Aman-Mittal commented on PR #5890:
URL: https://github.com/apache/fineract/pull/5890#issuecomment-4545974359
Seems like we need to fix the security flaws raised by zizmor:
warning[dependabot-cooldown]: insufficient cooldown in Dependabot updates
--> ./.github/dependabot.yml:6:5
|
6 | - package-ecosystem: "github-actions"
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ missing cooldown configuration
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#dependabot-cooldown
warning[dependabot-cooldown]: insufficient cooldown in Dependabot updates
--> ./.github/dependabot.yml:13:5
|
13 | - package-ecosystem: "docker"
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ missing cooldown configuration
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#dependabot-cooldown
error[excessive-permissions]: overly broad permissions
--> ./.github/workflows/full-build-ci.yml:7:3
|
7 | pull-requests: write
| ^^^^^^^^^^^^^^^^^^^^ pull-requests: write is overly broad at the workflow level
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#excessive-permissions
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:11:11
|
11 | uses: ./.github/workflows/build-core.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
12 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:16:11
|
16 | uses: ./.github/workflows/build-progressive-loan.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable
workflow
17 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:21:11
|
21 | uses: ./.github/workflows/build-docker.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
22 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:26:11
|
26 | uses: ./.github/workflows/build-documentation.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable
workflow
27 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:31:11
|
31 | uses: ./.github/workflows/build-quality-checks.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable
workflow
32 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:36:11
|
36 | uses: ./.github/workflows/build-cucumber.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
37 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:41:11
|
41 | uses: ./.github/workflows/build-postgresql.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable
workflow
42 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:46:11
|
46 | uses: ./.github/workflows/build-mysql.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
47 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:51:11
|
51 | uses: ./.github/workflows/build-mariadb.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
52 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:56:11
|
56 | uses: ./.github/workflows/build-e2e-tests.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
57 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:61:11
|
61 | uses: ./.github/workflows/liquibase-only-postgresql.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this
reusable workflow
62 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:66:11
|
66 | uses: ./.github/workflows/smoke-messaging.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
67 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:71:11
|
71 | uses: ./.github/workflows/verify-api-backward-compatibility.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
this reusable workflow
72 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:76:11
|
76 | uses: ./.github/workflows/verify-liquibase-backward-compatibility.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
77 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:81:11
|
81 | uses: ./.github/workflows/verify-liquibase-ddl-safety.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this
reusable workflow
82 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:86:11
|
86 | uses: ./.github/workflows/regression-safety-db-changes.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this
reusable workflow
87 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:91:11
|
91 | uses: ./.github/workflows/sonarqube.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
92 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:96:11
|
96 | uses: ./.github/workflows/run-integration-test-sequentially-postgresql.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
97 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
warning[secrets-inherit]: secrets unconditionally inherited by called
workflow
--> ./.github/workflows/full-build-ci.yml:101:11
|
101 | uses: ./.github/workflows/publish-dockerhub.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable
workflow
102 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation →
https://docs.zizmor.sh/audits/#secrets-inherit
error[template-injection]: code injection via template expansion
--> ./.github/workflows/pr-title-check.yml:18:22
|
17 | run: |
| --- this run block
18 | title="${{ github.event.pull_request.title }}"
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#template-injection
error[template-injection]: code injection via template expansion
--> ./.github/workflows/publish-dockerhub.yml:40:20
|
39 | run: |
| --- this run block
40 | TAGS=${{ github.ref_name }}
| ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#template-injection
error[template-injection]: code injection via template expansion
--> ./.github/workflows/regression-safety-db-changes.yml:34:33
|
27 | run: |
| --- this run block
...
34 | git fetch origin "${{ github.event.pull_request.base.ref }}" --no-tags
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#template-injection
error[template-injection]: code injection via template expansion
--> ./.github/workflows/regression-safety-db-changes.yml:35:51
|
27 | run: |
| --- this run block
...
35 | MERGE_BASE=$(git merge-base "origin/${{ github.event.pull_request.base.ref }}" HEAD)
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#template-injection
error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-api-backward-compatibility.yml:42:45
|
38 | run: |
| --- this run block
...
42 | git fetch "https://github.com/${{ github.event.pull_request.head.repo.full_name }}.git" \
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#template-injection
error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-api-backward-compatibility.yml:43:18
|
38 | run: |
| --- this run block
...
43 | "${{ github.event.pull_request.head.ref }}:refs/remotes/pr-head" --no-tags
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#template-injection
error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-commits.yml:39:35
|
39 | run: git fetch origin ${{ github.base_ref }}
| --- this run block ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#template-injection
error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-commits.yml:45:35
|
42 | run: |
| --- this run block
...
45 | --base-ref origin/${{ github.base_ref }} \
| ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#template-injection
error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-liquibase-backward-compatibility.yml:74:38
|
73 | run: |
| --- this run block
74 | echo "Base branch ref: ${{ github.event.pull_request.base.ref }}"
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#template-injection
error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-liquibase-ddl-safety.yml:27:36
|
27 | run: git fetch origin "${{ github.event.pull_request.base.ref }}" --no-tags
| --- this run block ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#template-injection
error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-liquibase-ddl-safety.yml:32:51
|
31 | run: |
| --- this run block
32 | MERGE_BASE=$(git merge-base "origin/${{ github.event.pull_request.base.ref }}" HEAD)
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#template-injection
error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-liquibase-ddl-safety.yml:63:35
|
60 | run: |
| --- this run block
...
63 | --base-ref origin/${{ github.event.pull_request.base.ref }} \
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation →
https://docs.zizmor.sh/audits/#template-injection
149 findings (18 ignored, 97 suppressed, 14 fixable): 0 informational, 0 low, 21 medium, 13 high
Error: Process completed with exit code 14.