---
title: "Audit GitHub Actions for privilege and supply-chain risks with zizmor"
description: "Run a focused security pass on GitHub Actions workflows before merge so token misuse, dangerous permissions, and unpinned actions are caught early."
verification: "listed"
source: "https://github.com/zizmorcore/zizmor"
author: "zizmorcore"
publisher_type: "organization"
category:
  - "Security & Verification"
framework:
  - "Multi-Framework"
tool_ecosystem:
  github_repo: "zizmorcore/zizmor"
  github_stars: 4186
---

# Audit GitHub Actions for privilege and supply-chain risks with zizmor

Run a focused security pass on GitHub Actions workflows before merge so token misuse, dangerous permissions, and unpinned actions are caught early.

## Prerequisites

Python 3.9+ (if installing the PyPI package) or a prebuilt zizmor binary; read access to the target repository. The online audits that query GitHub (for example, checking whether a pinned commit actually belongs to the named action) additionally need a GitHub token, supplied via `GH_TOKEN` or `--gh-token`.

## Installation

Choose whichever fits your setup:

1. Copy this skill folder into your local skills directory.
2. Clone the repo and symlink or copy the skill into your agent workspace.
3. Add the repo as a git submodule if you manage shared skills centrally.
4. Install it through your internal provisioning or packaging workflow.
5. Download the folder directly from GitHub and place it in your skills collection.

Install command or upstream instructions:

Install zizmor following the project documentation (it ships as a prebuilt binary and through the usual package managers), then run `zizmor` against a repository checkout, a single workflow file, or a remote `owner/repo` before merge or release. It exits nonzero when it reports findings, which is what makes it usable as a merge gate; `--format sarif` emits results that GitHub's code-scanning upload accepts.
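The following workflow is an added example of the pre-merge gate described above; it is not taken from this page or from the zizmor project's own documentation. It audits every workflow under `.github/workflows`, publishes findings as SARIF to the repository's Security tab, and fails the job whenever zizmor reports anything. The action version tags, the `uv`-based install, and the `actions: read` permission for private-repository SARIF uploads are assumptions to adjust for your environment.

```yaml
# Added example, not the zizmor project's own CI recipe.
# Version tags below are assumptions: pin them to full commit SHAs in
# production; zizmor's unpinned-uses audit will flag this file otherwise.
name: zizmor

on:
  push:
    branches: ["main"]
  pull_request:
    paths:
      - ".github/workflows/**"

permissions: {}   # default-deny at the top level; each job opts in

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read           # read the workflow files
      security-events: write   # required by upload-sarif
      actions: read            # assumption: needed by upload-sarif on private repos
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # don't leave GITHUB_TOKEN in .git/config

      - uses: astral-sh/setup-uv@v5

      - name: Run zizmor
        id: zizmor
        # SARIF is written to stdout; a nonzero exit means findings exist.
        # continue-on-error lets the upload step run before the gate below.
        # Pin the tool too (e.g. "uvx zizmor==<version>") once you have a baseline.
        run: uvx zizmor --format sarif . > zizmor.sarif
        continue-on-error: true
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # enables the online audits

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: zizmor.sarif
          category: zizmor

      - name: Fail on findings
        if: steps.zizmor.outcome == 'failure'
        run: |
          echo "zizmor reported findings; see the Security tab or the step log above"
          exit 1
```

The split between the audit step and the final gate is deliberate: `continue-on-error` keeps the SARIF upload running so reviewers see annotated findings in the pull request, while `steps.zizmor.outcome == 'failure'` still turns the job red and blocks the merge. Requiring this job as a branch-protection status check is what makes the gate enforceable.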

## Documentation

- https://woodruffw.github.io/zizmor/

## Source

- [Agent Skill Exchange](https://agentskillexchange.com/skills/audit-github-actions-for-privilege-and-supply-chain-risks-with-zizmor/)
