### Install zizmor with pacman
Source: https://docs.zizmor.sh/installation
Install zizmor using pacman, which is available in the AUR.
```bash
pacman -S zizmor
```
--------------------------------
### Install Cargo Insta for Snapshot Testing
Source: https://docs.zizmor.sh/development
Install the cargo-insta tool, which is recommended for managing snapshot tests.
```bash
cargo install --locked cargo-insta
```
--------------------------------
### Install zizmor with pip, pipx, or uv
Source: https://docs.zizmor.sh/installation
Install zizmor using Python package installers. Wheels are provided on a best-effort basis for common architectures.
```bash
# with pip
pip install zizmor
# with pipx
pipx install zizmor
# with uv
uv tool install zizmor
# or, shortcut:
uvx zizmor --help
```
--------------------------------
### Install zizmor with Nix
Source: https://docs.zizmor.sh/installation
Install zizmor using Nix, either without flakes or with flakes.
```bash
# without flakes
nix-env -iA nixos.zizmor
# with flakes
nix profile install nixpkgs#zizmor
```
--------------------------------
### Install pinact CLI Tool
Source: https://docs.zizmor.sh/development
Install the pinact tool using Homebrew to manage action usages in documentation.
```bash
brew install pinact
```
--------------------------------
### Install zizmor with Homebrew
Source: https://docs.zizmor.sh/installation
Use this command to install zizmor if you are using Homebrew.
```bash
brew install zizmor
```
--------------------------------
### Build zizmor Website Locally with Make
Source: https://docs.zizmor.sh/development
Build a local copy of the zizmor website in the 'site_html' directory. Requires a Python runtime and uv installed.
```bash
make site
```
--------------------------------
### Verify Zizmor Installation
Source: https://docs.zizmor.sh/quickstart
Run this command to ensure Zizmor is installed correctly. It displays the available options and usage information.
```bash
zizmor -h
```
--------------------------------
### Install zizmor with conda
Source: https://docs.zizmor.sh/installation
Install zizmor from the conda-forge channel using conda.
```bash
conda install conda-forge::zizmor
```
--------------------------------
### Install zizmor from source with cargo
Source: https://docs.zizmor.sh/installation
Install the latest unstable zizmor directly from GitHub using cargo. This is not recommended for most users.
```bash
cargo install --locked --git https://github.com/zizmorcore/zizmor
```
--------------------------------
### Remediate ad-hoc package installation with bundle install
Source: https://docs.zizmor.sh/audits
Replaces direct gem installation with `bundle install` to use a managed manifest and lockfile.
```yaml
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.0.0
- run: gem install rake
```
```yaml
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.0.0
- run: bundle install
```
--------------------------------
### Install zizmor with apk on Chimera Linux
Source: https://docs.zizmor.sh/installation
Install zizmor using apk on Chimera Linux. Ensure the 'user' repo is enabled first if necessary.
```bash
# If you don't have the 'user' repo enabled yet, do that first
apk add chimera-repo-user
apk add zizmor
```
--------------------------------
### Run Offline Benchmarks with Cargo and Make
Source: https://docs.zizmor.sh/development
Execute all offline benchmarks after building the project in release mode. Ensure Cargo is installed and configured.
```bash
cargo build --release
make bench
```
--------------------------------
### Example JSON output from Zizmor
Source: https://docs.zizmor.sh/usage
This is an example of the detailed JSON output Zizmor produces, including finding details, severity, and location.
```json
{
"ident": "github-env",
"desc": "dangerous use of environment file",
"url": "https://docs.zizmor.sh/audits/#github-env",
"determinations": {
"confidence": "Low",
"severity": "High",
"persona": "Regular"
},
"locations": [
{
"symbolic": {
"key": {
"Local": {
"prefix": ".",
"given_path": "./tests/integration/test-data/github-env/action.yml"
}
},
"annotation": "write to GITHUB_ENV may allow code execution",
"route": {
"components": [
{
"Key": "runs"
},
{
"Key": "steps"
},
{
"Index": 0
},
{
"Key": "run"
}
]
},
"kind": "Primary"
},
"concrete": {
"location": {
"start_point": {
"row": 9,
"column": 6
},
"end_point": {
"row": 10,
"column": 40
},
"offset_span": {
"start": 202,
"end": 249
}
},
"feature": " run:\n echo \"foo=$(bar)\" >> $GITHUB_ENV",
"comments": []
}
}
],
"ignored": false
}
```
--------------------------------
### Install zizmor with cargo
Source: https://docs.zizmor.sh/installation
Install zizmor from crates.io using cargo. Passing --locked is strongly recommended to ensure dependency versions are tested.
