
Add GitHub Actions security scanning with CodeQL and zizmor#15114

Merged
josevalim merged 6 commits into elixir-lang:main from maennchen:jm/ci-improvements on Feb 25, 2026

Conversation

@maennchen (Member)

Summary

This PR contains multiple commits:

  • Add CodeQL workflow for static analysis of GitHub Actions workflows
  • Add zizmor audit for detecting security vulnerabilities in CI/CD configuration
  • Fix security findings identified by zizmor:
    • Add persist-credentials: false to all actions/checkout usages
    • Replace template expansions with environment variables to prevent injection
    • Add Dependabot cooldown to delay updates of newly released packages
    • Suppress false-positive github-env warnings with inline ignores

Required Repository Settings

After merging, enable the following repository settings in "Rules" / "Rulesets":

Add "Require code scanning results" with the following tools:

  • CodeQL
  • zizmor

Set "Security Alerts" and "Alert" to "All":

[Screenshot of the "Security Alerts" / "Alert" settings, taken 2026-02-25]

That way PR merges are blocked until all issues have been identified.

References

Add `persist-credentials: false` to all `actions/checkout` usages
to prevent Git credentials from being persisted in the repository
after checkout completes.

See: https://docs.zizmor.sh/audits/#artipacked

Use environment variables instead of direct template expansion
in shell run blocks to prevent potential code injection.

See: https://docs.zizmor.sh/audits/#template-injection

Delay automatic dependency updates to allow time for discovery of
regressions or supply-chain compromises in newly released versions.

See: https://docs.zizmor.sh/audits/#dependabot-cooldown

The GITHUB_PATH and GITHUB_ENV writes are safe as they use only
workflow-controlled values, not attacker-controlled input.

See: https://docs.zizmor.sh/audits/#github-env

Run CodeQL static analysis on GitHub Actions workflows to detect
potential security vulnerabilities in CI/CD configuration.

Scheduled weekly and on pushes/PRs to main branch.

Run zizmor static analysis on GitHub Actions workflows to detect
potential security vulnerabilities in CI/CD configuration.

See: https://docs.zizmor.sh/
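As an added illustration (not a workflow from this PR or from the Elixir repository), here is a minimal workflow plus Dependabot config that applies the four zizmor fixes listed above: `persist-credentials: false` on checkout, a `run:` block that interpolates `${{ }}` beside its environment-variable replacement, an inline `github-env` ignore, and a Dependabot cooldown. Job and step names are assumed, and the `cooldown` keys follow the Dependabot configuration reference.

```yaml
# .github/workflows/ci.yml (assumed file name)
name: ci
on:
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # artipacked: do not leave the GITHUB_TOKEN in .git/config
          # where later steps (or uploaded artifacts) could read it.
          persist-credentials: false

      # template-injection: a PR title is controlled by whoever opens
      # the PR, and "${{ }}" is substituted into the script text before
      # bash ever parses it, so quoting inside the script does not help.
      # Weak form (what zizmor flags):
      #   run: echo "Testing ${{ github.event.pull_request.title }}"
      #
      # Fixed form: hand the value to the shell as an environment
      # variable; bash then expands an ordinary quoted variable.
      - name: Print PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Testing $PR_TITLE"

      # github-env: appending a workflow-controlled path is safe, so the
      # finding is suppressed with zizmor's inline ignore comment.
      - name: Add local tools to PATH
        run: echo "$HOME/.local/bin" >> "$GITHUB_PATH" # zizmor: ignore[github-env]

---
# .github/dependabot.yml (separate file; assumed values)
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # dependabot-cooldown: wait before adopting a freshly published
    # version, giving time for regressions or compromised releases
    # to be noticed and yanked.
    cooldown:
      default-days: 7
```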
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@josevalim (Member)

@maennchen thank you, this is great! Shall I go ahead and merge it? Do you want me to rebase or squash it?

@maennchen (Member, Author)

@josevalim Yes, this is ready to be merged :)

I have no opinion on rebase vs squash. I just did multiple commits to make the review simpler for you.

josevalim merged commit af34af8 into elixir-lang:main on Feb 25, 2026 (17 checks passed)
@josevalim (Member)

💚 💙 💜 💛 ❤️

maennchen deleted the jm/ci-improvements branch on February 25, 2026 at 12:00
