# Install zizmor with Homebrew, apk, MacPorts, Nix, pacman, scoop, winget, zypper

Find security issues in GitHub Actions setups. Version 1.26.1 via Homebrew; verified 2026-06-21.

## Install

```sh
sudo av install brew:zizmor
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install zizmor
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install zizmor
```

  Evidence: MacPorts ports tree: security/zizmor/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add zizmor
```

  Evidence: Alpine Linux edge package indexes: zizmor from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Nix (92%):

```sh
nix profile install nixpkgs#zizmor
```

  Evidence: nixpkgs package indexes: pkgs/by-name/zi/zizmor/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S zizmor
```

  Evidence: Arch Linux sync databases: zizmor from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install zizmor
```

  Evidence: openSUSE Tumbleweed package metadata: zizmor from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Scoop (92%):

```sh
scoop install main/zizmor
```

  Evidence: Scoop official bucket manifest trees: bucket/zizmor.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id zizmor.zizmor -e
```

  Evidence: Windows Package Manager source index: zizmor.zizmor from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:zizmor
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/zizmor>
- **Version:** 1.26.1
- **Source summary:** Find security issues in GitHub Actions setups
- **Homepage:** <https://docs.zizmor.sh/>
- **Repository:** <https://github.com/zizmorcore/zizmor>
- **Upstream docs:** <https://docs.zizmor.sh/>
- **License:** MIT
- **Source archive:** <https://github.com/zizmorcore/zizmor/archive/refs/tags/v1.26.1.tar.gz>
- **Last updated:** 2026-06-21T04:12:25Z
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- zizmor (cli)
- zizmor (alias)

## Build dependencies

- pkgconf
- rust

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.26.1
- Package-manager updated: 2026-06-21
- Local data: ok
- Upstream repository: https://github.com/zizmorcore/zizmor
- Upstream latest detected: v1.26.1 (current)
## Project history and usage

zizmor is a static-analysis tool for GitHub Actions workflows and actions. It belongs to the newer supply-chain-security wave: instead of scanning application source code, it scans CI/CD definitions for patterns that can leak credentials, allow injection, over-grant permissions, or otherwise compromise releases.

### Project history

The project documentation describes zizmor as a tool that can find and fix common security issues in GitHub Actions CI/CD setups. The README lists examples including template-injection vulnerabilities, accidental credential persistence and leakage, excessive permission scopes, and confusable Git references.

zizmor reached a first stable release with v1.0.0, where the official release notes state that the project adopted Semantic Versioning and made stability commitments for existing features. Since then, the project has continued adding audits, output modes, auto-fix behavior, and integrations.

The project also grew a companion GitHub Action. `zizmor-action` runs zizmor inside CI and can integrate with GitHub Advanced Security by uploading findings to code scanning, turning the CLI into a recurring workflow check.

### Adoption history

zizmor's adoption tracks the rise of GitHub Actions as release infrastructure and the resulting need to audit workflows as security-sensitive code. Its documentation includes integrations for GitHub Actions, pre-commit, IDEs, and other environments, while the sponsor list includes Grafana Labs, Trail of Bits, Kusari, and Tracebit.

The official trophy case documents examples where zizmor helped larger projects improve GitHub Actions security. That is a strong adoption signal for this niche because the tool's value is demonstrated through pull requests that harden real workflows rather than through a generic scanner benchmark.

Trail of Bits' 2026 work on YAML-anchor support shows zizmor moving with the GitHub Actions platform itself: when Actions added YAML anchors, the analyzer had to understand that syntax to keep coverage over modern workflow files.

### How it is used

Users run `zizmor` against workflow files, action definitions, directories, or repositories. The quickstart documents inputs, collection modes, severity and confidence filtering, multiple output formats including JSON, SARIF, and GitHub annotations, and an experimental `--fix` mode.

The usage docs emphasize its static nature: zizmor analyzes workflow and action definitions without executing code or observing runtime state. This makes it suitable for local checks, pre-commit hooks, CI jobs, and code-scanning uploads, while still requiring users to understand runtime-only limitations.

### Why package nerds care

zizmor is package-nerd significant because it treats CI configuration as a first-class supply-chain artifact. For maintainers, installing it is a low-friction way to audit the same YAML that builds, signs, publishes, and deploys packages.

It is also a good example of modern security tooling packaging: a Rust CLI, documentation-first audit catalog, machine-readable outputs, and a GitHub Action wrapper that lets projects consume the tool either locally or as part of repository security automation.