```bash
cargo install --locked zizmor
```
--------------------------------
### Enable zizmor LSP in Neovim
Source: https://docs.zizmor.sh/integrations
Configure Neovim to use zizmor as an LSP server. Ensure zizmor is installed separately. Refer to `:h lspconfig-all` for more LSP configuration details.
```lua
vim.lsp.enable('zizmor')
```
--------------------------------
### Remediation for overprovisioned secrets (Before)
Source: https://docs.zizmor.sh/audits
This example shows the 'before' state of a workflow where the entire secrets context is loaded, leading to overprovisioning.
```yaml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- run: ./deploy.sh
env:
SECRETS: ${{ toJSON(secrets) }}
```
--------------------------------
### Remediation for overprovisioned secrets (After)
Source: https://docs.zizmor.sh/audits
This example shows the 'after' state, where secrets are accessed individually, resolving the overprovisioning issue.
```yaml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- run: ./deploy.sh
env:
SECRET_ONE: ${{ secrets.SECRET_ONE }}
SECRET_TWO: ${{ secrets.SECRET_TWO }}
```
--------------------------------
### Zizmor Configuration File Example
Source: https://docs.zizmor.sh/usage
Define ignore rules for specific findings in a `zizmor.yml` file. This allows for centralized management of ignored issues across multiple files or specific lines and columns.
```yaml
rules:
template-injection:
ignore:
- safe.yml
- somewhat-safe.yml:123
- one-exact-spot.yml:123:456
```
--------------------------------
### Advanced Filtering with jq
Source: https://docs.zizmor.sh/usage
For advanced filtering, use `--format=json` and pipe the output to `jq`. This example selects results with 'High' confidence.
```bash
zizmor --format=json-v1 ... | jq 'map(select(.determinations.confidence == "High"))'
```
--------------------------------
### Remediate `pip-install` in GitHub Actions
Source: https://docs.zizmor.sh/audits
Before: Uses `pip-install` input on `actions/setup-python`, which can lead to auditing difficulties and dependency conflicts. After: Replaces `pip-install` with a virtual environment setup for better isolation and auditability.
```yaml
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Setup Python
uses: actions/setup-python@v6
with:
pip-install: '.[dev]'
```
```yaml
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Setup Python
uses: actions/setup-python@v6
- name: Install package
run: |
python -m venv .env
./.env/bin/pip install .[dev]
```
--------------------------------
### Run zizmor in LSP mode
Source: https://docs.zizmor.sh/integrations
Start zizmor in Language Server Protocol (LSP) mode. In this mode, zizmor communicates with the editor via stdin and stdout only. No other arguments are accepted.
```bash
zizmor --lsp
```
--------------------------------
### Remediate Unpinned Actions: Before
Source: https://docs.zizmor.sh/audits
Example of a workflow with unpinned GitHub Actions dependencies, including a specific version for pypa/gh-action-pypi-publish and a Docker image without a version tag.
```yaml
name: unpinned-uses
on: [push]
jobs:
unpinned-uses:
runs-on: ubuntu-latest
steps:
- uses: pypa/gh-action-pypi-publish@v1.12.4
with:
persist-credentials: false
- uses: docker://ubuntu
with:
entrypoint: /bin/echo
args: hello!
```
--------------------------------
### Run Zizmor with JSON output
Source: https://docs.zizmor.sh/usage
Execute Zizmor with the `--format=json` flag to get a flat array of findings. Pipe the output to `jq` for easier parsing.
```bash
zizmor --format=json . | jq .\[0\]
```
--------------------------------
### Dynamic Matrix Generation in GitHub Actions
Source: https://docs.zizmor.sh/usage
This example demonstrates a GitHub Actions workflow where a job's matrix is generated dynamically at runtime by a previous job. Static analysis tools like Zizmor cannot fully analyze such dynamic behavior, potentially flagging runtime-dependent variables as risks.
