winget install --id zizmor.zizmor
About zizmor
zizmor is a static analysis tool for GitHub Actions. It can find many common security issues in typical GitHub Actions CI/CD setups, including:

- Template injection vulnerabilities, leading to attacker-controlled code execution
- Accidental credential persistence and leakage
- Excessive permission scopes and credential grants to runners
- Impostor commits and confusable git references
- ...and much more!
What's new in 1.25.2
Bug Fixes

- Fixed a bug where the unpinned-tools audit would incorrectly flag the aquasecurity/trivy-action action as installing an unpinned tool version, rather than aquasecurity/setup-trivy (#2018)
Version history
| Version | Updated | Notes |
|---|---|---|
| 1.25.2 | Unknown | Bug Fixes: Fixed a bug where the unpinned-tools audit would incorrectly flag the aquasecurity/trivy-action action as installing an unpinned tool version, rather than aquasecurity/setup-trivy (#2018) |
| 1.25.1 | Unknown | Bug Fixes: Fixed a bug where the cache-poisoning audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (#2004). Fixed a typo when suggesting --fix flags for... |
| 1.25.0 | Unknown | New Features: zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913). Many thanks to @Proximyst for proposing and implementing this improvement! New audit: gi... |
| 1.24.1 | Unknown | Bug Fixes: Fixed a bug where the ref-version-mismatch audit would incorrectly flag some version comments as not containing an appropriate version (#1900) |
| 1.24.0 | Unknown | New Features: zizmor now allows users to audit from stdin, by passing zizmor - (#1611). Enhancements: The use-trusted-publishing audit now detects bun publish and bunx npm publish patterns (#1737). Many thanks to @... |
| 1.23.1 | Unknown | Bug Fixes: Fixed a bug where zizmor would error if given both a GH_TOKEN and a GITHUB_TOKEN (or ZIZMOR_GITHUB_TOKEN) via the environment (#1724) |
| 1.23.0 | Unknown | New Features: New audit: secrets-outside-env detects usage of the secrets context in jobs that don't have a corresponding environment (#1599). New audit: superfluous-actions detects usage of actions that perform ope... |
| 1.22.0 | Unknown | Changes: The misfeature audit now only shows non-"well known" #!/yaml shell: findings when running with the "auditor" persona (#1532). Bug Fixes: Fixed a bug where inputs containing CRLF line endings were not pat... |
| 1.21.0 | Unknown | New Features: New audit: misfeature detects usage of GitHub Actions features that are considered "misfeatures." (#1517). Enhancements: zizmor now uses exit code 3 to signal an audit that has failed because no inpu... |
| 1.20.0 | Unknown | Enhancements: The excessive-permissions audit is now aware of the artifact-metadata and models permissions (#1461). The cache-poisoning audit is now aware of the ramsey/composer-install action (#1489). The unpinned... |
| 1.19.0 | Unknown | New Features: New audit: archived-uses detects usages of archived repositories in uses: clauses (#1411). Enhancements: The use-trusted-publishing audit now detects additional publishing command patterns, including... |