zizmor

zizmor is a static analysis CLI tool for GitHub Actions. It audits YAML files for common security issues in GitHub Actions CI/CD pipelines.

Features include detecting template‑injection strings, hard‑coded credentials, overscoped tokens, unpinned third‑party actions, impostor commits and risky triggers. The output defaults to colored cargo‑style diagnostics, JSON, SARIF (static analysis results interchange format) and GitHub‑annotation modes support CI integration.

This tool works best for security and devops engineers, maintainers and hobbyists who rely on Github Actions for their software.