```yaml
build-matrix:
name: Build the matrix
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- id: set-matrix
run: |
echo "matrix=$(python generate_matrix.py)" >> "${GITHUB_OUTPUT}"
run:
name: ${{ matrix.name }}
needs:
- build-matrix
runs-on: ubuntu-latest
strategy:
matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
steps:
- run: |
echo "hello ${{ matrix.something }}"
```
--------------------------------
### Run zizmor in GitHub Actions
Source: https://docs.zizmor.sh/integrations
This GitHub Actions workflow installs uv and runs zizmor to check the repository. Remove the `env:` block to run only offline audits. Findings exceeding 10 will be logged but not rendered as annotations.
```yaml
jobs:
zizmor:
name: zizmor via PyPI
runs-on: ubuntu-latest
permissions:
contents: read # Only needed for private repos. Needed to clone the repo.
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install the latest version of uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- name: Run zizmor 🌈
run: uvx "zizmor@${ZIZMOR_VERSION}" --format=github .
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
--------------------------------
### Secure Container Credentials with Secrets
Source: https://docs.zizmor.sh/audits
Replace hardcoded container credentials with encrypted secrets to prevent exposure. This example shows the 'Before' and 'After' states of a workflow configuration.
```yaml
on:
push:
jobs:
test:
runs-on: ubuntu-latest
container:
image: fake.example.com/example
credentials:
username: user
password: ${{ secrets.REGISTRY_PASSWORD }}
services:
service-1:
image: fake.example.com/anotherexample
credentials:
username: user
password: ${{ secrets.REGISTRY_PASSWORD }}
steps:
- run: echo 'hello!'
```
--------------------------------
### Run zizmor on remote GitHub repositories
Source: https://docs.zizmor.sh/quickstart
Audit workflows and composite actions directly from GitHub repositories using a GitHub API token. Requires the `gh` CLI to be installed for token retrieval.
```bash
# audit all workflows and composite actions in zizmorcore/zizmor
# assumes you have `gh` installed
zizmor --gh-token=$(gh auth token) zizmorcore/zizmor
```
```bash
zizmor --gh-token=$(gh auth token) zizmorcore/zizmor zizmorcore/gha-hazmat
```
--------------------------------
### Configure unpinned-uses policies
Source: https://docs.zizmor.sh/audits
Define custom policies for the `unpinned-uses` audit to control how action references are pinned. This example shows how to enforce hash-pinning for `actions/checkout` and ref-pinning for other actions in the `actions/*` namespace.
```yaml
rules:
unpinned-uses:
config:
policies:
actions/checkout: hash-pin
actions/*: ref-pin
```
--------------------------------
### Running with Default Persona
Source: https://docs.zizmor.sh/usage
When using the default 'regular' persona, Zizmor may not report findings that are considered low-signal or false positives. This example shows no findings reported for a self-hosted runner configuration.
```bash
$ zizmor self-hosted.yml
```
```text
🌈 completed self-hosted.yml
No findings to report. Good job! (1 suppressed)
```
--------------------------------
### Add Version Comment to Hash-Pinned Action
Source: https://docs.zizmor.sh/audits
This example demonstrates a GitHub Actions workflow step where a version comment is missing for a hash-pinned action. The audit flags this for clarity and proper automation behavior.
```yaml
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
```
```yaml
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
```
--------------------------------
### Live Development Server for zizmor Website
Source: https://docs.zizmor.sh/development
Run a development server that monitors for changes in documentation files and rebuilds the site live. Access the site via the provided URL.
```bash
make site-live
```
--------------------------------
### Install zizmor with --locked flag
Source: https://docs.zizmor.sh/troubleshooting
Use the --locked flag with cargo install to force cargo to use exact dependencies from the Cargo.lock file, overriding yanked versions. This is an alternative to installing from binary distributions.
```bash
cargo install --locked zizmor
```
--------------------------------
### Run Snapshot Tests with Review and Online Features
Source: https://docs.zizmor.sh/development
A shortcut command to run snapshot tests, automatically enter review mode, and enable online tests with a GitHub token.
```bash
cargo insta test --review
# or, with online tests
GH_TOKEN=$(gh auth token) cargo insta test --review --features online-tests
```
--------------------------------
### Generate Developer Documentation with Cargo
Source: https://docs.zizmor.sh/development
Build the developer-specific documentation for zizmor using `cargo doc`. The `--open` flag will automatically open the documentation in your local browser.
```bash
# build only
cargo doc
# build and open in the local browser
cargo doc --open
```
--------------------------------
### Build zizmor Locally with Cargo
Source: https://docs.zizmor.sh/development
Clone the repository and build the zizmor project using the `cargo build` command. You can then run the executable directly or use `cargo run`.
