ci-doctor vs zizmor
zizmor is a Rust-based static analyzer focused exclusively on security audits of GitHub Actions workflows. ci-doctor is a broader cost-security-reliability audit. They are complementary - zizmor digs deeper on supply-chain and injection vectors; ci-doctor adds cost and reliability rules zizmor doesn't claim.
Where zizmor wins
- Deeper template-injection analysis: traces user-controlled context (`github.event.issue.title`) into `run:` blocks across step boundaries.
- Catches dangerous `pull_request_target` + checkout patterns with sub-rule precision.
- Audits self-hosted runner labels, impostor commits, ref confusion, cache poisoning.
- 23+ pure security rules vs ci-doctor's 6 security rules.
- Native Rust binary, no Node runtime needed.
- Maintained by William Woodruff, well-known supply-chain security researcher.
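The template-injection check that both tools perform, reduced to its core, as an added example (this is not zizmor's or ci-doctor's code). A `${{ ... }}` expression inside a `run:` script is expanded by the runner before the shell ever parses the script, so an issue title or PR branch name chosen by an outside contributor becomes shell code; routing the same value through `env:` makes it an ordinary variable the shell quotes normally. The list of user-controlled contexts and the two sample workflows are constructed for illustration, and the scan is a line-based approximation rather than the YAML-and-dataflow analysis the real tools do.

```python
"""Line-based template-injection scan for GitHub Actions workflows.

Added example, not zizmor's or ci-doctor's code. An attacker-controlled
expression such as ${{ github.event.issue.title }} inside a run: script is
expanded *before* the shell parses the script, so a crafted issue title
becomes shell code. Passing the value through env: fixes it.
Assumptions: the context list is illustrative, and the scan is line-based
rather than a full YAML parse.
"""
import re

# Contexts an outside contributor can set freely (illustrative, not a full list).
USER_CONTROLLED = [re.compile(p) for p in (
    r"^github\.event\.(issue|pull_request|comment|review|discussion)\.(title|body)$",
    r"^github\.head_ref$",
    r"^github\.event\.pull_request\.head\.(ref|label)$",
    r"^github\.event\.(head_commit|commits\[[^\]]*\])\.message$",
    r"^github\.event\.workflow_run\.(head_branch|head_commit\.message)$",
    r"^(github\.event\.)?inputs\.\w+$",
)]
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")        # ${{ expr }}
RUN_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")      # a run: key, inline or block scalar
BLOCK_INDICATORS = {"|", ">", "|-", ">-", "|+", ">+"}


def is_user_controlled(expr):
    return any(p.match(expr) for p in USER_CONTROLLED)


def run_script_lines(text):
    """Yield (line_no, text) for every line that belongs to a run: value."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = lines[i].index("run:")
        yield i + 1, m.group(1)               # inline command, or the block indicator
        i += 1
        if m.group(1).strip() in BLOCK_INDICATORS:
            # Block scalar: every following line indented deeper than the key is script.
            while i < len(lines) and (
                not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > key_col
            ):
                yield i + 1, lines[i]
                i += 1


def scan(text):
    """Return [(line_no, expression), ...] for injectable expressions in run: scripts."""
    return [
        (line_no, expr)
        for line_no, line in run_script_lines(text)
        for expr in EXPR_RE.findall(line)
        if is_user_controlled(expr)
    ]


# Constructed sample: the issue title lands directly in the shell script.
VULNERABLE = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Announce the new issue
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "opened by ${{ github.actor }}"
"""

# Constructed sample: same workflow with the title passed through env:.
HARDENED = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Announce the new issue
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
          echo "opened by ${{ github.actor }}"
"""

if __name__ == "__main__":
    for label, workflow in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, scan(workflow))
```

`scan(VULNERABLE)` reports line 11 with `github.event.issue.title`; `scan(HARDENED)` reports nothing, because the expression now sits under `env:` and the script only references `$TITLE`. `github.actor` is deliberately not on the list: it is attacker-chosen but constrained to username characters, which is the kind of precision judgement the real rules encode per context.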
Where ci-doctor wins
- Cost rules zizmor does not have: `missing-concurrency`, `missing-cache`, `expensive-runner`, `cron-storm`, `wide-paths`, `service-no-healthcheck`.
- Reliability rules zizmor does not have: `missing-timeout-minutes`, `flaky-retries`, `legacy-actions-version`.
- Auto-fix: `npx ci-doctor --fix` rewrites four safe categories in place. zizmor is read-only.
- Pairs with `gha-budget` for $-denominated cost numbers per workflow.
- Zero install via `npx ci-doctor` - no compile, no PATH wiring.
- Same engine ports to GitLab (`gitlab-ci-doctor`), Bitbucket (`bitbucket-ci-doctor`), Azure (`azure-pipelines-ci-doctor`) - one mental model across CIs.
Rule-set overlap
| Concern | zizmor | ci-doctor |
|---|---|---|
| Pin `uses:` to SHAs | yes (unpinned-uses) | yes (no-pin-actions) |
| Template injection from user input | deep (template-injection) | basic (script-injection-context) |
| `pull_request_target` + checkout | yes (sub-rule precise) | yes (pull-request-target-checkout) |
| Container image not pinned to digest | no | yes (docker-no-pin) |
| Self-hosted runner label spoofing | yes | no |
| Cache poisoning vectors | yes | no |
| Service container missing healthcheck | no | yes (service-no-healthcheck) |
| Missing `concurrency:` (cost) | no | yes |
| Missing `timeout-minutes:` (cost+reliability) | no | yes |
| Missing language/dep cache (cost) | no | yes |
| Expensive runner (cost) | no | yes |
| Auto-fix mode | no | yes (--fix) |
| SARIF output | yes | yes |
| Other CIs (GitLab, Bitbucket, Azure) | no (GHA-only) | yes (sister CLIs) |
Run them side by side
This is what we recommend for any team that takes both security and cost seriously:
```bash
# supply-chain depth
pip install zizmor
zizmor .

# cost + reliability + lighter security
npx ci-doctor
```
Or in one workflow:
```yaml
name: ci-audit
on: pull_request
permissions:
  contents: read
  security-events: write
jobs:
  zizmor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: '3.12' }
      - run: pip install zizmor
      - run: zizmor --format sarif . > zizmor.sarif
      - uses: github/codeql-action/upload-sarif@v3
        # zizmor exits non-zero when it has findings; upload the report regardless
        if: always()
        with: { sarif_file: zizmor.sarif, category: zizmor }
  ci-doctor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: depmedicdev-byte/ci-doctor-action@v1
```
Both reports land in the same Security tab under different categories.
Try ci-doctor in 6 ms
Zero install:
```bash
# 16-rule audit of every workflow under .github/workflows/
npx ci-doctor

# auto-apply safe fixes
npx ci-doctor --fix

# SARIF for GitHub Code Scanning
npx ci-doctor --sarif > results.sarif
```
View on npm · All 16 rules explained
What about woodpecker, mega-linter, super-linter?
Woodpecker is a CI system, not a workflow linter, so it isn't in the same category - it's an alternative to GitHub Actions, not an analyzer of it. MegaLinter and super-linter bundle dozens of language linters and incidentally include actionlint - they are heavyweight wrappers, not focused workflow analyzers. We have separate honest comparisons for each.
About this comparison
Written 2026-04-28 by the maintainer of ci-doctor. See zizmor's docs for upstream information. If anything here is incorrect or outdated, open an issue at depmedicdev-byte/ci-doctor/issues and I will fix it. We do not pay for placement and we do not accept paid placement.
Other comparisons: vs actionlint · vs super-linter · vs MegaLinter · vs octoscan