zizmor
Author: William Woodruff

Install: winget install --id=zizmor.zizmor -e

zizmor is a static analysis tool for finding and mitigating security weaknesses in GitHub Actions workflows. It examines CI/CD configuration for common issues such as template injection, accidental credential persistence, excessive permissions granted to runners, impostor commits, and other security risks.
Key Features:
- Template Injection Detection: Identifies places where attacker-controlled input is expanded into a template and could lead to code execution.
- Credential Leak Prevention: Detects workflows that accidentally persist or expose credentials.
- Permission Scope Review: Highlights excessive privileges granted to GitHub Actions runners.
- Impostor Commit Protection: Flags references to misleading commits that could introduce unauthorized code.
- Personas for Sensitivity Control: Offers pedantic and auditor modes to adjust analysis sensitivity.
- GitHub Integration: Generates SARIF output that integrates with GitHub's code scanning feature for pull request feedback.
Ideal for developers, DevOps engineers, and security teams using GitHub Actions, zizmor helps maintain secure CI/CD pipelines. By identifying weaknesses early in workflow development, it reduces the risk of attacks and unintended data exposure. It runs offline by default, so it remains usable without internet access or an API token. Install via winget to get started.