Zizmor

Latest version: v1.5.2

Page 1 of 6

1.5.2

Bug Fixes 🐛
- Fixed a bug where zizmor would over-eagerly parse invalid and commented-out expressions, resulting in spurious warnings ([570](https://github.com/woodruffw/zizmor/issues/570))
- Fixed a bug where zizmor would fail to honor `# zizmor: ignore[rule]` comments in unintuitive cases ([612](https://github.com/woodruffw/zizmor/issues/612))
- Fixed a regression in zizmor's SARIF output format that caused suboptimal presentation of findings on GitHub ([621](https://github.com/woodruffw/zizmor/issues/621))

Upcoming Changes 🚧
- The official [PyPI builds](https://woodruffw.github.io/zizmor/installation/#pypi) for zizmor will support fewer architectures in the next release, due to cross-compilation and testing difficulties. This should have no effect on the overwhelming majority of users. See [603](https://github.com/woodruffw/zizmor/issues/603) for additional details.

1.5.1

Bug Fixes 🐛

- Fixed a bug where zizmor would fail to honor `.gitignore` files when a `.git/` directory is not present ([598](https://github.com/woodruffw/zizmor/issues/598))

1.5.0

New Features 🌈

- The [overprovisioned-secrets](https://woodruffw.github.io/zizmor/audits/#overprovisioned-secrets) audit now detects indexing operations on the secrets context that result in overprovisioning ([573](https://github.com/woodruffw/zizmor/issues/573))
- zizmor now ignores patterns in `.gitignore` (and related files, like `.git/info/exclude`) by default when performing input collection. This makes input collection significantly faster for users with local development state and more closely reflects typical user expectations. Users who wish to explicitly collect everything regardless of ignore patterns can continue to use `--collect=all` ([575](https://github.com/woodruffw/zizmor/issues/575))
- zizmor now has a `--no-progress` flag that disables progress bars, even if the terminal supports them ([589](https://github.com/woodruffw/zizmor/issues/589))
- zizmor now has a `--color` flag that controls when zizmor's output is colorized (beyond basic terminal detection) ([586](https://github.com/woodruffw/zizmor/issues/586))

Bug Fixes 🐛

- Fixed zizmor's path presentation behavior to correctly present unambiguous paths in both SARIF and "plain" outputs when multiple input directories are given ([572](https://github.com/woodruffw/zizmor/issues/572))

1.4.1

This is a small corrective release for v1.4.0.

Bug Fixes 🐛

- Findings produced by [unredacted-secrets](https://woodruffw.github.io/zizmor/audits/#unredacted-secrets) now use the correct ID and link to the correct URL in the audit documentation ([566](https://github.com/woodruffw/zizmor/issues/566))

1.4.0

This release comes with one new audit ([unredacted-secrets](https://woodruffw.github.io/zizmor/audits/#unredacted-secrets)), plus a handful of bugfixes and analysis improvements to existing audits. It also comes with improvements to SARIF presentation, ignore comments, as well as an [official Docker image](https://ghcr.io/woodruffw/zizmor)!

New Features 🌈
- `zizmor` now has official Docker images! You can find them on the GitHub Container Registry under [ghcr.io/woodruffw/zizmor](https://ghcr.io/woodruffw/zizmor) ([#532](https://github.com/woodruffw/zizmor/issues/532))
- New audit: [unredacted-secrets](https://woodruffw.github.io/zizmor/audits/#unredacted-secrets) detects secret accesses that are not redacted in logs ([549](https://github.com/woodruffw/zizmor/issues/549))

Improvements 🌱
- SARIF outputs are now slightly more aligned with GitHub Code Scanning expectations ([528](https://github.com/woodruffw/zizmor/issues/528))
- `# zizmor: ignore[rule]` comments can now have trailing explanations, e.g. `# zizmor: ignore[rule] because reasons` ([531](https://github.com/woodruffw/zizmor/issues/531))
- The [bot-conditions](https://woodruffw.github.io/zizmor/audits/#bot-conditions) audit now detects `github.triggering_actor` as another spoofable actor check ([559](https://github.com/woodruffw/zizmor/issues/559))
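The following workflow is an added illustration, not a file from zizmor or its documentation, of the two findings described in the 1.5.0 and 1.4.0 notes above: an actor-based condition that `bot-conditions` flags (including the `github.triggering_actor` form added in 1.4.0) next to a guard tied to the pull request author, a computed index into the `secrets` context of the kind `overprovisioned-secrets` now detects next to explicit secret references, and a suppression comment with the trailing explanation syntax from 1.4.0. The job names, the `deploy.sh` script and the secret names are invented for the example; the recommended alternatives follow the remediation guidance in zizmor's audit documentation.

```yaml
# Constructed example workflow (not from the zizmor project) showing the
# patterns the bot-conditions and overprovisioned-secrets audits report,
# each next to a form that does not trigger the finding.
name: example-dependabot-automation
on:
  pull_request_target:

jobs:
  # Flagged by bot-conditions: github.actor and github.triggering_actor
  # identify whoever caused the run, which need not be the PR author, so the
  # condition can be satisfied by a different account than it appears to name.
  weak-guard:
    if: github.triggering_actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - run: echo "would approve or merge here"

  # Not flagged: the condition is bound to the pull request's author, which
  # is fixed for the lifetime of the PR rather than per run.
  safer-guard:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - run: echo "would approve or merge here"

  # A reviewed exception: since 1.4.0 the ignore comment may carry a trailing
  # explanation, so the reason for accepting the finding travels with it.
  documented-exception:
    if: github.actor == 'dependabot[bot]' # zizmor: ignore[bot-conditions] because this job only posts a comment and has no write permissions
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: echo "read-only work"

  # Flagged by overprovisioned-secrets (1.5.0): a computed key can name any
  # entry in the secrets context, so the step is effectively granted all of
  # them even though only one is used per matrix leg.
  overprovisioned:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        env: [staging, prod]
    steps:
      - run: ./deploy.sh "$TARGET"   # deploy.sh is a placeholder script
        env:
          TARGET: ${{ matrix.env }}
          TOKEN: ${{ secrets[format('DEPLOY_TOKEN_{0}', matrix.env)] }}

  # Not flagged: each job names exactly the secret it needs, so the set of
  # secrets reachable from the step is visible in the workflow text.
  explicit-staging:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh staging
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN_STAGING }}

  explicit-prod:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh prod
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN_PROD }}
```

Running `zizmor` against a directory containing this file is expected to report the `weak-guard` and `overprovisioned` jobs and stay silent on the others; the `documented-exception` job is skipped because of the ignore comment, which is the only place on the page where accepting such a finding is appropriate.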

Bug Fixes 🐛
- Fixed a bug where `zizmor` would fail to parse workflows with `workflow_dispatch` triggers that contained non-string inputs ([563](https://github.com/woodruffw/zizmor/issues/563))

Upcoming Changes 🚧
- The next minor release of `zizmor` will be built with [Rust 2024](https://blog.rust-lang.org/2025/02/20/Rust-1.85.0.html). This should have no effect on most users, but may require users who build zizmor from source to update their Rust toolchain.

1.3.1

Improvements 🌱

- Passing both `--offline` and a GitHub token (either implicitly with `GH_TOKEN` or explicitly with `--gh-token`) no longer results in an error. `--offline` is now given precedence, regardless of any other flags or environment settings ([519](https://github.com/woodruffw/zizmor/issues/519))

Bug Fixes 🐛

- Fixed a bug where zizmor would fail to parse composite actions with `inputs`/`outputs` that are missing descriptions ([502](https://github.com/woodruffw/zizmor/issues/502))
- Expressions that contain indices with non-semantic whitespace are now parsed correctly ([511](https://github.com/woodruffw/zizmor/issues/511))
- Fixed a false positive in [ref-confusion](https://woodruffw.github.io/zizmor/audits/#ref-confusion) where partial tag matches were incorrectly considered confusable ([519](https://github.com/woodruffw/zizmor/issues/519))
- Fixed a bug where zizmor would fail to parse workflow definitions with an expression inside `strategy.max-parallel` ([522](https://github.com/woodruffw/zizmor/issues/522))


© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.