# zizmor

zizmor is a static analysis tool for GitHub Actions. It can find many common security issues in typical GitHub Actions CI/CD setups.

Key Features:

- Expression Analysis: Identifies template injection vulnerabilities, which can lead to attacker-controlled code execution.
- Disk Credential Review: Prevents accidental credential persistence and leakage.
- Overprivileged Runner Detection: Identifies excessive permission scopes and credential grants to runners.
- Invalid Reference Discovery: Locates impostor commits and confusable git references.
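As an added illustration (not zizmor's or MegaLinter's own code), the following Python sketches the class of finding the Expression Analysis feature reports: an untrusted `${{ }}` expression expanded inside a `run:` script, shown next to the hardened form that binds the value to an environment variable first. The untrusted-context list and both sample workflows are constructed for this example; zizmor's real analysis parses YAML properly and covers far more contexts.

```python
import re
# Contexts an outside contributor controls directly (constructed, non-exhaustive subset).
UNTRUSTED_PREFIXES = ("github.event.issue.title", "github.event.issue.body",
                      "github.event.pull_request.title", "github.head_ref")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")       # ${{ expression }}
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")  # "run:" key, optional "- " list marker
BLOCK_SCALARS = {"|", ">", "|-", ">-", "|+", ">+"}

def find_injections(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, expression) for untrusted expressions spliced into run: scripts."""
    findings, in_run, run_indent = [], False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if in_run and line.strip() and indent <= run_indent:
            in_run = False  # a dedent ends the block scalar that holds the script
        m = RUN_RE.match(line)
        if m:
            run_indent, value = len(m.group(1)), m.group(2).strip()
            in_run = value in BLOCK_SCALARS  # script continues on the following lines
            texts = [] if in_run else [value]
        elif in_run:
            texts = [line]
        else:
            continue  # expressions outside run: are not spliced into this step's shell script
        for text in texts:
            for expr in EXPR_RE.findall(text):
                # The runner expands ${{ }} before the shell starts, so quoting offers no protection.
                if expr.startswith(UNTRUSTED_PREFIXES):
                    findings.append((lineno, expr))
    return findings

# Constructed sample: issue title and body are spliced straight into shell commands.
VULNERABLE = """\
on: [issues]
jobs:
  triage:
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"
      - run: |
          echo "${{ github.event.issue.body }}" > body.txt
"""
# Hardened form: the value is bound to an env var, so the shell only ever sees $TITLE.
HARDENED = """\
on: [issues]
jobs:
  triage:
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
"""
```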
To allow zizmor to use `GITHUB_TOKEN` for online audits, add the following to your `.mega-linter.yml`:

```yaml
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN
```
## zizmor documentation

- Version in MegaLinter: 1.25.0
- Visit Official Web Site
- See How to configure zizmor rules
- See How to disable zizmor rules in files
- See Index of problems detected by zizmor
## Configuration in MegaLinter

- Enable zizmor by adding `ACTION_ZIZMOR` in the `ENABLE_LINTERS` variable
- Disable zizmor by adding `ACTION_ZIZMOR` in the `DISABLE_LINTERS` variable
- Enable autofixes by adding `ACTION_ZIZMOR` in the `APPLY_FIXES` variable
| Variable | Description | Default value |
|---|---|---|
| ACTION_ZIZMOR_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
| ACTION_ZIZMOR_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: `-s --foo "bar"` | |
| ACTION_ZIZMOR_FILTER_REGEX_INCLUDE | Custom regex including filter. Ex: `(src\|lib)` | Include every file |
| ACTION_ZIZMOR_FILTER_REGEX_EXCLUDE | Custom regex excluding filter. Ex: `(test\|examples)` | Exclude no file |
| ACTION_ZIZMOR_CLI_LINT_MODE | Override default CLI lint mode: `file` (calls the linter for each file), `list_of_files` (calls the linter with the list of files as argument), `project` (calls the linter from the root of the project) | `list_of_files` |
| ACTION_ZIZMOR_FILE_EXTENSIONS | Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files. Ex: `[".py", ""]` | `[".yml", ".yaml"]` |
| ACTION_ZIZMOR_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]` | Include every file |
| ACTION_ZIZMOR_PRE_COMMANDS | List of bash commands to run before the linter | None |
| ACTION_ZIZMOR_POST_COMMANDS | List of bash commands to run after the linter | None |
| ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling ACTION_ZIZMOR and its pre/post commands | None |
| ACTION_ZIZMOR_CONFIG_FILE | zizmor configuration file name. Use `LINTER_DEFAULT` to let the linter find it | `zizmor.yml` |
| ACTION_ZIZMOR_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| ACTION_ZIZMOR_DISABLE_ERRORS | Run linter but consider errors as warnings | `false` |
| ACTION_ZIZMOR_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | `0` |
| ACTION_ZIZMOR_CLI_EXECUTABLE | Override CLI executable | `['zizmor']` |
| ACTION_DIRECTORY | Directory containing ACTION files (use `any` to always activate the linter) | `.github/workflows` |
## MegaLinter Flavors

This linter is available in the following flavors:

| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 136 |
| c_cpp | Optimized for pure C/C++ projects | 59 |
| cupcake | MegaLinter for the most commonly used languages | 92 |
| documentation | MegaLinter for documentation projects | 52 |
| dotnet | Optimized for C, C++, C# or VB based projects | 67 |
| dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 76 |
| go | Optimized for GO based projects | 54 |
| java | Optimized for JAVA based projects | 57 |
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 62 |
| php | Optimized for PHP based projects | 57 |
| python | Optimized for PYTHON based projects | 69 |
| ruby | Optimized for RUBY based projects | 53 |
| rust | Optimized for RUST based projects | 53 |
| salesforce | Optimized for Salesforce based projects | 59 |
| swift | Optimized for SWIFT based projects | 53 |
| terraform | Optimized for TERRAFORM based projects | 56 |
## Behind the scenes

### How applicable files are identified

- Activated only if the sub-directory `.github/workflows` is found (the directory name can be overridden with `ACTION_DIRECTORY`)
- File extensions: `.yml`, `.yaml`

### How the linting is performed

- zizmor is called once with the list of files as arguments (`list_of_files` CLI lint mode)
### Example calls

```shell
zizmor ci.yml tests.yml lint.yml action.yml
zizmor ./subdir/ci.yml ../sibling/tests.yml ./action/action.yml
zizmor .
zizmor --config zizmor.yml .
```
### Help content

```text
Static analysis for GitHub Actions

Usage: zizmor [OPTIONS] <INPUT>...

Input Options:
  <INPUT>...                    The inputs to audit
  --collect <KIND>...           Control which kinds of inputs are collected for auditing [default: default] [possible values: all, default, workflows, actions, dependabot]
  --strict-collection           Fail instead of warning on syntax and schema errors in collected inputs

Audit Options:
  --fix[=<MODE>]                Fix findings automatically, when available (EXPERIMENTAL) [possible values: safe, unsafe-only, all]
  -p, --pedantic                Emit 'pedantic' findings
  --persona <PERSONA>           The persona to use while auditing [default: regular] [possible values: auditor, pedantic, regular]
  --min-severity <LEVEL>        Filter all results below this severity [possible values: informational, low, medium, high]
  --min-confidence <LEVEL>      Filter all results below this confidence [possible values: low, medium, high]
  --no-ignores                  Don't honor ignore comments or ignore rules in configuration

Output Options:
  -v, --verbose...              Increase logging verbosity
  -q, --quiet...                Decrease logging verbosity
  --format <KIND>               The output format to emit. By default, cargo-style diagnostics will be emitted [default: plain] [possible values: plain, json, json-v1, sarif, github]
  --no-progress                 Don't show progress bars, even if the terminal supports them
  --color <WHEN>                Control the use of color in output [possible values: auto, always, never]
  --render-links <WHEN>         Whether to render OSC 8 links in the output [env: ZIZMOR_RENDER_LINKS=] [default: auto] [possible values: auto, always, never]
  --show-audit-urls <WHEN>      Whether to render audit URLs in the output, separately from any URLs embedded in OSC 8 links [env: ZIZMOR_SHOW_AUDIT_URLS=] [default: auto] [possible values: auto, always, never]
  --no-exit-codes               Disable all error codes besides success and tool failure

Network Options:
  -o, --offline                 Perform only offline operations [env: ZIZMOR_OFFLINE=]
  --gh-token <GH_TOKEN>         The GitHub API token to use [env: GH_TOKEN or GITHUB_TOKEN or ZIZMOR_GITHUB_TOKEN]
  --gh-hostname <GH_HOSTNAME>   The GitHub Server Hostname. Defaults to github.com [env: GH_HOST=] [default: github.com]
  --no-online-audits            Perform only offline audits [env: ZIZMOR_NO_ONLINE_AUDITS=]
  --cache-dir <DIR>             The directory to use for HTTP caching. By default, a host-appropriate user-caching directory will be used

Options:
  --lsp                         Run in language server mode (EXPERIMENTAL)
  -c, --config <FILE>           The configuration file to load. This loads a single configuration file across all input groups, which may not be what you intend [env: ZIZMOR_CONFIG=]
  --no-config                   Disable all configuration loading
  --completions <SHELL>         Generate tab completion scripts for the specified shell [possible values: bash, elvish, fish, nushell, powershell, zsh]
  --thanks                      Emit thank-you messages for zizmor's sponsors
  -h, --help                    Print help (see more with '--help')
  -V, --version                 Print version
```
## Installation on mega-linter Docker image

- Dockerfile commands:

```dockerfile
# renovate: datasource=crate depName=zizmor
ARG CARGO_ZIZMOR_VERSION=1.25.0
FROM alpine:3.23 AS cargo-bin-zizmor
ARG CARGO_ZIZMOR_VERSION
RUN set -eu; \
    apk add --no-cache build-base musl-dev openssl-dev openssl-libs-static pkgconfig bash perl rust cargo && \
    mkdir -p /out/bin && \
    cargo install --force --locked --root /out "zizmor@${CARGO_ZIZMOR_VERSION}" && \
    chmod +x /out/bin/zizmor
COPY --link --from=cargo-bin-zizmor /out/bin/zizmor /usr/bin/zizmor
```
