[plan] Implement automated security scanning in CI/CD pipeline

[github-actions]

Objective

Integrate zizmor and actionlint into the CI/CD pipeline to automatically catch security and code quality issues before they reach production.

Context

Current State: Manual static analysis via scheduled workflow
Goal: Prevent security issues at PR time with automated checks
Tools: zizmor (security), actionlint (linting + shellcheck)

Automated security scanning provides continuous protection by:

• Blocking PRs with High/Critical security findings
• Catching shellcheck issues during development
• Providing immediate feedback to contributors
• Reducing manual security review burden

Approach

Phase 1: Add Pre-commit Hooks (Local Development)

1. Create .pre-commit-config.yaml in repository root
2. Configure hooks for:
   • zizmor (security scanning)
   • actionlint (workflow linting)
   • shellcheck (shell script validation)
3. Document setup in DEVGUIDE.md
4. Make it optional but recommended for contributors

Phase 2: Add CI/CD Checks (Required for PRs)

1. Create new workflow: .github/workflows/security-lint.md
2. Configure to run on:
   • Pull requests (when workflow files change)
   • Push to main branch
3. Add job steps:
   • Install zizmor and actionlint
   • Scan all workflow files
   • Report findings as PR comments
   • Fail CI for High/Critical issues
4. Integrate with GitHub branch protection rules

Phase 3: Enhanced Reporting

1. Add actionable error messages with fix suggestions
2. Link to security documentation for each finding type
3. Generate summary reports for PRs
4. Track security metrics over time

Files to Create

• .pre-commit-config.yaml (pre-commit hooks configuration)
• .github/workflows/security-lint.md (CI security checks)
• Update: DEVGUIDE.md (document security scanning setup)
• Update: Makefile (add make security-lint target)

Example Pre-commit Configuration

repos:
  - repo: local
    hooks:
      - id: zizmor
        name: zizmor security scan
        entry: zizmor
        language: system
        files: \.github/workflows/.*\.(lock\.yml|md)$
        pass_filenames: true
      
      - id: actionlint
        name: actionlint workflow linting
        entry: actionlint
        language: system
        files: \.github/workflows/.*\.lock\.yml$
        pass_filenames: true

Example CI Workflow (security-lint.md)

---
name: Security Lint
on:
  pull_request:
    paths:
      - '.github/workflows/**'
  push:
    branches: [main]
permissions:
  contents: read
  pull-requests: write
---

# Security and Code Quality Checks

This workflow runs automated security scanning and linting on GitHub Actions workflows.

- name: Install tools
  run: |
    # Install zizmor
    curl -sSfL https://github.com/woodruffw/zizmor/releases/latest/download/zizmor-x86_64-unknown-linux-musl -o /usr/local/bin/zizmor
    chmod +x /usr/local/bin/zizmor
    
    # Install actionlint
    bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)

- name: Run zizmor security scan
  run: |
    zizmor --format=sarif .github/workflows/*.lock.yml > zizmor-results.sarif || true
    zizmor .github/workflows/*.lock.yml

- name: Run actionlint
  run: |
    actionlint .github/workflows/*.lock.yml

- name: Check for critical issues
  run: |
    # Fail CI if High or Critical issues found
    if zizmor --format=json .github/workflows/*.lock.yml | jq -e '.[] | select(.severity == "High" or .severity == "Critical")'; then
      echo "❌ Critical or High severity security issues found!"
      exit 1
    fi

Makefile Target

.PHONY: security-lint
security-lint: build recompile  ## Run security linting on workflows
	@echo "Running zizmor security scan..."
	@zizmor .github/workflows/*.lock.yml
	@echo "Running actionlint..."
	@actionlint .github/workflows/*.lock.yml

Acceptance Criteria

• Pre-commit hooks configured and documented
• CI workflow created and running on PRs
• High/Critical findings block PR merge
• Clear error messages with fix suggestions
• Makefile target make security-lint added
• DEVGUIDE.md updated with setup instructions
• CI passes for existing workflows (or issues fixed first)

Testing

# Test pre-commit hooks locally
pre-commit install
pre-commit run --all-files

# Test Makefile target
make security-lint

# Test CI workflow (push to test branch)
git checkout -b test-security-lint
git push origin test-security-lint
# Verify workflow runs and reports correctly

Dependencies

This issue should be implemented after fixing:

• High severity unpinned action issue (rejig docs #1)
• Medium severity credential persistence issues (Add workflow: githubnext/agentics/weekly-research #2)
• Missing permissions (Add workflow: githubnext/agentics/weekly-research #3)

This ensures the CI won't immediately fail when implemented.

References

• Zizmor: https://docs.zizmor.sh/
• Actionlint: https://github.com/rhysd/actionlint
• Pre-commit: https://pre-commit.com/
• GitHub Branch Protection: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches
  Related to [plan] Security remediation plan for static analysis findings (Jan 14, 2026) #9990

AI generated by Plan Command for discussion #9966