rules. One might thought that all rules are there for the user's safety. While the intention is good, IMO it risk the program becoming a police which unnecessary infulence things. |
I'm not sure I follow: if you use SARIF, you can then upload the filtered SARIF to GitHub for human presentation -- there's an example of that in the docs: https://woodruffw.github.io/zizmor/usage/#use-in-github-actions If you use JSON, you can always adapt the filtered JSON to a human format like Markdown (e.g. in a step summary via
Right, but for all files, including new ones. That's the concerning part: if a user has
This is a tool I develop in my free time for people to use if they want to. I don't like being compared to a police state, especially since you don't have to use my tool! With that being said, you shouldn't be seeing that finding at all unless you're running with |
Thank you! I wasn't aware of this integration path. I suppose this is a viable path for me.
Apologies, didn't mean to offend anyone. Also, I appreciate this project. Github has blogged good security practices but there were no tool verify it until now.
This is the part I find overprotective for the user. Which is why the police state concept pop into my head. You don't seem to trust the user enough and expect them to be careless. For the user perspective, it could be insulting. Or maybe you could consider adding a command line switch to allow wildcards? Just throwing out random ideas...
Thanks for the concern. I'm not currently but I intend to. I would like to see all warnings and learn the implications. After that I can decide whether to suppress the rule or not. (the suppression would be global, not just individual workflow files) |
Yes, this is what I'd recommend -- a significant number of users are already integrating via SARIF, and the format is stable/standardized so you should be able to write a filter that won't need to be changed over time.
Right, the goal is not to prevent someone who's determined to pave their own path. It's to avoid exposing footguns. There's no perfect way to do this, but the theory is that the more manual step of having to write a I think this is especially important now that a lot of people are using generative AI to mash out massive amounts of unreviewed code. (I apologize if you find this insulting -- it's not meant to demean users, but to establish a boundary between "
This is a possibility -- I've been thinking about adding an This is worth discussing in a follow up Discussion thread, however, if this is something you're more broadly interested in 🙂
That's understandable, but FWIW I'd recommend reading the docs on the different personas if you haven't already: https://woodruffw.github.io/zizmor/usage/#using-personas In particular, the |
|
There no real need to jq > into markdown when This was the pr I created that's related to this thread. So this workflow outputs to the standout output, the github summary in a markdown codebox as well as capturing the exit code. With no processing needed and is readable enough. - name: Check GitHub Action workflows
shell: bash {0}
run: |
pip install zizmor
zizmor="$(zizmor . --gh-token "${{ github.token }}")"
exit_code="$?"
printf '%s\n' "$zizmor"
printf '%b\n' "\`\`\`" >> $GITHUB_STEP_SUMMARY
printf '%s\n' "$zizmor" >> $GITHUB_STEP_SUMMARY
printf '%b' "\`\`\`" >> $GITHUB_STEP_SUMMARY
exit "$exit_code"What would make sense in this situation is that if there was a blanket ignore, you could show these suppressed warnings but not as errors, as they would be with personas. You just want to be aware of them. Like a persona but they don't cause exit codes of non 0 of you have a blanket ignore, just puts them in special suppression category that by default is always shown? I think that's really what it comes down to, not hiding this info from future tests by a blanket ignore whilst not causing an exit code of greater than 0. |
|
Maybe combined with a unique exit code just for these globally supressed errors. |
Pre-submission checks
What's the problem this feature will solve?
I would like to disable/ignore one or more rules completely but the closest mechanism seems to be config files.
For example I have this
zizmor.yml:This is invalid config file at the time of writing. And this is the associated error:
rules.unpinned-uses.ignore: invalid workflow filename: * at line 4 column 7.I would like to suppress the rule
unpinned-usescompletely, i.e. I wish the*could be allowed and it would match all files. I'm aware that I could manually list all filenames here but it is cumbersome and it would break easily in the long run.Describe the solution you'd like
Allow wildcard (or regex) matching in every
rules.<id>.ignoreelement. For example the following would be allowed:*.yaml,*.Additional context
I'm using zizmor as an auxiliary/external checker. I would prefer it not get into the workflow files itself, that means suppressing rules via inline comment is not acceptable.
The text was updated successfully, but these errors were encountered: