zizmor/docs/quickstart.md
2024-11-14 03:52:49 +00:00

Quickstart

First, run `zizmor --help` to make sure your installation succeeded.

You should see something like this:

--8<-- "help.txt"

Running zizmor

You can run zizmor on any workflow file(s) or repository checkout you have locally:

```bash
# audit a specific workflow
zizmor my-workflow.yml
# discovers .github/workflows/*.yml automatically
zizmor path/to/repo
```

By default, zizmor will emit Rust-style diagnostics, e.g.:

```
error[pull-request-target]: use of fundamentally insecure workflow trigger
  --> /home/william/devel/gha-hazmat/.github/workflows/pull-request-target.yml:20:1
   |
20 | / on:
21 | |   # NOT OK: pull_request_target should almost never be used
22 | |   pull_request_target:
   | |______________________^ triggers include pull_request_target, which is almost always used insecurely
   |

1 findings (0 unknown, 0 informational, 0 low, 0 medium, 1 high)
```
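To see both invocation modes end to end, the following script is an added example (it is not part of the zizmor docs or the project's own code). It builds a throwaway repository containing two constructed workflows: one that uses the `pull_request_target` trigger the diagnostic above flags, and a counterpart that uses `pull_request`, which runs fork PRs with a read-only token and no repository secrets. It then lists the files zizmor discovers for a repo path and, if `zizmor` is on `PATH`, audits first the single file and then the whole repo. The function names (`make_fixture`, `list_workflows`, `count_workflows`), the workflow contents and the `make test` step are all invented for the example.

```bash
#!/bin/sh
# Added example, not from the zizmor project: exercise "zizmor <file>" and
# "zizmor <repo>" against a constructed fixture repository.
set -eu

# make_fixture DIR: write two constructed workflow files into DIR/.github/workflows.
make_fixture() {
  mkdir -p "$1/.github/workflows"
  # Insecure: pull_request_target runs in the base repository's context (its
  # secrets and a write-capable token) while this job checks out the untrusted
  # PR head. This is the pattern the pull-request-target audit reports.
  cat > "$1/.github/workflows/pull-request-target.yml" <<'EOF'
name: pr-target
on:
  # NOT OK: pull_request_target should almost never be used
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
EOF
  # Safer counterpart: pull_request runs fork PRs with a read-only
  # GITHUB_TOKEN and without access to repository secrets.
  cat > "$1/.github/workflows/pull-request.yml" <<'EOF'
name: pr
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
EOF
}

# list_workflows DIR: print the .github/workflows/*.yml files, i.e. the set
# zizmor discovers on its own when handed a repository path.
list_workflows() {
  for f in "$1"/.github/workflows/*.yml; do
    if [ -f "$f" ]; then
      printf '%s\n' "$f"
    fi
  done
}

# count_workflows DIR: number of workflow files list_workflows would report.
count_workflows() {
  list_workflows "$1" | wc -l | tr -d ' '
}

repo=$(mktemp -d)
make_fixture "$repo"
echo "found $(count_workflows "$repo") workflow(s) zizmor will audit:"
list_workflows "$repo"

if command -v zizmor >/dev/null 2>&1; then
  # audit a specific workflow (exit status ignored so the script continues
  # whatever zizmor reports)
  zizmor "$repo/.github/workflows/pull-request-target.yml" || true
  # audit everything discovered under the repository
  zizmor "$repo" || true
else
  echo "zizmor not on PATH; install it and re-run to see the diagnostics"
fi
```

With zizmor installed, the first invocation reports the `pull-request-target` finding for the insecure workflow, and the repo-wide run covers both files without you having to name them. Deleting the `pull_request_target:` workflow (or replacing its trigger with `pull_request:`) is the fix the diagnostic is pointing at.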

See Usage for more examples, including examples of configuration.