AI Summary: zizmor is a static analysis tool designed specifically for GitHub Actions, aimed at identifying common security vulnerabilities within CI/CD workflows. It detects issues such as template injection vulnerabilities, accidental credential leakage, excessive permission grants, and misleading git references, among others. The tool’s primary use case is to enhance the security posture of automated workflows by providing insights and recommendations for remediation.

README

🌈 zizmor

zizmor is a static analysis tool for GitHub Actions.

It can find many common security issues in typical GitHub Actions CI/CD setups, including:

• Template injection vulnerabilities, leading to attacker-controlled code execution
• Accidental credential persistence and leakage
• Excessive permission scopes and credential grants to runners
• Impostor commits and confusable git references
• …and much more!

See zizmor’s documentation for installation steps, as well as a quickstart and detailed usage recipes.

License

zizmor is licensed under the MIT License.

Contributing

See our contributing guide!

The name?

Now you can have beautiful clean workflows!

Sponsors

zizmor’s development is supported by these amazing sponsors!

Logo-level sponsors

Grafana Labs

Trail of Bits

Shipfox

Kusari

Want to see your name or logo above? Consider becoming a sponsor through one of the following:

• GitHub Sponsors (preferred)
• thanks.dev
• ko-fi

Star History