Skip to content
.ca
sign in
4 mininfo

We hardened zizmor's GitHub Actions static analyzer

Trail of Bits collaborated with the maintainers of zizmor, a GitHub Actions static analyzer, to improve its parsing capabilities and robustness. By testing against a massive corpus of real-world workflows, they identified and fixed multiple YAML anchor handling bugs, deserialization edge cases, and expression evaluator flaws, significantly enhancing zizmor's ability to detect CI/CD misconfigurations.

Conf:highAnalyzed:2026-05-22Google

Authors: Trail of Bits

ActorsTrivy compromise
YAMLGitHub ActionszizmorStatic AnalysisCI/CD Security

Source:Trail of Bits

Detection / HunterGoogle

What Happened

Security researchers worked with the creators of a tool called zizmor to make it better at finding flaws in GitHub Actions, which are used to automate software building. They tested the tool against over 40,000 real-world automation files to find where it crashed or failed to parse complex configurations. This matters because attackers can exploit misconfigured automation files to steal secrets or insert malicious code into software, as seen in a recent supply chain attack. Organizations using GitHub Actions should ensure they are using the latest version of zizmor to scan their workflows for security risks.

Key Takeaways

  • Trail of Bits collaborated with maintainers to harden zizmor, a static analyzer for GitHub Actions, bringing its YAML anchor support to full coverage.
  • Testing against a corpus of 41,253 real-world workflows revealed 45 crashes, resulting in 20 filed issues and 15 merged pull requests.
  • Four specific YAML anchor handling bugs were fixed, preventing crashes, incorrect findings, and silent mishandling of aliased values.
  • Deserialization edge cases and expression evaluator bugs were also identified and resolved to align with GitHub's Known Answer Tests.
  • These improvements help prevent supply-chain attacks stemming from misconfigured workflows, such as the March 2026 Trivy compromise.

Affected Systems

  • GitHub Actions
  • zizmor static analyzer

Attack Chain

In March 2026, attackers exploited a pull_request_target misconfiguration in the aquasecurity/trivy-action GitHub Action. They used this misconfiguration to exfiltrate organization and repository secrets. Finally, the attackers utilized the stolen credentials to backdoor the LiteLLM package on PyPI.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the article, as it focuses on improvements to a static analysis tool.

Detection Engineering Assessment

EDR Visibility: None — EDR solutions do not monitor GitHub Actions workflow configurations or static analysis tool executions in cloud CI/CD environments. Network Visibility: None — This article discusses static analysis tool improvements, which do not generate network telemetry. Detection Difficulty: Moderate — Detecting CI/CD misconfigurations requires specialized static analysis tools like zizmor and continuous scanning of repository configurations.

Required Log Sources

  • GitHub Audit Logs
  • CI/CD Pipeline Logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Consider hunting for pull_request_target triggers in GitHub Actions workflows that checkout untrusted code or expose secrets.GitHub Actions workflow YAML filesExecutionHigh (Many legitimate workflows use pull_request_target, requiring manual review to determine if secrets are actually exposed to untrusted code)

Control Gaps

  • Lack of automated static analysis on CI/CD pipelines
  • Inadequate secret scoping in GitHub Actions

Key Behavioral Indicators

  • Workflows using the pull_request_target trigger combined with explicit secret passing

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider updating zizmor to the latest version to benefit from the improved YAML anchor parsing and bug fixes.
  • Evaluate running zizmor against all active GitHub Actions workflows to identify potential misconfigurations.

Infrastructure Hardening

  • Evaluate whether GitHub Actions workflows can be restricted from using the pull_request_target trigger unless strictly necessary.
  • Consider implementing least-privilege permissions for the GITHUB_TOKEN in all workflows.

User Protection

  • If applicable, enforce strict secret scoping to ensure credentials are only available to specific, trusted workflow jobs.

Security Awareness

  • Consider training development teams on the security implications of GitHub Actions triggers, specifically the risks associated with pull_request_target.

MITRE ATT&CK Mapping

  • T1195.001 - Compromise Software Dependencies and Development Tools
  • T1528 - Steal Application Access Token
  • T1078 - Valid Accounts

Related