Introduction
zizmor is a static analysis tool purpose-built for finding security issues in GitHub Actions workflows. It catches vulnerabilities like script injection, excessive permissions, and unsafe artifact handling that traditional linters miss, helping teams secure their CI/CD pipelines before attackers exploit them.
What zizmor Does
- Detects script injection vulnerabilities from untrusted inputs in run steps
- Identifies overly permissive workflow and job-level permissions
- Flags unsafe usage of pull_request_target and workflow_run triggers
- Catches credential exposure risks in environment variables and outputs
- Reports unpinned third-party actions that could be supply-chain attacked
Architecture Overview
zizmor is written in Rust for speed and reliability. It parses GitHub Actions YAML workflow files into an AST, then runs a suite of security-focused analysis passes against the parsed structure. Each finding includes a severity level, a description of the vulnerability, and remediation guidance. Results can be output as text, JSON, or SARIF for CI integration.
Self-Hosting & Configuration
- Install via cargo, pip, or download pre-built binaries
- Run against individual workflow files or entire
.github/workflows/directories - Configure rule severity and suppressions via inline comments or config file
- Integrate into CI by adding zizmor as a GitHub Actions step
- Export results in SARIF format for GitHub Code Scanning integration
Key Features
- Purpose-built for GitHub Actions security, not a generic YAML linter
- Detects script injection — the most common Actions vulnerability class
- SARIF output integrates directly with GitHub Code Scanning alerts
- Fast Rust implementation scans large workflow files in milliseconds
- Actionable remediation guidance with each finding
Comparison with Similar Tools
- actionlint — focuses on syntax and type checking, less security depth
- Semgrep — general-purpose SAST, requires custom rules for Actions
- Checkov — IaC security scanner, limited Actions-specific rules
- KICS — broad IaC scanner, fewer Actions security checks
- Manual review — error-prone and does not scale across repositories
FAQ
Q: What types of vulnerabilities does zizmor find? A: Script injection, excessive permissions, unpinned actions, unsafe triggers, credential leakage, and artifact poisoning patterns.
Q: Can I run zizmor in my CI pipeline? A: Yes. Add it as a step in your GitHub Actions workflow. It returns a non-zero exit code when findings exceed the configured severity threshold.
Q: Does zizmor support SARIF output?
A: Yes. Use --format sarif to generate SARIF output compatible with GitHub Code Scanning and other security dashboards.
Q: How does zizmor differ from actionlint? A: actionlint focuses on correctness (syntax errors, type mismatches). zizmor focuses on security vulnerabilities specific to GitHub Actions.