🔍 Static Analysis Report - November 27, 2025

[github-actions[bot]]

Analysis Summary

Static analysis completed on 87 agentic workflows using three complementary tools: zizmor (security scanner), poutine (supply chain security), and actionlint (linting). The scan identified 28 findings across 14 workflows, with most issues being code quality improvements rather than critical security vulnerabilities.

Key Findings

• Total Findings: 28
• Workflows Affected: 14 out of 87 (16%)
• High Severity Issues: 7 (primarily in release workflow)
• Most Common Issue: ShellCheck SC2086 (missing quotes) - 18 occurrences

Full Static Analysis Report

Findings by Tool and Severity

Summary Statistics

Tool	Total	Critical	High	Medium	Low	Informational
zizmor (security)	9	0	5	1	1	2
actionlint (linting)	19	0	0	0	0	19
poutine (supply chain)	0	0	0	0	0	0
Total	28	0	5	1	1	21

---

Detailed Findings by Tool

🔒 Zizmor Security Findings

1. Template Injection (4 occurrences)

Description: Code injection risk via GitHub Actions template expansion
Reference: (redacted)#template-injection

Workflow	Line	Severity	Notes
close-old-discussions	350:9	High	Direct template usage in step
changeset	6318:9	Informational	Git credentials configuration
release	459:9	Informational	Environment setup step
mcp-inspector	1390:9	Low	MCP setup step

Impact: The High severity instance in close-old-discussions should be reviewed to ensure no untrusted input flows into template expressions.

2. Cache Poisoning (2 occurrences)

Description: Runtime artifacts vulnerable to cache poisoning attacks
Reference: (redacted)#cache-poisoning
Severity: High

Workflow	Line	Details
release	318:1	Workflow triggered on push: tags: with artifact caching
release	318:1	Duplicate instance

Impact: The release workflow uses caching and artifacts in a context where cache poisoning could affect release builds.

3. Unpinned Action (1 occurrence)

Description: Action reference not pinned to commit SHA
Reference: (redacted)#unpinned-uses
Severity: High

Workflow	Line	Action	Notes
release	5426:9	cli/gh-extension-precompile@v2	Unable to pin (resolution failed)

Impact: Using unpinned actions allows supply chain attacks via action repository compromise.

4. Artipacked (1 occurrence)

Description: Credential persistence through GitHub Actions artifacts
Reference: (redacted)#artipacked
Severity: Medium

Workflow	Line	Details
release	5421:9	Checkout step in artifact-using job

Impact: Potential for credentials to leak through artifacts if not properly sanitized.

5. Excessive Permissions (1 occurrence)

Description: Overly broad workflow permissions
Reference: (redacted)#excessive-permissions
Severity: High

Workflow	Line	Permission	Notes
test-firewall-escape	265:3	issues: write	Test workflow has broad write access

Impact: Test workflows should use minimal permissions. This workflow is specifically testing firewall escape scenarios, but the permission scope should be reviewed.

---

⚙️ Actionlint Linting Findings

1. ShellCheck SC2086 - Missing Quotes (18 occurrences)

Description: Variables used without double quotes, risking word splitting and glob expansion
Reference: (redacted)
Severity: Informational

Workflow	Line	Variable Pattern
daily-doc-updater	5164:9	$PR_NUMBER in gh api call
github-mcp-tools-report	6181:9	$PR_NUMBER in gh api call
go-pattern-detector	3903:9	Variable in install script
poem-bot	7828:9	$PR_NUMBER in gh api call
q	7191:9	$PR_NUMBER in gh api call
release	462:9	Multiple variables in long script
release	5432:9	$RELEASE_TAG in gh api call
security-fix-pr	5090:9	$PR_NUMBER in gh api call
technical-doc-writer	6747:9	$PR_NUMBER in gh api call
tidy	5739:9	$PR_NUMBER in gh api call

Common Pattern: Most occurrences follow the same pattern - requesting PR reviews using gh api:

gh api --method POST /repos/${{ github.repository }}/pulls/$PR_NUMBER/requested_reviewers

Fix: Add quotes around $PR_NUMBER:

gh api --method POST /repos/${{ github.repository }}/pulls/"$PR_NUMBER"/requested_reviewers

Impact: Low security risk (PR_NUMBER comes from trusted GitHub Actions output), but improves code robustness.

2. Syntax Error (1 occurrence)

Description: Invalid workflow syntax
Severity: Error

Workflow	Line	Issue
cloclo	372:5	Unexpected key "names" for "issues" section

Impact: This workflow may fail to trigger correctly due to invalid syntax.

---

🔗 Poutine Supply Chain Findings

Result: No findings from poutine scanner.

All workflows passed poutine's supply chain security checks, indicating good dependency and action pinning practices (except where explicitly noted by zizmor).

