Bug: secrets-outside-env not flagging some secrets

[marcoieni]

Pre-submission checks

• I am not reporting a bug (crash, false positive/negative, etc). These must be filed via the bug report template.
• I have looked through both the open and closed issues for a duplicate request.

What's the problem this feature will solve?

At the moment, secrets-outside-env doesn't work with reusable workflows. I.e. secrets aren't detected.

Reproduction

git clone git@github.com:rust-lang/compiler-builtins.git
cd compiler-builtins
git checkout 22c27f85a19230d3ff3f7b6e815449aa1dc314ea
zizmor .github/workflows/rustc-pull.yml

The output is:

🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed .github/workflows/rustc-pull.yml
No findings to report. Good job!

while the rustc-pull.yml file contains secrets outside of environments.

Describe the solution you'd like

The best solution I found is discourage the use of reusable workflows in case they contain secrets, and:

• inline the linked workflow
• create a proper github action based on the linked workflow

Additional context

No response

[woodruffw]

Hi @marcoieni, thanks for the report!

Hmm, I'm actually pretty confused by what's happening there rustc-pull.yml doesn't appear to be reusable (it uses workflow_dispatch not workflow_call), but we definitely should be flagging those secret references. I'll triage further.

(For context, zizmor currently incorrectly flags secret references in reusable workflows when it really shouldn't, since reusable workflows can't actually access environment secrets in a constrained way. This appears to be an undocumented bug/limitation on GitHub's side. But it's not what's affecting you since you have a dispatchable workflow, not a reusable one 🙂)

[woodruffw]

(See #1777 for the fix for the reusable workflow case, which is a false positive unlike this false negative.)

[woodruffw]

Oh, I see what's happening here -- rustc-pull.yml isn't itself reusable, but it calls a reusable workflow. So this is kind of related to the larger problem in #1777, which is that reusable workflows and environments just don't really work together at all -- AFAICT the only way to use environment secrets in a reusable workflow is to pass secrets: inherit from the caller, which (1) makes no sense, and (2) gets correctly flagged by the secrets-inherit audit.

I'm not sure if there's a good fix for this, and I think this is the final nail in the coffin for this audit being useful in the default persona -- I'm going to lower it down to auditor, since it grinds too much against GitHub's platform limitations.

[woodruffw]

#1777 will "fix" this by punting on the issue entirely 🙂

[marcoieni]

Mmmh this issue wasn't fixed, in the sense that my request was for zizmor to detect that rustc-pull.yml is using secrets outside of an environment.

I know that GitHub doesn't allow a easy fix, but I would prefer zizmor to issue a warning with a suggestion to either inline the workflow or create a github action from the reusable workflow.