Key takeaways
- De facto standard auditor for GitHub Actions security: 500+ trophy-case entries spanning CPython, cURL, PyPI, Rust, Sigstore, Apache, Mozilla, and Google projects as of June 2026
- 38 audit rules target the exact attack classes behind the spring 2026 supply-chain wave — template injection, credential leakage, cache poisoning, and impostor commits — with auto-fix for most findings
- Free, MIT-licensed, sponsor-funded Rust CLI with no commercial tier; audit-only scope — it hardens workflow files, it does not scan package payloads or runtime behavior
FAQ
What is zizmor?
zizmor is a static analysis tool that finds and fixes common security issues in GitHub Actions CI/CD workflows.
How much does zizmor cost?
Nothing — zizmor is free and MIT-licensed, funded through GitHub Sponsors with backers including Grafana Labs and Trail of Bits.
How does zizmor work?
It parses workflow and action YAML and runs 38 audit rules — mostly offline in milliseconds, with optional online audits like impostor-commit detection — at three sensitivity levels (regular, pedantic, auditor), and can auto-fix most findings via --fix.
How is zizmor different from OpenSSF Scorecard?
Scorecard scores a repository's overall security posture across many heuristics; zizmor goes deep on one layer — GitHub Actions workflows — with file-level findings and automated fixes.
Executive Summary
zizmor is an open-source static analysis tool for GitHub Actions: it scans workflow and action definitions for the security mistakes that turn CI pipelines into supply-chain attack vectors — template injection, leaked credentials, poisonable caches, and impostor commits — and can automatically fix most of what it finds.[1][2] It is created and maintained by William Woodruff, a supply-chain security engineer, and funded through sponsorships from backers including Grafana Labs and Trail of Bits rather than a commercial entity.[3][4]
The timing argument for the tool is strong: the spring 2026 supply-chain wave entered through Actions pipelines — the TanStack npm worm alone published 84 malicious artifacts via a compromised CI pipeline.[5] zizmor audits exactly that entry surface, and the ecosystem has noticed: 5,611 GitHub stars with daily pushes, 3.2M+ PyPI downloads as of September 2025, and a trophy case of 500+ adopting projects including CPython, cURL, PyPI, Rust, Sigstore, and projects from Apache, Mozilla, and Google.[1][4][6]
| Attribute | Detail |
|---|---|
| Creator | William Woodruff (zizmorcore org)[3][1] |
| Created | August 2024[1] |
| Funding | None (sponsor-funded: GitHub Sponsors, thanks.dev, ko-fi)[3] |
| GitHub Stars | 5,611 (216 forks) as of June 2026[1] |
| License | MIT[1] |
| Language | Rust[1] |
Product Overview
zizmor is a CLI you point at a repository or workflow file. It runs 38 audit rules against GitHub Actions workflows, composite actions, and Dependabot configurations — mostly offline, with a few online audits (like impostor-commit detection) that query the GitHub API.[2] Findings come at three sensitivity levels ("personas"): the default regular persona prioritizes high-signal actionable findings, while pedantic and auditor personas progressively surface noisier code smells and platform-limitation findings.[7]
Key Capabilities
| Capability | Description |
|---|---|
| Template-injection detection | Flags attacker-controllable contexts (e.g. github.event.issue.title) expanded into shell code[2] |
| Credential-leak detection | Hardcoded container credentials; persistent git credentials leaked via artifacts ("artipacked")[2] |
| Cache-poisoning detection | Flags release workflows that restore attacker-poisonable build caches[2] |
| Impostor-commit detection | Online audit for fork-network commits that don't exist in the upstream repository[2] |
| Permissions & pinning hygiene | Over-scoped workflow permissions; unpinned action references (hash-pinning enforced by default)[2] |
| Auto-fix | --fix mode repairs findings for all but four audits (impostor-commit, known-vulnerable-actions, ref-confusion, stale-action-refs)[2] |
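To illustrate what the template-injection audit flags and the env-variable rewrite that --fix applies to this class of finding, here is a toy re-implementation of the idea (constructed for this page, not zizmor's own code; the `audit` function, the `UNTRUSTED` allowlist and the sample workflow are assumptions, and zizmor's real allowlist and parser are far more complete):

```python
"""Toy version of the idea behind zizmor's template-injection audit and its
--fix rewrite. Constructed for this page; not zizmor's own code."""
import re
# Contexts an outside contributor controls (sample allowlist; zizmor's is larger).
UNTRUSTED = {"github.event.issue.title", "github.event.issue.body",
             "github.event.pull_request.title", "github.event.pull_request.body",
             "github.event.comment.body", "github.head_ref"}
EXPR = re.compile(r"\$\{\{\s*([\w.\-\[\]']+)\s*\}\}")
def audit(text):
    """Scan `run:` scalars for untrusted contexts expanded into shell. Returns
    (findings, fixed): [(line_no, context), ...] plus the workflow rewritten so
    each such expression becomes ${NAME} fed through the step's env: block.
    Assumes `run:` is its own key line and the step has no env: block yet."""
    findings, out, pending, run_idx, run_indent = [], [], {}, None, None
    def flush():  # insert env: above the run: block that just ended
        if run_idx is not None and pending:
            pad = " " * run_indent
            out[run_idx:run_idx] = [f"{pad}env:"] + [
                f"{pad}  {k}: ${{{{ {v} }}}}" for k, v in pending.items()]
        pending.clear()
    for no, line in enumerate(text.splitlines(), 1):
        cur = len(line) - len(line.lstrip())
        if line.lstrip().startswith("run:"):
            flush()
            run_idx, run_indent = len(out), cur
        elif line.strip() and (run_indent is None or cur <= run_indent):
            flush()  # left the run: block (blank lines inside it are kept)
            run_idx = run_indent = None
        if run_idx is not None:
            for ctx in EXPR.findall(line):
                if ctx in UNTRUSTED:
                    name = ctx.replace(".", "_").upper()
                    findings.append((no, ctx))
                    pending[name] = ctx
                    line = re.sub(r"\$\{\{\s*" + re.escape(ctx) + r"\s*\}\}", "${" + name + "}", line)
        out.append(line)
    flush()
    return findings, "\n".join(out) + "\n"

# Constructed sample: an issue title expanded straight into bash.
VULNERABLE = """\
on: issues
jobs:
  triage:
    steps:
      - name: Echo title
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "Actor: ${{ github.actor }}"
"""
```

`audit(VULNERABLE)` reports the issue-title expansion on line 7 and leaves `github.actor` alone; the rewritten workflow passes the title through `env:` so the shell receives it as a variable value rather than as script text, which is the shape of the fix zizmor applies.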
Product Surfaces
| Surface | Description | Availability |
|---|---|---|
| CLI | Rust binary; offline runs in tens of milliseconds[4] | crates.io, PyPI, Homebrew, conda-forge[3] |
| pre-commit hook | Run audits before commit | Free[3] |
| GitHub Action | zizmor-action runs audits in CI | Free[3] |
Technical Architecture
zizmor is a single Rust binary with no service dependency; the default offline mode analyzes representative inputs in tens of milliseconds, and online audits trade speed for fork-network and registry checks.[4] Installation and basic usage:[3][2]

```shell
# Install and audit a repository
brew install zizmor # or: cargo install zizmor / pip install zizmor
zizmor .github/workflows/
zizmor --fix .github/workflows/ # auto-fix supported findings
```
Key Technical Details
| Aspect | Detail |
|---|---|
| Deployment | Local CLI, pre-commit, or GitHub Action; offline by default[3] |
| Model(s) | None — deterministic static analysis, no LLM component[1] |
| Integrations | GitHub Actions, Dependabot configs, GitHub API (online audits)[2] |
| Open Source | Yes — MIT, ~50 contributors as of September 2025[1][4] |
Strengths
- Audits the layer attackers actually used in 2026. The spring 2026 supply-chain wave entered through Actions pipelines — the TanStack worm shipped 84 malicious artifacts through a compromised pipeline — and zizmor's audit set (injection, credential leakage, cache poisoning, impostor commits) maps directly onto those entry points.[5][2]
- Exceptional ecosystem adoption for a two-year-old tool. 500+ trophy-case entries spanning CPython, cURL, PyPI, Rust, Sigstore, Apache, Mozilla, Google, and Kubernetes-adjacent projects; 3.2M+ PyPI downloads with 633K in a single month as of September 2025.[6][4]
- Fix, not just flag. All but four of the 38 audits support automated remediation via --fix, which lowers the cost of acting on findings — a real differentiator versus posture scanners.[2]
- Fast and CI-friendly. Offline runs complete in tens of milliseconds, so it fits in pre-commit hooks without friction.[4]
- Tunable signal-to-noise. The default persona is deliberately high-signal; pedantic and auditor personas exist for teams that want exhaustive sweeps.[7]
- Externally hardened. Trail of Bits audited the analyzer itself in May 2026, filing 20 issues and merging 15 pull requests to improve handling of YAML anchors and other edge cases.[8]
Cautions
- False positives in the flagship audit. Community reports describe a high false-positive rate for template-injection findings, with manual triage costs significant enough to prompt a proposed redesign of the context allowlist.[9] The maintainers have repeatedly demoted noisy audits — secrets-outside-env and misfeature findings are now auditor-persona-only because of false positives and GitHub platform limitations.[10]
- Audit-only scope. zizmor hardens workflow files; it does not scan package payloads, monitor runtime behavior, or detect a compromised dependency once it is inside the pipeline. A TanStack-style worm payload is out of scope — zizmor closes the workflow misconfigurations such attacks exploit, nothing more.[1][5]
- Largely intraprocedural analysis. Woodruff is candid that zizmor analyzes workflows in isolation and misses transitive, cross-repository issues — and that ideally "zizmor doesn't really want to exist"; the root problem is GitHub Actions' security model itself.[4]
- GitHub Actions only. No coverage for GitLab CI, CircleCI, Buildkite, or other pipeline systems.[1]
- Single-maintainer concentration. ~50 contributors exist, but the project is Woodruff-driven and sponsor-funded with no commercial entity behind it.[4][3]
- Analyzer robustness is still maturing. The fact that a May 2026 external review surfaced 20 issues (notably YAML anchor handling) shows the parser had real gaps two years in — encouraging that they were fixed, but a reminder that static analyzers have their own bug surface.[8]
Pricing & Licensing
| Tier | Price | Includes |
|---|---|---|
| Open source | $0 | Everything — all 38 audits, all personas, auto-fix, GitHub Action[2][3] |
Licensing model: MIT — free for commercial and open-source use; development is funded via GitHub Sponsors, thanks.dev, and ko-fi, with sponsors including Grafana Labs and Trail of Bits.[1][3]
Hidden costs: Triage time for false positives (especially at pedantic/auditor sensitivity) and the engineering effort to remediate findings auto-fix can't handle.[9][2]
Competitive Positioning
Direct Competitors
| Competitor | Differentiation |
|---|---|
| OpenSSF Scorecard | Broad repository-posture scoring across many heuristics; zizmor goes deep on one layer (Actions workflows) with file-level findings and auto-fix[2] |
| Socket.dev | Scans package payloads and dependency behavior — the artifact layer; zizmor audits the pipeline layer that publishes those artifacts. Complementary, not substitutes[1] |
| actionlint | General workflow linting (syntax, expressions); zizmor is security-specific with attack-class audits[2] |
| Vouch | Gates who may contribute; zizmor audits what the pipeline does — different ends of the same trust chain[1] |
When to Choose zizmor Over Alternatives
- You ship through GitHub Actions and want the pipeline itself hardened — not just dependencies scanned or posture scored.[2]
- You want automated fixes, not a report — most findings are --fix-able.[2]
- You want a free, fast, offline-capable check that runs in pre-commit and CI without a vendor account.[3][4]
- You are not the right fit if you need coverage beyond GitHub Actions or payload-level malware detection — pair it with a package-layer tool like Socket.dev for that.[1]
Ideal Customer Profile
Best fit:
- Open-source maintainers and platform teams shipping releases through GitHub Actions[6]
- Security teams responding to the 2026 Actions-pipeline attack wave who need a deployable control this week[5]
- Organizations already running Scorecard or Socket that lack workflow-level depth[2]
Poor fit:
- Teams on GitLab CI, CircleCI, or other non-GitHub pipelines[1]
- Buyers who need a vendor contract, SLA, or enterprise support — none exists[3]
- Teams expecting malware or payload detection rather than configuration auditing[1]
Viability Assessment
| Dimension | Assessment |
|---|---|
| Financial Health | Sponsor-funded with credible backers (Grafana Labs, Trail of Bits); no revenue model, no burn[3] |
| Market Position | De facto standard for Actions auditing — 500+ trophy-case adopters including CPython, cURL, Rust, Sigstore[6][4] |
| Innovation Pace | Strong: audits grew from 10 at v0.1.0 to 38 in the stable 1.x series (v1.24.0); pushes daily as of June 2026[4][2][10][1] |
| Community/Ecosystem | ~50 contributors, multiple package-manager distributions, external security review by Trail of Bits[4][8] |
| Long-term Outlook | Healthy but maintainer-concentrated; durable as long as Woodruff and sponsors stay engaged[3] |
zizmor is the rare security tool whose adoption curve preceded the attack wave that justified it. The risks are structural rather than technical: single-maintainer concentration and a scope deliberately limited to one CI platform.[4]
Bottom Line
zizmor is the strongest pure-play answer to a question the spring 2026 supply-chain attacks made urgent: is your CI pipeline itself a vulnerability? It audits the exact attack classes used in the wild — injection, credential leakage, cache poisoning, impostor commits — fixes most of what it finds, costs nothing, and is already embedded in the CI of the software everyone depends on.[2][6][5] Its honesty is also its limitation: it is an auditor, not a detector, and its own creator frames it as a patch over GitHub Actions' security model rather than a solution to it.[4]
Recommended for: Any team shipping through GitHub Actions — especially open-source projects and release pipelines — ideally paired with a package-layer scanner like Socket.dev.
Not recommended for: Non-GitHub CI users, or buyers needing vendor support and payload-level detection.
Outlook: Positive. Adoption, audit count, and external hardening all trended up through mid-2026; the open question is whether a sponsor-funded, maintainer-driven project can keep pace as the Actions threat landscape becomes a primary attack surface.[1][8]
Research by Ry Walker Research
Sources
- [1] zizmor GitHub Repository
- [2] zizmor Audit Rules
- [3] zizmor Documentation
- [4] One Year of zizmor (William Woodruff)
- [5] TanStack npm Supply-Chain Worm (Orca Security)
- [6] zizmor Trophy Case
- [7] zizmor Usage — Personas
- [8] We Hardened zizmor's GitHub Actions Static Analyzer (Trail of Bits)
- [9] zizmor Issue #1878 — Template-Injection False Positives
- [10] zizmor Release Notes