# zizmor — Static Security Analysis for GitHub Actions > A fast, Rust-based static analysis tool that scans GitHub Actions workflow files for security vulnerabilities, misconfigurations, and common anti-patterns. ## Install Save as a script file and run: # zizmor — Static Security Analysis for GitHub Actions ## Quick Use ```bash # Install via cargo cargo install zizmor # Or via pip pip install zizmor # Scan a workflow file zizmor .github/workflows/ci.yml # Scan all workflows in a directory zizmor .github/workflows/ ``` ## Introduction zizmor is a static analysis tool purpose-built for finding security issues in GitHub Actions workflows. It catches vulnerabilities like script injection, excessive permissions, and unsafe artifact handling that traditional linters miss, helping teams secure their CI/CD pipelines before attackers exploit them. ## What zizmor Does - Detects script injection vulnerabilities from untrusted inputs in run steps - Identifies overly permissive workflow and job-level permissions - Flags unsafe usage of pull_request_target and workflow_run triggers - Catches credential exposure risks in environment variables and outputs - Reports unpinned third-party actions that could be supply-chain attacked ## Architecture Overview zizmor is written in Rust for speed and reliability. It parses GitHub Actions YAML workflow files into an AST, then runs a suite of security-focused analysis passes against the parsed structure. Each finding includes a severity level, a description of the vulnerability, and remediation guidance. Results can be output as text, JSON, or SARIF for CI integration. ## Self-Hosting & Configuration - Install via cargo, pip, or download pre-built binaries - Run against individual workflow files or entire `.github/workflows/` directories - Configure rule severity and suppressions via inline comments or config file - Integrate into CI by adding zizmor as a GitHub Actions step - Export results in SARIF format for GitHub Code Scanning integration ## Key Features - Purpose-built for GitHub Actions security, not a generic YAML linter - Detects script injection — the most common Actions vulnerability class - SARIF output integrates directly with GitHub Code Scanning alerts - Fast Rust implementation scans large workflow files in milliseconds - Actionable remediation guidance with each finding ## Comparison with Similar Tools - **actionlint** — focuses on syntax and type checking, less security depth - **Semgrep** — general-purpose SAST, requires custom rules for Actions - **Checkov** — IaC security scanner, limited Actions-specific rules - **KICS** — broad IaC scanner, fewer Actions security checks - **Manual review** — error-prone and does not scale across repositories ## FAQ **Q: What types of vulnerabilities does zizmor find?** A: Script injection, excessive permissions, unpinned actions, unsafe triggers, credential leakage, and artifact poisoning patterns. **Q: Can I run zizmor in my CI pipeline?** A: Yes. Add it as a step in your GitHub Actions workflow. It returns a non-zero exit code when findings exceed the configured severity threshold. **Q: Does zizmor support SARIF output?** A: Yes. Use `--format sarif` to generate SARIF output compatible with GitHub Code Scanning and other security dashboards. **Q: How does zizmor differ from actionlint?** A: actionlint focuses on correctness (syntax errors, type mismatches). zizmor focuses on security vulnerabilities specific to GitHub Actions. ## Sources - https://github.com/zizmorcore/zizmor - https://woodruffw.github.io/zizmor/ --- Source: https://tokrepo.com/en/workflows/asset-f59596ac Author: Script Depot