ScriptsJul 16, 2026·3 min read

zizmor — Static Security Analysis for GitHub Actions

A fast, Rust-based static analysis tool that scans GitHub Actions workflow files for security vulnerabilities, misconfigurations, and common anti-patterns.

Agent ready

Ready-to-run agent install

This asset can be installed after the agent chooses its runtime, checks the plan, and runs the matching command.

Native · 98/100Policy: allow
Agent surface
Any MCP/CLI agent
Kind
Skill
Install
Single
Trust
Trust: Established
Entrypoint
zizmor
Direct install command
npx -y tokrepo@latest install f59596ac-80ae-11f1-9bc6-00163e2b0d79 --target codex

Run after dry-run confirms the install plan.

Introduction

zizmor is a static analysis tool purpose-built for finding security issues in GitHub Actions workflows. It catches vulnerabilities like script injection, excessive permissions, and unsafe artifact handling that traditional linters miss, helping teams secure their CI/CD pipelines before attackers exploit them.

What zizmor Does

  • Detects script injection vulnerabilities from untrusted inputs in run steps
  • Identifies overly permissive workflow and job-level permissions
  • Flags unsafe usage of pull_request_target and workflow_run triggers
  • Catches credential exposure risks in environment variables and outputs
  • Reports unpinned third-party actions that could be supply-chain attacked

Architecture Overview

zizmor is written in Rust for speed and reliability. It parses GitHub Actions YAML workflow files into an AST, then runs a suite of security-focused analysis passes against the parsed structure. Each finding includes a severity level, a description of the vulnerability, and remediation guidance. Results can be output as text, JSON, or SARIF for CI integration.

Self-Hosting & Configuration

  • Install via cargo, pip, or download pre-built binaries
  • Run against individual workflow files or entire .github/workflows/ directories
  • Configure rule severity and suppressions via inline comments or config file
  • Integrate into CI by adding zizmor as a GitHub Actions step
  • Export results in SARIF format for GitHub Code Scanning integration

Key Features

  • Purpose-built for GitHub Actions security, not a generic YAML linter
  • Detects script injection — the most common Actions vulnerability class
  • SARIF output integrates directly with GitHub Code Scanning alerts
  • Fast Rust implementation scans large workflow files in milliseconds
  • Actionable remediation guidance with each finding

Comparison with Similar Tools

  • actionlint — focuses on syntax and type checking, less security depth
  • Semgrep — general-purpose SAST, requires custom rules for Actions
  • Checkov — IaC security scanner, limited Actions-specific rules
  • KICS — broad IaC scanner, fewer Actions security checks
  • Manual review — error-prone and does not scale across repositories

FAQ

Q: What types of vulnerabilities does zizmor find? A: Script injection, excessive permissions, unpinned actions, unsafe triggers, credential leakage, and artifact poisoning patterns.

Q: Can I run zizmor in my CI pipeline? A: Yes. Add it as a step in your GitHub Actions workflow. It returns a non-zero exit code when findings exceed the configured severity threshold.

Q: Does zizmor support SARIF output? A: Yes. Use --format sarif to generate SARIF output compatible with GitHub Code Scanning and other security dashboards.

Q: How does zizmor differ from actionlint? A: actionlint focuses on correctness (syntax errors, type mismatches). zizmor focuses on security vulnerabilities specific to GitHub Actions.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets