Static Analysis Report - 2026-03-29

[github-actions[bot]]

Analysis Summary

Daily static analysis scan of all agentic workflows using zizmor, poutine, and actionlint. Of 178 workflows scanned, 157 compiled successfully and 21 failed (all due to a missing shared import file). Total findings: 7,383 issues across the three tools.

• Tools Used: zizmor (security), poutine (supply chain), actionlint (linting)
• Workflows Scanned: 178
• Workflows Successfully Compiled: 157 (21 failed — see below)
• Scan Date: 2026-03-29
• Previous Scan: None (first scan — no historical baseline)
• Workflow Run: §23717358907

---

Compilation Failures

21 workflows failed to compile — all due to the same missing import:

import file not found: shared/mcp/serena-go.md

View 21 Failed Workflows

Workflow
archie
cloclo
daily-compiler-quality
daily-file-diet
daily-function-namer
daily-testify-uber-super-expert
developer-docs-consolidator
duplicate-code-detector
glossary-maintainer
go-fan
mcp-inspector
q
repository-quality-improver
semantic-function-refactor
sergo
smoke-claude
smoke-codex
smoke-copilot-arm
smoke-copilot
terminal-stylist
typist

Root cause: All reference shared/mcp/serena-go.md which does not exist in the repository. This is likely a recently added shared component not yet committed, or a renamed/moved file.

---

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info
zizmor (security)	3,455	0	30	3,359	19	47
poutine (supply chain)	~20	0	0	0	6 errors	~14 notes
actionlint (linting)	3,928	—	—	—	—	3,928 errors
Total	7,403	0	30	3,359	19	47+

---

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type	Severity	Count	Affected Workflows
secrets-outside-env	Medium	3,357	157 (all compiled)
template-injection	High	24	24
template-injection	Informational	47	many
unpinned-uses	High	5	daily-fact (all 5)
github-env	High	1	dev-hawk
obfuscation	Low	19	~10
secrets-inherit	Medium	1	1
artipacked	Medium	1	1

Poutine Supply Chain Findings

Issue Type	Severity	Count	Affected Workflows
untrusted_checkout_exec	error	6	smoke-workflow-call, smoke-workflow-call-with-inputs
pr_runs_on_self_hosted	warning	2	dev, smoke-copilot-arm
github_action_from_unverified_creator_used	note	~6	smoke-codex, super-linter, copilot-setup-steps, daily-copilot-token-report, mcp-inspector, link-check
unverified_script_exec	note	2	copilot-setup-steps, daily-copilot-token-report
unpinnable_action	note	2	daily-perf-improver/build-steps, daily-test-improver/coverage-steps

Actionlint Linting Issues

Issue Type	Count	Root Cause
shellcheck (SC2086)	3,873	Unquoted \$\{RUNNER_TEMP} in generated run steps
permissions	37	Permission definition issues
runner-label	10	Unknown/invalid runner labels
expression	8	GitHub Actions expression syntax errors

---

Top Priority Issues

1. Template Injection (High Severity) — 24 Workflows

• Tool: zizmor
• Severity: High
• Count: 24 occurrences
• Reference: (docs.zizmor.sh/redacted)

These workflows use GitHub Actions expression syntax ($\{\{ ... }}) inside run: blocks, which can allow an attacker to inject arbitrary shell commands if the expression value is controlled by untrusted input (e.g., issue titles, PR body, user-supplied data).

View 24 Affected Workflows

Workflow
audit-workflows
copilot-pr-nlp-analysis
copilot-session-insights
daily-code-metrics
daily-copilot-token-report
daily-firewall-report
daily-integrity-analysis
daily-issues-report
daily-multi-device-docs-tester
daily-news
daily-performance-summary
daily-repo-chronicle
deep-report
docs-noob-tester
github-mcp-structural-analysis
org-health-report
poem-bot
portfolio-analyst
python-data-charts
stale-repo-identifier
technical-doc-writer
unbloat-docs
weekly-editors-health-check
weekly-issue-summary

2. Secrets Outside Environment Variables — 157 Workflows (3,357 occurrences)

• Tool: zizmor
• Severity: Medium
• Count: 3,357
• Reference: (docs.zizmor.sh/redacted)

Every compiled workflow references secrets directly in step definitions rather than mapping them through the env: block. This means secrets can appear in logs, error messages, or be accessed by other steps more broadly than intended. This appears to be a systemic pattern generated by the compiler.

