Shared tool detection for security scanning pipelines.
agentshield is installed as a pinned devDependency (ecc-agentshield in the pnpm-workspace.yaml catalog).
Run via: pnpm exec agentshield scan
No install step needed — available after pnpm install.
zizmor is not an npm package. It is installed via pnpm run setup, which downloads the pinned version
from GitHub releases with SHA256 checksum verification (see bundle-tools.json).
The binary is cached at .cache/external-tools/zizmor/{version}-{platform}/zizmor.
Detection order:
1. `command -v zizmor` (if already on PATH, e.g. via brew)
2. `.cache/external-tools/zizmor/*/zizmor` (from `pnpm run setup`)
Run via the full path if not on PATH:
```bash
# Follow the detection order above: PATH first, then the cached binary.
ZIZMOR="$(command -v zizmor 2>/dev/null)"
if [ -z "$ZIZMOR" ]; then ZIZMOR="$(find .cache/external-tools/zizmor -name zizmor -type f 2>/dev/null | head -1)"; fi
if [ -n "$ZIZMOR" ]; then "$ZIZMOR" .github/; else echo "zizmor not installed — run pnpm run setup"; fi
```

If not available:
- Warn: "zizmor not installed — run `pnpm run setup` to install"
- Skip the zizmor phase (don't fail the pipeline)
The Socket CLI is optional. It is used for dependency scanning in the updating and security-scan pipelines.
Detection: command -v socket
If not available:
- Skip socket-scan phases gracefully
- Note in report: "Socket CLI not available — dependency scan skipped"
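
The detection order and skip-on-missing behaviour described above for zizmor and the Socket CLI, as an added shell example (not the project's own code). The helper names, the cache root passed as an argument and the optional expected-SHA256 argument are assumptions; the page only says the pin is recorded in bundle-tools.json.

```shell
#!/bin/sh
# Added example, not the project's code. Function names and the PIN argument
# are hypothetical; the real pinned hash is whatever bundle-tools.json records.

# Print the SHA256 of a file using whichever hashing tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# resolve_tool NAME CACHE_ROOT [PIN]
# Documented order: PATH first (trusted as-is, e.g. a brew install), then
# CACHE_ROOT/*/NAME. A cached file is accepted only if it is executable and,
# when PIN is given, its SHA256 matches. Prints the path; returns 1 if none.
resolve_tool() {
  name=$1 root=$2 pin=${3:-}
  if found=$(command -v "$name" 2>/dev/null); then
    printf '%s\n' "$found"; return 0
  fi
  for candidate in "$root"/*/"$name"; do
    [ -f "$candidate" ] && [ -x "$candidate" ] || continue
    if [ -n "$pin" ] && [ "$(sha256_of "$candidate")" != "$pin" ]; then
      echo "warning: $candidate does not match pinned SHA256, ignoring" >&2
      continue
    fi
    printf '%s\n' "$candidate"; return 0
  done
  return 1
}

# run_phase NAME CACHE_ROOT PIN ARGS...
# Runs the tool when it resolves; otherwise warns and returns 0 so the
# pipeline continues instead of failing on a missing optional scanner.
run_phase() {
  name=$1 root=$2 pin=$3; shift 3
  if tool=$(resolve_tool "$name" "$root" "$pin"); then
    "$tool" "$@"
  else
    echo "warning: $name not installed, phase skipped" >&2
    return 0
  fi
}
```

For example, `run_phase zizmor .cache/external-tools/zizmor "" .github/` mirrors the zizmor snippet above, and `run_phase socket /nonexistent ""` skips cleanly when the Socket CLI is absent.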