TIL: Zizmor and GitHub Actions security

Dec 13, 2024

I was reading up on the recent Ultralytics GitHub Action compromise and I stumbled upon this great analysis of the situation. In it, zizmor is introduced, which is a static analysis tool for GitHub Actions.

I experimented with it a bit and I have to say it's working great. It correctly identified misconfigured GitHub Actions on some repositories I was working on. It's another tool that's worth having as part of your CI.

Another interesting resource about GitHub Actions and security is pwnhub, a repository with writeups and information on various security issues around Actions.

Tags: til log cicd