Introducing zizmor: now you can have beautiful clean workflows

submitted by
Style Pass
2024-10-27 20:00:03

Oct 27, 2024     Tags: devblog, programming, rust, security    

This is an announcement for zizmor, a new tool for finding security issues in GitHub Actions setups. You can run it on one or more workflow definitions1, and it’ll emit cargo-style diagnostics, SARIF, or JSON as you please.

With this initial release, zizmor can detect a handful of common security issues in GitHub Actions workflows. A sampling of these:

The rest of this post is dedicated to some of zizmor’s background context, and some high-level implementation details on how it was built. Read on if that interests you, or go to zizmor’s README to get started with using it!

CI/CD security (and GitHub Actions in particular) has been a personal interest of mine for a while now, primarily because of how universal and critical it’s become.
