macOS
brew install zizmorlocal Homebrew formula metadata
sudo port install zizmorMacPorts ports tree · security/zizmor/Portfile · source: api.github.com
brew
Find security issues in GitHub Actions setups. Version 1.26.1 via Homebrew; verified 2026-06-21.
install
brew install zizmorlocal Homebrew formula metadata
sudo port install zizmorMacPorts ports tree · security/zizmor/Portfile · source: api.github.com
sudo apk add zizmorAlpine Linux edge package indexes · zizmor · source: dl-cdn.alpinelinux.org
nix profile install nixpkgs#zizmornixpkgs package indexes · pkgs/by-name/zi/zizmor/package.nix · source: api.github.com
sudo pacman -S zizmorArch Linux sync databases · zizmor · source: geo.mirror.pkgbuild.com
sudo zypper install zizmoropenSUSE Tumbleweed package metadata · zizmor · source: download.opensuse.org
scoop install main/zizmorScoop official bucket manifest trees · bucket/zizmor.json · source: api.github.com
winget install --id zizmor.zizmor -eWindows Package Manager source index · zizmor.zizmor · source: cdn.winget.microsoft.com
overview
Find security issues in GitHub Actions setups
history
zizmor is a static-analysis tool for GitHub Actions workflows and actions. It belongs to the newer supply-chain-security wave: instead of scanning application source code, it scans CI/CD definitions for patterns that can leak credentials, allow injection, over-grant permissions, or otherwise compromise releases.
The project documentation describes zizmor as a tool that can find and fix common security issues in GitHub Actions CI/CD setups. The README lists examples including template-injection vulnerabilities, accidental credential persistence and leakage, excessive permission scopes, and confusable Git references.
zizmor reached a first stable release with v1.0.0, where the official release notes state that the project adopted Semantic Versioning and made stability commitments for existing features. Since then, the project has continued adding audits, output modes, auto-fix behavior, and integrations.
The project also grew a companion GitHub Action. `zizmor-action` runs zizmor inside CI and can integrate with GitHub Advanced Security by uploading findings to code scanning, turning the CLI into a recurring workflow check.
zizmor's adoption tracks the rise of GitHub Actions as release infrastructure and the resulting need to audit workflows as security-sensitive code. Its documentation includes integrations for GitHub Actions, pre-commit, IDEs, and other environments, while the sponsor list includes Grafana Labs, Trail of Bits, Kusari, and Tracebit.
The official trophy case documents examples where zizmor helped larger projects improve GitHub Actions security. That is a strong adoption signal for this niche because the tool's value is demonstrated through pull requests that harden real workflows rather than through a generic scanner benchmark.
Trail of Bits' 2026 work on YAML-anchor support shows zizmor moving with the GitHub Actions platform itself: when Actions added YAML anchors, the analyzer had to understand that syntax to keep coverage over modern workflow files.
Users run `zizmor` against workflow files, action definitions, directories, or repositories. The quickstart documents inputs, collection modes, severity and confidence filtering, multiple output formats including JSON, SARIF, and GitHub annotations, and an experimental `--fix` mode.
The usage docs emphasize its static nature: zizmor analyzes workflow and action definitions without executing code or observing runtime state. This makes it suitable for local checks, pre-commit hooks, CI jobs, and code-scanning uploads, while still requiring users to understand runtime-only limitations.
zizmor is package-nerd significant because it treats CI configuration as a first-class supply-chain artifact. For maintainers, installing it is a low-friction way to audit the same YAML that builds, signs, publishes, and deploys packages.
It is also a good example of modern security tooling packaging: a Rust CLI, documentation-first audit catalog, machine-readable outputs, and a GitHub Action wrapper that lets projects consume the tool either locally or as part of repository security automation.
security posture
No matching local secret-handling manifest was found for zizmor. Nucleus package metadata is still published here so future coverage has a stable package URL.
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
zizmor.ymlzizmor.yamlexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
zizmor | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/zizmorcore/zizmor
install metadata
| Package key | brew:zizmor |
|---|---|
| Version | 1.26.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/zizmor |
| Homepage | https://docs.zizmor.sh/ |
| Repository | https://github.com/zizmorcore/zizmor |
| Upstream docs | https://docs.zizmor.sh/ |
| License | MIT |
| Source archive | https://github.com/zizmorcore/zizmor/archive/refs/tags/v1.26.1.tar.gz |
| Last updated | 2026-06-21T04:12:25Z |
| Pulse | updated |
| Build dependencies | pkgconf, rust |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | zizmor |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
zizmor
nix profile install nixpkgs#zizmorzizmor 1.25.2-r0
A static analysis tool for GitHub Actions
https://github.com/zizmorcore/zizmor
sudo apk add zizmorzizmor-doc 1.25.2-r0
A static analysis tool for GitHub Actions (documentation)
https://github.com/zizmorcore/zizmor
sudo apk add zizmor-doczizmor 1.25.2-1
A static analysis tool for GitHub Actions
https://github.com/zizmorcore/zizmor
sudo pacman -S zizmorzizmor 1.25.2-1.1
A static analysis tool for GitHub Actions
https://github.com/zizmorcore/zizmor
sudo zypper install zizmorzizmor-bash-completion 1.25.2-1.1
Bash Completion for zizmor
https://github.com/zizmorcore/zizmor
sudo zypper install zizmor-bash-completionzizmor-fish-completion 1.25.2-1.1
Fish Completion for zizmor
https://github.com/zizmorcore/zizmor
sudo zypper install zizmor-fish-completionzizmor-zsh-completion 1.25.2-1.1
Zsh Completion for zizmor
https://github.com/zizmorcore/zizmor
sudo zypper install zizmor-zsh-completionzizmor
sudo port install zizmormain/zizmor
scoop install main/zizmorzizmor.zizmor
winget install --id zizmor.zizmor -esource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.