```bash
git clone https://github.com/zizmorcore/zizmor && cd zizmor
cargo build
# cargo run -- --help also works
./target/debug/zizmor --help
```
--------------------------------
### Example of Auto-fixable Finding
Source: https://docs.zizmor.sh/usage
This example shows how findings marked with a 'note: this finding has an auto-fix' annotation can be automatically corrected. It highlights a potential template injection vulnerability.
```yaml
error[template-injection]: code injection via template expansion
--> example.yml:18:36
|
17 | - run: |
18 | echo "doing a thing: ${{ inputs.test }}"
| ^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
```
--------------------------------
### Remediate Unredacted Secrets: Before
Source: https://docs.zizmor.sh/audits
Example of a deployment job that accesses username and password from a single JSON secret. This can lead to unredacted secrets in logs.
```yaml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- run: ./deploy.sh
env:
USERNAME: ${{ fromJSON(secrets.MY_SECRET).username }}
PASSWORD: ${{ fromJSON(secrets.MY_SECRET).password }}
```
--------------------------------
### Run zizmor on local repositories
Source: https://docs.zizmor.sh/quickstart
Treat local directories as GitHub repositories to discover workflows and composite actions. Supports finding `.github/workflows` and `action.yml` files.
```bash
# repo-a/ contains .github/workflows/{ci,tests}.yml
# as well as custom-action/action.yml
zizmor repo-a/
```
```bash
# or with multiple directories
zizmor repo-a/ ../../repo-b/
```
```bash
# collect only workflows, not composite actions or Dependabot configs
zizmor --collect=workflows repo-a/
```
--------------------------------
### Remediation for GitHub App Token Misuse
Source: https://docs.zizmor.sh/audits
When using GitHub App installation tokens, ensure tokens have limited lifespans and are scoped to only necessary repositories and permissions.
```yaml
on:
push:
jobs:
test:
runs-on: ubuntu-latest
container:
image: fake.example.com/example
credentials:
username: user
password: hackme
services:
service-1:
image: fake.example.com/anotherexample
credentials:
username: user
password: hackme
steps:
- run: echo 'hello!'
```
--------------------------------
### Format and Lint Code with Cargo
Source: https://docs.zizmor.sh/development
Run cargo fmt for formatting and cargo clippy for linting. Running these locally can reduce review cycles.
```bash
cargo fmt
cargo clippy --fix
```
--------------------------------
### Configure zizmor with pre-commit
Source: https://docs.zizmor.sh/integrations
Add zizmor to your `.pre-commit-config.yaml` to run it on every commit. The `files` option is optional for scanning specific files; otherwise, it scans the entire repository.
```yaml
- repo: https://github.com/zizmorcore/zizmor-pre-commit
rev: v1.22.0
hooks:
- id: zizmor
```
--------------------------------
### Secure Bot Actor Check for `pull_request`
Source: https://docs.zizmor.sh/audits
An example of a secure bot actor check for `pull_request` events, using `github.event.pull_request.user.login` to identify the actual PR creator.
```yaml
on: pull_request
jobs:
automerge:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
steps:
- run: gh pr merge --auto --merge "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
--------------------------------
### Secure Bot Actor Check for `pull_request_target`
Source: https://docs.zizmor.sh/audits
An example of a secure bot actor check for `pull_request_target` events, using `github.event.pull_request.user.login` to identify the actual PR creator.
```yaml
on: pull_request_target
jobs:
automerge:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
steps:
- run: gh pr merge --auto --merge "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
--------------------------------
### Zizmor Command-Line Help Output
Source: https://docs.zizmor.sh/quickstart
This is the detailed help output from the `zizmor -h` command, showing all available options for input, auditing, output, network, and general configuration.
```text
Static analysis for GitHub Actions
Usage: zizmor [OPTIONS] ...
