Quickstart

First, run zizmor --help to make sure your installation succeeded.

You should see something like this:

Finds security issues in GitHub Actions setups

Usage: zizmor [OPTIONS] <INPUTS>...

Arguments:
  <INPUTS>...  The workflow filenames or directories to audit

Options:
  -p, --pedantic             Emit findings even when the context suggests an explicit security decision made by the user
  -o, --offline              Only perform audits that don't require network access
  -v, --verbose...           Increase logging verbosity
  -q, --quiet...             Decrease logging verbosity
  -n, --no-progress          Disable the progress bar. This is useful primarily when running with a high verbosity level, as the two will fight for stderr
      --gh-token <GH_TOKEN>  The GitHub API token to use [env: GH_TOKEN=]
      --format <FORMAT>      The output format to emit. By default, plain text will be emitted [possible values: plain, json, sarif]
  -c, --config <CONFIG>      The configuration file to load. By default, any config will be discovered relative to $CWD
      --no-config            Disable all configuration loading
      --no-exit-codes        Disable all error codes besides success and tool failure
  -h, --help                 Print help
  -V, --version              Print version

Running zizmor

You can run zizmor on any file(s) you have locally:

# audit a specific workflow
zizmor my-workflow.yml
# discovers .github/workflows/*.yml automatically
zizmor path/to/repo

By default, zizmor will emit Rust-style diagnostics, e.g.:

error[pull-request-target]: use of fundamentally insecure workflow trigger
  --> /home/william/devel/gha-hazmat/.github/workflows/pull-request-target.yml:20:1
   |
20 | / on:
21 | |   # NOT OK: pull_request_target should almost never be used
22 | |   pull_request_target:
   | |______________________^ triggers include pull_request_target, which is almost always used insecurely
   |

1 findings (0 unknown, 0 informational, 0 low, 0 medium, 1 high)
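The plain-text diagnostics above are meant for humans; in CI it is more useful to consume one of the machine-readable formats listed under `--format` and decide for yourself which findings block a merge. The script below is an added example, not zizmor's own code or documentation. It assumes `zizmor` is on `PATH` and that `zizmor --format sarif` writes a SARIF 2.1.0 document to stdout; the embedded sample document is constructed to look like the single `pull-request-target` finding shown above, and how zizmor maps its own severities (high, medium, ...) onto SARIF levels is not stated on this page, so the gating is written against the standard SARIF `level` field only. It also uses `--no-exit-codes` so that a non-zero exit status from zizmor means tool failure rather than "findings exist", leaving the severity decision to the script.

```python
"""Gate a CI job on zizmor's SARIF output (added example, not zizmor's code).

Assumes zizmor is on PATH and that `zizmor --format sarif` emits SARIF 2.1.0
on stdout. SAMPLE_SARIF below is constructed for illustration only.
"""
import json
import subprocess
import sys
from collections import Counter

# Constructed SARIF 2.1.0 document shaped like the one pull-request-target
# finding shown in the quickstart diagnostic; not real zizmor output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "zizmor"}},
        "results": [{
            "ruleId": "pull-request-target",
            "level": "error",
            "message": {"text": "use of fundamentally insecure workflow trigger"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": ".github/workflows/pull-request-target.yml"},
                "region": {"startLine": 20, "startColumn": 1},
            }}],
        }],
    }],
})


def run_zizmor(path, offline=True):
    """Run zizmor on `path` and return the raw SARIF text.

    --no-exit-codes keeps zizmor from exiting non-zero on findings, so a
    CalledProcessError here means the tool itself failed, not that the
    workflow has problems. --offline skips audits that need the GitHub API.
    """
    cmd = ["zizmor", "--format", "sarif", "--no-exit-codes"]
    if offline:
        cmd.append("--offline")
    cmd.append(path)
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return proc.stdout


def parse_findings(sarif_text):
    """Flatten every result in every run into a list of plain dicts."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            uri, line = None, None
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                break  # the first location is enough for a summary line
            findings.append({
                "rule": result.get("ruleId"),
                # SARIF defines "warning" as the default when level is absent.
                "level": result.get("level", "warning"),
                "uri": uri,
                "line": line,
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def count_by_level(findings):
    """Histogram of SARIF levels, e.g. {"error": 1, "warning": 3}."""
    return dict(Counter(f["level"] for f in findings))


def blocking(findings, fail_on=("error",)):
    """Findings whose level should fail the job; tune fail_on per repo policy."""
    return [f for f in findings if f["level"] in fail_on]


def main(argv):
    if len(argv) < 2:
        print("usage: zizmor_gate.py <workflow-or-repo> [--fail-on-warning]",
              file=sys.stderr)
        return 2
    fail_on = ("error", "warning") if "--fail-on-warning" in argv else ("error",)
    findings = parse_findings(run_zizmor(argv[1]))
    for f in findings:
        print(f"{f['level']:8} {f['rule']:24} {f['uri']}:{f['line']}  {f['message']}")
    print("summary:", count_by_level(findings))
    return 1 if blocking(findings, fail_on) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python zizmor_gate.py path/to/repo` in the job step that would otherwise call zizmor directly; the exit status is 1 only when a finding at or above the chosen threshold exists, 2 on usage error, and zizmor's own non-zero status surfaces as a Python exception so a crashed audit is never mistaken for a clean one.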

See Usage for more examples, including examples of configuration.