Lib.rs

Command line utilities
#security #github-actions #static-analysis #action #runner

app zizmor

Static analysis for GitHub Actions

by William Woodruff and 30 contributors

35 releases (14 stable)

Uses new Rust 2024

1.5.2 Mar 23, 2025
1.4.1 Feb 25, 2025
0.10.0 Dec 19, 2024
0.6.0 Nov 26, 2024

#6 in Command line utilities

Download history 701/week @ 2024-12-27 984/week @ 2025-01-03 1345/week @ 2025-01-10 1830/week @ 2025-01-17 1443/week @ 2025-01-24 1478/week @ 2025-01-31 1389/week @ 2025-02-07 2195/week @ 2025-02-14 2016/week @ 2025-02-21 1429/week @ 2025-02-28 1694/week @ 2025-03-07 1253/week @ 2025-03-14 1868/week @ 2025-03-21 2358/week @ 2025-03-28 1651/week @ 2025-04-04 1821/week @ 2025-04-11

7,869 downloads per month

MIT license

315KB
7K SLoC

🌈 zizmor

CI Crates.io Packaging status GitHub Sponsors

zizmor is a static analysis tool for GitHub Actions.

It can find many common security issues in typical GitHub Actions CI/CD setups, including:

  • Template injection vulnerabilities, leading to attacker-controlled code execution
  • Accidental credential persistence and leakage
  • Excessive permission scopes and credential grants to runners
  • Impostor commits and confusable git references
  • ...and much more!

zizmor demo

See zizmor's documentation for installation steps, as well as a quickstart and detailed usage recipes.

License

zizmor is licensed under the MIT License.

Contributing

See our contributing guide!

The name?

Now you can have beautiful clean workflows!

Sponsors 💖

zizmor's development is supported by these amazing sponsors!


Astral

Star History

Star History Chart

Dependencies

~43–59MB
~1M SLoC