Esta página se muestra en inglés. Una traducción al español está en curso.
ScriptsJul 16, 2026·3 min de lectura

zizmor — Static Security Analysis for GitHub Actions

A fast, Rust-based static analysis tool that scans GitHub Actions workflow files for security vulnerabilities, misconfigurations, and common anti-patterns.

Listo para agents

Instalación lista para agent

Este activo puede instalarse después de elegir el runtime, revisar el plan y ejecutar el comando correspondiente.

Native · 98/100Política: permitir
Superficie agent
Cualquier agent MCP/CLI
Tipo
Skill
Instalación
Single
Confianza
Confianza: Established
Entrada
zizmor
Comando de instalación directa
npx -y tokrepo@latest install f59596ac-80ae-11f1-9bc6-00163e2b0d79 --target codex

Ejecutar después de confirmar el plan con dry-run.

Introduction

zizmor is a static analysis tool purpose-built for finding security issues in GitHub Actions workflows. It catches vulnerabilities like script injection, excessive permissions, and unsafe artifact handling that traditional linters miss, helping teams secure their CI/CD pipelines before attackers exploit them.

What zizmor Does

  • Detects script injection vulnerabilities from untrusted inputs in run steps
  • Identifies overly permissive workflow and job-level permissions
  • Flags unsafe usage of pull_request_target and workflow_run triggers
  • Catches credential exposure risks in environment variables and outputs
  • Reports unpinned third-party actions that could be supply-chain attacked

Architecture Overview

zizmor is written in Rust for speed and reliability. It parses GitHub Actions YAML workflow files into an AST, then runs a suite of security-focused analysis passes against the parsed structure. Each finding includes a severity level, a description of the vulnerability, and remediation guidance. Results can be output as text, JSON, or SARIF for CI integration.

Self-Hosting & Configuration

  • Install via cargo, pip, or download pre-built binaries
  • Run against individual workflow files or entire .github/workflows/ directories
  • Configure rule severity and suppressions via inline comments or config file
  • Integrate into CI by adding zizmor as a GitHub Actions step
  • Export results in SARIF format for GitHub Code Scanning integration

Key Features

  • Purpose-built for GitHub Actions security, not a generic YAML linter
  • Detects script injection — the most common Actions vulnerability class
  • SARIF output integrates directly with GitHub Code Scanning alerts
  • Fast Rust implementation scans large workflow files in milliseconds
  • Actionable remediation guidance with each finding

Comparison with Similar Tools

  • actionlint — focuses on syntax and type checking, less security depth
  • Semgrep — general-purpose SAST, requires custom rules for Actions
  • Checkov — IaC security scanner, limited Actions-specific rules
  • KICS — broad IaC scanner, fewer Actions security checks
  • Manual review — error-prone and does not scale across repositories

FAQ

Q: What types of vulnerabilities does zizmor find? A: Script injection, excessive permissions, unpinned actions, unsafe triggers, credential leakage, and artifact poisoning patterns.

Q: Can I run zizmor in my CI pipeline? A: Yes. Add it as a step in your GitHub Actions workflow. It returns a non-zero exit code when findings exceed the configured severity threshold.

Q: Does zizmor support SARIF output? A: Yes. Use --format sarif to generate SARIF output compatible with GitHub Code Scanning and other security dashboards.

Q: How does zizmor differ from actionlint? A: actionlint focuses on correctness (syntax errors, type mismatches). zizmor focuses on security vulnerabilities specific to GitHub Actions.

Sources

Discusión

Inicia sesión para unirte a la discusión.
Aún no hay comentarios. Sé el primero en compartir tus ideas.

Activos relacionados