Audit GitHub Actions workflows for insecure permissions and unpinned actions
What it does
This ASE skill uses zizmor to audit GitHub Actions workflows and composite actions for security mistakes before they ship. An agent can scan local repos or remote GitHub repositories, flag risky permission scopes and unsafe workflow patterns, and return plain output, GitHub-native findings, or SARIF for follow-up automation.
Prerequisites
GitHub Actions workflow files or a GitHub repository, with a GitHub token only when auditing remote or private repos
Installation
Basic usage or getting-started notes:
Extracted from upstream docs: https://raw.githubusercontent.com/zizmorcore/zizmor/HEAD/README.md
Quality
Deterministic score 0.45 from registry signals: indexed on GitHub topic `agent-skills`; 8 GitHub stars; SKILL.md body (1,030 chars).