Add automated security scanning for GitHub Actions workflows

[Copilot]

Implements automated security scanning in CI/CD to catch workflow vulnerabilities at PR time using zizmor and actionlint. Blocks merges on High/Critical findings.

Changes

Pre-commit hooks (.pre-commit-config.yaml)

• zizmor: scans workflow files for security vulnerabilities
• actionlint: validates workflow syntax and best practices
• shellcheck: validates shell scripts

CI workflow (.github/workflows/security-lint.md)

• Triggers on PR changes to .github/workflows/** and push to main
• Installs zizmor and actionlint
• Scans all .lock.yml files
• Generates SARIF reports
• Fails CI on High/Critical security issues

Makefile target (make security-lint)

• Runs build + recompile + security scans
• Graceful fallbacks when tools not installed
• Shows installation instructions for missing tools

Documentation (DEVGUIDE.md)

• Installation instructions for zizmor (Linux/macOS)
• Pre-commit setup guide
• Usage examples

Usage

# Local development (optional)
pip install pre-commit && pre-commit install
pre-commit run --all-files

# Manual security scan
make security-lint

CI runs automatically on workflow changes. High/Critical findings block merge.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[plan] Implement automated security scanning in CI/CD pipeline</issue_title>
<issue_description>## Objective

Integrate zizmor and actionlint into the CI/CD pipeline to automatically catch security and code quality issues before they reach production.

Context

Current State: Manual static analysis via scheduled workflow
Goal: Prevent security issues at PR time with automated checks
Tools: zizmor (security), actionlint (linting + shellcheck)

Automated security scanning provides continuous protection by:

• Blocking PRs with High/Critical security findings
• Catching shellcheck issues during development
• Providing immediate feedback to contributors
• Reducing manual security review burden

Approach

Phase 1: Add Pre-commit Hooks (Local Development)

1. Create .pre-commit-config.yaml in repository root
2. Configure hooks for:
   • zizmor (security scanning)
   • actionlint (workflow linting)
   • shellcheck (shell script validation)
3. Document setup in DEVGUIDE.md
4. Make it optional but recommended for contributors

Phase 2: Add CI/CD Checks (Required for PRs)

1. Create new workflow: .github/workflows/security-lint.md
2. Configure to run on:
   • Pull requests (when workflow files change)
   • Push to main branch
3. Add job steps:
   • Install zizmor and actionlint
   • Scan all workflow files
   • Report findings as PR comments
   • Fail CI for High/Critical issues
4. Integrate with GitHub branch protection rules

Phase 3: Enhanced Reporting

1. Add actionable error messages with fix suggestions
2. Link to security documentation for each finding type
3. Generate summary reports for PRs
4. Track security metrics over time

Files to Create

• .pre-commit-config.yaml (pre-commit hooks configuration)
• .github/workflows/security-lint.md (CI security checks)
• Update: DEVGUIDE.md (document security scanning setup)
• Update: Makefile (add make security-lint target)

Example Pre-commit Configuration

repos:
  - repo: local
    hooks:
      - id: zizmor
        name: zizmor security scan
        entry: zizmor
        language: system
        files: \.github/workflows/.*\.(lock\.yml|md)$
        pass_filenames: true
      
      - id: actionlint
        name: actionlint workflow linting
        entry: actionlint
        language: system
        files: \.github/workflows/.*\.lock\.yml$
        pass_filenames: true

Example CI Workflow (security-lint.md)

---
name: Security Lint
on:
  pull_request:
    paths:
      - '.github/workflows/**'
  push:
    branches: [main]
permissions:
  contents: read
  pull-requests: write
---

# Security and Code Quality Checks

This workflow runs automated security scanning and linting on GitHub Actions workflows.

- name: Install tools
  run: |
    # Install zizmor
    curl -sSfL https://github.com/woodruffw/zizmor/releases/latest/download/zizmor-x86_64-unknown-linux-musl -o /usr/local/bin/zizmor
    chmod +x /usr/local/bin/zizmor
    
    # Install actionlint
    bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)

- name: Run zizmor security scan
  run: |
    zizmor --format=sarif .github/workflows/*.lock.yml > zizmor-results.sarif || true
    zizmor .github/workflows/*.lock.yml

- name: Run actionlint
  run: |
    actionlint .github/workflows/*.lock.yml

- name: Check for critical issues
  run: |
    # Fail CI if High or Critical issues found
    if zizmor --format=json .github/workflows/*.lock.yml | jq -e '.[] | select(.severity == "High" or .severity == "Critical")'; then
      echo "❌ Critical or High severity security issues found!"
      exit 1
    fi

Makefile Target

.PHONY: security-lint
security-lint: build recompile  ## Run security linting on workflows
	@echo "Running zizmor security scan..."
	@zizmor .github/workflows/*.lock.yml
	@echo "Running actionlint..."
	@actionlint .github/workflows/*.lock.yml

Acceptance Criteria

• Pre-commit hooks configured and documented
• CI workflow created and running on PRs
• High/Critical findings block PR merge
• Clear error messages with fix suggestions
• Makefile target make security-lint added
• DEVGUIDE.md updated with setup instructions
• CI passes for existing workflows (or issues fixed first)

Testing

# Test pre-commit hooks locally
pre-commit install
pre-commit run --all-files

# Test Makefile target
make security-lint

# Test CI workflow (push to test branch)
git checkout -b test-security-lint
git push origin test-security-lint
# Verify workflow runs and reports correctly

Dependencies

This issue should be implemented after fixing:

• High severity unpinned action issue (rejig docs #1)
• Medium severity credential persistence issues (Add workflow: githubnext/agentics/weekly-research #2)
• Missing permissions (Add workflow: githubnext/agentics/weekly-research #3)

This ensures the CI won't immediately fail when implemented.

References

• **Zizmo...

• Fixes [plan] Implement automated security scanning in CI/CD pipeline #9994

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.