Quickstart🔗
First, run zizmor --help to make sure your installation succeeded.
You should see something like this:
Finds security issues in GitHub Actions setups
Usage: zizmor [OPTIONS] <INPUTS>...
Arguments:
<INPUTS>... The workflow filenames or directories to audit
Options:
-p, --pedantic Emit findings even when the context suggests an explicit security decision made by the user
-o, --offline Only perform audits that don't require network access
-v, --verbose... Increase logging verbosity
-q, --quiet... Decrease logging verbosity
-n, --no-progress Disable the progress bar. This is useful primarily when running with a high verbosity level, as the two will fight for stderr
--gh-token <GH_TOKEN> The GitHub API token to use [env: GH_TOKEN=]
--format <FORMAT> The output format to emit. By default, plain text will be emitted [possible values: plain, json, sarif]
-c, --config <CONFIG> The configuration file to load. By default, any config will be discovered relative to $CWD
--no-config Disable all configuration loading
--no-exit-codes Disable all error codes besides success and tool failure
-h, --help Print help
-V, --version Print version
Running zizmor🔗
You can run zizmor on any file(s) you have locally:
# audit a specific workflow
zizmor my-workflow.yml
# discovers .github/workflows/*.yml automatically
zizmor path/to/repo
By default, zizmor will emit Rust-style diagnostics, e.g.:
error[pull-request-target]: use of fundamentally insecure workflow trigger
--> /home/william/devel/gha-hazmat/.github/workflows/pull-request-target.yml:20:1
|
20 | / on:
21 | | # NOT OK: pull_request_target should almost never be used
22 | | pull_request_target:
| |______________________^ triggers include pull_request_target, which is almost always used insecurely
|
1 findings (0 unknown, 0 informational, 0 low, 0 medium, 1 high)
See Usage for more examples, including examples of configuration.