Automic VaultAutomic Vault

brew

Install zizmor with Homebrew, apk, MacPorts, Nix, pacman, scoop, winget, zypper

Find security issues in GitHub Actions setups. Version 1.26.1 via Homebrew; verified 2026-06-21.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install zizmor

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install zizmor

MacPorts ports tree · security/zizmor/Portfile · source: api.github.com

Linux

Alpine Linux apkverified · 92%
sudo apk add zizmor

Alpine Linux edge package indexes · zizmor · source: dl-cdn.alpinelinux.org

Nixverified · 92%
nix profile install nixpkgs#zizmor

nixpkgs package indexes · pkgs/by-name/zi/zizmor/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S zizmor

Arch Linux sync databases · zizmor · source: geo.mirror.pkgbuild.com

openSUSE zypperverified · 92%
sudo zypper install zizmor

openSUSE Tumbleweed package metadata · zizmor · source: download.opensuse.org

Windows

Scoopverified · 92%
scoop install main/zizmor

Scoop official bucket manifest trees · bucket/zizmor.json · source: api.github.com

Windows Package Managerverified · 92%
winget install --id zizmor.zizmor -e

Windows Package Manager source index · zizmor.zizmor · source: cdn.winget.microsoft.com

overview

Package summary

Find security issues in GitHub Actions setups

Commands and aliases

  • zizmor

history

Project history and usage

zizmor is a static-analysis tool for GitHub Actions workflows and actions. It belongs to the newer supply-chain-security wave: instead of scanning application source code, it scans CI/CD definitions for patterns that can leak credentials, allow injection, over-grant permissions, or otherwise compromise releases.

Project history

The project documentation describes zizmor as a tool that can find and fix common security issues in GitHub Actions CI/CD setups. The README lists examples including template-injection vulnerabilities, accidental credential persistence and leakage, excessive permission scopes, and confusable Git references.

zizmor reached a first stable release with v1.0.0, where the official release notes state that the project adopted Semantic Versioning and made stability commitments for existing features. Since then, the project has continued adding audits, output modes, auto-fix behavior, and integrations.

The project also grew a companion GitHub Action. `zizmor-action` runs zizmor inside CI and can integrate with GitHub Advanced Security by uploading findings to code scanning, turning the CLI into a recurring workflow check.

Adoption history

zizmor's adoption tracks the rise of GitHub Actions as release infrastructure and the resulting need to audit workflows as security-sensitive code. Its documentation includes integrations for GitHub Actions, pre-commit, IDEs, and other environments, while the sponsor list includes Grafana Labs, Trail of Bits, Kusari, and Tracebit.

The official trophy case documents examples where zizmor helped larger projects improve GitHub Actions security. That is a strong adoption signal for this niche because the tool's value is demonstrated through pull requests that harden real workflows rather than through a generic scanner benchmark.

Trail of Bits' 2026 work on YAML-anchor support shows zizmor moving with the GitHub Actions platform itself: when Actions added YAML anchors, the analyzer had to understand that syntax to keep coverage over modern workflow files.

How it is used

Users run `zizmor` against workflow files, action definitions, directories, or repositories. The quickstart documents inputs, collection modes, severity and confidence filtering, multiple output formats including JSON, SARIF, and GitHub annotations, and an experimental `--fix` mode.

The usage docs emphasize its static nature: zizmor analyzes workflow and action definitions without executing code or observing runtime state. This makes it suitable for local checks, pre-commit hooks, CI jobs, and code-scanning uploads, while still requiring users to understand runtime-only limitations.

Why package nerds care

zizmor is package-nerd significant because it treats CI configuration as a first-class supply-chain artifact. For maintainers, installing it is a low-friction way to audit the same YAML that builds, signs, publishes, and deploys packages.

It is also a good example of modern security tooling packaging: a Rust CLI, documentation-first audit catalog, machine-readable outputs, and a GitHub Action wrapper that lets projects consume the tool either locally or as part of repository security automation.

Timeline

  • 2024: zizmor documentation copyright begins under William Woodruff, matching the project's early public documentation era.
  • 2025: v1.0.0 is identified in official release notes as the first stable release with Semantic Versioning.
  • 2025: The GitHub Marketplace lists zizmor-action as a public action for running zizmor in workflows.
  • 2026: Trail of Bits collaborates with zizmor maintainers to harden YAML-anchor support after GitHub Actions adds anchors.

