feat(secrets-outside-env): allowlist secrets in config (#1759)

* feat(secrets-outside-env): allowlist secrets in config

The `secrets-outside-env` audit gains an `allow` list in the
configuration file of secret names that should be ignored by the audit.

Signed-off-by: Robert Muir <rmuir@apache.org>

* test(secrets-outside-env): add test for base config as well

* docs: fix grammatical error

* test(secrets-outside-env): add some corner-case tests around secret name

Test that GITHUB_TOKEN works as both an index access and a property
dereference. Also test that case is ignored when comparing strings. This
exception works correctly, since it uses ContextPattern.

Test that allowlist works as an index access. This currently works
because `single_tail()` takes care. Case-insensitivity does NOT yet
work.

* fix(secrets-outside-env): use case-insensitive matching

Simple solution that uses ascii lowercasing. There's a TODO to use
a fancier approach via ContextPattern...

* Single-source the allowlist

Signed-off-by: William Woodruff <william@yossarian.net>

* Clippy

Signed-off-by: William Woodruff <william@yossarian.net>

* Record changes

Signed-off-by: William Woodruff <william@yossarian.net>

* Formatting

Signed-off-by: William Woodruff <william@yossarian.net>

* Bump schema

Signed-off-by: William Woodruff <william@yossarian.net>

---------

Signed-off-by: Robert Muir <rmuir@apache.org>
Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: William Woodruff <william@yossarian.net>

Author: rmuir

.gitignore

@@ -14,3 +14,4 @@
 
 # benchmarks
 .codspeed/
+bench/__pycache__/

crates/zizmor/src/audit/secrets_outside_env.rs

@@ -33,7 +33,7 @@ impl Audit for SecretsOutsideEnvironment {
     async fn audit_normal_job<'doc>(
         &self,
         job: &NormalJob<'doc>,
-        _config: &Config,
+        config: &Config,
     ) -> Result<Vec<Finding<'doc>>, AuditError> {
         if job.parent().has_workflow_call() {
             // Reusable workflows and environments don't interact well, and are more or less
@@ -71,9 +71,14 @@ impl Audit for SecretsOutsideEnvironment {
                     continue;
                 }
 
-                if context.matches("secrets.GITHUB_TOKEN") {
-                    // GITHUB_TOKEN is always latently available, so we don't
-                    // flag its usage outside of a dedicated environment.
+                // Check to see whether we allow this secret. The policy always includes
+                // GITHUB_TOKEN, since it's always latently available.
+                if let Some(secret_name) = context.single_tail()
+                    && config
+                        .secrets_outside_env_policy
+                        .allow
+                        .contains(&secret_name.to_ascii_lowercase())
+                {
                     continue;
                 }
 

crates/zizmor/src/config/mod.rs

@@ -1,4 +1,10 @@
-use std::{collections::HashMap, fs, num::NonZeroUsize, ops::Deref, str::FromStr};
+use std::{
+    collections::{HashMap, HashSet},
+    fs,
+    num::NonZeroUsize,
+    ops::Deref,
+    str::FromStr,
+};
 
 use anyhow::{Context as _, anyhow};
 use camino::Utf8Path;
@@ -16,7 +22,7 @@ use crate::{
     App, CollectionOptions,
     audit::{
         AuditCore, dependabot_cooldown::DependabotCooldown, forbidden_uses::ForbiddenUses,
-        unpinned_uses::UnpinnedUses,
+        secrets_outside_env::SecretsOutsideEnvironment, unpinned_uses::UnpinnedUses,
     },
     finding::Finding,
     github::{Client, ClientError},
@@ -228,6 +234,47 @@ pub(crate) enum ForbiddenUsesConfigInner {
     Deny(Vec<RepositoryUsesPattern>),
 }
 
+/// Configuration for the `secrets-outside-env` audit.
+#[derive(Clone, Debug, Default, Deserialize)]
+#[serde(rename_all = "kebab-case", deny_unknown_fields)]
+#[serde(default)]
+#[cfg_attr(feature = "schema", derive(schemars::JsonSchema))]
+pub(crate) struct SecretsOutsideEnvConfig {
+    /// List of secret names excluded from the audit
+    pub(crate) allow: Vec<String>,
+}
+
+/// Policy to evaluate secrets references
+#[derive(Clone, Debug)]
+pub(crate) struct SecretsOutsideEnvPolicy {
+    /// List of secret names excluded from the audit
+    pub(crate) allow: HashSet<String>,
+}
+
+impl Default for SecretsOutsideEnvPolicy {
+    fn default() -> Self {
+        let mut allow = HashSet::new();
+        allow.insert("github_token".into());
+
+        Self { allow }
+    }
+}
+
+impl From<SecretsOutsideEnvConfig> for SecretsOutsideEnvPolicy {
+    fn from(value: SecretsOutsideEnvConfig) -> Self {
+        let mut allow = value
+            .allow
+            .iter()
+            .map(|item| item.to_ascii_lowercase())
+            .collect::<HashSet<_>>();
+
+        let default = Self::default();
+        allow.extend(default.allow);
+
+        Self { allow }
+    }
+}
+
 /// # Configuration for the `unpinned-uses` audit.
 ///
 /// This configuration is reified into an `UnpinnedUsesPolicies`.
@@ -396,6 +443,7 @@ pub(crate) struct Config {
     raw: RawConfig,
     pub(crate) dependabot_cooldown_config: DependabotCooldownConfig,
     pub(crate) forbidden_uses_config: Option<ForbiddenUsesConfig>,
+    pub(crate) secrets_outside_env_policy: SecretsOutsideEnvPolicy,
     pub(crate) unpinned_uses_policies: UnpinnedUsesPolicies,
 }
 
@@ -410,6 +458,12 @@ impl Config {
 
         let forbidden_uses_config = raw.rule_config(ForbiddenUses::ident())?;
 
+        let secrets_outside_env_config =
+            raw.rule_config::<SecretsOutsideEnvConfig>(SecretsOutsideEnvironment::ident())?;
+        let secrets_outside_env_policy = secrets_outside_env_config
+            .map(Into::into)
+            .unwrap_or_default();
+
         let unpinned_uses_policies = {
             if let Some(unpinned_uses_config) =
                 raw.rule_config::<UnpinnedUsesConfig>(UnpinnedUses::ident())?
@@ -424,6 +478,7 @@ impl Config {
             raw,
             dependabot_cooldown_config,
             forbidden_uses_config,
+            secrets_outside_env_policy,
             unpinned_uses_policies,
         })
     }

crates/zizmor/src/config/schema.rs

@@ -11,7 +11,10 @@
 
 use schemars::JsonSchema;
 
-use super::{DependabotCooldownConfig, ForbiddenUsesConfig, UnpinnedUsesConfig, WorkflowRule};
+use super::{
+    DependabotCooldownConfig, ForbiddenUsesConfig, SecretsOutsideEnvConfig, UnpinnedUsesConfig,
+    WorkflowRule,
+};
 
 /// Base configuration for all audit rules.
 #[derive(Clone, Debug, Default, JsonSchema)]
@@ -46,6 +49,17 @@ struct ForbiddenUsesRuleConfig {
     config: Option<ForbiddenUsesConfig>,
 }
 
+/// Configuration for the `secrets-outside-env` audit.
+#[derive(Clone, Debug, Default, JsonSchema)]
+#[serde(deny_unknown_fields)]
+struct SecretsOutsideEnvRuleConfig {
+    #[serde(flatten)]
+    base: BaseRuleConfig,
+
+    #[serde(default)]
+    config: Option<SecretsOutsideEnvConfig>,
+}
+
 /// Configuration for the `unpinned-uses` audit.
 #[derive(Debug, Default, JsonSchema)]
 #[serde(deny_unknown_fields)]
@@ -106,11 +120,11 @@ define_audit_rules! {
     concurrency_limits,
     archived_uses,
     misfeature,
-    secrets_outside_env,
     superfluous_actions;
 