Input Options:
... The inputs to audit
--collect ... Control which kinds of inputs are collected for auditing [default: default] [possible values: all, default, workflows, actions, dependabot]
--strict-collection Fail instead of warning on syntax and schema errors in collected inputs
Audit Options:
--fix[=] Fix findings automatically, when available (EXPERIMENTAL) [possible values: safe, unsafe-only, all]
-p, --pedantic Emit 'pedantic' findings
--persona The persona to use while auditing [default: regular] [possible values: auditor, pedantic, regular]
--min-severity Filter all results below this severity [possible values: informational, low, medium, high]
--min-confidence Filter all results below this confidence [possible values: low, medium, high]
--no-ignores Don't honor ignore comments or ignore rules in configuration
Output Options:
-v, --verbose... Increase logging verbosity
-q, --quiet... Decrease logging verbosity
--format The output format to emit. By default, cargo-style diagnostics will be emitted [default: plain] [possible values: plain, json, json-v1, sarif, github]
--no-progress Don't show progress bars, even if the terminal supports them
--color Control the use of color in output [possible values: auto, always, never]
--render-links Whether to render OSC 8 links in the output [env: ZIZMOR_RENDER_LINKS=] [default: auto] [possible values: auto, always, never]
--show-audit-urls Whether to render audit URLs in the output, separately from any URLs embedded in OSC 8 links [env: ZIZMOR_SHOW_AUDIT_URLS=] [default: auto] [possible values: auto, always, never]
--no-exit-codes Disable all error codes besides success and tool failure
Network Options:
-o, --offline Perform only offline operations [env: ZIZMOR_OFFLINE=]
--gh-token The GitHub API token to use [env: GH_TOKEN or GITHUB_TOKEN or ZIZMOR_GITHUB_TOKEN]
--gh-hostname The GitHub Server Hostname. Defaults to github.com [env: GH_HOST=] [default: github.com]
--no-online-audits Perform only offline audits [env: ZIZMOR_NO_ONLINE_AUDITS=]
--cache-dir The directory to use for HTTP caching. By default, a host-appropriate user-caching directory will be used
Options:
--lsp Run in language server mode (EXPERIMENTAL)
-c, --config The configuration file to load. This loads a single configuration file across all input groups, which may not be what you intend [env: ZIZMOR_CONFIG=]
--no-config Disable all configuration loading
--completions Generate tab completion scripts for the specified shell [possible values: bash, elvish, fish, nushell, powershell, zsh]
--thanks Emit thank-you messages for zizmor's sponsors
-h, --help Print help (see more with '--help')
-V, --version Print version
```
--------------------------------
### Zizmor Detailed Help Command
Source: https://docs.zizmor.sh/quickstart
Use this command for a more comprehensive version of the help information, providing deeper insights into Zizmor's functionalities.
```bash
zizmor --help
```
--------------------------------
### Run Online Benchmarks with GitHub Token
Source: https://docs.zizmor.sh/development
Execute online benchmarks by setting the GH_TOKEN environment variable. This requires authentication with GitHub.
```bash
GH_TOKEN=$(gh auth token) make bench
```
--------------------------------
### Configure Zizmor for Custom GitHub Hosts
Source: https://docs.zizmor.sh/usage
Use Zizmor with custom GitHub Enterprise instances by specifying the hostname. This allows analysis of repositories hosted on private or on-premises GitHub Enterprise servers.
```bash
zizmor --gh-hostname custom.example.com ...
```
```bash
GH_HOST=custom.ghe.com zizmor ...
```
--------------------------------
### Unsound Condition Example (Always True)
Source: https://docs.zizmor.sh/audits
Illustrates a common pitfall where a multi-line YAML string combined with a GitHub Actions expression results in a condition that always evaluates to true, despite appearing to be conditional.
```yaml
if: |
${{ false }}
```
--------------------------------
### Detect Mismatched Version Comments in Actions
Source: https://docs.zizmor.sh/audits
This example shows a GitHub Actions workflow step where the version comment does not match the pinned commit hash. This can lead to automation tools like Dependabot not updating correctly.
```yaml
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4.2.2
```
```yaml
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
```
--------------------------------
### Run and Review Snapshot Tests with Cargo Insta
Source: https://docs.zizmor.sh/development
Manage snapshot tests using cargo insta. 'cargo insta test' runs tests and generates/updates snapshots, while 'cargo insta review' allows for manual review of changes.
```bash
# run all the tests, generating new snapshots as necessary
cargo insta test
# review the new snapshots generated above
cargo insta review
```
--------------------------------
### Running Zizmor with a Specific Config File
Source: https://docs.zizmor.sh/usage
Pass a custom configuration file to Zizmor using the `--config` argument. This is useful when you need to specify a configuration that is not in the default location or has a custom name.
