
# zizmor

> CodeRabbit's guide to zizmor, a static security analyzer for GitHub Actions workflow files.

[zizmor](https://docs.zizmor.sh/) is a static analysis tool for GitHub Actions. It finds common security issues in GitHub Actions CI/CD setups, such as template injection, excessive permissions, unpinned actions, and dangerous use of untrusted input. CodeRabbit runs zizmor version 1.25.2.
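To make those four finding classes concrete, here is a constructed example (added for this guide; it is not CodeRabbit's or the zizmor project's own code): a weak workflow of the kind zizmor reports on, followed by a hardened rewrite, shown as two YAML documents in one listing. The comments name the zizmor audit each finding maps to; the workflow name, the greeting step and the commit SHA are illustrative, and the SHA is a placeholder rather than a real pin.

```yaml
# Added example (not CodeRabbit's or zizmor's own code): a constructed workflow
# in the form zizmor would flag, followed by a hardened rewrite. Comments name
# the zizmor audit each finding maps to; step contents are illustrative.
name: greet-contributors-weak
on:
  pull_request_target:      # dangerous-triggers: runs with a privileged token
                            # on pull requests opened from forks
jobs:
  greet:
    runs-on: ubuntu-latest
    # excessive-permissions: no `permissions:` block, so the job inherits the
    # repository's default token scope instead of the minimum it needs
    steps:
      - uses: actions/checkout@v4        # unpinned-uses: a mutable tag, not a SHA
      - name: Thank the author
        # template-injection: the PR title is untrusted text that the runner
        # expands straight into the shell script before bash executes it
        run: echo "Thanks for '${{ github.event.pull_request.title }}'"

---
name: greet-contributors-hardened
on:
  pull_request:             # the unprivileged trigger is enough for a greeting

permissions: {}             # workflow-level default: no token scopes at all

jobs:
  greet:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # only what checkout needs
    steps:
      # Pin to a full commit SHA and keep the tag as a trailing comment so a
      # dependency-update bot can still bump it. The SHA below is a PLACEHOLDER;
      # substitute the real commit the release tag points at.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - name: Thank the author
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        # The expression is bound to an environment variable first, so the shell
        # receives it as data; quoting "$PR_TITLE" keeps it a single argument.
        run: echo "Thanks for '$PR_TITLE'"
```

The hardened document changes one thing per finding: the trigger no longer grants a privileged token to fork pull requests, `permissions` is declared at both levels so the token carries only `contents: read`, the action is pinned to a commit SHA, and the untrusted title reaches the shell through an environment variable instead of being interpolated into the script text.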

## Files

zizmor will run on GitHub Actions definition files in the following locations:

* `.github/workflows/**/*.yml`
* `.github/workflows/**/*.yaml`
* `action.yml`
* `action.yaml`

## Configuration

zizmor supports the following config files:

* `zizmor.yml`
* `zizmor.yaml`
* `.github/zizmor.yml`
* `.github/zizmor.yaml`

CodeRabbit will use the default configuration if no config file is found.
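When a finding is a known false positive, the usual fix is to suppress it in one of the config files above rather than to disable the tool. The following is an added example (not CodeRabbit's or zizmor's own file) that assumes the `rules.<audit>.ignore` layout documented in the zizmor configuration reference linked below; the workflow file names and the line and column positions are constructed.

```yaml
# Added example of .github/zizmor.yml (assumed format; see the zizmor
# configuration docs). File names and positions below are constructed.
rules:
  # Suppress one specific finding: file, line and column of the flagged node,
  # so a new occurrence elsewhere in the same file is still reported.
  unpinned-uses:
    ignore:
      - release.yml:42:9
  # Suppress every finding of this audit in a whole file, for example a legacy
  # workflow that only runs on trusted, non-fork events.
  template-injection:
    ignore:
      - legacy-deploy.yml
```

Prefer the narrowest entry that covers the false positive: a `file:line:column` entry expires naturally when the flagged step is edited, while a whole-file entry silently hides future findings of that audit in the file.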

To enable or disable zizmor, use your `.coderabbit.yaml` file or the CodeRabbit web UI:

<Tabs>
  <Tab title=".coderabbit.yaml">
    ```yaml .coderabbit.yaml theme={null}
    reviews:
      tools:
        zizmor:
          enabled: true
    ```
  </Tab>

  <Tab title="Web UI">
    Go to **Reviews → Tools → zizmor** in your organization or repository settings and toggle zizmor `on` or `off`.

    ***
  </Tab>
</Tabs>

## When we skip zizmor

CodeRabbit will skip running zizmor when:

* No GitHub Actions workflow or action files are found in the pull request.
* zizmor already runs as a step in the repository's own GitHub Actions workflows.

## Links

* [zizmor Documentation](https://docs.zizmor.sh/)
* [zizmor Configuration](https://docs.zizmor.sh/configuration/)
* [zizmor Audit Rules](https://docs.zizmor.sh/audits/)
* [zizmor GitHub Repository](https://github.com/zizmorcore/zizmor)

## What's next

<CardGroup cols={1}>
  <Card title="actionlint" href="/tools/actionlint" icon="github" horizontal>
    Lint GitHub Actions workflow files for syntax errors and common misconfigurations.
  </Card>

  <Card title="All supported tools" href="/tools/list" icon="list" horizontal>
    Browse the complete list of linters, security analyzers, and CI/CD integrations available in CodeRabbit.
  </Card>

  <Card title="Configuration reference" href="/reference/configuration" icon="settings" horizontal>
    Full reference for all available options, including how to enable, disable, and tune individual tools.
  </Card>
</CardGroup>
