feat(docker): add zizmor v1.23.1 to CLI and API Docker images

Install zizmor binary in both Dockerfile and api/Dockerfile following
the same pattern as Trivy, with architecture detection for x86_64 and
aarch64. Also remove "detected by zizmor" from dynamic CheckTitle.
Andoni A.
2026-04-08 10:06:41 +02:00
parent 791d36efa1
commit ea62b12de7
4 changed files with 38 additions and 2 deletions


@@ -9,6 +9,9 @@ ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
ARG TRIVY_VERSION=0.69.2
ENV TRIVY_VERSION=${TRIVY_VERSION}
ARG ZIZMOR_VERSION=1.23.1
ENV ZIZMOR_VERSION=${ZIZMOR_VERSION}
# hadolint ignore=DL3008
RUN apt-get update && apt-get install -y --no-install-recommends \
wget libicu72 libunwind8 libssl3 libcurl4 ca-certificates apt-transport-https gnupg \
@@ -48,6 +51,21 @@ RUN ARCH=$(uname -m) && \
mkdir -p /tmp/.cache/trivy && \
chmod 777 /tmp/.cache/trivy
# Install zizmor for GitHub Actions workflow scanning
RUN ARCH=$(uname -m) && \
if [ "$ARCH" = "x86_64" ]; then \
ZIZMOR_ARCH="x86_64-unknown-linux-gnu" ; \
elif [ "$ARCH" = "aarch64" ]; then \
ZIZMOR_ARCH="aarch64-unknown-linux-gnu" ; \
else \
echo "Unsupported architecture for zizmor: $ARCH" && exit 1 ; \
fi && \
wget --progress=dot:giga "https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-${ZIZMOR_ARCH}.tar.gz" -O /tmp/zizmor.tar.gz && \
tar zxf /tmp/zizmor.tar.gz -C /tmp && \
mv /tmp/zizmor /usr/local/bin/zizmor && \
chmod +x /usr/local/bin/zizmor && \
rm /tmp/zizmor.tar.gz
# Add prowler user
RUN addgroup --gid 1000 prowler && \
adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler
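Review bot: The zizmor archive fetched by the `wget` line after the architecture branch is extracted and installed without any integrity check, so the scanner binary baked into the image is whatever the release URL serves at build time; pinning `ZIZMOR_VERSION` alone does not detect a replaced or tampered release asset. Pin the per-architecture SHA-256 of the v1.23.1 archives as build args, select the matching digest in the same `if`/`elif` that sets `ZIZMOR_ARCH`, and verify with `sha256sum -c` before `tar` runs, as sketched below (digest values are placeholders to be filled from the upstream release). The identical hunk in the next file section (api/Dockerfile) needs the same change, and since the commit message says this mirrors the Trivy install, the Trivy block above the hunk probably has the same gap and is worth checking. The `RUN` instruction is complete within the hunk.
```dockerfile
ARG ZIZMOR_SHA256_X86_64=<placeholder: sha256 of zizmor-x86_64-unknown-linux-gnu.tar.gz for v1.23.1>
ARG ZIZMOR_SHA256_AARCH64=<placeholder: sha256 of zizmor-aarch64-unknown-linux-gnu.tar.gz for v1.23.1>
# … unchanged: apt-get, PowerShell and Trivy install …
# Install zizmor for GitHub Actions workflow scanning
RUN ARCH=$(uname -m) && \
    if [ "$ARCH" = "x86_64" ]; then \
        ZIZMOR_ARCH="x86_64-unknown-linux-gnu" ; ZIZMOR_SHA256="$ZIZMOR_SHA256_X86_64" ; \
    elif [ "$ARCH" = "aarch64" ]; then \
        ZIZMOR_ARCH="aarch64-unknown-linux-gnu" ; ZIZMOR_SHA256="$ZIZMOR_SHA256_AARCH64" ; \
    else \
        echo "Unsupported architecture for zizmor: $ARCH" && exit 1 ; \
    fi && \
    wget --progress=dot:giga "https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-${ZIZMOR_ARCH}.tar.gz" -O /tmp/zizmor.tar.gz && \
    echo "${ZIZMOR_SHA256}  /tmp/zizmor.tar.gz" | sha256sum -c - && \
# … unchanged: tar, mv, chmod, rm …
```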


@@ -8,6 +8,9 @@ ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
ARG TRIVY_VERSION=0.69.2
ENV TRIVY_VERSION=${TRIVY_VERSION}
ARG ZIZMOR_VERSION=1.23.1
ENV ZIZMOR_VERSION=${ZIZMOR_VERSION}
# hadolint ignore=DL3008
RUN apt-get update && apt-get install -y --no-install-recommends \
wget \
@@ -57,6 +60,21 @@ RUN ARCH=$(uname -m) && \
mkdir -p /tmp/.cache/trivy && \
chmod 777 /tmp/.cache/trivy
# Install zizmor for GitHub Actions workflow scanning
RUN ARCH=$(uname -m) && \
if [ "$ARCH" = "x86_64" ]; then \
ZIZMOR_ARCH="x86_64-unknown-linux-gnu" ; \
elif [ "$ARCH" = "aarch64" ]; then \
ZIZMOR_ARCH="aarch64-unknown-linux-gnu" ; \
else \
echo "Unsupported architecture for zizmor: $ARCH" && exit 1 ; \
fi && \
wget --progress=dot:giga "https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-${ZIZMOR_ARCH}.tar.gz" -O /tmp/zizmor.tar.gz && \
tar zxf /tmp/zizmor.tar.gz -C /tmp && \
mv /tmp/zizmor /usr/local/bin/zizmor && \
chmod +x /usr/local/bin/zizmor && \
rm /tmp/zizmor.tar.gz
# Add prowler user
RUN addgroup --gid 1000 prowler && \
adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler


@@ -30,7 +30,7 @@ class githubactions_workflow_security_scan(Check):
metadata_dict = {
"Provider": "github",
"CheckID": f.finding_id,
"CheckTitle": f"GitHub Actions workflow {f.ident} detected by zizmor",
"CheckTitle": f"GitHub Actions workflow {f.ident}",
"CheckType": [],
"ServiceName": "githubactions",
"SubServiceName": "",


@@ -178,7 +178,7 @@ class Test_githubactions_workflow_security_scan:
)
assert (
result[0].check_metadata.CheckTitle
== "GitHub Actions workflow template-injection detected by zizmor"
== "GitHub Actions workflow template-injection"
)
assert result[0].check_metadata.Severity == "high"
assert result[0].check_metadata.Risk == "Template Injection Vulnerability"