     [DependabotCooldownRuleConfig] dependabot_cooldown,
     [ForbiddenUsesRuleConfig] forbidden_uses,
+    [SecretsOutsideEnvRuleConfig] secrets_outside_env,
     [UnpinnedUsesRuleConfig] unpinned_uses,
 }
 
@@ -246,6 +260,41 @@ mod tests {
             .expect("forbidden uses deny config should be valid");
     }
 
+    #[test]
+    fn test_secrets_outside_env_config() {
+        let secrets_allow = r#"
+        rules:
+          secrets-outside-env:
+            config:
+              allow:
+                - NOT_SO_SECRET
+                - ALSO_NOT_SO_SECRET
+        "#;
+
+        let instance = serde_yaml::from_str::<serde_json::Value>(secrets_allow).unwrap();
+        SCHEMA_VALIDATOR
+            .validate(&instance)
+            .expect("secrets-outside-env allow config should be valid");
+    }
+
+    #[test]
+    fn test_secrets_outside_env_base_plus_config() {
+        let secrets_allow = r#"
+        rules:
+          secrets-outside-env:
+            config:
+              allow:
+                - NOT_SO_SECRET
+            ignore:
+              - foo.yml
+        "#;
+
+        let instance = serde_yaml::from_str::<serde_json::Value>(secrets_allow).unwrap();
+        SCHEMA_VALIDATOR
+            .validate(&instance)
+            .expect("secrets-outside-env allow config with base config should be valid");
+    }
+
     #[test]
     fn test_unpinned_uses_config() {
         let valid = r#"

crates/zizmor/tests/integration/audit/secrets_outside_env.rs

@@ -1,6 +1,6 @@
 use anyhow::Result;
 
-use crate::common::{input_under_test, zizmor};
+use crate::common::{OutputMode, input_under_test, zizmor};
 
