zizmor is a static analysis tool for GitHub Actions.
It can find many common security issues in typical GitHub Actions CI/CD setups, including:
- Template injection vulnerabilities, leading to attacker-controlled code execution
- Accidental credential persistence and leakage
- Excessive permission scopes and credential grants to runners
- Impostor commits and confusable
gitreferences - ...and much more!
See zizmor's documentation
for installation steps, as well as a quickstart and
detailed usage recipes.
zizmor is licensed under the MIT License.
Now you can have beautiful clean workflows!
zizmor's development is supported by these amazing sponsors!
Astral |
Grafana Labs |
Trail of Bits |
| Tenki Cloud |
Is your name missing above? Consider becoming one of our sponsors through one of the following:
- GitHub Sponsors (preferred)
- thanks.dev
- ko-fi
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
