zizmor

Configuration file for zizmor, a static analysis tool for GitHub Actions

Type object
File match **/zizmor.yml **/zizmor.yaml **/.github/zizmor.yml **/.github/zizmor.yaml
Schema URL https://catalog.lintel.tools/schemas/github/zizmor/latest.json
Source https://raw.githubusercontent.com/woodruffw/zizmor/main/support/zizmor.schema.json

Validate with Lintel

npx @lintel/lintel check
Type: object

Configuration file for zizmor, a static analysis tool for GitHub Actions.

See: https://docs.zizmor.sh/configuration/

Properties

rules object
36 nested properties
anonymous-definition object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
archived-uses object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
artipacked object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
bot-conditions object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
cache-poisoning object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
concurrency-limits object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
dangerous-triggers object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
dependabot-cooldown object

Configuration for the dependabot-cooldown audit.

4 nested properties
config object

Configuration for the dependabot-cooldown audit.

1 nested properties
days integer

The minimum acceptable default-days value for Dependabot's cooldown setting.

Settings beneath this value will produce findings.

Default: 7
format=uintmin=1
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
dependabot-execution object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
excessive-permissions object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
forbidden-uses object

Configuration for the forbidden-uses audit.

4 nested properties
config ForbiddenUsesConfig | null
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
github-app object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
github-env object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
hardcoded-container-credentials object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
impostor-commit object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
insecure-commands object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
known-vulnerable-actions object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
misfeature object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
obfuscation object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
overprovisioned-secrets object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
ref-confusion object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
ref-version-mismatch object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
secrets-inherit object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
secrets-outside-env object

Configuration for the secrets-outside-env audit.

4 nested properties
config SecretsOutsideEnvConfig | null
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
self-hosted-runner object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
stale-action-refs object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
superfluous-actions object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
template-injection object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
undocumented-permissions object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
unpinned-images object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
unpinned-tools object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
unpinned-uses object

Configuration for the unpinned-uses audit.

4 nested properties
config object

This configuration is reified into an UnpinnedUsesPolicies.

1 nested properties
policies Record<string, string | string | string>

A mapping of uses: patterns to policies.

disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
unredacted-secrets object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
unsound-condition object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
unsound-contains object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
use-trusted-publishing object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null

Definitions

BaseRuleConfig object

Base configuration for all audit rules.

disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
DependabotCooldownConfig object

Configuration for the dependabot-cooldown audit.

days integer

The minimum acceptable default-days value for Dependabot's cooldown setting.

Settings beneath this value will produce findings.

Default: 7
format=uintmin=1
DependabotCooldownRuleConfig object

Configuration for the dependabot-cooldown audit.

config object

Configuration for the dependabot-cooldown audit.

1 nested properties
days integer

The minimum acceptable default-days value for Dependabot's cooldown setting.

Settings beneath this value will produce findings.

Default: 7
format=uintmin=1
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
ForbiddenUsesConfig object | object

An allow or deny list of uses: patterns for the forbidden-uses audit.

ForbiddenUsesRuleConfig object

Configuration for the forbidden-uses audit.

config ForbiddenUsesConfig | null
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
RemapConfig object
severity RemapSeverity | null

Remaps the audit's severity to the given severity.

It will apply this severity regardless of what the real severity is, including when an audit can be multiple severities.

RemapSeverity string

Severity level for use in remap configuration.

RepositoryUsesPattern string

These patterns are ordered by specificity; more specific patterns should be listed first.

RulesConfig object
anonymous-definition object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
archived-uses object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
artipacked object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
bot-conditions object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
cache-poisoning object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
concurrency-limits object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
dangerous-triggers object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
dependabot-cooldown object

Configuration for the dependabot-cooldown audit.

4 nested properties
config object

Configuration for the dependabot-cooldown audit.

1 nested properties
days integer

The minimum acceptable default-days value for Dependabot's cooldown setting.

Settings beneath this value will produce findings.

Default: 7
format=uintmin=1
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
dependabot-execution object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
excessive-permissions object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
forbidden-uses object

Configuration for the forbidden-uses audit.

4 nested properties
config ForbiddenUsesConfig | null
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
github-app object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
github-env object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
hardcoded-container-credentials object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
impostor-commit object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
insecure-commands object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
known-vulnerable-actions object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
misfeature object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
obfuscation object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
overprovisioned-secrets object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
ref-confusion object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
ref-version-mismatch object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
secrets-inherit object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
secrets-outside-env object

Configuration for the secrets-outside-env audit.

4 nested properties
config SecretsOutsideEnvConfig | null
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
self-hosted-runner object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
stale-action-refs object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
superfluous-actions object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
template-injection object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
undocumented-permissions object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
unpinned-images object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
unpinned-tools object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
unpinned-uses object

Configuration for the unpinned-uses audit.

4 nested properties
config object

This configuration is reified into an UnpinnedUsesPolicies.

1 nested properties
policies Record<string, string | string | string>

A mapping of uses: patterns to policies.

disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
unredacted-secrets object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
unsound-condition object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
unsound-contains object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
use-trusted-publishing object

Base configuration for all audit rules.

3 nested properties
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
SecretsOutsideEnvConfig object

Configuration for the secrets-outside-env audit.

allow string[]

List of secret names excluded from the audit

Default:
[]
SecretsOutsideEnvRuleConfig object

Configuration for the secrets-outside-env audit.

config SecretsOutsideEnvConfig | null
disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
UnpinnedUsesConfig object

This configuration is reified into an UnpinnedUsesPolicies.

policies Record<string, string | string | string>

A mapping of uses: patterns to policies.

UnpinnedUsesRuleConfig object

Configuration for the unpinned-uses audit.

config object

This configuration is reified into an UnpinnedUsesPolicies.

1 nested properties
policies Record<string, string | string | string>

A mapping of uses: patterns to policies.

disable boolean
Default: false
ignore WorkflowRule[]
remap RemapConfig | null
UsesPolicy string | string | string

A singular policy for a uses: reference.

WorkflowRule string

Ignore rules are specified as filename.yml:line:col, where line and col are optional 1-based indices. If line is omitted, col must also be omitted.