Skip to main content
zizmor is a static analysis tool for GitHub Actions. It finds common security issues in GitHub Actions CI/CD setups, such as template injection, excessive permissions, unpinned actions, and dangerous use of untrusted input. CodeRabbit runs zizmor version 1.25.2.

​
Files

zizmor will run on GitHub Actions definition files in the following locations:
  • .github/workflows/**/*.yml
  • .github/workflows/**/*.yaml
  • action.yml
  • action.yaml

​
Configuration

zizmor supports the following config files:
  • zizmor.yml
  • zizmor.yaml
  • .github/zizmor.yml
  • .github/zizmor.yaml
CodeRabbit will use the default configuration if no config file is found. To enable or disable zizmor, use your .coderabbit.yaml file or the CodeRabbit web UI:
.coderabbit.yaml
reviews:
  tools:
    zizmor:
      enabled: true

​
When we skip zizmor

CodeRabbit will skip running zizmor when:
  • No GitHub Actions workflow or action files are found in the pull request.
  • zizmor is already running in GitHub workflows.

​
What’s next

actionlint

Lint GitHub Actions workflow files for syntax errors and common misconfigurations.

All supported tools

Browse the complete list of linters, security analyzers, and CI/CD integrations available in CodeRabbit.

Configuration reference

Full reference for all available options, including how to enable, disable, and tune individual tools.