zizmor is a static analysis tool designed to identify security issues in GitHub Actions CI/CD pipelines. It scans YAML workflow files and detects common vulnerabilities that could compromise your automation infrastructure.
The tool catches critical security problems including template injection vulnerabilities that enable attacker-controlled code execution, accidental credential leakage through logs and artifacts, excessive permission scopes granted to runners, unpinned third-party actions that may receive unexpected updates, impostor commits and confusable git references, and risky workflow triggers that could be exploited.
Key capabilities include:
The tool is built for security engineers, DevOps teams, maintainers, and anyone managing GitHub Actions workflows who wants to prevent security misconfigurations before they reach production. It integrates directly into your development workflow and CI systems for continuous security validation.
