🔍 Static Analysis Report - November 3, 2025

[github-actions[bot]]

🔍 Static Analysis Report - November 3, 2025

Analysis Summary

Comprehensive static analysis of all agentic workflows using three security and code quality tools: zizmor (security scanner), poutine (supply chain security), and actionlint (linting).

• Total Findings: 1,736
• Workflows Scanned: 67
• Workflows with Issues: 72

Findings by Tool

Tool	Category	Total Findings	Unique Rule Types	Severity Focus
zizmor	Security Vulnerabilities	33	11	Code injection risks
poutine	Supply Chain Security	83	4	CI/CD security issues
actionlint	Code Quality (Shellcheck)	1,620	10	Shell scripting best practices

Top Priority Issues

1. Unquoted Variables (SC2086) - 1,420 occurrences

• Tool: actionlint/shellcheck
• Severity: Info
• Affected: All 67 workflows
• Impact: Potential word splitting and globbing issues

Description: Variables like $GH_AW_PROMPT, $GITHUB_STEP_SUMMARY, and others are used without double quotes, which can lead to unexpected behavior if the variable contains spaces or special characters.

2. Multiple Redirect Operations (SC2129) - 102 occurrences

• Tool: actionlint/shellcheck
• Severity: Style
• Impact: Code readability and efficiency

Description: Multiple redirect operations to the same file should be grouped using { cmd1; cmd2; } >> file instead of individual redirects.

3. Unquoted Command Substitution (SC2046) - 67 occurrences

• Tool: actionlint/shellcheck
• Severity: Warning
• Affected: Most workflows
• Impact: Word splitting issues

Description: Command substitution $(dirname "$GH_AW_PROMPT") should be quoted to prevent word splitting.

4. Pull Requests on Self-Hosted Runners (pr_runs_on_self_hosted) - 35 occurrences

• Tool: poutine
• Severity: Warning
• Impact: Security risk from untrusted PR code

Description: Jobs that run on self-hosted runners (ubuntu-slim) in workflows triggered by pull request events. This can be a security risk if PRs from forks can execute code on your infrastructure.

5. Code Injection Risk (injection) - 2 occurrences

• Tool: poutine
• Severity: Warning
• File: .github/workflows/create-branch.yml
• Impact: Critical security risk

Description: User input from github.event.inputs.name is used in bash scripts without proper sanitization, creating injection vulnerability.

6. Template Injection (template-injection) - 11 locations

• Tool: zizmor
• Severity: Low
• Confidence: High
• Affected Workflows: duplicate-code-detector, mcp-inspector, others
• Impact: Code injection via template expansion
• Reference: (redacted)#template-injection

Full Report Details

Detailed Findings by Tool

Zizmor Security Findings

Zizmor found 33 template injection risks across 11 workflow locations:

Rule	Severity	Confidence	Workflows Affected	Occurrences
template-injection	Low	High	3 workflows	33

Affected workflows:

• duplicate-code-detector
• mcp-inspector
• smoke-codex

Poutine Supply Chain Security Findings

Poutine identified 83 supply chain security issues across 4 rule types:

Rule ID	Severity	Description	Count
unpinnable_action	note	Unpinnable CI component used...	43
pr_runs_on_self_hosted	warning	Pull Request Runs on Self-Hosted GitHub Actions Ru...	35
github_action_from_unverified_creator_used	note	Github Action from Unverified Creator used...	3
injection	warning	Injection with Arbitrary External Contributor Inpu...	2

Most Critical: pr_runs_on_self_hosted (35 occurrences)

Workflows using self-hosted runners with PR triggers:

• changeset
• q
• scout
• smoke-claude
• smoke-codex
• smoke-copilot
• smoke-copilot.firewall
• smoke-opencode

Actionlint (Shellcheck) Linting Issues

Actionlint/Shellcheck found 1,620 shell scripting issues across 10 rule types:

Rule	Type	Description	Count
SC2086	info	Double quote to prevent globbing and word splitting...	1420
SC2129	style	Consider using { cmd1; cmd2; } >> file instead of individual...	102
SC2046	warning	Quote this to prevent word splitting...	67
SC2012	info	Use find instead of ls to better handle non-alphanumeric fil...	19
SC2002	style	Useless cat. Consider 'cmd < file	..' or 'cmd file
SC2162	info	read without -r will mangle backslashes...	2
SC2016	info	Expressions don't expand in single quotes, use double quotes...	2
SC2236	style	Use -n instead of ! -z...	1
expression	unknown	string}...	1
SC2010	warning	Don't use ls	grep. Use a glob or a for loop with a conditi...

All 67 workflows have actionlint findings, primarily related to unquoted variables and suboptimal shell scripting patterns.

Fix Suggestion: SC2086 - Unquoted Variables

Issue: The most common issue (1,420 occurrences) is unquoted variables in shell scripts, particularly $GH_AW_PROMPT and $GITHUB_STEP_SUMMARY.

Why it matters: While these specific variables are unlikely to contain spaces in practice, following shellcheck best practices improves code reliability and prevents potential bugs.

Recommended Fix:

# Before (current)
cat >> $GH_AW_PROMPT << 'PROMPT_EOF'
...
EOF

echo "<details>" >> $GITHUB_STEP_SUMMARY

# After (fixed)
cat >> "$GH_AW_PROMPT" << 'PROMPT_EOF'
...
EOF

echo "<details>" >> "$GITHUB_STEP_SUMMARY"

Implementation Strategy:

1. These issues originate from the workflow compilation process (gh-aw compiler)
2. Fix should be applied to the compiler templates, not individual workflows
3. After fixing compiler, recompile all workflows to propagate the fix
4. Estimated impact: ~1,420 issues resolved across all workflows

Recommendations

Immediate Priority (Critical/High)

1. Fix code injection vulnerability in create-branch.yml (poutine)
2. Address unquoted command substitution SC2046 (67 occurrences)
3. Review self-hosted runner usage for PR-triggered workflows (35 occurrences)

Short-term (Medium)

4. Fix unquoted variables SC2086 in workflow compiler templates (1,420 occurrences)
5. Consolidate redirect operations SC2129 for better performance (102 occurrences)
6. Review template injection risks identified by zizmor (11 locations)

Long-term (Maintenance)

7. Pin unpinnable actions or document the risk (3 occurrences)
8. Integrate static analysis into CI/CD - run these tools on every workflow change
9. Update workflow creation guidelines to prevent common patterns
10. Consider pre-commit hooks for workflow files

Historical Trends

This is the first automated static analysis scan. Future scans will track:

• New vs. resolved issues
• Trends by tool and severity
• Workflow security posture over time

Next Steps

• Critical: Fix injection vulnerability in create-branch.yml
• High: Apply SC2086 fix to workflow compiler templates
• Medium: Review self-hosted runner security for PR workflows
• Low: Address template injection risks per zizmor guidance
• Process: Add static analysis to workflow compilation pipeline

---

Scan Details:

• Date: 2025-11-03T16:00:02.655121
• Tools: zizmor v1.16.2, poutine v1.0.4, actionlint with shellcheck
• Workflows Analyzed: 67 compiled .lock.yml files
• Analysis Method: Batch scan of all workflows with JSON output aggregation

AI generated by Static Analysis Report

[pelikhan]

/plan

[github-actions[bot]]

✅ Agentic Plan Command completed successfully.

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 week ago.