A Claude Code skill that adds a zizmor GitHub Actions security-analysis workflow to a repository and then fixes every finding zizmor surfaces in the existing workflows.
zizmor runs in pedantic mode, so the bar is high. The skill drives an agent to:
- add a `zizmor` workflow (`.github/workflows/zizmor.yml`) and a `dependabot.yml`. The latter goes on the default branch only, since Dependabot ignores it on other branches; a non-default branch is covered by a `target-branch` entry added to the default branch's `dependabot.yml`,
- run zizmor and iterate until it reports no findings: pinning actions to commit SHAs at their latest release, tightening and documenting `permissions`, adding `concurrency`, setting `persist-credentials`, removing template injection, replacing `$GITHUB_ENV` writes with step outputs, switching PR-creating steps to the `gh` CLI, etc.,
- open a PR (or hand off if `gh` isn't available).
It fixes issues with explicit, real values — never with zizmor ignore/suppression comments —
and surfaces anything that genuinely can't be fixed (e.g. an action with no release tags) instead
of hiding it.
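As an added illustration (not one of this repo's assets, and not generated by the skill), here is the kind of before/after rewrite the playbook's fix list amounts to for a single workflow. The scenario is assumed: a workflow that appends the latest commit subject to a changelog and opens a PR. The `<40-hex-commit-sha>` token is a placeholder for the SHA you resolve from the action's latest release tag; it is not valid for Actions as written, and zizmor's `unpinned-uses` check would still flag it until replaced.

```yaml
# BEFORE (assumed example): what zizmor in pedantic mode flags
name: changelog
on:
  push:
    branches: [main]
jobs:
  update:
    runs-on: ubuntu-latest          # no permissions: block -> inherits the default token scope
    steps:
      - uses: actions/checkout@v4    # mutable tag; persist-credentials defaults to true
      # template injection: the commit message is interpolated into the shell script,
      # and a multi-line message can inject further variables through $GITHUB_ENV
      - run: echo "MSG=${{ github.event.head_commit.message }}" >> "$GITHUB_ENV"
      - run: echo "- $MSG" >> CHANGELOG.md
      - uses: peter-evans/create-pull-request@v6   # third-party action driving the repo token
        with:
          title: Update changelog

---
# AFTER (assumed example): the same workflow after the playbook's fixes
name: changelog
on:
  push:
    branches: [main]

# Least privilege at the workflow level; each job opts in to what it needs.
permissions: {}

# Cancel a superseded run for the same ref instead of letting two runs race.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  update:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # push the changelog branch
      pull-requests: write   # gh pr create below
    steps:
      # Pinned to a full commit SHA; the release tag stays as a comment so
      # Dependabot can bump both. Placeholder: resolve the SHA from the tag.
      - uses: actions/checkout@<40-hex-commit-sha> # v4.x.y
        with:
          persist-credentials: false   # don't leave GITHUB_TOKEN in .git/config
      # Untrusted input reaches the script through env, never through ${{ }}
      # inside `run`, and leaves as a step output instead of a $GITHUB_ENV write.
      - id: commit
        env:
          MSG: ${{ github.event.head_commit.message }}
        run: |
          subject=$(printf '%s\n' "$MSG" | head -n 1)
          printf 'subject=%s\n' "$subject" >> "$GITHUB_OUTPUT"
      # The PR-creating step uses the gh CLI with the job's own scoped token.
      - env:
          SUBJECT: ${{ steps.commit.outputs.subject }}
          SHA: ${{ github.sha }}
          GH_TOKEN: ${{ github.token }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git checkout -b "changelog/$SHA"
          printf -- '- %s\n' "$SUBJECT" >> CHANGELOG.md
          git commit -am "Update changelog"
          # persist-credentials is off, so the push supplies the token explicitly
          git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" HEAD
          gh pr create --base main --head "changelog/$SHA" \
            --title "Update changelog" --body "Automated changelog update."
```

The two workflows are not feature-identical (the third-party action also handled branch creation, which the `gh` version does by hand), which is the trade the playbook makes: fewer third parties holding the token, with each remaining permission written down next to the step that needs it.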
```text
SKILL.md               # the skill instructions (frontmatter + playbook)
assets/zizmor.yml      # the workflow that gets added to target repos
assets/dependabot.yml  # the dependabot config added on the default branch
```
Drop the skill into your Claude Code skills directory, either user-wide (`~/.claude/skills/`)
or per-project (`<repo>/.claude/skills/`):

```shell
git clone https://github.com/Seldaek/zizmorify ~/.claude/skills/zizmorify
```

The skill registers under the name in its frontmatter, so it's invoked as `/add-zizmor`
regardless of the directory name.
In Claude Code, run `/add-zizmor` (or just ask it to "add zizmor to this repo"). The skill
adapts to your environment: it runs zizmor locally if it's installed; otherwise, if the `gh` CLI
is available, it iterates against the workflow run; otherwise it prepares a local branch for you to push.
zizmor is by zizmorcore. This repo just packages a workflow + an agent playbook around it.