Static Analysis for GitHub Actions

zizmor helps you find and fix potential vulnerabilities in your GitHub workflows and action definitions.

zizmor in action
A screenshot of zizmor running with the auditor persona

Audit your tokhes off

zizmor prefers a high signal-to-noise ratio by default, but lets you dial the sensitivity all the way up with pedantic and auditor personas to catch every potential issue.

Read more about using personas in our documentation.

A screenshot of GitHub code scanning showing a result from zizmor

No context switching

zizmor generates SARIF and integrates directly into GitHub's code scanning feature, giving you feedback directly in your pull requests.

Try our zizmor-action for integration into your CI/CD.


Offline-native

Offline use is a first-class feature of zizmor, and is the default if you don't set a GitHub API token.

Pass --offline to run entirely offline, even if you have a GH_TOKEN set.