
New audit: typosquat-uses#1985

Merged
woodruffw merged 7 commits into zizmorcore:main from andrew:typosquat-audit on May 19, 2026

Conversation

@andrew
Contributor

@andrew andrew commented May 11, 2026

Pre-submission checks

  • Mandatory: This PR corresponds to an issue (if not, please create one first).
  • Having read the AI policy, I hereby disclose the use of an LLM or other AI coding assistant in the creation of this PR. PRs will not be rejected for using AI tools, but will be rejected for undisclosed use or use that violates the policy.

Closes #1989. Developed with Claude Code (Opus 4.7); I've reviewed the diff and can explain every change without referring back to the tool.

Summary

Adds a typosquat-uses audit that flags uses: references one edit away from a popular action but owned by a different account, e.g. action/checkout or dokcer/login-action.

Uses the typomania library against a baked-in corpus of ~50 popular actions in crates/zizmor/data/popular-actions.txt. The owner is treated as the package author so near-misses within the same org (e.g. actions/chckout) are ignored, since that namespace is already controlled and the step just 404s at runtime.

Works offline at low confidence. With a GitHub token it checks whether the misspelled repo actually exists and bumps confidence to high when it does. Adds Client::repo_exists for the lookup.

In a scan of ~150k repos this pattern surfaced ~15 near-misses, almost all harmless same-org typos. Only two resolved to live repos under a different owner. So the value here is less about finding active squats and more about catching the dangerous case where a typo'd owner name points at a namespace someone else could register.

The corpus is hand-seeded for now. Happy to add a support/popular-actions.py generator along the lines of archived-repos if the approach looks right.

Test Plan

Integration test at crates/zizmor/tests/integration/audit/typosquat_uses.rs with a fixture covering omission, transposition, homoglyph, repetition, and owner-transposition positive cases plus two negative cases (same-owner near-miss, unrelated slug). Snapshot is inline. The online (high-confidence) branch is not covered by a test since it needs a live foreign-owned squat; tested manually that the offline path produces correct findings.
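The detection rule described above (a `uses:` slug within one edit of a popular action, but under a different owner; same-owner near-misses ignored; low confidence offline, high when the misspelled repo is confirmed to exist), as an added example that is not zizmor's code. It replaces typomania with a hand-rolled optimal-string-alignment distance and a tiny homoglyph table, uses a four-entry stand-in for `popular-actions.txt`, and takes an optional `repo_exists` closure in place of `Client::repo_exists`; all of those, and the sample steps, are assumptions made for the example.

```rust
/// Stand-in for crates/zizmor/data/popular-actions.txt (assumption: four
/// entries here; the real corpus is described as ~50 hand-seeded actions).
const POPULAR_ACTIONS: &[&str] = &[
    "actions/checkout",
    "actions/setup-python",
    "docker/login-action",
    "softprops/action-gh-release",
];

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Confidence {
    Low,
    High,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub slug: String,
    pub lookalike_of: String,
    pub confidence: Confidence,
}

/// Extract lowercase `(owner, repo)` from a `uses:` value, dropping the
/// `@ref` and any subpath. Local (`./x`) and `docker://` uses have no slug.
pub fn slug_of(uses: &str) -> Option<(String, String)> {
    if uses.starts_with("./") || uses.starts_with("docker://") {
        return None;
    }
    let path = uses.split('@').next()?;
    let mut parts = path.split('/');
    let owner = parts.next()?.to_ascii_lowercase();
    let repo = parts.next()?.to_ascii_lowercase();
    if owner.is_empty() || repo.is_empty() {
        return None;
    }
    Some((owner, repo))
}

/// Fold digits that render like letters (assumption: a small subset of a
/// real homoglyph table, enough for the `d0cker` style of squat).
fn fold_homoglyphs(s: &str) -> String {
    s.chars()
        .map(|c| match c {
            '0' => 'o',
            '1' => 'l',
            '3' => 'e',
            '5' => 's',
            '7' => 't',
            other => other,
        })
        .collect()
}

/// Optimal-string-alignment distance: one edit is an insertion, deletion,
/// substitution, or adjacent transposition (so `dokcer` is 1 from `docker`).
pub fn osa_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let (n, m) = (a.len(), b.len());
    let mut d = vec![vec![0usize; m + 1]; n + 1];
    for i in 0..=n {
        d[i][0] = i;
    }
    for j in 0..=m {
        d[0][j] = j;
    }
    for i in 1..=n {
        for j in 1..=m {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            d[i][j] = (d[i - 1][j] + 1)
                .min(d[i][j - 1] + 1)
                .min(d[i - 1][j - 1] + cost);
            if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1] {
                d[i][j] = d[i][j].min(d[i - 2][j - 2] + 1);
            }
        }
    }
    d[n][m]
}

/// Audit one `uses:` value. `repo_exists` stands in for the PR's
/// `Client::repo_exists`; `None` is the offline, low-confidence path.
pub fn audit_uses(uses: &str, repo_exists: Option<&dyn Fn(&str, &str) -> bool>) -> Option<Finding> {
    let (owner, repo) = slug_of(uses)?;
    // Case is folded already; homoglyphs are folded only for the distance check.
    let candidate = format!("{}/{}", fold_homoglyphs(&owner), fold_homoglyphs(&repo));
    for popular in POPULAR_ACTIONS {
        let (p_owner, _) = popular.split_once('/')?;
        // Same namespace as the real action: a typo'd repo there just 404s.
        if owner == p_owner {
            continue;
        }
        if osa_distance(&candidate, popular) <= 1 {
            let confidence = match repo_exists {
                Some(exists) if exists(&owner, &repo) => Confidence::High,
                _ => Confidence::Low,
            };
            return Some(Finding { slug: format!("{owner}/{repo}"), lookalike_of: popular.to_string(), confidence });
        }
    }
    None
}

fn main() {
    // Constructed workflow steps, not taken from any real repository.
    let steps = [
        "action/checkout@v4",
        "dokcer/login-action@v3",
        "d0cker/login-action@v3",
        "actions/chckout@v4",
        "actions/checkout@v4",
        "./local-action",
        "actionss/setup-python@v5",
    ];
    for s in steps {
        match audit_uses(s, None) {
            Some(f) => println!("{s}: looks like {} ({:?})", f.lookalike_of, f.confidence),
            None => println!("{s}: ok"),
        }
    }
}
```

Note that the same-owner check compares the raw lowercased owner, while the edit distance runs on the homoglyph-folded slug: `d0cker/login-action` is therefore not treated as docker's own namespace, yet sits at distance zero from the corpus entry and is flagged.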

@andrew andrew force-pushed the typosquat-audit branch from abfb5db to 589f121 on May 11, 2026 14:46
@woodruffw woodruffw added enhancement New feature or request new-audit New audits labels May 12, 2026
@woodruffw woodruffw added this to the 1.26.0 milestone May 12, 2026
Member

@woodruffw woodruffw left a comment


Thanks @andrew! I agree this would be a great audit to have, and thanks a ton for working on it.

Mostly nits from me; the only general question I have is around case handling -- right now the uses: clauses get folded to lowercase; are there any concerns/risks with doing that? The answer is probably 'no' but I'm not 100% sure since I'm not sure how typomania works 🙂

Comment thread crates/zizmor/src/audit/typosquat_uses.rs Outdated
Comment thread crates/zizmor/src/audit/typosquat_uses.rs Outdated
Comment thread crates/zizmor/src/github.rs Outdated
Comment thread docs/audits.md Outdated
Comment thread crates/zizmor/src/registry.rs
Comment thread crates/zizmor/src/audit/typosquat_uses.rs
Comment thread crates/zizmor/src/audit/typosquat_uses.rs Outdated
@andrew
Contributor Author

andrew commented May 12, 2026

Thanks for the review, all addressed in 79e8f0f.

On case folding: GitHub treats owner and repo names as case-insensitive (Actions/Checkout resolves to actions/checkout), so lowercasing both the corpus and the candidate before handing them to typomania is correct and stops mixed-case slugs from slipping past. typomania itself does byte-wise comparison so without the fold Actions/checkout wouldn't match the corpus entry.

Member

@woodruffw woodruffw left a comment


Thanks @andrew! I'll rebase and address some nits on my end, but this looks good to me.

Comment thread crates/zizmor/src/audit/typosquat_uses.rs Outdated
Comment thread crates/zizmor/src/audit/typosquat_uses.rs Outdated
@andrew
Contributor Author

andrew commented May 14, 2026

I've also got a few improvement PRs open on typomania, so hopefully there will be a new release of that before 1.2.6 comes around.

@woodruffw
Member

(This also reminded me that I need to break RepositoryUses up a bit -- it should be renamed to ActionUses and should have an ActionSlug sub-type for just owner/repo pairs.)

@woodruffw woodruffw merged commit ba2e68b into zizmorcore:main May 19, 2026
12 checks passed
@woodruffw
Member

Thank you @andrew!

@andrew andrew deleted the typosquat-audit branch May 19, 2026 10:54
Successfully merging this pull request may close these issues.

Feature: new audit for action typosquatting

2 participants