3. Unpinned Action References — daily-fact (5 occurrences)

• Tool: zizmor
• Severity: High
• Count: 5
• Reference: (docs.zizmor.sh/redacted)

The daily-fact workflow uses action references without pinning to a specific commit SHA, creating supply chain risk. Tags can be silently moved.

4. Missing Shared Import — 21 Workflows (compilation failure)

• Tool: Compiler
• Severity: Blocking (compilation error)

All 21 failed workflows import shared/mcp/serena-go.md which does not exist. These workflows cannot be compiled and their security posture cannot be assessed.

5. Dangerous GITHUB_ENV Usage — dev-hawk

• Tool: zizmor
• Severity: High
• Reference: (docs.zizmor.sh/redacted)

Writing to the $GITHUB_ENV file with untrusted data allows environment variable injection that persists across steps.

---

Fix Suggestion: Template Injection (Highest Priority)

Issue: Code injection via GitHub Actions expression template expansion
Severity: High
Affected Workflows: 24 workflows

Prompt to Copilot Agent:

You are fixing a High severity security vulnerability identified by zizmor in GitHub Actions workflows.

**Vulnerability**: Template Injection (code injection via template expansion)
**Rule**: template-injection
**Reference**: (docs.zizmor.sh/redacted)

**Current Issue**:
GitHub Actions expression syntax `$\{\{ expression }}` is being used inside `run:` script blocks.
If the expression evaluates to untrusted user input (e.g. from issue titles, PR body text, 
comments, or other external data), an attacker can inject shell commands that will execute
with the workflow's permissions.

**Required Fix**:
Move the GitHub Actions expression out of the `run:` block and into an `env:` block as an
intermediate environment variable. Then reference the env var with standard shell `$VAR` syntax
inside the script.

**Example**:

Before (vulnerable):
```yaml
- name: Process data
  run: |
    echo "Processing: $\{\{ github.event.issue.title }}"
    gh issue comment $\{\{ github.event.issue.number }} --body "Done"
```

After (safe):
```yaml
- name: Process data
  env:
    ISSUE_TITLE: $\{\{ github.event.issue.title }}
    ISSUE_NUMBER: $\{\{ github.event.issue.number }}
  run: |
    echo "Processing: \$\{ISSUE_TITLE}"
    gh issue comment "\$\{ISSUE_NUMBER}" --body "Done"
```

**Important notes**:
- The `$\{\{ }}` syntax is ONLY safe in the `env:` key block, NOT inside shell scripts
- Always quote the shell variable reference: `"\$\{VAR}"` not `$VAR`
- Look specifically for the step name "Write Safe Outputs Config" which appears in many affected workflows

**Apply this fix to all 24 affected workflows**:
audit-workflows, copilot-pr-nlp-analysis, copilot-session-insights, daily-code-metrics,
daily-copilot-token-report, daily-firewall-report, daily-integrity-analysis, daily-issues-report,
daily-multi-device-docs-tester, daily-news, daily-performance-summary, daily-repo-chronicle,
deep-report, docs-noob-tester, github-mcp-structural-analysis, org-health-report, poem-bot,
portfolio-analyst, python-data-charts, stale-repo-identifier, technical-doc-writer, unbloat-docs,
weekly-editors-health-check, weekly-issue-summary

---

All Findings Details

Zizmor — Full High Severity Findings

Template Injection (High) — 24 Workflows

All occur at the "Write Safe Outputs Config" step pattern.

Workflow	Line
audit-workflows.lock.yml	489
copilot-pr-nlp-analysis.lock.yml	452
copilot-session-insights.lock.yml	459
daily-code-metrics.lock.yml	430
daily-copilot-token-report.lock.yml	454
daily-firewall-report.lock.yml	456
daily-integrity-analysis.lock.yml	461
daily-issues-report.lock.yml	435
daily-multi-device-docs-tester.lock.yml	375
daily-news.lock.yml	501
daily-performance-summary.lock.yml	406
daily-repo-chronicle.lock.yml	398
deep-report.lock.yml	490
docs-noob-tester.lock.yml	356
github-mcp-structural-analysis.lock.yml	406
org-health-report.lock.yml	402
poem-bot.lock.yml	447
portfolio-analyst.lock.yml	467
python-data-charts.lock.yml	455
stale-repo-identifier.lock.yml	452
technical-doc-writer.lock.yml	464
unbloat-docs.lock.yml	484
weekly-editors-health-check.lock.yml	347
weekly-issue-summary.lock.yml	382

