https://github.com/zizmorcore/zizmor

Static analysis for GitHub Actions
https://github.com/zizmorcore/zizmor

github-actions security security-tools static-analysis

Last synced: 3 days ago
JSON representation

Static analysis for GitHub Actions

• Host: GitHub
• URL: https://github.com/zizmorcore/zizmor
• Owner: zizmorcore
• License: mit
• Created: 2024-08-19T18:26:28.000Z (9 months ago)
• Default Branch: main
• Last Pushed: 2025-05-10T00:20:06.000Z (5 days ago)
• Last Synced: 2025-05-10T01:20:22.424Z (5 days ago)
• Topics: github-actions, security, security-tools, static-analysis
• Language: Rust
• Homepage: http://docs.zizmor.sh/
• Size: 1.96 MB
• Stars: 2,453
• Watchers: 9
• Forks: 67
• Open Issues: 61
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-starred - zizmorcore/zizmor - Static analysis for GitHub Actions (Rust)

README

        
# 🌈 zizmor

[![CI](https://github.com/zizmorcore/zizmor/actions/workflows/ci.yml/badge.svg)](https://github.com/zizmorcore/zizmor/actions/workflows/ci.yml)

[![Crates.io](https://img.shields.io/crates/v/zizmor)](https://crates.io/crates/zizmor)

[![Packaging status](https://repology.org/badge/tiny-repos/zizmor.svg)](https://repology.org/project/zizmor/versions)

[![GitHub Sponsors](https://img.shields.io/github/sponsors/woodruffw?style=flat&logo=githubsponsors&labelColor=white&color=white)](https://github.com/sponsors/woodruffw)

[![Discord](https://img.shields.io/badge/Discord-%235865F2.svg?logo=discord&logoColor=white)](https://discord.com/invite/PGU3zGZuGG)

`zizmor` is a static analysis tool for GitHub Actions.

It can find many common security issues in typical GitHub Actions CI/CD setups,

including:

* Template injection vulnerabilities, leading to attacker-controlled code execution

* Accidental credential persistence and leakage

* Excessive permission scopes and credential grants to runners

* Impostor commits and confusable `git` references

* ...[and much more]!

[and much more]: https://docs.zizmor.sh/audits/

![zizmor demo](https://raw.githubusercontent.com/zizmorcore/zizmor/main/docs/assets/zizmor-demo.gif)

See [`zizmor`'s documentation](https://docs.zizmor.sh/)

for [installation steps], as well as a [quickstart] and

[detailed usage recipes].

[please file them]: https://github.com/zizmorcore/zizmor/issues/new?assignees=&labels=bug%2Ctriage&projects=&template=bug-report.yml&title=%5BBUG%5D%3A+

[installation steps]: https://docs.zizmor.sh/installation/

[quickstart]: https://docs.zizmor.sh/quickstart/

[detailed usage recipes]: https://docs.zizmor.sh/usage/

## License

`zizmor` is licensed under the [MIT License](./LICENSE).

## Contributing

See [our contributing guide!](./CONTRIBUTING.md)

## The name?

*[Now you can have beautiful clean workflows!]*

[Now you can have beautiful clean workflows!]: https://www.youtube.com/watch?v=ol7rxFCvpy8

## Sponsors 💖

`zizmor`'s development is supported by these amazing sponsors!








Astral



## Star History