Question on reused workflows

[huornlmj]

Consider a scenario where I have a workflow (A) that reuses another workflow (B). Workflow A is clean (according to zizmor) but B is not and has security issues. If I only scan A, will zizmor follow through and scan B for security issues?

[woodruffw]

If I only scan A, will zizmor follow through and scan B for security issues?

Making sure I understand: you're asking if zizmor a.yml will analyze b.yml if a invokes b, right?

If I got that right, the answer is (currently) no -- zizmor only audits the files you give it, it doesn't recurse into any references those files make. The nuance is that if you do zizmor foo/ and foo/ contains both a and b, then both will be audited (and similar for audits of remote repos).

[woodruffw]

See #678 for some related discussion on this -- a recursive mode is something I'd like to enable in the future, but there are some unanswered questions/design considerations about how best to present findings that aren't immediately actionable (e.g. in third party repos).