Static Analysis Report - 2026-03-30

[github-actions[bot]]

Analysis Summary

Daily static analysis scan completed for 178 workflows using zizmor, poutine, and actionlint. All 178 workflows compiled successfully today (up from 157 yesterday — the shared/mcp/serena-go.md import issue is resolved). Total findings increased from 7,383 to 8,520, largely explained by 21 additional workflows now being scanned.

• Tools Used: zizmor, poutine, actionlint
• Total Findings: 8,520
• Workflows Scanned: 178
• Workflows Compiled: 178 (✅ all compiled, up from 157 on 2026-03-29)
• Workflow Run: §23764185139

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info
zizmor (security)	3,953	0	30	3,854	20	49
poutine (supply chain)	6	0	6	0	0	0
actionlint (linting)	4,561	—	—	—	—	—
Total	8,520	—	—	—	—	—

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type	Severity	Count	Δ vs Yesterday	Notes
secrets-outside-env	Medium	3,851	+494	Systemic — affects all workflows
template-injection (high)	High	24	0	24 specific workflows
template-injection (info)	Info	49	+2	Many workflows
obfuscation	Low	20	+1	Base64 in steps
unpinned-uses	High	5	0	daily-fact workflow only
github-env	High	1	0	dev-hawk workflow only
artipacked	Medium	1	0	Artifact poisoning risk
secrets-inherit	Medium	1	0	Inherited secrets in called workflow

Poutine Supply Chain Findings

Issue Type	Severity	Count	Affected Workflows
untrusted_checkout_exec	Error	6	smoke-workflow-call, smoke-workflow-call-with-inputs

Actionlint Linting Issues

Issue Type	Count	Δ vs Yesterday	Description
shellcheck/SC2086	4,284	+485	Unquoted \$\{RUNNER_TEMP}/... vars
shellcheck/SC2129	173	+99	Multiple redirects — use { }>>
permissions	81	+44	Unknown copilot-requests scope
runner-label	12	+2	Unknown runner labels
expression	11	+3	Undefined output properties

Top Priority Issues

1. Template Injection (High Severity) — 24 Workflows

• Tool: zizmor
• Count: 24 High + 49 Informational
• Severity: High
• Description: User-controlled data (GitHub event context like PR titles, issue bodies, branch names) is directly interpolated into run: scripts via $\{\{ }} expressions. This allows an attacker to inject arbitrary shell commands by crafting a malicious PR title or issue body.
• Impact: Remote code execution in the CI runner with access to repository secrets
• Reference: (docs.zizmor.sh/redacted)

Affected Workflows (template-injection/high)

audit-workflows, copilot-pr-nlp-analysis, copilot-session-insights, daily-code-metrics, daily-copilot-token-report, daily-firewall-report, daily-integrity-analysis, daily-issues-report, daily-multi-device-docs-tester, daily-news, daily-performance-summary, daily-repo-chronicle, deep-report, docs-noob-tester, github-mcp-structural-analysis, org-health-report, poem-bot, portfolio-analyst, python-data-charts, stale-repo-identifier, technical-doc-writer, unbloat-docs, weekly-editors-health-check, weekly-issue-summary

2. Secrets Outside Environment (Medium Severity) — All 178 Workflows

• Tool: zizmor
• Count: 3,851 occurrences
• Severity: Medium
• Description: Secrets are referenced directly in workflow steps (e.g., $\{\{ secrets.TOKEN }}) rather than being passed via environment variables. This exposes secret values in runner diagnostic logs.
• Impact: Secret values may appear in verbose/debug logs, increasing credential exposure risk
• Reference: (docs.zizmor.sh/redacted)

3. Untrusted Checkout Exec (Supply Chain — Error)

• Tool: poutine
• Count: 6 errors
• Severity: Error
• Affected: smoke-workflow-call, smoke-workflow-call-with-inputs
• Description: Code execution occurs from an untrusted checkout — content from a PR could influence what gets executed
• Impact: Supply chain attack vector in smoke test workflows

4. Unknown copilot-requests Permission Scope — 81 Workflows

• Tool: actionlint
• Count: 81 errors
• Description: Workflows declare copilot-requests: write which is not recognized by actionlint's permission schema
• Impact: Linting noise; not a security risk per se, but indicates actionlint's schema needs updating for this custom permission

Fix Suggestion: Template Injection

Issue: Template injection via GitHub Actions expression interpolation
Severity: High
Affected Workflows: 24 workflows

Prompt to Copilot Agent:

You are fixing a High-severity security vulnerability identified by zizmor.

**Vulnerability**: Template Injection
**Rule**: template-injection
**Reference**: (docs.zizmor.sh/redacted)

**Current Issue**:
Workflows directly interpolate GitHub Actions expressions (e.g., `$\{\{ github.event.pull_request.title }}`,
`$\{\{ github.event.issue.body }}`, `$\{\{ github.head_ref }}`) into `run:` script steps.
An attacker can craft a malicious PR title, branch name, or issue body to inject arbitrary
shell commands that execute in the CI runner with access to repository secrets.