Unpinned Action References (High) — daily-fact

Line	Description
61	Unpinned action reference
326	Unpinned action reference
814	Unpinned action reference
915	Unpinned action reference
1072	Unpinned action reference

GITHUB_ENV Dangerous Use (High) — dev-hawk

• Line 1209: Dangerous use of GITHUB_ENV environment file

Poutine — Full Findings

Errors (Blocking)

untrusted_checkout_exec in smoke-workflow-call and smoke-workflow-call-with-inputs:

• Lines 179, 285, 290 in each workflow flagged despite having # poutine:ignore untrusted_checkout_exec comments
• These appear to be false positives where the ignore annotation isn't being applied correctly

Warnings

pr_runs_on_self_hosted:

• dev.lock.yml:1169 — runs-on: aw-gpu-runner-T4
• smoke-copilot-arm.lock.yml:369 — runs-on: ubuntu-24.04-arm

Informational Notes

• smoke-codex — uses actions-ecosystem/action-add-labels (unverified creator)
• super-linter — uses super-linter/super-linter (unverified creator)
• copilot-setup-steps, daily-copilot-token-report — execute unverified script via curl | bash from install-gh-aw.sh
• mcp-inspector, copilot-setup-steps, daily-copilot-token-report — use astral-sh/setup-uv (unverified creator)
• link-check — uses gaurav-nelson/github-action-markdown-link-check (unverified creator)

Actionlint — Summary by Type

SC2086 — Unquoted Variables (3,873 occurrences)

All instances follow the same pattern generated by the gh-aw compiler:

run: bash \$\{RUNNER_TEMP}/gh-aw/actions/some-script.sh

Should be:

run: bash "\$\{RUNNER_TEMP}/gh-aw/actions/some-script.sh"

This is a compiler-level issue — the fix should be applied in the template generation code, not in individual workflow .md files.

Permissions Issues (37 occurrences)

Workflow steps with permission-related actionlint violations.

Runner Label Issues (10 occurrences)

Steps referencing runner labels that actionlint cannot verify.

Expression Syntax Issues (8 occurrences)

GitHub Actions expression syntax errors in 8 locations.

---

Historical Trends

First scan — no baseline available. Future scans will compare against today's results.

Metric	2026-03-29
Workflows scanned	178
Compilation failures	21
Zizmor total	3,455
Poutine errors	6
Actionlint total	3,928

---

Recommendations

1. Immediate — Fix missing import: Investigate shared/mcp/serena-go.md — create or restore this shared file so 21 workflows can compile and be analyzed.

2. High Priority — Fix template injection: Apply environment variable indirection to the 24 workflows with High severity template-injection findings. The fix prompt above is ready for a Copilot coding agent.

3. High Priority — Pin actions in daily-fact: Pin all 5 action references in daily-fact to specific commit SHAs instead of tags.

4. High Priority — Review dev-hawk GITHUB_ENV: Audit the dangerous $GITHUB_ENV usage in dev-hawk at line 1209.

5. Medium — Compiler fix for SC2086: The gh-aw compiler should quote \$\{RUNNER_TEMP} in generated shell run: steps. This one compiler fix would eliminate 3,873 of 3,928 actionlint errors.

6. Medium — Compiler fix for secrets-outside-env: The secrets injection pattern used by the compiler triggers 3,357 Medium zizmor findings. Consider mapping secrets through env: blocks in generated YAML.

7. Long-term: Add all three static analysis tools to the CI pipeline's merge gates so issues are caught before compilation succeeds.

Next Steps

• Create or restore shared/mcp/serena-go.md to unblock 21 failed workflows
• Apply template-injection fix to 24 High-severity workflows (use Copilot agent prompt above)
• Pin unpinned action references in daily-fact
• Fix gh-aw compiler to quote \$\{RUNNER_TEMP} in generated shell steps
• Review poutine ignore annotations in smoke-workflow-call* workflows
• Schedule next scan to establish trend baseline

References:

• §23717358907

AI generated by Static Analysis Report · history

• expires on Mar 30, 2026, 7:44 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Static Analysis Report.

A newer discussion is available at Discussion #23579.