Security¶
Generated projects are hardened by default. Here’s the full picture.
Static analysis¶
zizmor — security static analysis for the GitHub Actions workflows: template injection, excessive permissions, credential persistence, unpinned actions, and cache poisoning. It runs as a pre-commit hook and in CI, and the generated workflows are zizmor-clean.
actionlint — workflow correctness linting.
Ruff
flake8-bandit(S) rules — bandit-style Python security linting, part of the Ruff set.
Supply-chain hardening¶
Every GitHub Action is pinned to a full commit SHA (with a version comment), kept current by Dependabot.
Workflows declare least-privilege
permissions:and usepersist-credentials: falseon checkouts.
Releases¶
Trusted publishing to PyPI (OIDC) — no long-lived API tokens.
Sigstore signing of the published artifacts.
SLSA build-provenance attestations (verifiable with
gh attestation verify).
Reporting a vulnerability¶
Use your repository’s private vulnerability reporting (GitHub → Security → “Report a vulnerability”)
or a SECURITY.md policy for disclosures.