add zizmor pre-commit check

.clinerules

@@ -20,5 +20,17 @@
 - Handle errors gracefully, logging only essential details.
 - Use unique error codes or identifiers for easier debugging.
 
-## 6. CI considerations
+## 7. CI considerations
 - Make sure changes are not committed directly to the `main` branch
+
+## 8. Exclusions
+exclude:
+  - "*.png"
+
+## 9. Context limits
+context:
+  handoff_threshold: 50%
+  carry_over:
+    - summaries
+    - file_states
+    - next_steps

.git-hooks/pre-commit

@@ -26,6 +26,31 @@ if [ -n "$STAGED_FILES" ]; then
   fi
 fi
 
+# Check if the staged files include GitHub Actions workflow files
+STAGED_WORKFLOW_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep -E '^\.github/workflows/.*\.ya?ml$' || true)
+
+# If GitHub Actions workflow files are staged, run zizmor
+if [ -n "$STAGED_WORKFLOW_FILES" ]; then
+  echo "Running zizmor to check GitHub Actions workflows..."
+
+  # Check if zizmor is installed
+  if ! command -v zizmor >/dev/null 2>&1; then
+    echo "zizmor is not installed. Please install it and try again."
+    exit 1
+  fi
+
+  # Run zizmor on each staged workflow file with pedantic persona and medium thresholds
+  for file in $STAGED_WORKFLOW_FILES; do
+    echo "Checking $file with zizmor (pedantic mode, medium+ severity/confidence)..."
+    if ! zizmor --persona=pedantic --min-severity=medium --min-confidence=medium "$ROOT_DIR/$file"; then
+      echo "Zizmor detected issues in $file. Commit aborted."
+      exit 1
+    fi
+  done
+
+  echo "All GitHub Actions workflows passed zizmor security checks!"
+fi
+
 # Check if the staged files include JavaScript files in the javascriptapp directory
 STAGED_JS_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep -E '^javascriptapp/.*\.js$' || true)
 

.github/workflows/checks.yml

@@ -8,13 +8,19 @@ on:
     paths:
       - javascriptapp/**
 
+# Restrict permissions to minimum required (fixes zizmor excessive-permissions)
+permissions:
+  contents: read # Only read access to repository contents
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Use Node
         uses: actions/setup-node@v3

.github/workflows/zizmor_sarif.yml

@@ -0,0 +1,45 @@
+name: Zizmor Security Scan
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - ".github/workflows/**"
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor-scan:
+    runs-on: ubuntu-latest
+    name: Zizmor GitHub Actions Security Scan
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Rust and zizmor
+        run: |
+          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+          source ~/.cargo/env
+          cargo install zizmor
+
+      - name: Run zizmor security scan
+        run: |
+          source ~/.cargo/env
+          zizmor --persona=pedantic --min-severity=medium --min-confidence=medium --format=sarif .github/workflows/ > zizmor.sarif
+        continue-on-error: true
+
+      - name: Upload SARIF results to GitHub
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: zizmor.sarif
+          category: zizmor
+        if: always()

README.md

@@ -4,6 +4,7 @@ This repository contains various projects and examples used for AI experimentati
 
 ## Structure
 
+- **goapp/**: A Go application that fetches and displays stock data using the Alpha Vantage API.
 - **javascriptapp/**: A simple JavaScript application with tests and coverage reports.
 - **mermaid_diagrams/**: Examples of using Mermaid to create diagrams for various architectures and workflows.
 - **.git-hooks/**: Git hooks for code quality and testing. See [Git Hooks](#git-hooks) section below.
@@ -32,6 +33,39 @@ brew install gitleaks
 
 The pre-commit hook will block commits if any secrets are detected in the staged files.
 
+### GitHub Actions Security Scanning with Zizmor
+
+This repository uses [zizmor](https://github.com/zizmorcore/zizmor) to scan GitHub Actions workflows for security vulnerabilities and misconfigurations. Zizmor is a security auditing tool that analyzes workflow files and identifies potential security issues such as excessive permissions, unsafe practices, and other workflow-related security concerns.
+
+To use zizmor on your system, you can install it via multiple package managers:
+
+**macOS (Homebrew):**
+```bash
+brew install zizmor
+```
+
+**Rust (Cargo):**
+```bash
+cargo install zizmor
+```
+
+**From GitHub Releases:**
+Download the appropriate binary from the [releases page](https://github.com/zizmorcore/zizmor/releases).
+
+To scan the GitHub Actions workflows in this repository:
+
+```bash
+zizmor .
+```
+
+The tool will output results in SARIF format, which can be viewed in compatible editors or saved to a file:
+
+```bash
+zizmor . --format sarif > zizmor.sarif
+```
+
+For more information about zizmor and its security audits, see the [official documentation](https://docs.zizmor.sh).
+
 ## Note
 
 This repository is part of an AI experimentation project and is not actively maintained. Contributions are not being accepted at this time.

zizmor.sarif

@@ -0,0 +1,24 @@
+{
+  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
+  "runs": [
+    {
+      "invocations": [
+        {
+          "executionSuccessful": true
+        }
+      ],
+      "results": [],
+      "tool": {
+        "driver": {
+          "downloadUri": "https://github.com/zizmorcore/zizmor",
+          "informationUri": "https://docs.zizmor.sh",
+          "name": "zizmor",
+          "rules": [],
+          "semanticVersion": "1.8.0",
+          "version": "1.8.0"
+        }
+      }
+    }
+  ],
+  "version": "2.1.0"
+}