
v1.19.0


@woodruffw released this 18 Dec 22:50
a5e304f

New Features 🌈

  • New audit: archived-uses detects usages of archived repositories in uses: clauses (#1411)
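As an added illustration of what the new audit looks for (this is not zizmor's own implementation, which resolves archive status against GitHub rather than a local list), the script below pulls `uses:` references out of a workflow, reduces each to its `owner/repo`, and flags the ones found in a constructed set of archived repositories; the sample workflow, repository names and archived set are all made up for the example.

```python
import re

# Constructed sample workflow text (not taken from zizmor or any real project).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/retired-action@v1
      - uses: example-org/monorepo/packages/lint@main
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
  release:
    uses: example-org/old-workflows/.github/workflows/release.yml@v2
"""

# Constructed stand-in for "owner/repo is archived on GitHub".
ARCHIVED_REPOS = {"example-org/retired-action", "example-org/old-workflows"}

# Matches step-level ("- uses:") and job-level ("uses:") clauses alike.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")


def repo_of(uses_ref):
    """Return 'owner/repo' for a GitHub-hosted uses: reference, or None for
    local paths (./...) and docker:// images, which cannot be archived repos."""
    if uses_ref.startswith("./") or uses_ref.startswith("docker://"):
        return None
    path = uses_ref.split("@", 1)[0]  # drop the ref after '@'
    parts = path.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    return f"{parts[0]}/{parts[1]}"  # subdirectory actions and reusable workflows share the repo


def find_archived_uses(workflow_text, archived):
    """Return (line_no, uses_ref, repo) for every uses: clause whose repo is archived."""
    archived_lc = {r.lower() for r in archived}  # GitHub names are case-insensitive
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo = repo_of(m.group(1))
        if repo and repo.lower() in archived_lc:
            findings.append((line_no, m.group(1), repo))
    return findings


if __name__ == "__main__":
    for line_no, ref, repo in find_archived_uses(SAMPLE_WORKFLOW, ARCHIVED_REPOS):
        print(f"line {line_no}: uses {ref!r} refers to archived repository {repo}")
```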

Enhancements 🌱

  • The use-trusted-publishing audit now detects additional publishing command patterns, including common "wrapped" patterns like bundle exec gem publish (#1394)

  • zizmor now produces better error messages on a handful of error cases involving invalid input files. Specifically, a subset of syntax and schema errors now produce more detailed and actionable error messages (#1396)

  • The use-trusted-publishing audit now detects additional publishing command patterns, including uv run ..., uvx ..., and poetry publish (#1402)

  • zizmor now produces more useful and less ambiguous spans for many findings, particularly those from the anonymous-definition audit (#1416)

  • zizmor now discovers configuration files named zizmor.yaml, in addition to zizmor.yml (#1431)

  • zizmor now produces a more useful error message when input collection yields no inputs (#1439)

  • The --render-links flag now allows users to control zizmor's OSC 8 terminal link rendering behavior. This is particularly useful in environments that advertise themselves as terminals but fail to correctly render or ignore OSC 8 links (#1454)

Performance Improvements 🚄

  • The impostor-commit audit is now significantly faster on true positives, making true positive detection virtually as fast as true negative detection. In practice, true positive runs are over 100 times faster than before (#1429)

Bug Fixes 🐛

  • Fixed a bug where the obfuscation audit would crash if it encountered a CMD shell that was defined outside of the current step block (i.e. as a job or workflow default) (#1418)

  • Fixed a bug where the opentofu ecosystem was not recognized in Dependabot configuration files (#1452)

  • --color=always no longer implies --render-links=always, as some environments (like GitHub Actions) support ANSI color codes but fail to handle OSC escapes gracefully (#1454)