#zizmor — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #zizmor, aggregated by home.social.
-
Finished scanning all the GitHub projects in my venv for #zizmor vulnerabilities; now scanning all the venvs on my entire computer.
One vulnerability anywhere and I figure my machine is pwned
-
People got the message about #pwnRequest and have updated their code... sort of.
`pull_request_target: # zizmor: ignore[dangerous-triggers]`
I don't know; the security model is all maximum surprise. Maybe it isn't possible to repro cache poisoning for reasons (maybe some other job needs caching).
-
Just in the venv for the app that scans the dependency tree for #zizmor flaws, there are 88 repos that I'd need to file pull requests against to fix my supply chain. This is going to take years.
(this runs zizmor against every repo for every dependency to find out who is likely to turn into a malicious artifact next)
-
If you run #zizmor on your own repo and fix the GitHub Actions there, you gain just about nothing if your entire dependency tree doesn't do the same. Malicious actors will stop targeting your app and target the 200+ softer targets in the dependency tree.
-
RE: https://mastodon.social/@sethmlarson/116478299133984513
Dear #Python ecosystem, please follow @yossarian's recommendations through #Zizmor and secure your @github Actions workflows wisely!
-
I like this touch to #zizmor:
❯ zizmor --thanks
zizmor's development is sustained by our generous sponsors:
🌈 Grafana Labs
🌈 Kusari
-
WTF?? #Zizmor is a GitHub Actions security linting tool, and their own action basically pulls the latest version by default...
🤡
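An added example, not code from any of the posts above and not zizmor's own rules: a stdlib-only Python checker for the two things the ignore-annotation post and the unpinned-action post complain about, a dangerous trigger silenced with `# zizmor: ignore[dangerous-triggers]` instead of being removed, and `uses:` references not pinned to a full commit SHA. The workflow it scans is constructed for the example, and the line-based matching is a deliberate simplification of what a real YAML-aware audit does.

```python
import re

# Constructed sample workflow (not from any real project). It contains one
# silenced dangerous trigger, one pinned action and two unpinned ones.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target: # zizmor: ignore[dangerous-triggers]
  push:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: example/some-action@main
"""

# Triggers that run with write access to the base repo on untrusted input.
DANGEROUS_TRIGGERS = ("pull_request_target", "workflow_run")
IGNORE_RE = re.compile(r"#\s*zizmor:\s*ignore\[([^\]]+)\]")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s#]+)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_number, finding, detail) tuples for a workflow file.

    Simplified line scanner: it only recognises the block form of `on:`,
    so `on: [pull_request_target]` would be missed by this toy version.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        for trigger in DANGEROUS_TRIGGERS:
            if stripped.startswith(trigger + ":"):
                ignore = IGNORE_RE.search(line)
                if ignore and "dangerous-triggers" in ignore.group(1):
                    # Annotated away rather than fixed: still worth reporting.
                    findings.append((lineno, "suppressed-dangerous-trigger", trigger))
                else:
                    findings.append((lineno, "dangerous-trigger", trigger))
        uses = USES_RE.match(line)
        if uses and not FULL_SHA_RE.match(uses.group(2)):
            # Tags and branches are mutable; only a full SHA is a real pin.
            findings.append((lineno, "unpinned-uses", f"{uses.group(1)}@{uses.group(2)}"))
    return findings


if __name__ == "__main__":
    for lineno, finding, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {finding}: {detail}")
```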
-
Fun with finite state transducers
https://blog.yossarian.net/2025/08/14/Fun-with-finite-state-transducers
-
A Discord server and new GitHub organization for zizmor
https://blog.yossarian.net/2025/05/07/zizmor-discord-server-github-org
-
Taking a first poke at auditing my #GitHub Actions with #zizmor
There's a lot to digest here, for me. Pretty much shows me how little I understand the actions I've had in place for quite a while (that's bad).
But, I've gotten its tests to pass with remediation! (that's good, right???)
I'm a damned cut-and-paste savage (that's bad). *sigh*
-
I'm pretty sure @yossarian can tell every time I run #zizmor against a new repo by watching for my pull requests to exclude something else from the template injection audit.