### Timeline

- 2024: zizmor documentation copyright begins under William Woodruff, matching the project's early public documentation era.
- 2025: v1.0.0 is identified in official release notes as the first stable release with Semantic Versioning.
- 2025: The GitHub Marketplace lists zizmor-action as a public action for running zizmor in workflows.
- 2026: Trail of Bits collaborates with zizmor maintainers to harden YAML-anchor support after GitHub Actions adds anchors.

### Related projects

- zizmor-action, the official GitHub Action wrapper for running zizmor in CI.
- GitHub Advanced Security code scanning and SARIF-based workflows.
- pre-commit, IDE integrations, Scorecard, OSSF/SLSA-adjacent supply-chain hardening tools, and GitHub Actions security guidance.

### Sources

- <https://blog.trailofbits.com/2026/05/22/we-hardened-zizmors-github-actions-static-analyzer/>
- <https://docs.zizmor.sh/>
- <https://docs.zizmor.sh/audits/>
- <https://docs.zizmor.sh/quickstart/>
- <https://docs.zizmor.sh/trophy-case/>
- <https://docs.zizmor.sh/usage/>
- <https://github.com/marketplace/actions/zizmor-action>
- <https://github.com/zizmorcore/zizmor>
- <https://github.com/zizmorcore/zizmor-action>
- <https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md>


## Security Notes

No matching local secret-handling manifest was found for zizmor. Nucleus package metadata is still published here so future coverage has a stable package URL.



## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: zizmor.yml, zizmor.yaml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** zizmor
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - zizmor: normalized package name match | nixpkgs package indexes: pkgs/by-name/zi/zizmor/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - zizmor - 1.25.2-r0: normalized package name match | Alpine Linux edge package indexes: zizmor from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | A static analysis tool for GitHub Actions | https://github.com/zizmorcore/zizmor
- apk - zizmor-doc - 1.25.2-r0: normalized package name match | Alpine Linux edge package indexes: zizmor-doc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | A static analysis tool for GitHub Actions (documentation) | https://github.com/zizmorcore/zizmor
- pacman - zizmor - 1.25.2-1: normalized package name match | Arch Linux sync databases: zizmor from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | A static analysis tool for GitHub Actions | https://github.com/zizmorcore/zizmor
- zypper - zizmor - 1.25.2-1.1: normalized package name match | openSUSE Tumbleweed package metadata: zizmor from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | A static analysis tool for GitHub Actions | https://github.com/zizmorcore/zizmor
- zypper - zizmor-bash-completion - 1.25.2-1.1: normalized package name match | openSUSE Tumbleweed package metadata: zizmor-bash-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Bash Completion for zizmor | https://github.com/zizmorcore/zizmor
- zypper - zizmor-fish-completion - 1.25.2-1.1: normalized package name match | openSUSE Tumbleweed package metadata: zizmor-fish-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Fish Completion for zizmor | https://github.com/zizmorcore/zizmor
- zypper - zizmor-zsh-completion - 1.25.2-1.1: normalized package name match | openSUSE Tumbleweed package metadata: zizmor-zsh-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Zsh Completion for zizmor | https://github.com/zizmorcore/zizmor
- MacPorts - zizmor: normalized package name match | MacPorts ports tree: security/zizmor/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Scoop - main/zizmor: normalized package name match | Scoop official bucket manifest trees: bucket/zizmor.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
- winget - zizmor.zizmor: normalized package name match | Windows Package Manager source index: zizmor.zizmor from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [chain-bench](https://www.automicvault.com/pkg/brew/chain-bench/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [vet](https://www.automicvault.com/pkg/brew/vet/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [frizbee](https://www.automicvault.com/pkg/brew/frizbee/) - Shares av.db curated category or tags: cli, github-actions, security, supply-chain.
- [opensca-cli](https://www.automicvault.com/pkg/brew/opensca-cli/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [parlay](https://www.automicvault.com/pkg/brew/parlay/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [poutine](https://www.automicvault.com/pkg/brew/poutine/) - Shares av.db curated category or tags: ci, cli, github-actions, security, supply-chain-security.
- [ratchet](https://www.automicvault.com/pkg/brew/ratchet/) - Shares av.db curated category or tags: cli, security, supply-chain.
- [ratify](https://www.automicvault.com/pkg/brew/ratify/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.

## Combined YAML source

View the package source record on GitHub. [combined/zizmor.yml](https://github.com/automic-vault/db/blob/main/combined/zizmor.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
