14 changes: 13 additions & 1 deletion CHANGELOG.md
@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [2.1.0]

### Added

- feat: added github actions static analysis using zizmor

Member
I actually worked on introducing this in core and the module template today. 😅 Makes sense to me to add it here instead, but I have some concerns about how we're introducing it. If we start shipping this to all repositories like this, won't we immediately hit the 10 annotation limit on all these repos? Wondering if it doesn't make more sense to enable advanced-security?

Contributor
😅 Good point about the annotations limit. I haven’t seen zizmor create annotations though. For example, in this run: witmicko/accounts#39, it just lists issues in the action result/log.

If I recall correctly, all our main and internal repos using our code scanner are already on Advanced Security.

GitHub CodeQL scans GitHub Actions too, but zizmor is much better. In places where CodeQL was happy, zizmor found real issues.

My main concern is that it may block PRs and create extra work to address its findings. That said, I think this may be one of those “it is what it is” cases.

Member
If we merge this and it would start blocking PRs, that's definitely an issue. Would it make more sense to introduce it to each repository separately, like I did here?


### Fixed

- fix: pined github actions versions to sha's
- fix: fixed zizmor findings

## [2.0.5]

### Added
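Review bot: the two `### Fixed` entries carry typos that will ship in the release notes: `pined` should be `pinned` and `sha's` should be `SHAs`. The three new entries also have no PR reference, unlike the existing `([#29](...))` style further down this file; linking the PR and stating which zizmor findings were fixed would make the security content of this release auditable later, since pinning third-party actions to commit SHAs and resolving the static-analysis findings are the substantive hardening in it.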
@@ -72,7 +83,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- Initial release of this action ([#29](https://github.com/MetaMask/action-security-code-scanner/pull/29))

[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.5...HEAD
[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.1.0...HEAD
[2.1.0]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.5...v2.1.0
[2.0.5]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.4...v2.0.5
[2.0.4]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.3...v2.0.4
[2.0.3]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.2...v2.0.3
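Review bot: the new `[2.1.0]` compare link runs `v2.0.5...v2.1.0`, yet the root `package.json` hunk in this PR bumps the version from `2.0.6`, and there is no `[2.0.6]` section or link in this changelog. Either a 2.0.6 release was cut without a changelog entry, in which case add its section and link and make the `[2.1.0]` range `v2.0.6...v2.1.0`, or 2.0.6 was never tagged, in which case the range is correct but the gap in the version history should be explained.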
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "@metamask/action-security-code-scanner",
"version": "2.0.6",
"version": "2.1.0",
"private": true,
"description": "Security Code Scanner",
"repository": {
13 changes: 11 additions & 2 deletions packages/codeql-action/CHANGELOG.md
@@ -7,10 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [2.0.6]
## [2.1.0]

### Uncategorized

- Update publish-release workflow and CodeQL action versions
- Update actions/checkout to latest commit for consistency across workflows
- Update GitHub Actions to use latest versions of dependencies

## [2.0.6]

### Changed

- fix(codeql): prevent shell injection in debug steps and build command

## [2.0.5]
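Review bot: the new `[2.1.0]` section is headed `### Uncategorized`, which is the placeholder the release tooling emits, while the sibling package changelogs in this PR use `### Changed` for the same kind of entries (the semgrep-action hunk even renames an existing `### Uncategorized` heading to `### Changed`). Use `### Changed` here as well so the Keep a Changelog categories stay consistent across packages, and consider adding PR references to the three entries.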
@@ -41,7 +49,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Added multi language support
- Updated CodeQL action to v4

[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.6...HEAD
[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.1.0...HEAD
[2.1.0]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.6...v2.1.0
[2.0.6]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.5...v2.0.6
[2.0.5]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.3...v2.0.5
[2.0.3]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.1...v2.0.3
2 changes: 1 addition & 1 deletion packages/codeql-action/package.json
@@ -1,6 +1,6 @@
{
"name": "@metamask/codeql-action",
"version": "2.0.6",
"version": "2.1.0",
"private": true,
"description": "Custom CodeQL analysis action",
"keywords": [],
11 changes: 10 additions & 1 deletion packages/language-detector/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [2.1.0]

### Changed

- Update Node.js version to 24 in language-detector action and checkout action version in build-lint-test workflow for consistency
- Update Node.js version in .nvmrc and enable Corepack in actions using node
- Update GitHub Actions to use latest versions of dependencies

## [2.0.4]

### Changed
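Review bot: `Update Node.js version to 24 in language-detector action` changes the runtime a consumer's runner must support, which is more than the wording suggests for a minor release. State explicitly that the action now runs on Node 24 so that workflows on older self-hosted runners are not surprised, and link the PR from these entries as the older entries in this file do.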
@@ -42,7 +50,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- Added support for autodetecting languages using Github API

[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.4...HEAD
[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.1.0...HEAD
[2.1.0]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.4...v2.1.0
[2.0.4]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.3...v2.0.4
[2.0.3]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.2...v2.0.3
[2.0.2]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.1...v2.0.2
2 changes: 1 addition & 1 deletion packages/language-detector/package.json
@@ -1,6 +1,6 @@
{
"name": "@metamask/language-detector",
"version": "2.0.4",
"version": "2.1.0",
"description": "Language detection and matrix generation for code scanning",
"type": "module",
"main": "src/index.js",
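Review bot: this is the only `package.json` in the PR without `"private": true` (the root, codeql-action and semgrep-action manifests all carry it), so a version bump here is publishable to npm under `@metamask/language-detector`. If the package is meant to be consumed only from this repository, add `"private": true` to rule out an accidental publish; if publishing is intended, confirm the release workflow is set up for it.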
13 changes: 11 additions & 2 deletions packages/semgrep-action/CHANGELOG.md
@@ -7,9 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [2.1.0]

### Changed

- Update CodeQL action version in Semgrep workflow for consistency
- Update actions/checkout to latest commit for consistency across workflows
- Update GitHub Actions to use latest versions of dependencies

## [2.0.6]

### Uncategorized
### Changed

- fix(semgrep): prevent shell injection by using environment variable for paths_ignored

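Review bot: renaming the 2.0.6 heading from `### Uncategorized` to `### Changed` is the right cleanup; the same `### Uncategorized` heading is still being introduced for `[2.1.0]` in `packages/codeql-action/CHANGELOG.md` in this PR, so apply the identical fix there. The three new 2.1.0 entries here would also benefit from a PR reference, matching the style of the older entries in this file.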
@@ -39,7 +47,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- Migrated action from its separate repository to the monorepo

[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.6...HEAD
[Unreleased]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.1.0...HEAD
[2.1.0]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.6...v2.1.0
[2.0.6]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.5...v2.0.6
[2.0.5]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.2...v2.0.5
[2.0.2]: https://github.com/MetaMask/action-security-code-scanner/compare/v2.0.1...v2.0.2
2 changes: 1 addition & 1 deletion packages/semgrep-action/package.json
@@ -1,6 +1,6 @@
{
"name": "@metamask/semgrep-action",
"version": "2.0.6",
"version": "2.1.0",
"private": true,
"description": "Semgrep-based security scanning action",
"keywords": [