Lib.rs

Security
#github-actions #static-analysis

app zizmor

Static analysis for GitHub Actions

by William Woodruff and 64 contributors

62 releases (35 stable)

Uses new Rust 2024

1.18.0 Nov 29, 2025
1.16.1 Oct 29, 2025
1.11.1-rc1 Jul 2, 2025
1.5.2 Mar 23, 2025
0.6.0 Nov 26, 2024

#4 in Security

Download history 1268/week @ 2025-08-24 1096/week @ 2025-08-31 1602/week @ 2025-09-07 1450/week @ 2025-09-14 1433/week @ 2025-09-21 1539/week @ 2025-09-28 1205/week @ 2025-10-05 1597/week @ 2025-10-12 1264/week @ 2025-10-19 1061/week @ 2025-10-26 857/week @ 2025-11-02 733/week @ 2025-11-09 727/week @ 2025-11-16 811/week @ 2025-11-23 1016/week @ 2025-11-30 734/week @ 2025-12-07

3,301 downloads per month

MIT license

1MB
23K SLoC

🌈 zizmor

zizmor CI Crates.io Packaging status GitHub Sponsors Discord

zizmor is a static analysis tool for GitHub Actions.

It can find many common security issues in typical GitHub Actions CI/CD setups, including:

  • Template injection vulnerabilities, leading to attacker-controlled code execution
  • Accidental credential persistence and leakage
  • Excessive permission scopes and credential grants to runners
  • Impostor commits and confusable git references
  • ...and much more!

zizmor demo

See zizmor's documentation for installation steps, as well as a quickstart and detailed usage recipes.

License

zizmor is licensed under the MIT License.

Contributing

See our contributing guide!

The name?

Now you can have beautiful clean workflows!

Sponsors 💖

zizmor's development is supported by these amazing sponsors!

Logo-level sponsors

Grafana Labs
Trail of Bits
Shipfox
Name-level sponsors
Alexander Riccio

Want to see your name or logo above? Consider becoming a sponsor through one of the following:

Star History

Star History Chart

Dependencies

~50–74MB
~1.5M SLoC