mirror of https://github.com/zizmorcore/zizmor.git synced 2025-12-23 08:47:33 +00:00

Static analysis for GitHub Actions http://docs.zizmor.sh/

Find a file

William Woodruff fc356a3654 still not right		2025-07-01 16:16:23 -04:00
.cargo	ci: experiment with a binary release build (#828 )	2025-05-20 14:29:51 -04:00
.github	chore(deps): bump the github-actions group with 3 updates (#990 )	2025-06-30 14:46:18 -04:00
crates	still not right	2025-07-01 16:16:23 -04:00
docs	Fix autofix for template-injection (#995 )	2025-07-01 09:37:32 -04:00
support	chore(ci): add missing setup-uv step to codegen workflow (#900 )	2025-06-05 21:19:54 +00:00
.gitignore	Handle flow and block style values properly (#904 )	2025-06-10 17:31:06 -04:00
Cargo.lock	chore: release 1.11.0 (#993 )	2025-06-30 14:58:49 -04:00
Cargo.toml	feat: LSP skeleton code from #607 (#984 )	2025-06-30 14:53:25 -04:00
CONTRIBUTING.md	chore(docs): the great @zizmorcore renaming (#776 )	2025-05-09 20:08:45 -04:00
Dockerfile	ci: convert Dockerfile to Wolfi (#667 )	2025-04-14 19:09:48 +00:00
LICENSE	chore: add LICENSE	2024-10-27 12:42:49 -04:00
Makefile	chore: fix webhooks-to-contexts target (#928 )	2025-06-09 14:43:09 +00:00
mkdocs.yml	feat: LSP skeleton code from #607 (#984 )	2025-06-30 14:53:25 -04:00
pyproject.toml	feat: add CodeQL injection sink data (#849 )	2025-05-25 12:14:56 -04:00
README.md	feat: LSP skeleton code from #607 (#984 )	2025-06-30 14:53:25 -04:00
uv.lock	feat: add CodeQL injection sink data (#849 )	2025-05-25 12:14:56 -04:00

🌈 zizmor

zizmor is a static analysis tool for GitHub Actions.

It can find many common security issues in typical GitHub Actions CI/CD setups, including:

Template injection vulnerabilities, leading to attacker-controlled code execution
Accidental credential persistence and leakage
Excessive permission scopes and credential grants to runners
Impostor commits and confusable git references
...and much more!