William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent security risks in GitHub Actions, such as injection vulnerabilities, permission issues, and mutable tags, by providing static analysis and remediation guidance. Fresh off the heels of the tj-actions/changed-files backdoor, this is a great topic with some things everyone can do right away.
Episode Links
This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Before diving into the technical details, it’s worth noting the unique origin of the project’s name. Zizmor is a reference recognized by many New York City locals. It harks back to Dr. Zizmor, whose distinctive, rainbow-filled advertisements were a common sight in the city’s subways. William chose the name as a playful homage, acknowledging that while the tool addresses the complex topic of CI/CD security, the name itself carries a lighter, memorable quality. Zizmor serves as a specialized linter, or static analysis tool, for scanning GitHub Actions workflows.
Why GitHub Actions Security Matters
The significance of a tool like Zizmor becomes clear when considering the ubiquity of GitHub Actions. It has rapidly become the default continuous integration and continuous delivery (CI/CD) solution for a huge number of open-source projects on GitHub. While its integration and ease of use are positives, there are security problems. It’s the age-old security vs. usability tradeoff, except security always loses.
One challenge arises from the way GitHub Actions processes workflows using a templating language. This system evaluates expressions and inserts their values directly into scripts. While convenient, this substitution happens before shells like bash get a chance to parse the command safely, creating an opportunity for injection attacks. Malicious actors could potentially craft pull request titles, branch names, or tags containing shell code, which then executes within the CI/CD environment. We’ve seen real-world attacks leverage these vectors in the past.
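To make the injection point concrete, here is an added example (not zizmor’s code) of a small scanner that flags untrusted expression contexts expanded inside `run:` scripts, run over two constructed workflows: one vulnerable, and one hardened by passing the same values through `env:` so the shell sees them only as variables. The list of untrusted contexts is an illustrative subset, not zizmor’s full table.

```python
import re

# Illustrative subset of expression contexts an outside contributor can set
# (PR titles, issue comments, branch names); assumed for this example.
UNTRUSTED = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.issue.title",
    "github.event.comment.body",
    "github.head_ref",
)
EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")

# Constructed sample: expressions are pasted straight into the shell script.
VULNERABLE = """\
name: ci
on: pull_request
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - run: echo "PR title is ${{ github.event.pull_request.title }}"
      - name: shell block
        run: |
          echo "branch: ${{ github.head_ref }}"
          echo "sha: ${{ github.sha }}"
"""

# Constructed sample: same data, but handed to the shell as environment variables.
HARDENED = """\
name: ci
on: pull_request
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.pull_request.title }}
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "PR title is $TITLE"
          echo "branch: $BRANCH"
"""


def run_step_injections(workflow: str) -> list[tuple[int, str]]:
    """Return (line_no, context) for each untrusted expression inside a run: script.

    Only `run:` is inspected (single-line or `|` block scalar); expressions in
    `env:` or `with:` are left alone because the shell never parses them as code.
    """
    findings, in_run, run_indent = [], False, 0
    for no, line in enumerate(workflow.splitlines(), 1):
        stripped = line.lstrip()
        if stripped.startswith("- "):          # YAML list item: drop the dash
            stripped = stripped[2:]
        indent = len(line) - len(stripped)
        if stripped.startswith("run:"):
            in_run, run_indent, text = True, indent, stripped[4:]
        elif in_run and (indent > run_indent or not stripped):
            text = stripped                      # continuation of a block scalar
        else:
            in_run = False
            continue
        for expr in EXPR.findall(text):
            if any(expr.startswith(ctx) for ctx in UNTRUSTED):
                findings.append((no, expr))
    return findings


if __name__ == "__main__":
    print("vulnerable:", run_step_injections(VULNERABLE))
    print("hardened:  ", run_step_injections(HARDENED))
```

The hardened form yields no findings because `$TITLE` is expanded by bash as data after parsing, not spliced into the script text beforehand.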
The architecture of GitHub Actions also introduces complexities around permissions. Historically, the default permissions granted to the tokens used within workflows were quite broad, essentially providing write access across the repository. While GitHub has worked to restrict these defaults over time, making newer repositories default to read-only permissions, many existing repositories still operate under the older, more permissive settings without maintainers realizing it.
Paging Dr. Zizmor
The inspiration for Zizmor grew directly from William’s experiences managing the complex CI/CD infrastructure for the Homebrew project. As maintainers, the Homebrew crew faced recurring challenges in auditing their GitHub Actions workflows and responding to problems. Recognizing the repetitive nature of these checks, William, like many engineers aiming for efficiency (the best engineers are the laziest engineers), decided to automate the process. Thus, Zizmor was born out of a practical need to address Homebrew’s CI/CD security concerns.
Zizmor functions as a static analysis tool specifically tailored for GitHub Actions. It examines workflow files, written in YAML, looking for patterns and configurations known to be associated with security risks. The tool boasts a growing collection of audit rules, currently numbering around twenty-four, with many more on the way. These rules cover a broad spectrum of potential issues. Zizmor checks for supply chain risks, such as actions being pinned to mutable tags instead of specific commit hashes, the use of actions known to have security advisories, identifying potential template injection vulnerabilities, and more.
Zizmor can output its results in the Static Analysis Results Interchange Format, or SARIF. This standardized JSON format is understood by GitHub’s Advanced Security features page, enabling findings to be displayed directly within the repository’s Security tab. This provides an interface for triaging, assigning, dismissing, and tracking vulnerabilities over time. SARIF is a well supported format that security tool folks are very familiar with.
Adopting Zizmor is designed to be a relatively straightforward process. For local analysis or experimentation, it can be easily installed using popular package managers such as pip, uv, or cargo. Once installed, running it is as simple as executing the zizmor command within a directory containing GitHub Actions files. The tool will scan the files and output its findings directly to the console in a human-readable format.
Get involved
For those interested in contributing code, the Zizmor website offers a dedicated “hacking” guide with instructions on how to set up the development environment and write new rules. The project is written entirely in Rust, and while Rust experience is helpful, William expressed openness to helping newcomers learn the ropes. The API for adding new audit rules is designed to be relatively straightforward.
The convenience and power of modern CI/CD systems like GitHub Actions are undeniable, but they come with inherent security challenges that require care and feeding. Issues ranging from injection attacks to overly broad permissions are easily overlooked. Maintaining secure CI/CD pipelines is a big deal now.
Tools like Zizmor represent a step forward in making security more accessible and manageable for everyone. By automating the detection of common misconfigurations in the GitHub Actions workflow files, Zizmor helps anyone using it. The focus on providing clear findings, actionable remediation advice, and seamless integration through formats like SARIF aims to make the secure path the easier path for developers.