
GitHub Actions Security: Hardening zizmor Against YAML Anchor and pull_request_target Abuse

Security Arsenal Team
May 22, 2026

In March 2026, the security community witnessed a severe supply-chain compromise when attackers exploited a pull_request_target misconfiguration within the popular aquasecurity/trivy-action. By leveraging this specific workflow trigger, threat actors successfully exfiltrated organization secrets and used those credentials to publish unauthorized LiteLLM packages to PyPI.

This incident highlighted a critical blind spot in static analysis. When GitHub added native support for YAML anchors in September 2025, many workflows adopted this syntax for DRY (Don't Repeat Yourself) configuration. However, the leading static analyzer for GitHub Actions, zizmor, was unable to fully parse these structures, leaving a high-value attack surface open to obfuscation and misconfiguration.

Thanks to a collaboration between Trail of Bits and zizmor maintainers, the analyzer has been hardened to fully support YAML anchors. Defenders must immediately upgrade their tooling and audit workflows to catch these evasion techniques before they are weaponized.

Technical Analysis

Affected Products & Platforms:

  • Tool: zizmor (Versions prior to the May 2026 hardening)
  • Platform: GitHub Actions (specifically workflows using YAML anchors)
  • Trigger: pull_request_target

Vulnerability & Attack Chain: While not a CVE in the traditional library sense, this is a Configuration Security weakness enabling CI/CD Injection.

  1. The Vector: The pull_request_target trigger runs the workflow with write permissions to the target repository and access to its secrets. If the checkout step is misconfigured, the workflow also runs code from the PR branch in that privileged context.
  2. The Evasion: Attackers (or malicious insiders) began using YAML anchors to hide the context of pull_request_target usage or the injection of secrets into untrusted steps. Prior to the update, zizmor would crash or perform a "best-effort" parse, missing these fatal flaws.
  3. Exploitation: In the March 2026 Trivy incident, the attacker injected code that exfiltrated GITHUB_TOKEN and other organizational secrets. These tokens were then used in a separate session to authenticate against PyPI and compromise the litellm package.

Exploitation Status:

  • Confirmed Active Exploitation: Yes (March 2026 Trivy-action incident).
  • Weaponization: Publicly documented by Trail of Bits; attackers are actively looking for pull_request_target misconfigurations.

Detection & Response

Defending against this requires a two-pronged approach: runtime monitoring for anomalous behavior (like the PyPI access seen in the Trivy breach) and static scanning of repository workflows.

SIGMA Rules

Detect potential CI/CD compromise by monitoring runner processes for unauthorized network connections to package repositories like PyPI, which should generally be restricted or tightly controlled in build environments.

YAML
---
title: GitHub Actions Runner Suspected PyPI Connection
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects GitHub Runner processes (Node/Python) initiating connections to PyPI. This may indicate a supply chain attack attempting to exfiltrate data or publish malicious packages, similar to the Trivy-action incident in March 2026.
references:
  - https://blog.trailofbits.com/2026/05/22/we-hardened-zizmors-github-actions-static-analyzer/
author: Security Arsenal
date: 2026/05/22
tags:
  - attack.execution
  - attack.t1059.001
  - attack.exfiltration
  - attack.t1567.002
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains: 'pypi.org'
    Image|endswith:
      - '\node.exe'
      - '\python.exe'
  condition: selection
falsepositives:
  - Legitimate build and publish workflows
level: high
---
title: Git Workflow Modification With Pull Request Target
id: 9b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects modifications to GitHub Actions workflow files. File-change events carry no file content, so review each hit for the string 'pull_request_target', which often indicates a change in workflow trust boundaries.
references:
  - https://blog.trailofbits.com/2026/05/22/we-hardened-zizmors-github-actions-static-analyzer/
author: Security Arsenal
date: 2026/05/22
tags:
  - attack.persistence
  - attack.t1059.001
logsource:
  category: file_change
  product: windows
detection:
  selection:
    TargetFilename|contains: '\.github\workflows\'
    TargetFilename|endswith:
      - '.yml'
      - '.yaml'
  condition: selection
falsepositives:
  - Legitimate CI/CD maintenance
level: medium

KQL (Microsoft Sentinel / Defender)

Hunt for GitHub Audit Logs indicating the creation or modification of workflows, specifically looking for the risky pull_request_target event trigger. Requires GitHub Audit Log connector.

KQL — Microsoft Sentinel / Defender
// Hunt for workflow creations or updates using pull_request_target
GitHubAudit
| where Action in ("workflow_create", "workflow_update")
| extend Details = parse_json(ActionDetails)
| where Details.workflow has "pull_request_target"
| project TimeGenerated, Actor, Repository, Action, Details.workflow
| sort by TimeGenerated desc

Velociraptor VQL

Use Velociraptor to hunt locally for YAML files in the .github/workflows directory that contain the dangerous pull_request_target keyword or use YAML anchors and aliases (& or *), which scanners may previously have missed.

VQL — Velociraptor
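-- Hunt for GitHub Actions workflows using pull_request_target or YAML anchors
-- Covers both .yml and .yaml; reads up to 64 KB so long workflows are not cut off
SELECT FullPath, Mtime, Size,
       read_file(filename=FullPath, length=65536) AS SampleContent
FROM glob(globs=["/**/.github/workflows/*.yml", "/**/.github/workflows/*.yaml"])
WHERE SampleContent =~ "pull_request_target"
   OR SampleContent =~ "\\s&[A-Za-z_]"      -- anchor definition, e.g. key: &name
   OR SampleContent =~ "\\s\\*[A-Za-z_]"    -- alias reference, e.g. key: *name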

Remediation Script (Bash)

This script installs the latest version of zizmor (hardened against anchor evasion) and scans the current repository for misconfigurations.

Bash / Shell
#!/bin/bash

# Install zizmor (using cargo is the primary method)
echo "[*] Installing zizmor..."
if ! cargo install --locked zizmor; then
    echo "[!] Error: zizmor installation failed."
    exit 1
fi

# Check if we are at the root of a git repository
if [ ! -d ".git" ]; then
    echo "[!] Error: Current directory is not a git repository."
    exit 1
fi

# Run zizmor scan against the repository
echo "[*] Scanning repository for GitHub Actions misconfigurations..."
zizmor --verbose .
status=$?

# Exit code check: zizmor exits non-zero on findings and on tool errors
if [ "$status" -eq 0 ]; then
    echo "[+] Scan completed. No issues found."
else
    echo "[!] Scan exited with status $status. Review the output above for findings or errors."
    echo "[!] Recommendation: Audit any workflow using 'pull_request_target' immediately."
fi

# Propagate the scan result so CI jobs and wrappers can act on it
exit "$status"

Remediation

  1. Update Static Analysis Tools: Ensure your instance of zizmor is updated to a version released on or after May 22, 2026. This version includes full support for YAML anchors and resolves the parsing crashes that previously prevented detection.
  2. Audit pull_request_target Usage: Conduct an immediate audit of all workflows utilizing pull_request_target. Ensure that:
    • actions/checkout is called with persist-credentials: false if checking out PR code.
    • Secrets are not explicitly passed to untrusted steps.
  3. Review YAML Anchor Usage: While anchors are valid syntax, review workflows that heavily use them to ensure they are not being used to obscure security-relevant configurations from human reviewers.
  4. Token Rotation: If you were using aquasecurity/trivy-action prior to the patch in March 2026, or if you rely heavily on pull_request_target, rotate your GitHub organization secrets and any external tokens (e.g., PyPI API keys) that may have been accessible to your workflows.
  5. Vendor Reference: Review the official Trail of Bits Blog Post and the Trivy Post-Mortem for specific indicators of compromise (IOCs) related to the March 2026 incident.
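
The audit in steps 2 and 3 can be scripted by resolving YAML aliases before inspecting each job, so a checkout step defined once behind an anchor is evaluated in every job that reuses it. The following is an added example, not code from zizmor, Trail of Bits or the original article; the sample workflow, its job names, the PUBLISH_TOKEN secret and the function names are constructed for illustration.

```ruby
require "yaml"

# Constructed sample workflow, not taken from any real repository.
WORKFLOW = <<~'YAML'
  on:
    pull_request_target:
      types: [opened, synchronize]
  jobs:
    lint:
      runs-on: ubuntu-latest
      steps:
        - &checkout_pr
          uses: actions/checkout@v4
          with:
            ref: ${{ github.event.pull_request.head.sha }}
        - run: make lint
    scan:
      runs-on: ubuntu-latest
      steps:
        - *checkout_pr   # alias: the ref is not spelled out in this job
        - run: make scan
          env:
            TOKEN: ${{ secrets.PUBLISH_TOKEN }}
YAML

PR_HEAD = /github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref/

# Trigger names, whether `on` is a string, a list or a mapping.
def triggers(doc)
  on = doc.key?("on") ? doc["on"] : doc[true] # YAML 1.1: bare `on` loads as true
  on.is_a?(Hash) ? on.keys.map(&:to_s) : Array(on).map(&:to_s)
end

# One finding per checkout of PR-head code in a pull_request_target workflow.
def audit(text)
  doc = YAML.safe_load(text, aliases: true) # aliases are expanded on load
  return [] unless triggers(doc).include?("pull_request_target")
  doc.fetch("jobs", {}).flat_map do |job_id, job|
    Array(job["steps"]).filter_map do |step|
      with = step["with"] || {}
      next unless step["uses"].to_s.start_with?("actions/checkout@")
      next unless with["ref"].to_s.match?(PR_HEAD)
      { job: job_id, persists_credentials: with["persist-credentials"] != false,
        job_uses_secrets: job.to_s.include?("secrets.") }
    end
  end
end

audit(WORKFLOW).each { |finding| p finding }
```

A text search of the sample finds the PR-head ref on one line only, while the resolved document reports it in both jobs, including the one that reads a secret.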
