zizmor
zizmor is a static analysis tool for GitHub Actions. It can find many common security issues in typical GitHub Actions CI/CD setups.
Key Features:
- Expression Analysis: Identifies template injection vulnerabilities, which can lead to attacker-controlled code execution.
- Disk Credential Review: Prevent accidental credential persistence and leakage.
- Overprivileged Runner Detection: Identify excessive permission scopes and credential grants to runners.
- Invalid Reference Discovery: Locate impostor commits and confusable git references.
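As an added illustration of the first feature above (this is a constructed example, not from the MegaLinter or zizmor docs), here is a workflow step that zizmor's expression analysis flags, beside the hardened form: the untrusted event field is passed through `env:` so the shell receives it as a variable instead of having it spliced into the script text before execution.

```yaml
# Constructed example workflow; job/step names are arbitrary.
name: ci
on:
  pull_request:

jobs:
  greet:
    runs-on: ubuntu-latest
    # Least-privilege token; zizmor's overprivileged-runner check looks for
    # jobs that grant more than they use.
    permissions:
      contents: read
    steps:
      # Flagged (template injection): the PR title is controlled by whoever
      # opened the PR and is expanded into the script *before* the shell runs
      # it, so the script's content depends on attacker-chosen text.
      - name: Unsafe greeting
        run: echo "PR title: ${{ github.event.pull_request.title }}"

      # Hardened: the runner sets TITLE to the raw string and the script only
      # ever references "$TITLE"; the script text itself never changes.
      - name: Safe greeting
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
```

Running `zizmor` on this file reports the first step and stays silent on the second, which is the quickest way to confirm a fix locally before MegaLinter runs in CI.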
If you are using the GitHub Action, set `ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN` so that zizmor can see the token; otherwise its online audits may fail with plugin download issues.
zizmor documentation
- Version in MegaLinter: 1.23.1
- Visit Official Web Site
- See How to configure zizmor rules
- See How to disable zizmor rules in files
- See Index of problems detected by zizmor
Configuration in MegaLinter
- Enable zizmor by adding `ACTION_ZIZMOR` in ENABLE_LINTERS variable
- Disable zizmor by adding `ACTION_ZIZMOR` in DISABLE_LINTERS variable
- Enable autofixes by adding `ACTION_ZIZMOR` in APPLY_FIXES variable
| Variable | Description | Default value |
|---|---|---|
| ACTION_ZIZMOR_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
| ACTION_ZIZMOR_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: `-s --foo "bar"` | |
| ACTION_ZIZMOR_FILTER_REGEX_INCLUDE | Custom regex including filter. Ex: `(src\|lib)` | Include every file |
| ACTION_ZIZMOR_FILTER_REGEX_EXCLUDE | Custom regex excluding filter. Ex: `(test\|examples)` | Exclude no file |
| ACTION_ZIZMOR_CLI_LINT_MODE | Override default CLI lint mode. `file`: calls the linter for each file; `list_of_files`: calls the linter with the list of files as argument; `project`: calls the linter from the root of the project | list_of_files |
| ACTION_ZIZMOR_FILE_EXTENSIONS | Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files. Ex: `[".py", ""]` | `[".yml", ".yaml"]` |
| ACTION_ZIZMOR_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]` | Include every file |
| ACTION_ZIZMOR_PRE_COMMANDS | List of bash commands to run before the linter | None |
| ACTION_ZIZMOR_POST_COMMANDS | List of bash commands to run after the linter | None |
| ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling ACTION_ZIZMOR and its pre/post commands | None |
| ACTION_ZIZMOR_CONFIG_FILE | zizmor configuration file name. Use `LINTER_DEFAULT` to let the linter find it | zizmor.yml |
| ACTION_ZIZMOR_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| ACTION_ZIZMOR_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| ACTION_ZIZMOR_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| ACTION_ZIZMOR_CLI_EXECUTABLE | Override CLI executable | `['zizmor']` |
| ACTION_DIRECTORY | Directory containing ACTION files (use `any` to always activate the linter) | .github/workflows |
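An added, constructed example (not from the MegaLinter docs) that ties the `GITHUB_TOKEN` note near the top of this page to the variables in the table: MegaLinter filters environment variables out of linter calls unless they are listed in `ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES`, so the token has to be both provided by the workflow step and allowed through in `.mega-linter.yml`. The action ref `oxsecurity/megalinter@v8` and the `--min-severity` choice are assumptions for the example.

```yaml
# .mega-linter.yml (constructed example)
ENABLE_LINTERS:
  - ACTION_ZIZMOR

# zizmor's online audits (resolving action refs, impostor-commit checks)
# read GH_TOKEN / GITHUB_TOKEN / ZIZMOR_GITHUB_TOKEN. MegaLinter strips env
# vars before calling the linter unless they are listed here.
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN

# Assumed policy for this example: only medium and higher findings fail
# the build (zizmor's --min-severity flag, see the help text below).
ACTION_ZIZMOR_ARGUMENTS: "--min-severity medium"

---
# .github/workflows/mega-linter.yml (constructed example, one job shown)
name: mega-linter
on:
  pull_request:

jobs:
  megalinter:
    runs-on: ubuntu-latest
    # The default GITHUB_TOKEN only needs read access for zizmor's lookups.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      # Assumed ref; pin to a commit SHA in real use so that zizmor's own
      # reference checks do not flag this workflow.
      - uses: oxsecurity/megalinter@v8
        env:
          # Supplies the token that the unsecured-variables list lets through.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Without the `ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES` entry the step above still runs, but zizmor sees no token and its online audits degrade or fail, which is the plugin download issue the note refers to.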
MegaLinter Flavors
This linter is available in the following flavors
| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 136 |
| c_cpp | Optimized for pure C/C++ projects | 57 |
| cupcake | MegaLinter for the most commonly used languages | 90 |
| documentation | MegaLinter for documentation projects | 50 |
| dotnet | Optimized for C, C++, C# or VB based projects | 65 |
| dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 74 |
| go | Optimized for GO based projects | 52 |
| java | Optimized for JAVA based projects | 55 |
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 60 |
| php | Optimized for PHP based projects | 55 |
| python | Optimized for PYTHON based projects | 67 |
| ruby | Optimized for RUBY based projects | 51 |
| rust | Optimized for RUST based projects | 51 |
| salesforce | Optimized for Salesforce based projects | 57 |
| swift | Optimized for SWIFT based projects | 51 |
| terraform | Optimized for TERRAFORM based projects | 54 |
Behind the scenes
How are identified applicable files
- Activated only if sub-directory `.github/workflows` is found (directory name can be overridden with `ACTION_DIRECTORY`)
- File extensions: `.yml`, `.yaml`
How the linting is performed
- zizmor is called once with the list of files as arguments (`list_of_files` CLI lint mode)
Example calls
```shell
zizmor ci.yml tests.yml lint.yml action.yml
zizmor ./subdir/ci.yml ../sibling/tests.yml ./action/action.yml
zizmor .
zizmor --config zizmor.yml .
```
Help content
```text
Static analysis for GitHub Actions

Usage: zizmor [OPTIONS] <INPUTS>...

Arguments:
  <INPUTS>...  The inputs to audit

Options:
      --lsp
          Run in language server mode (EXPERIMENTAL)
  -p, --pedantic
          Emit 'pedantic' findings
      --persona <PERSONA>
          The persona to use while auditing [default: regular] [possible values: auditor, pedantic, regular]
  -o, --offline
          Perform only offline operations [env: ZIZMOR_OFFLINE=]
      --gh-token <GH_TOKEN>
          The GitHub API token to use [env: GH_TOKEN or GITHUB_TOKEN or ZIZMOR_GITHUB_TOKEN]
      --gh-hostname <GH_HOSTNAME>
          The GitHub Server Hostname. Defaults to github.com [env: GH_HOST=] [default: github.com]
      --no-online-audits
          Perform only offline audits [env: ZIZMOR_NO_ONLINE_AUDITS=]
  -v, --verbose...
          Increase logging verbosity
  -q, --quiet...
          Decrease logging verbosity
      --no-progress
          Don't show progress bars, even if the terminal supports them
      --format <FORMAT>
          The output format to emit. By default, cargo-style diagnostics will be emitted [default: plain] [possible values: plain, json, json-v1, sarif, github]
      --render-links <RENDER_LINKS>
          Whether to render OSC 8 links in the output [env: ZIZMOR_RENDER_LINKS=] [default: auto] [possible values: auto, always, never]
      --show-audit-urls <SHOW_AUDIT_URLS>
          Whether to render audit URLs in the output, separately from any URLs embedded in OSC 8 links [env: ZIZMOR_SHOW_AUDIT_URLS=] [default: auto] [possible values: auto, always, never]
      --color <MODE>
          Control the use of color in output [possible values: auto, always, never]
  -c, --config <CONFIG>
          The configuration file to load. This loads a single configuration file across all input groups, which may not be what you intend [env: ZIZMOR_CONFIG=]
      --no-config
          Disable all configuration loading
      --no-exit-codes
          Disable all error codes besides success and tool failure
      --min-severity <MIN_SEVERITY>
          Filter all results below this severity [possible values: informational, low, medium, high]
      --min-confidence <MIN_CONFIDENCE>
          Filter all results below this confidence [possible values: low, medium, high]
      --cache-dir <CACHE_DIR>
          The directory to use for HTTP caching. By default, a host-appropriate user-caching directory will be used
      --collect <COLLECT>...
          Control which kinds of inputs are collected for auditing [default: default] [possible values: all, default, workflows, actions, dependabot]
      --strict-collection
          Fail instead of warning on syntax and schema errors in collected inputs
      --completions <SHELL>
          Generate tab completion scripts for the specified shell [possible values: bash, elvish, fish, nushell, powershell, zsh]
      --fix[=<MODE>]
          Fix findings automatically, when available (EXPERIMENTAL) [possible values: safe, unsafe-only, all]
      --thanks
          Emit thank-you messages for zizmor's sponsors
  -h, --help
          Print help (see more with '--help')
  -V, --version
          Print version
```
Installation on mega-linter Docker image
- Dockerfile commands:

```dockerfile
# renovate: datasource=crate depName=zizmor
ARG CARGO_ZIZMOR_VERSION=1.23.1
```
- Cargo packages (Rust):
