Favicon of zizmor

zizmor

Static analysis CLI tool that detects template injection, credentials, overscoped tokens, unpinned actions, and risky triggers in GitHub Actions workflows.

zizmor is a static analysis tool designed to identify security issues in GitHub Actions CI/CD pipelines. It scans YAML workflow files and detects common vulnerabilities that could compromise your automation infrastructure.

The tool catches critical security problems including template injection vulnerabilities that enable attacker-controlled code execution, accidental credential leakage through logs and artifacts, excessive permission scopes granted to runners, unpinned third-party actions that may receive unexpected updates, impostor commits and confusable git references, and risky workflow triggers that could be exploited.

Key capabilities include:

  • Multiple output formats: colored diagnostics, JSON, SARIF, and GitHub annotations for seamless CI integration
  • Fast static analysis without requiring workflow execution
  • Detailed audit documentation covering all detected issues
  • Support for both local scanning and automated pipeline checks

The tool is built for security engineers, DevOps teams, maintainers, and anyone managing GitHub Actions workflows who wants to prevent security misconfigurations before they reach production. It integrates directly into your development workflow and CI systems for continuous security validation.

Features

JSON output

Media

Pros

4
  • Detects template injection vulnerabilities
  • Identifies accidental credential leakage
  • Finds overscoped permissions and risky triggers
  • Analyzes GitHub Actions workflows

Related tools

Share:

Auto-fetched .

Recent releases

Similar to zizmor

Favicon

 

  
 
Favicon

 

  
 
Favicon