Run zizmor from GitHub Actions!
Warning
This action is not ready for public use!
This section lists a handful of quick-start examples to get you up and
running with zizmor and zizmor-action. See the Inputs
section for more details on how zizmor-action can be configured.
Important
This mode requires that your repository is public or that you have Advanced Security as a paid feature on your private repository.
If neither of these applies to you, you can use zizmor-action
with advanced-security: false; see below for more details.
Important
In this mode, the action will not fail when zizmor produces findings.
This is because Advanced Security encourages workflows to only fail
on internal errors.
To use workflow failure as a blocking signal, you can use GitHub's rulesets feature. For more information, see About code scanning alerts - Pull request check failures for code scanning alerts.
Note
This is the recommended way to use zizmor-action as it provides
stateful analysis and enables incremental triage.
zizmor-action integrates with GitHub's Advanced Security
by default, giving you access to zizmor's findings via your
repository's security tab.
```yaml
name: GitHub Actions Security Analysis with zizmor

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["**"]

permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read # only needed for private repos
      actions: read # only needed for private repos
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Run zizmor
        uses: zizmorcore/[email protected]
```

If you can't or don't want to use GitHub's Advanced Security functionality,
you can still use zizmor-action without any feature limitations.
To do so, set advanced-security: false and omit the
security-events: write permission. For example:
```yaml
name: GitHub Actions Security Analysis with zizmor

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["**"]

permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read # only needed for private repos
      actions: read # only needed for private repos
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Run zizmor
        uses: zizmorcore/[email protected]
        with:
          advanced-security: false
```

Default: .

inputs is a whitespace-separated list of inputs to pass to zizmor.
It defaults to . (the current working directory).
This set of inputs can be anything zizmor would normally accept as an
input. For example, you can audit one or more files, directories, or remote
repositories:
```yaml
- name: Run zizmor
  uses: zizmorcore/[email protected]
  with:
    inputs: |
      .github/workflows/fishy.yml
      my-actions/
      other-org/other-repo@main
```

See zizmor's Input collection documentation for more information.
Default: true
online-audits controls whether zizmor runs online audits. Running without
online-audits is faster but will produce fewer results.
See zizmor's Audit Rules documentation for more information on which
audits are online-only.
Default: latest

version is the version of zizmor to use. It must be provided as
either an exact version (e.g. v1.7.0) or the special value latest,
which always uses the most recent release of zizmor. Pinning an exact
version keeps audit results reproducible from one run to the next.
Default: ${{ github.token }}
token is the GitHub token to use for accessing the GitHub REST API
during online audits, as well as for uploading results to Advanced Security
when advanced-security is enabled.
Default: true
advanced-security controls whether zizmor-action uses GitHub's
Advanced Security functionality. If set to false, zizmor-action
will not upload results to Advanced Security, and will instead
print them to the console.
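The following workflow, added here as an illustration and not taken from the zizmor-action README, combines the inputs described above: a custom inputs list, a pinned zizmor version, online audits disabled, and the non-Advanced-Security mode. `zizmorcore/zizmor-action@<ref>` is a placeholder for whichever release you pin to, and the `my-actions/` directory is an assumed local path.

```yaml
# Added example (not from the original page): every zizmor-action input set explicitly.
# Assumptions: <ref> is the zizmor-action release you pin to; my-actions/ is a
# directory of local composite actions in this repository.
name: zizmor (pinned version, offline audits, no Advanced Security)

on:
  pull_request:
    branches: ["**"]

# Grant nothing by default; each job declares exactly what it needs.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read # only needed for private repos
      actions: read # only needed for private repos
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Don't leave the job token behind in .git/config for later steps.
          persist-credentials: false

      - name: Run zizmor
        uses: zizmorcore/zizmor-action@<ref>
        with:
          # Audit the workflow directory and the local actions directory.
          inputs: |
            .github/workflows/
            my-actions/
          # Pin zizmor itself so findings don't change between runs.
          version: v1.7.0
          # Offline run: faster, but online-only audits are skipped.
          online-audits: false
          # Print findings to the job log instead of uploading them, which is
          # why security-events: write is not requested above.
          advanced-security: false
          # token is left at its default (github.token); with online audits and
          # the Advanced Security upload both disabled it is not used.
```

When you later re-enable online-audits or advanced-security, restore the matching permission (security-events: write for the upload) and consider whether the default github.token has the API access those audits need.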