```bash
zizmor --config my-zizmor-config.yml /dir/to/audit
```
--------------------------------
### Set Concurrency Limits in Workflows
Source: https://docs.zizmor.sh/audits
Include a `concurrency` setting in your workflow to manage concurrent runs. Set `cancel-in-progress` to `true` to cancel older runs when a new one starts, preventing resource waste and potential race conditions.
```yaml
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
```
--------------------------------
### Run Unit and Integration Tests with Cargo
Source: https://docs.zizmor.sh/development
Orchestrate unit and integration tests using cargo test. Use flags like --bins to run only unit tests or --test to specify integration tests.
```bash
# run only unit tests
cargo test --bins
# run specific integration tests
cargo test --test acceptance
cargo test --test snapshot
# run all of the tests
cargo test
```
--------------------------------
### Audit Specific Directory
Source: https://docs.zizmor.sh/release-notes
This command audits the specified .github/ directory. It will load configuration files as before.
```bash
zizmor .github/
```
--------------------------------
### Run JSON Schema Tests
Source: https://docs.zizmor.sh/development
Validate the JSON schema of the configuration file by enabling the 'schema' crate feature.
```bash
cargo test --features schema
```
--------------------------------
### Configure zizmor-action with custom PAT
Source: https://docs.zizmor.sh/troubleshooting
Provide a custom Personal Access Token (PAT) with read-only access to necessary repositories via the 'token' input in the zizmor-action. This resolves 'can't access ORG/REPO' errors when the default GITHUB_TOKEN lacks cross-repository permissions.
```yaml
- uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
token: ${{ secrets.ZIZMOR_GH_TOKEN }}
```
--------------------------------
### Configure Pinned Dependencies with rules.secrets-outside-env.config.allow
Source: https://docs.zizmor.sh/audits
Define policies for pinning GitHub Actions dependencies. Use 'hash-pin' for specific actions and 'ref-pin' for broader categories. An implicit 'hash-pin' rule applies if no other rule matches.
```yaml
rules:
unpinned-uses:
config:
policies:
"example/*": hash-pin
"*": ref-pin
```
--------------------------------
### Manual GitHub Actions Integration with SARIF Output
Source: https://docs.zizmor.sh/integrations
Manually integrate zizmor using `--format=sarif` for GitHub Advanced Security. This workflow requires specific permissions and uploads SARIF files for analysis.
```yaml
name: GitHub Actions Security Analysis with zizmor 🌈
on:
push:
branches: ["main"]
pull_request:
branches: ["**"]
env:
ZIZMOR_VERSION: 1.26.1
permissions: {}
jobs:
zizmor:
name: zizmor via PyPI
runs-on: ubuntu-latest
permissions:
security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
contents: read # Only needed for private repos. Needed to clone the repo.
actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info.
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install the latest version of uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- name: Run zizmor 🌈
run: uvx "zizmor@${ZIZMOR_VERSION}" --format=sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
with:
sarif_file: results.sarif
category: zizmor
```
--------------------------------
### Update Action Usages with pinact
Source: https://docs.zizmor.sh/development
Run the pinact command via make to update 'uses:' clauses in the project's documentation.
```bash
make pinact
```
--------------------------------
### Audit Multiple Input Sources
Source: https://docs.zizmor.sh/usage
Audit various input sources, including local workflows, local directories, and remote repositories, in a single command.
```bash
zizmor ../example.yml ../other-repo/ example/example
```
--------------------------------
### Applying Unsafe Auto-fixes with Zizmor
Source: https://docs.zizmor.sh/usage
To apply 'unsafe' fixes, which may be correct but require manual review, use `--fix=all` to enable both safe and unsafe fixes, or `--fix=unsafe-only` to enable only unsafe fixes. These options also modify files in-place.
```bash
zizmor --fix=all example.yml
```
```bash
zizmor --fix=unsafe-only example.yml
```
--------------------------------
### Run Project Checks with Cargo
Source: https://docs.zizmor.sh/development
Execute these commands to ensure code formatting, linting, and tests pass before submitting a Pull Request. Ensure all warnings from clippy are addressed.
```bash
cargo fmt
cargo clippy -- -D warnings
cargo test
```
--------------------------------
### Force Update Snapshots with Online Features
Source: https://docs.zizmor.sh/development
Update snapshot files, including meta information, while running tests with online features enabled. Requires a GitHub token.
```bash
GH_TOKEN=$(gh auth token) cargo insta test --force-update-snapshots --features online-tests
```