Cette page est affichée en anglais. Une traduction française est en cours.
ScriptsJul 16, 2026·3 min de lecture

zizmor — Static Security Analysis for GitHub Actions

A fast, Rust-based static analysis tool that scans GitHub Actions workflow files for security vulnerabilities, misconfigurations, and common anti-patterns.

Prêt pour agents

Installation agent prête

Cet actif peut être installé après choix du runtime, vérification du plan et exécution de la commande adaptée.

Native · 98/100Policy : autoriser
Surface agent
Tout agent MCP/CLI
Type
Skill
Installation
Single
Confiance
Confiance : Established
Point d'entrée
zizmor
Commande d'installation directe
npx -y tokrepo@latest install f59596ac-80ae-11f1-9bc6-00163e2b0d79 --target codex

À exécuter après confirmation du plan en dry-run.

Introduction

zizmor is a static analysis tool purpose-built for finding security issues in GitHub Actions workflows. It catches vulnerabilities like script injection, excessive permissions, and unsafe artifact handling that traditional linters miss, helping teams secure their CI/CD pipelines before attackers exploit them.

What zizmor Does

  • Detects script injection vulnerabilities from untrusted inputs in run steps
  • Identifies overly permissive workflow and job-level permissions
  • Flags unsafe usage of pull_request_target and workflow_run triggers
  • Catches credential exposure risks in environment variables and outputs
  • Reports unpinned third-party actions that could be supply-chain attacked

Architecture Overview

zizmor is written in Rust for speed and reliability. It parses GitHub Actions YAML workflow files into an AST, then runs a suite of security-focused analysis passes against the parsed structure. Each finding includes a severity level, a description of the vulnerability, and remediation guidance. Results can be output as text, JSON, or SARIF for CI integration.

Self-Hosting & Configuration

  • Install via cargo, pip, or download pre-built binaries
  • Run against individual workflow files or entire .github/workflows/ directories
  • Configure rule severity and suppressions via inline comments or config file
  • Integrate into CI by adding zizmor as a GitHub Actions step
  • Export results in SARIF format for GitHub Code Scanning integration

Key Features

  • Purpose-built for GitHub Actions security, not a generic YAML linter
  • Detects script injection — the most common Actions vulnerability class
  • SARIF output integrates directly with GitHub Code Scanning alerts
  • Fast Rust implementation scans large workflow files in milliseconds
  • Actionable remediation guidance with each finding

Comparison with Similar Tools

  • actionlint — focuses on syntax and type checking, less security depth
  • Semgrep — general-purpose SAST, requires custom rules for Actions
  • Checkov — IaC security scanner, limited Actions-specific rules
  • KICS — broad IaC scanner, fewer Actions security checks
  • Manual review — error-prone and does not scale across repositories

FAQ

Q: What types of vulnerabilities does zizmor find? A: Script injection, excessive permissions, unpinned actions, unsafe triggers, credential leakage, and artifact poisoning patterns.

Q: Can I run zizmor in my CI pipeline? A: Yes. Add it as a step in your GitHub Actions workflow. It returns a non-zero exit code when findings exceed the configured severity threshold.

Q: Does zizmor support SARIF output? A: Yes. Use --format sarif to generate SARIF output compatible with GitHub Code Scanning and other security dashboards.

Q: How does zizmor differ from actionlint? A: actionlint focuses on correctness (syntax errors, type mismatches). zizmor focuses on security vulnerabilities specific to GitHub Actions.

Sources

Fil de discussion

Connectez-vous pour rejoindre la discussion.
Aucun commentaire pour l'instant. Soyez le premier à partager votre avis.

Actifs similaires