---

Workflows Requiring Attention

High Priority (High Severity Issues)

1. release.md - 5 high/medium severity issues

   • Cache poisoning (2x)
   • Unpinned action
   • Artipacked credential risk
   • Multiple shellcheck issues

2. close-old-discussions.md - High severity template injection

3. test-firewall-escape.md - Excessive permissions

Medium Priority (Multiple Issues)

4. cloclo.md - Syntax error (workflow may not trigger correctly)

Low Priority (Code Quality)

5-14. Nine workflows with ShellCheck SC2086 (missing quotes) - easy automated fix

---

Fix Recommendations

Immediate Actions (High Severity)

1. Review close-old-discussions.md template injection at line 350

   • Audit template expressions for untrusted input
   • Consider using intermediate variables

2. Fix release.md workflow security issues

   • Pin cli/gh-extension-precompile to commit SHA (if possible)
   • Review cache poisoning risk - consider using artifact isolation
   • Audit credential usage in artifact steps
   • Add quotes to all shell variables

3. Reduce test-firewall-escape.md permissions

   • Minimize issues: write permission if not strictly necessary
   • Consider using permissions: {} and granting only what's needed

4. Fix cloclo.md syntax error

   • Remove or correct the names: key under issues: section

Short-term Actions (Code Quality)

5. Apply ShellCheck SC2086 fixes across 9 workflows
   • Automated pattern: $PR_NUMBER → "$PR_NUMBER"
   • Review and test each change
   • See detailed fix template below

---

Fix Template: ShellCheck SC2086

Issue

Missing double quotes around bash variables causes potential word splitting and glob expansion.

Affected Workflows (9)

• daily-doc-updater
• github-mcp-tools-report
• go-pattern-detector
• poem-bot
• q
• release
• security-fix-pr
• technical-doc-writer
• tidy

Common Pattern

Before:

- name: Request PR review
  env:
    PR_NUMBER: ${{ steps.create_pull_request.outputs.pull_request_number }}
  run: |
    gh api --method POST /repos/${{ github.repository }}/pulls/$PR_NUMBER/requested_reviewers \
      -f 'reviewers[]=copilot-pull-request-reviewer[bot]'

After:

- name: Request PR review
  env:
    PR_NUMBER: ${{ steps.create_pull_request.outputs.pull_request_number }}
  run: |
    gh api --method POST /repos/${{ github.repository }}/pulls/"$PR_NUMBER"/requested_reviewers \
      -f 'reviewers[]=copilot-pull-request-reviewer[bot]'

Fix Steps

1. Search for pattern: pulls/$PR_NUMBER/
2. Replace with: pulls/"$PR_NUMBER"/
3. Similarly fix $GITHUB_ENV and $RELEASE_TAG references
4. Test compilation with gh aw compile to verify

Full fix template available at: /tmp/gh-aw/cache-memory/fix-templates/actionlint-SC2086.md

---

Trends and Historical Context

This is the first comprehensive static analysis scan with all three tools (zizmor, poutine, actionlint) enabled. Future scans will track:

• New vs. resolved issues
• Issue trends over time
• Workflow security posture improvements

Baseline established: November 27, 2025

• 87 workflows scanned
• 28 findings (16% of workflows affected)
• 5 high severity, 1 medium, 22 informational/low

---

Recommendations for Prevention

1. Pre-commit Hooks

Consider adding static analysis to pre-commit hooks:

gh aw compile --zizmor --actionlint --strict

2. CI/CD Integration

Add static analysis checks to pull request workflows to catch issues before merge.

3. Workflow Templates

Create secure workflow templates with:

• Properly quoted shell variables
• Minimal permissions
• Pinned actions
• Safe template usage patterns

4. Regular Scans

Schedule this static analysis report to run weekly to catch security issues early.

5. Security Training

Share common vulnerability patterns with workflow authors:

• Template injection risks
• Shell quoting best practices
• Principle of least privilege for permissions
• Action pinning for supply chain security

---

Tool Effectiveness Summary

Tool	Purpose	Findings	Effectiveness
zizmor	GitHub Actions security	9	⭐⭐⭐⭐⭐ Excellent - found critical security issues
actionlint	Workflow linting & syntax	19	⭐⭐⭐⭐ Very Good - caught syntax errors and code quality issues
poutine	Supply chain security	0	⭐⭐⭐ Good - validated secure dependency practices

---

Next Steps

• Create issues for high-severity findings
• Apply ShellCheck SC2086 fixes across affected workflows
• Review and fix cloclo.md syntax error
• Audit close-old-discussions.md for template injection risk
• Comprehensive security review of release.md workflow
• Reduce permissions in test-firewall-escape.md
• Schedule weekly static analysis scans
• Document secure workflow patterns for team

---

Scan Metadata

• Date: November 27, 2025
• Repository: githubnext/gh-aw
• Workflows Scanned: 87
• Tools: zizmor v0.x, poutine v0.x, actionlint v1.x
• Analysis Duration: ~5 minutes
• Workflow Run: §19730791438

Cache Location: Static analysis results stored in /tmp/gh-aw/cache-memory/security-scans/ for historical trending.

AI generated by Static Analysis Report