 #[test]
 fn test_secrets_outside_env() -> Result<()> {
@@ -27,3 +27,127 @@ fn test_secrets_outside_env() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+fn test_config_invalid_variant() -> Result<()> {
+    insta::assert_snapshot!(
+        zizmor()
+        .expects_failure(1)
+        .input(input_under_test("neutral.yml"))
+        .config(input_under_test("secrets-outside-env/configs/invalid-variant.yml"))
+        .output(OutputMode::Stderr)
+        .run()?,
+        @"
+    🌈 zizmor v@@VERSION@@
+    fatal: no audit was performed
+    error: configuration error in @@CONFIG@@
+      |
+      = help: check the configuration for the 'secrets-outside-env' rule
+      = help: see: https://docs.zizmor.sh/audits/#secrets-outside-env-configuration
+
+    Caused by:
+        0: configuration error in @@CONFIG@@
+        1: invalid syntax for audit `secrets-outside-env`
+        2: unknown field `mystery-variant`, expected `allow`
+    "
+    );
+    Ok(())
+}
+
+#[test]
+fn test_config_allow_none() -> Result<()> {
+    insta::assert_snapshot!(
+        zizmor()
+        .args(["--persona=auditor"])
+        .input(input_under_test("secrets-outside-env/multiple-secrets.yml"))
+        .config(input_under_test("secrets-outside-env/configs/allow-none.yml"))
+        .run()?,
+        @"
+    warning[secrets-outside-env]: secrets referenced without a dedicated environment
+      --> @@INPUT@@:20:30
+       |
+    12 |   test:
+       |   ---- this job
+    ...
+    20 |           NOT_SO_SECRET: ${{ secrets.NOT_SO_SECRET }}
+       |                              ^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
+       |
+       = note: audit confidence → High
+
+    warning[secrets-outside-env]: secrets referenced without a dedicated environment
+      --> @@INPUT@@:25:30
+       |
+    12 |   test:
+       |   ---- this job
+    ...
+    25 |           NOT_SO_SECRET: ${{ secrets.not_so_secret }}
+       |                              ^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
+       |
+       = note: audit confidence → High
+
+    warning[secrets-outside-env]: secrets referenced without a dedicated environment
+      --> @@INPUT@@:30:30
+       |
+    12 |   test:
+       |   ---- this job
+    ...
+    30 |           NOT_SO_SECRET: ${{ secrets['not_so_secret'] }}
+       |                              ^^^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
+       |
+       = note: audit confidence → High
+
+    warning[secrets-outside-env]: secrets referenced without a dedicated environment
+      --> @@INPUT@@:35:35
+       |
+    12 |   test:
+       |   ---- this job
+    ...
+    35 |           ALSO_NOT_SO_SECRET: ${{ secrets.ALSO_NOT_SO_SECRET }}
+       |                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
+       |
+       = note: audit confidence → High
+
+    4 findings: 0 informational, 0 low, 4 medium, 0 high
+    "
+    );
+    Ok(())
+}
+
+#[test]
+fn test_config_allow_one() -> Result<()> {
+    insta::assert_snapshot!(
+        zizmor()
+        .args(["--persona=auditor"])
+        .input(input_under_test("secrets-outside-env/multiple-secrets.yml"))
+        .config(input_under_test("secrets-outside-env/configs/allow-one.yml"))
+        .run()?,
+        @"
+    warning[secrets-outside-env]: secrets referenced without a dedicated environment
+      --> @@INPUT@@:35:35
+       |
+    12 |   test:
+       |   ---- this job
+    ...
+    35 |           ALSO_NOT_SO_SECRET: ${{ secrets.ALSO_NOT_SO_SECRET }}
+       |                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
+       |
+       = note: audit confidence → High
+
+    1 finding: 0 informational, 0 low, 1 medium, 0 high
+    "
+    );
+    Ok(())
+}
+
+#[test]
+fn test_config_allow_some() -> Result<()> {
+    insta::assert_snapshot!(
+        zizmor()
+        .args(["--persona=auditor"])
+        .input(input_under_test("secrets-outside-env/multiple-secrets.yml"))
+        .config(input_under_test("secrets-outside-env/configs/allow-some.yml"))
+        .run()?,
+        @"No findings to report. Good job!"
+    );
+    Ok(())
+}

crates/zizmor/tests/integration/test-data/secrets-outside-env/configs/allow-none.yml

@@ -0,0 +1,6 @@
+# zizmor.yml config file allowing empty list of secrets for 'secrets-outside-env' rule
+
+rules:
+  secrets-outside-env:
+    config:
+      allow: []

crates/zizmor/tests/integration/test-data/secrets-outside-env/configs/allow-one.yml

@@ -0,0 +1,7 @@
+# zizmor.yml config file allowing individual secret for the 'secrets-outside-env' rule
+
+rules:
+  secrets-outside-env:
+    config:
+      allow:
+        - NOT_SO_SECRET

crates/zizmor/tests/integration/test-data/secrets-outside-env/configs/allow-some.yml

@@ -0,0 +1,8 @@
+# zizmor.yml config file allowing multiple secrets for the 'secrets-outside-env' rule
+
+rules:
+  secrets-outside-env:
+    config:
+      allow:
+        - NOT_SO_SECRET
+        - ALSO_NOT_SO_SECRET

crates/zizmor/tests/integration/test-data/secrets-outside-env/configs/invalid-variant.yml

@@ -0,0 +1,6 @@
+# zizmor.yml config file with an invalid schema for the 'secrets-outside-env' rule.
+
+rules:
+  secrets-outside-env:
+    config:
+      mystery-variant: 42