Trail of Bits Hardens zizmor GitHub Actions Static Analyzer After Trivy Supply-Chain Attack
Trail of Bits hardened zizmor, a static analyzer for GitHub Actions workflows, fixing four YAML anchor-handling bugs and other edge cases after attackers exploited a pull_request_target misconfiguration in trivy-action to backdoor LiteLLM.
In March 2026, attackers exploited a pull_request_target misconfiguration in the aquasecurity/trivy-action GitHub Action to exfiltrate organization and repository secrets, then used those credentials to backdoor LiteLLM on PyPI. zizmor is a static analyzer that GitHub Actions users run to catch exactly these misconfigurations before they ship. When GitHub Actions added support for YAML anchors in September 2025, a small but high-value slice of the ecosystem started writing workflows that zizmor could only analyze on a best-effort basis.
Over the past three months, Trail of Bits collaborated with the zizmor maintainers to bring zizmor's anchor support up to full coverage. First, they fixed parsing bugs that caused crashes, produced wrong-location findings, and silently mishandled aliased values. Second, they surfaced deserialization edge cases that broke zizmor on otherwise valid workflows. Finally, they helped align zizmor's expression evaluator with GitHub's own Known Answer Tests. The team validated all of this against a new corpus of 41,253 workflows from 6,612 high-value open-source repositories. The result: 20 filed issues and 15 merged pull requests.
To understand how anchors are used in CI today and to stress-test zizmor against the full variety of YAML it encounters in the wild, Trail of Bits built a corpus of real workflows. They used BigQuery's GitHub dataset to identify the 10,000 most-starred repositories created between 2022 and 2025, filtered to the 6,612 that use GitHub Actions, and downloaded every workflow file. That gave them 41,253 YAML files. When they ran zizmor against the corpus, it crashed on 45 of the 41,253 workflows—a low rate, but each crash meant a bug in zizmor.
zizmor's anchor support was deliberately limited, and for good reason. YAML anchors make workflows non-local: an alias defined in one place changes behavior elsewhere in the file. This complicated zizmor's parsing model, and adoption was rare enough that the zizmor maintainers reasonably discouraged anchor use. In the corpus, only 43 of the 41,253 workflows use YAML anchors (roughly 0.1%), but those 43 include some of the most foundational projects in open source: Bitcoin Core, PHP, and OpenSSL. However, anchors are a supported feature, and their use will likely grow over time.
Four anchor patterns from these workflows broke zizmor. Aliases in sequences were incorrectly flattened, causing zizmor to crash or produce findings pointing at the wrong location in the file (fixed in #1557). Anchor prefixes leaked into values—for example, looking up the first element of a flow sequence would return `&name v` instead of `v`, causing any step that consumed the node value to fail (fixed in #1562). Duplicate anchors caused a crash because zizmor's YAML layer assumed anchor names were unique and panicked on duplicates (fixed in #1575). The template-injection audit crashed on aliased `run:` values because the audit didn't expect the indirection (fixed in #1732).
Running zizmor against the full test corpus also surfaced bugs that had nothing to do with anchors. Deserialization edge cases—such as `if: 0` (an integer where a string is expected), `timeout-minutes: 0.5` (a float where an integer is expected), and `secrets: inherit` (a string where a mapping is expected)—each caused zizmor to reject the entire workflow. These were reported as individual issues (#1670, #1672, #1674) and fixed quickly. Additionally, the expression evaluator was validated against GitHub's own Known Answer Tests, and alignment was improved (#1694). Some crashes were traced to bugs in an upstream dependency, tree-sitter-yaml, and issues and PRs were filed there as well.
Supply-chain attacks like the Trivy compromise begin with a single misconfigured workflow. GitHub Actions is by far the most popular CI system for open-source projects, and zizmor plays an important role in catching these misconfigurations before they ship. By hardening zizmor's anchor support and fixing edge cases, Trail of Bits has helped ensure that even the most complex YAML workflows can be analyzed effectively, reducing the risk of CI/CD credential theft and supply-chain compromise.