
William Woodruff (1.3.6.1.4.1.55738)

@yossarian.net.bsky.social

skeeting in accordance with the universal law. yossarian.net / blog.yossarian.net

350 Followers  |  64 Following  |  145 Posts  |  Joined: 24.04.2023  |  2.2601

Latest posts by yossarian.net on Bluesky


zizmor v1.11.0 is out! this release comes with experimental LSP support and an accompanying vscode extension:

marketplace.visualstudio.com/items?itemNa...

full release notes here: docs.zizmor.sh/release-note...

30.06.2025 19:33 — 👍 3    🔁 2    💬 0    📌 0
How to detect vulnerable GitHub Actions at scale with Zizmor | Grafana Labs In order to harden our infrastructure and pipelines, we have introduced the open source tool Zizmor into our CI/CD pipelines.

Do you want to find out more about how @grafana.bsky.social secures its GitHub actions using Zizmor? Check out this post from James on my team : grafana.com/blog/2025/06... @yossarian.net

27.06.2025 00:51 — 👍 2    🔁 4    💬 0    📌 0

thanks a ton in particular to @mosi.bsky.social from @grafana.bsky.social for his hard work on the auto-fix feature!

26.06.2025 18:43 — 👍 2    🔁 0    💬 1    📌 0
Release Notes - zizmor Abbreviated change notes about each zizmor release.

zizmor v1.10.0 is released!

this is a *huge* new release: it exposes a new (experimental) auto-fix mode, more precise subspanning for fixtures, as well as a brand new pedantic audit (anonymous-definition)

read the full notes here: docs.zizmor.sh/release-note...

26.06.2025 18:42 — 👍 6    🔁 4    💬 1    📌 0

"Tuscolo2025h2, Tuscolo2026h1, and Tuscolo2026h2 have passed their compliance monitoring period and will be added to an upcoming version of Chrome." issues.chromium.org/issues/41669...

The Geomys Certificate Transparency logs are on their way to become the first trusted Static CT API logs! 🎉

18.06.2025 23:06 — 👍 29    🔁 4    💬 1    📌 0

thank you @grafana.bsky.social for being a logo-level sponsor of zizmor!

(and also thank you @mosi.bsky.social and other folks at Grafana who've been sending me patches -- the next few releases are going to have a lot of really great new features)

18.06.2025 16:14 — 👍 14    🔁 2    💬 1    📌 0

A new adventure
https://blog.yossarian.net/2025/06/17/a-new-adventure
#lifestyle

17.06.2025 15:57 — 👍 17    🔁 1    💬 5    📌 0

Stop Using Encrypted Email

This is a piece I wrote with the Latacora team back in 2020 that came up today in light of the (yikes) OpenPGP.js bug. It's the best security advice I've given, and it includes a section that was lost in the migration from micro.blog.

Stop using encrypted email.

www.latacora.com/blog/2020/02...

10.06.2025 19:36 — 👍 38    🔁 18    💬 3    📌 1

Bypassing GitHub Actions policies in the dumbest way possible
https://blog.yossarian.net/2025/06/11/github-actions-policies-dumb-bypass
#security

11.06.2025 14:02 — 👍 7    🔁 5    💬 1    📌 0

pronouncing knicks like knish

07.06.2025 00:27 — 👍 2    🔁 0    💬 1    📌 0
Once a Maintainer: William Woodruff The security engineer on meeting engineers where they are, and what keeps him up at night

i did an interview with Once a Maintainer about open source and supply chain security!

onceamaintainer.substack.com/p/once-a-mai...

21.05.2025 16:00 — 👍 1    🔁 0    💬 0    📌 0
Release Notes - zizmor Abbreviated change notes about each zizmor release.

zizmor v1.8.0 is out!

besides changes to the official website and org:

* you can now use `ZIZMOR_CONFIG` to pass a config file, as an alternative to `--config`
* index-style contexts no longer cause false positives in the `template-injection` audit

read more here:

docs.zizmor.sh/release-note...

20.05.2025 20:21 — 👍 3    🔁 0    💬 0    📌 1
Securing GitHub Actions with William Woodruff William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent secur...

I chatted with @yossarian.net about securing GitHub Actions with Zizmor

I learned a ton, and given all the recent news about GitHub Actions, everyone should be looking at Zizmor

opensourcesecurity.io/2025/2025-05...

12.05.2025 14:50 — 👍 2    🔁 2    💬 0    📌 0

thanks, will do! i just sent an invite but had to revoke it because the personal repo has something wonky with it because it was originally private; i'll re-invite once i transfer it to the org!

07.05.2025 17:47 — 👍 2    🔁 0    💬 0    📌 0

thanks! yeah, i would definitely appreciate triage and gardening (especially issue and doc gardening) help!

