zizmor - Static analysis for GitHub Actions

If your CI/CD workflows are based on GitHub Actions, the linked tool can scan them for potential security issues and suboptimal defaults.

For example, it warns you about

  • string interpolations that may expand into attacker-controllable code
  • suboptimal defaults, e.g. persist-credentials: true for the checkout action
  • actions that are pinned to a tag instead of a git SHA
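The following workflow is an added illustration of the three patterns listed above, not code from the original card or from the zizmor project. Each weak step is shown beside its hardened form; the event payload, job names and the commit SHA are constructed placeholders.

```yaml
# Added example (not from the original card or from zizmor): one job with the
# three weak patterns, one job with the corresponding hardened forms.
name: triage
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
jobs:
  weak:
    runs-on: ubuntu-latest
    steps:
      # Tag pin: "v4" is mutable and can later point at different code.
      # persist-credentials is not set, so it defaults to true and the
      # GITHUB_TOKEN stays in .git/config for every later step of the job.
      - uses: actions/checkout@v4
      # ${{ }} is expanded before the shell starts, so the comment body is
      # spliced into the script as code rather than passed as data.
      - run: echo "Comment: ${{ github.event.comment.body }}"
  hardened:
    runs-on: ubuntu-latest
    steps:
      # Pinned to a full commit SHA (placeholder below; use the real commit
      # that the v4 tag resolves to) with the tag kept as a comment.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          persist-credentials: false
      # Untrusted input reaches the shell only through an environment
      # variable, which the shell treats as data.
      - run: echo "Comment: $COMMENT"
        env:
          COMMENT: ${{ github.event.comment.body }}
```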

Some of the warnings can be auto-fixed. The tool comes with its own CI integration action.

Michael Leimstädtner