From efc2a6acc572db18a4a591d5310796ade7a60f55 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 29 Oct 2025 06:09:17 +0000 Subject: [PATCH] docs: document zizmor URL links and verbose Docker command output MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updated CLI documentation to reflect enhancements in PR #2701: - Zizmor findings now include documentation URL links - Verbose mode displays Docker command for manual reproduction 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- docs/src/content/docs/tools/cli.md | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/docs/src/content/docs/tools/cli.md b/docs/src/content/docs/tools/cli.md index 5f3180610a3..d9e07217721 100644 --- a/docs/src/content/docs/tools/cli.md +++ b/docs/src/content/docs/tools/cli.md @@ -211,10 +211,10 @@ The `--dependabot` flag cannot be used with specific workflow files or custom `- The `--zizmor` flag runs the [zizmor](https://github.com/zizmorcore/zizmor) security scanner on generated `.lock.yml` files to identify potential security vulnerabilities in compiled workflows. Zizmor analyzes workflows for excessive permissions, insecure practices, workflow misconfigurations, and supply chain risks. -Security findings are displayed in IDE-parseable format with clickable file locations: +Security findings are displayed in IDE-parseable format with clickable file locations and documentation URLs: ``` -./.github/workflows/workflow.lock.yml:7:5: warning: [Medium] excessive-permissions: overly broad permissions +./.github/workflows/workflow.lock.yml:7:5: warning: [Medium] excessive-permissions: overly broad permissions (https://docs.zizmor.sh/audits/#excessive-permissions) 5 | steps: 6 | - uses: actions/checkout@v4 7 | permissions: 
@@ -223,6 +223,21 @@ Security findings are displayed in IDE-parseable format with clickable file loca 9 | issues: write ``` +Each finding includes a direct link to the zizmor documentation explaining the security issue and how to resolve it. + +**Verbose Output:** + +When using `--verbose` with `--zizmor`, the Docker command used to run zizmor is displayed before execution, enabling manual reproduction: + +```bash +gh aw compile --zizmor --verbose +``` + +Example verbose output: +``` +ℹ Run zizmor directly: docker run --rm -v "/repo:/workdir" -w /workdir ghcr.io/zizmorcore/zizmor:latest --format json .github/workflows/workflow.lock.yml +``` + **Strict Mode Enforcement:** When combined with `--strict`, security findings block compilation, ensuring workflows meet security standards before deployment:
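Review bot: the rewritten sample finding in the first hunk (`-./.github/workflows/workflow.lock.yml:7:5: ...` replaced by the line ending in `(https://docs.zizmor.sh/audits/#excessive-permissions)`) is only useful if it matches real output, so please confirm that the change from PR #2701 prints the URL in exactly that position and wrapping (parenthesised after the message, not on its own line), because readers will copy this line to build editor or CI log matchers for the "IDE-parseable" format the paragraph promises. A short clause saying the link goes to zizmor's own audit documentation, not this project's docs, would also help readers know where the remediation guidance lives.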
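Review bot: the "Example verbose output" block in the second hunk should state that the Docker command is illustrative (`/repo` stands in for the caller's repository root) and what a manual re-run actually produces: the command carries `--format json`, so running it by hand yields JSON, not the human-readable `file:line:col: warning: ...` lines documented just above, which presumably are what the CLI renders from that JSON. Two further points worth a sentence each in the same paragraph: the image is referenced by the floating tag `ghcr.io/zizmorcore/zizmor:latest`, so a later manual run may pull a different scanner version than the one `gh aw compile --zizmor --verbose` used and produce different findings, which argues for pinning a version or digest when reproducing; and the bind mount `-v "/repo:/workdir"` grants the container write access to the repository even though the scanner only reads the `.lock.yml` files, so the documented command could show a read-only mount (`:ro`).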