07.05.2025 17:32 — 👍 1    🔁 0    💬 1    📌 0

yeah, i can't say i'm an *enthusiastic* user of Discord, lol -- FWICT it's a happy balance for the moment because it gives me free features that Slack would charge me for, but i'll be looking for alternatives (Matrix in particular has come up, but doesn't have as strong a network)

07.05.2025 14:55 — 👍 0    🔁 0    💬 1    📌 0

PyCon US 2025

Ho boy, I'm excited for @sethmlarson.dev and me to hit the main stage at #PyConUS 2025

us.pycon.org/2025/schedul...

Sunday morning!

06.05.2025 19:57 — 👍 7    🔁 3    💬 1    📌 0

A Discord server and new GitHub organization for zizmor
https://blog.yossarian.net/2025/05/07/zizmor-discord-server-github-org
#security #oss #devblog #programming #rust #zizmor

07.05.2025 14:48 — 👍 5    🔁 1    💬 2    📌 1
Making PyPI's test suite 81% faster See how we slashed PyPI’s test suite runtime from 163 to 30 seconds. The techniques we share can help you dramatically improve your own project’s testing performance without sacrificing coverage.

my colleague @darkamaul.bsky.social has a new blog post on the @trailofbits.bsky.social blog about how we worked with @pypi.org's maintainers to slash test times on PyPI by over 80%:

blog.trailofbits.com/2025/05/01/m...

01.05.2025 14:50 — 👍 5    🔁 3    💬 0    📌 1
Release Notes - zizmor Abbreviated change notes about each zizmor release.

i've released zizmor v1.6.0, with one new audit (forbidden-uses), one rewritten audit (unpinned-uses), a new output mode, and a whole bunch of bugfixes!

read the full release notes here: woodruffw.github.io/zizmor/relea...

20.04.2025 02:40 — 👍 9    🔁 3    💬 0    📌 0
Sneak peek: A new ASN.1 API for Python We’re working on integrating an ASN.1 API into PyCA Cryptography, built on top of the same Rust ASN.1 implementation already used by Cryptography’s X.509 APIs.

i'm very excited about this new work my team at @trailofbits is doing: we're building an ASN.1 API for PyCA Cryptography, giving users direct access to the same memory-safe, high-performance DER parser that Cryptography already uses for X.509:

blog.trailofbits.com/2025/04/18/s...

18.04.2025 14:16 — 👍 4    🔁 0    💬 0    📌 0
TIL: Any program can be a GitHub Actions shell

TIL Any program can be a GitHub Actions shell

yossarian.net/til/post/any...

08.04.2025 01:21 — 👍 5    🔁 0    💬 3    📌 0

hope this helps

07.04.2025 20:06 — 👍 4    🔁 1    💬 1    📌 0

it seems very weird to me that LSP is/was advertised as a solution to the NxM matrix problem in IDEs, but to use an LSP server in vscode you still need to write a custom extension ("LSP client") that only talks to your particular LSP server

(other editors/IDEs seem to get this right, e.g. vim-lsp)

06.04.2025 15:05 — 👍 2    🔁 0    💬 0    📌 0

Check out @yossarian.net’s article on Zizmor, a vulnerability scanner for GitHub workflows! 🔎 It even catches actions pinned to impostor commits! (Don’t know what they are? They’re described earlier in the same issue!)

29.03.2025 20:06 — 👍 4    🔁 1    💬 0    📌 0

Learning about zizmor, a static analysis tool for GitHub Actions from @yossarian.net github.com/woodruffw/zi...

01.02.2025 17:04 — 👍 8    🔁 3    💬 0    📌 1
PyPI now supports archiving projects By Facundo Tuesca PyPI now supports marking projects as archived. Project owners can now archive their project to let users know that the project is not expected to receive any more updates. Projec…

you can now archive projects on @pypi.org!

this work was done by my teammate Facundo @trailofbits.bsky.social and is part of a larger multi-year arc of work dedicated to landing security and usability improvements on PyPI:

blog.trailofbits.com/2025/01/30/p...

30.01.2025 15:55 — 👍 14    🔁 7    💬 0    📌 0

All I did was kick off the release! The work towards this was done in bulk by Daniele Nicolodi, who has been doing some fantastic refactors recently.

24.01.2025 03:41 — 👍 2    🔁 0    💬 1    📌 0

zizmor v1.2.0 is released!

this release brings a new audit (bot-conditions), which can detect spoofable `github.actor` checks. it also brings bugfixes/accuracy improvements across the board!

many thanks to astral.sh for being our first logo sponsor!

notes here: woodruffw.github.io/zizmor/relea...

18.01.2025 18:03 — 👍 6    🔁 0    💬 0    📌 1

Yep, that’s exactly the kind of case that’s been motivating this thought! I also find it very challenging and haven’t come up with good solutions for my own projects

10.01.2025 22:15 — 👍 2    🔁 0    💬 0    📌 0

@yossarian.net is following 19 prominent accounts