Merge pull request #90 from crazy-max/zizmor-root

crazy-max · web-flow · commit f50b1cb0fcf0 · 2026-03-31T22:12:47.000+02:00
zizmor: default scan path to repository root
diff --git a/.github/workflows/.zizmor.yml b/.github/workflows/.zizmor.yml
@@ -22,8 +22,6 @@ jobs:
       contents: read
       security-events: write
     with:
-      version: v1.22.0
-      path: .
       min-severity: medium
       min-confidence: medium
       persona: pedantic
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -10,7 +10,7 @@ on:
       path:
         required: false
         type: string
-        default: .github
+        default: .
       version:
         required: false
         type: string
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,4 @@
+# https://docs.zizmor.sh/configuration/
+rules:
+  secrets-outside-env:
+    disable: true
diff --git a/README.md b/README.md
@@ -340,7 +340,7 @@ if it contains new releases, so it's kept in sync with [https://github.com/gohug
 ### `zizmor`
 
 [`zizmor` reusable workflow](.github/workflows/zizmor.yml) scans GitHub Actions
-workflows under `.github` by default with [Zizmor](https://github.com/zizmorcore/zizmor)
+workflows in the repository with [Zizmor](https://github.com/zizmorcore/zizmor)
 and uploads the SARIF report to GitHub code scanning.
 
 ```yaml
@@ -370,7 +370,7 @@ Here are the main inputs for this reusable workflow:
 
 | Name                | Type   | Default   | Description                                                            |
 |---------------------|--------|-----------|------------------------------------------------------------------------|
-| `path`              | String | `.github` | Path passed to `zizmor` as the scan target.                            |
+| `path`              | String | `.`       | Path passed to `zizmor` as the scan target.                            |
 | `version`           | String |           | Install a specific zizmor version.                                     |
 | `collect`           | List   |           | Extra artifact collection modes passed as repeated `--collect=` flags. |
 | `min-severity`      | String |           | Minimum severity to report.                                            |
@@ -380,8 +380,4 @@ Here are the main inputs for this reusable workflow:
 | `no-online-audits`  | Bool   | `false`   | Skip online audits while keeping the rest of the scan enabled.         |
 | `strict-collection` | Bool   | `false`   | Fail when artifact collection cannot be completed.                     |
 
-> [!NOTE]
-> This workflow scans `.github` by default, not the whole codebase. Override
-> `path` if you need to target a different workflow or action directory.
-
 You can find the list of available inputs directly in [the reusable workflow](.github/workflows/zizmor.yml).