Related projects

  • zizmor-action, the official GitHub Action wrapper for running zizmor in CI.
  • GitHub Advanced Security code scanning and SARIF-based workflows.
  • pre-commit, IDE integrations, Scorecard, OSSF/SLSA-adjacent supply-chain hardening tools, and GitHub Actions security guidance.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for zizmor. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 2 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
zizmor.ymlzizmor.yaml

executables

Installed executables

CommandKindExposureNote
zizmorcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.26.1
manager updated2026-06-21
local dataok
upstreamcurrent
latest detectedv1.26.1

https://github.com/zizmorcore/zizmor

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:zizmor
Version1.26.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/zizmor
Homepagehttps://docs.zizmor.sh/
Repositoryhttps://github.com/zizmorcore/zizmor
Upstream docshttps://docs.zizmor.sh/
LicenseMIT
Source archivehttps://github.com/zizmorcore/zizmor/archive/refs/tags/v1.26.1.tar.gz
Last updated2026-06-21T04:12:25Z
Pulseupdated
Build dependenciespkgconf, rust
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namezizmor
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

zizmor

nix profile install nixpkgs#zizmor
  • normalized package name match
  • Matched by: Zizmor
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/zi/zizmor/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

zizmor 1.25.2-r0

A static analysis tool for GitHub Actions

https://github.com/zizmorcore/zizmor

sudo apk add zizmor
  • License: MIT
  • Architecture: x86_64
  • Source Package: zizmor
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Zizmor
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: zizmor from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

zizmor-doc 1.25.2-r0

A static analysis tool for GitHub Actions (documentation)

https://github.com/zizmorcore/zizmor

sudo apk add zizmor-doc
  • License: MIT
  • Architecture: x86_64
  • Source Package: zizmor
  • normalized package name match
  • Matched by: Zizmor
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: zizmor-doc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
pacman95%

zizmor 1.25.2-1

A static analysis tool for GitHub Actions

https://github.com/zizmorcore/zizmor

sudo pacman -S zizmor
  • License: MIT
  • Architecture: x86_64
  • 2 dependencies
  • normalized package name match
  • Matched by: Zizmor
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: zizmor from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

zizmor 1.25.2-1.1

A static analysis tool for GitHub Actions

https://github.com/zizmorcore/zizmor

sudo zypper install zizmor
  • License: MIT
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: zizmor
  • 3 dependencies
  • 2 provides
  • normalized package name match
  • Matched by: Zizmor
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: zizmor from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

zizmor-bash-completion 1.25.2-1.1

Bash Completion for zizmor

https://github.com/zizmorcore/zizmor

sudo zypper install zizmor-bash-completion
  • License: MIT
  • Category: System/Shells
  • Architecture: noarch
  • Source Package: zizmor
  • 2 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Zizmor
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: zizmor-bash-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

zizmor-fish-completion 1.25.2-1.1

Fish Completion for zizmor

https://github.com/zizmorcore/zizmor

sudo zypper install zizmor-fish-completion
  • License: MIT
  • Category: System/Shells
  • Architecture: noarch
  • Source Package: zizmor
  • 2 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Zizmor
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: zizmor-fish-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

zizmor-zsh-completion 1.25.2-1.1

Zsh Completion for zizmor

https://github.com/zizmorcore/zizmor

sudo zypper install zizmor-zsh-completion
  • License: MIT
  • Category: System/Shells
  • Architecture: noarch
  • Source Package: zizmor
  • 2 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Zizmor
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: zizmor-zsh-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
MacPorts95%

zizmor

sudo port install zizmor
  • normalized package name match
  • Matched by: Zizmor
MacPorts ports tree · api.github.com · MacPorts ports tree: security/zizmor/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Scoop95%

main/zizmor

scoop install main/zizmor
  • normalized package name match
  • Matched by: Zizmor
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/zizmor.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
winget95%

zizmor.zizmor

winget install --id zizmor.zizmor -e
  • normalized package name match
  • Matched by: Zizmor
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: zizmor.zizmor from https://cdn.winget.microsoft.com/cache/source.msix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment