
Add zizmorcore/zizmor-action to the allowlist#608

Merged
potiuk merged 1 commit into apache:main from kevinjqliu:kevinjqliu/add-zizmor
Mar 27, 2026
Conversation

@kevinjqliu
Contributor

@kevinjqliu kevinjqliu commented Mar 27, 2026

Request for adding a new GitHub Action to the allow list

Overview

Name of action: zizmor-action

URL of action: https://github.com/zizmorcore/zizmor-action

Version to pin to (hash only): 71321a20a9ded102f6e9ce5718a2fcec2c4f70d8

zizmor-action runs zizmor, a static analysis tool for GitHub Actions workflows, directly from GitHub Actions. It finds security issues and potential bugs in workflow files, helping projects maintain secure CI/CD pipelines by catching common misconfigurations and vulnerabilities. It integrates with GitHub Advanced Security for stateful analysis and incremental triage.

Permissions

When used with Advanced Security (default), requires security-events: write to upload SARIF results. For private repos, also needs contents: read and actions: read. Does not require write access to code or credentials.

Related Actions

There is no existing equivalent action on the allowlist for GitHub Actions workflow static analysis.

Checklist

  • The action is listed in the GitHub Actions Marketplace
  • The action is not already on the list of approved actions
  • The action has a sufficient number of contributors or has contributors within the ASF community
  • The action has a clearly defined license
  • The action is actively developed or maintained
  • The action has CI/unit tests configured
  • Compiled JavaScript in dist/ matches a clean rebuild (verify with uv run utils/verify-action-build.py org/repo@hash)
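The request above hinges on two things a reviewer checks by eye: that every third-party action is pinned to a full 40-character commit SHA rather than a tag, and that the pinned SHA is the one recorded on the allowlist. The following is an added example, not code from this PR, from zizmor, or from the ASF allowlist tooling, showing how that check can be automated over a workflow file. The sample workflow and the one-entry allowlist dict are constructed for the example; the only real value in them is the zizmor-action hash quoted in this PR. Local (./) and docker:// actions are deliberately skipped, since the allowlist concerns third-party repository actions.

```python
import re
from dataclasses import dataclass

# A full commit SHA is exactly 40 lowercase hex digits; anything else is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Match `uses:` values in a workflow file, with or without quotes, ignoring trailing comments.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)


@dataclass
class Finding:
    ref: str      # the `uses:` value as written in the workflow
    reason: str   # why it would fail an allowlist review


def parse_uses(workflow_text: str) -> list[str]:
    """Return every `uses:` reference in the workflow text, in file order."""
    return USES_RE.findall(workflow_text)


def audit_uses(workflow_text: str, allowlist: dict[str, str]) -> list[Finding]:
    """Flag third-party actions that are not SHA-pinned or not on the allowlist.

    allowlist maps "org/repo" to the single commit SHA approved for that action.
    """
    findings: list[Finding] = []
    for ref in parse_uses(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and containers are out of scope here
        repo, sep, pin = ref.partition("@")
        if not sep:
            findings.append(Finding(ref, "no version pin at all"))
            continue
        if not SHA_RE.match(pin):
            findings.append(Finding(ref, f"pinned to mutable ref {pin!r}, not a commit SHA"))
            continue
        # `uses:` may point at a subdirectory (org/repo/path@sha); the allowlist keys on org/repo.
        key = "/".join(repo.split("/")[:2])
        approved = allowlist.get(key)
        if approved is None:
            findings.append(Finding(ref, f"{key} is not on the allowlist"))
        elif pin != approved:
            findings.append(Finding(ref, f"SHA {pin[:12]} does not match allowlisted {approved[:12]}"))
    return findings


# Constructed allowlist: only the entry this PR adds, with the hash quoted in the request.
ALLOWLIST = {
    "zizmorcore/zizmor-action": "71321a20a9ded102f6e9ce5718a2fcec2c4f70d8",
}

# Constructed sample workflow. The second SHA is a made-up value, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
      actions: read
    steps:
      - uses: actions/checkout@v4
      - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8  # v0.5.2
      - uses: ./.github/actions/local-step
      - uses: "some-org/tool@0123456789abcdef0123456789abcdef01234567"
"""

if __name__ == "__main__":
    for f in audit_uses(SAMPLE_WORKFLOW, ALLOWLIST):
        print(f"{f.ref}: {f.reason}")
```

Run against the sample, the tag-pinned checkout step and the SHA-pinned but unlisted some-org/tool step are reported, while the zizmor-action step passes because its SHA matches the allowlisted one. The regex is intentionally narrow; a real check would load the YAML and walk each job's steps, but the pin and allowlist comparison logic stays the same.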

@kevinjqliu kevinjqliu force-pushed the kevinjqliu/add-zizmor branch from 367bb1a to 0f882cc on March 27, 2026 18:55
@kevinjqliu kevinjqliu changed the title Add zizmorcore/zizmor to the allowlist Add zizmorcore/zizmor-action to the allowlist Mar 27, 2026
Add zizmor-action GitHub Action (https://github.com/zizmorcore/zizmor-action)
pinned to v0.5.2 (71321a20a9ded102f6e9ce5718a2fcec2c4f70d8).
@kevinjqliu kevinjqliu force-pushed the kevinjqliu/add-zizmor branch from 0f882cc to 7902fba on March 27, 2026 19:03
@kevinjqliu
Contributor Author

cc @raboof @potiuk could you please take a look?
We're adding the zizmor check to the iceberg repo's CI, after fixing the vulnerabilities that it flagged. IMO this is the best way to catch and remediate GitHub workflow vulnerabilities.

@potiuk
Member

potiuk commented Mar 27, 2026

I reviewed it - it's mostly a bash script which runs zizmor via docker. While it passes GITHUB_TOKEN, those actions should be run with read-only permissions (and it's ok) or in advanced security mode with rulesets, so it is safe to use - no SECRETS will leak as they are not passed to the container.

@potiuk potiuk merged commit ef6ee97 into apache:main Mar 27, 2026
5 checks passed
@kevinjqliu kevinjqliu deleted the kevinjqliu/add-zizmor branch March 27, 2026 23:11