{"id":3859,"library":"zizmor","title":"Zizmor","description":"Zizmor is a static analysis tool for GitHub Actions, designed to identify common security vulnerabilities in CI/CD setups. It detects issues such as template injection, accidental credential leakage, excessive permission scopes, and impostor commits. Currently at version 1.23.1, the project maintains an active development pace with frequent releases.","status":"active","version":"1.23.1","language":"en","source_language":"en","source_url":"https://github.com/zizmorcore/zizmor","tags":["static-analysis","github-actions","security","ci-cd"],"install":[{"cmd":"pip install zizmor","lang":"bash","label":"Install via pip"}],"dependencies":[],"imports":[],"quickstart":{"code":"import subprocess\nimport os\n\n# Ensure zizmor is installed via 'pip install zizmor' and in your PATH.\n# A GitHub token (GH_TOKEN) is needed for online audits (e.g. resolving\n# remote actions and checking for impostor commits) without hitting\n# GitHub API rate limits.\ngithub_token = os.environ.get('GH_TOKEN', '')\n\ntry:\n    # Audit the current directory ('.'); zizmor takes its inputs as\n    # positional arguments. Replace '.' with your workflow directory\n    # or a single workflow file if different.\n    command = [\"zizmor\", \".\"]\n    if github_token:\n        command.extend([\"--gh-token\", github_token])\n\n    # Never echo the token into logs; print a redacted command line instead.\n    redacted = ['***' if github_token and arg == github_token else arg for arg in command]\n    print(f\"Running command: {' '.join(redacted)}\")\n    process = subprocess.run(\n        command,\n        capture_output=True,\n        text=True,\n        check=False  # zizmor exits non-zero when it has findings, so do not raise\n    )\n\n    print(\"\\n--- Zizmor Output ---\")\n    print(process.stdout)\n    if process.stderr:\n        print(\"\\n--- Zizmor Errors ---\")\n        print(process.stderr)\n\n    if process.returncode != 0:\n        print(f\"\\nZizmor exited with non-zero status code: {process.returncode}\")\n    else:\n        print(\"\\nZizmor completed successfully.\")\n\nexcept FileNotFoundError:\n    print(\"Error: 'zizmor' command not found. Please ensure zizmor is installed and in your system's PATH.\")\nexcept Exception as e:\n    print(f\"An unexpected error occurred: {e}\")","lang":"python","description":"This quickstart demonstrates how to run `zizmor` as a command-line tool from Python using `subprocess`. The `.` positional argument tells `zizmor` to scan the current directory for GitHub Actions workflows. A GitHub token (GH_TOKEN) is often necessary for `zizmor` to perform comprehensive online audits and resolve remote actions without hitting GitHub API rate limits; the token is never echoed into the log output."},"warnings":[{"fix":"Refer to release notes when upgrading from versions prior to 1.0.0. For later versions, breaking changes are confined to major version increments.","message":"Zizmor adopted Semantic Versioning starting with v1.0.0. While breaking changes are now confined to major version increments, pre-1.0.0 releases may have introduced them without strict adherence to semver.","severity":"breaking","affected_versions":"<1.0.0"},{"fix":"Provide a GitHub token (e.g., via the `GH_TOKEN` environment variable or the `--gh-token` flag) to authenticate requests and increase the rate limit. Consider running `zizmor` with `--offline` if online checks are not critical or rate limits are a concern.","message":"GitHub API rate limiting can be an issue when `zizmor` performs extensive online checks (e.g., fetching tags and branches for actions) at scale on large projects. It can quickly hit the 15,000 calls per hour limit.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure your repository meets the GitHub Advanced Security requirements for full integration, or use `advanced-security: false` (if using `zizmor-action`) or rely on console output.","message":"Integrating `zizmor` with GitHub Advanced Security (recommended mode) requires your repository to be public or to have Advanced Security as a paid feature on private repositories. Otherwise, results are printed to the console rather than uploaded to Advanced Security.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Adjust any automation or tooling that consumes SARIF reports from `zizmor` to account for the updated severity mapping if precise categorization is critical.","message":"In version 1.23.1, SARIF (Static Analysis Results Interchange Format) categories were regraded. Specifically, `zizmor`'s 'medium' severity now maps to SARIF's 'low' severity.","severity":"breaking","affected_versions":">=1.23.1"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}