**Required Fix**:
1. Identify all `run:` steps that use `$\{\{ ... }}` expressions referencing user-controlled data
   (anything from `github.event.pull_request.*`, `github.event.issue.*`, `github.head_ref`,
   `github.event.comment.body`, etc.)
2. Extract those values into environment variables at the step level
3. Reference the environment variable (via `$VAR`) in the script instead of the expression

**Example**:
Before (vulnerable):
```yaml
- name: Process PR
  run: |
    echo "Processing: $\{\{ github.event.pull_request.title }}"
    gh pr comment $\{\{ github.event.pull_request.number }} --body "Done"

After (safe):

- name: Process PR
  env:
    PR_TITLE: $\{\{ github.event.pull_request.title }}
    PR_NUMBER: $\{\{ github.event.pull_request.number }}
  run: |
    echo "Processing: \$\{PR_TITLE}"
    gh pr comment "\$\{PR_NUMBER}" --body "Done"

Please apply this fix to all affected workflows:
audit-workflows, copilot-pr-nlp-analysis, copilot-session-insights, daily-code-metrics,
daily-copilot-token-report, daily-firewall-report, daily-integrity-analysis, daily-issues-report,
daily-multi-device-docs-tester, daily-news, daily-performance-summary, daily-repo-chronicle,
deep-report, docs-noob-tester, github-mcp-structural-analysis, org-health-report, poem-bot,
portfolio-analyst, python-data-charts, stale-repo-identifier, technical-doc-writer, unbloat-docs,
weekly-editors-health-check, weekly-issue-summary

<details>
<summary><b>All Findings Details — Actionlint Summary</b></summary>

Actionlint scanned 178 workflow files and found **4,561 issues** (all reported as errors):

- **shellcheck (4,457)**: Predominantly SC2086 (4,284 occurrences) — unquoted `\$\{RUNNER_TEMP}` variable references in `bash \$\{RUNNER_TEMP}/gh-aw/actions/*.sh` patterns. These are in compiled lock files and reflect a systemic pattern in the harness action scripts.
- **permissions (81)**: `copilot-requests: write` permission not in actionlint's known permission scopes. This is a valid GitHub permission for the Copilot API that actionlint's schema doesn't yet include.
- **runner-label (12)**: Unknown runner labels (custom runner configurations).
- **expression (11)**: Properties like `outputs.activated` referenced but not declared in the job outputs type definition.

</details>

### Historical Trends

| Metric | 2026-03-29 | 2026-03-30 | Change |
|--------|-----------|-----------|--------|
| Workflows compiled | 157 | **178** | +21 ✅ |
| Zizmor total | 3,455 | 3,953 | +498 |
| Poutine errors | 6 | 6 | 0 |
| Actionlint total | 3,928 | 4,561 | +633 |
| **Grand total** | **7,383** | **8,520** | **+1,137** |

**Context**: The increase in findings is primarily due to 21 additional workflows now compiling successfully (the `shared/mcp/serena-go.md` import error that blocked compilation is resolved). Normalizing for the 21 new workflows, per-workflow finding rates are stable.

#### New Since Yesterday
- All 21 previously-failing workflows now scan cleanly: archie, cloclo, daily-compiler-quality, daily-file-diet, daily-function-namer, daily-testify-uber-super-expert, developer-docs-consolidator, duplicate-code-detector, glossary-maintainer, go-fan, mcp-inspector, q, repository-quality-improver, semantic-function-refactor, sergo, smoke-claude, smoke-codex, smoke-copilot-arm, smoke-copilot, terminal-stylist, typist

#### Resolved Since Yesterday
- The `shared/mcp/serena-go.md` import compilation error is gone — all 178 workflows compile

### Recommendations

1. **Immediate (High Priority)**: Fix `template-injection` in the 24 affected workflows — use the Copilot agent prompt above
2. **Short-term**: Address `unpinned-uses` in `daily-fact` (pin action SHAs) and `github-env` in `dev-hawk`
3. **Medium-term**: Migrate secrets to environment variables (`secrets-outside-env`) — systemic but lower risk
4. **Low-priority**: SC2086 shellcheck warnings in lock files are in generated harness scripts — address in the harness template, not in individual workflows
5. **Maintenance**: Update actionlint schema or add suppression for the `copilot-requests` permission scope to reduce noise

### Next Steps

- [ ] Apply template-injection fix prompt to 24 affected workflows
- [ ] Pin action SHAs in `daily-fact` (5 unpinned-uses)
- [ ] Review `github-env` usage in `dev-hawk`
- [ ] Suppress `copilot-requests` permission false-positive in actionlint config
- [ ] Consider adding secrets-outside-env fixes incrementally, starting with high-value workflows

**References:**
- [§23764185139](https://github.com/github/gh-aw/actions/runs/23764185139)


> AI generated by [Static Analysis Report](https://github.com/github/gh-aw/actions/runs/23764185139) · [history](https://github.com/search?q=repo%3Agithub%2Fgh-aw+%22gh-aw-workflow-call-id%3A+github%2Fgh-aw%2Fstatic-analysis-report%22&type=discussions)
> - [x] expires <!-- gh-aw-expires: 2026-03-31T19:51:24.686Z --> on Mar 31, 2026, 7:51 PM UTC

<!-- gh-aw-workflow-id: static-analysis-report -->
<!-- gh-aw-workflow-call-id: github/gh-aw/static-analysis-report -->

[github-actions[bot]]

This discussion has been marked as outdated by Static Analysis Report.

A newer discussion is available at Discussion #23763.