🔍 Static Analysis Report - November 3, 2025

[github-actions[bot]]

🔍 Static Analysis Report - November 3, 2025

Executive Summary

Comprehensive static analysis scan of 67 agentic workflows using three industry-standard security and code quality tools: zizmor (security), poutine (supply chain security), and actionlint (linting).

Key Findings:

• Total Issues: 1,736 findings across all workflows
• Security Issues: 33 low-severity (zizmor) + 83 supply chain warnings (poutine)
• Code Quality Issues: 1,620 shellcheck/actionlint warnings
• Critical Security Risk: 35 workflows run PR-triggered jobs on self-hosted runners
• Most Common Issue: SC2086 (unquoted variables) - 1,420 occurrences

Analysis Summary

Tool	Total Findings	Unique Rules	Most Common Issue
zizmor (security)	33	11	template-injection (Low)
poutine (supply chain)	83	4	pr_runs_on_self_hosted (Warning)
actionlint (linting)	1,620	10	SC2086 (Info)
TOTAL	1,736	25	-

Findings by Severity

Severity	Count	Percentage
Critical	0	0%
High	0	0%
Medium	0	0%
Low	33	1.9%
Warning	83	4.8%
Info/Style	1,620	93.3%

Top Priority Issues

1. 🔴 Self-Hosted Runners on PR Workflows (Security Risk)

Tool: Poutine
Rule: pr_runs_on_self_hosted
Severity: ⚠️ Warning (Security)
Count: 35 occurrences
Affected Workflows: 8 workflows

Workflows:

• smoke-claude, smoke-codex, smoke-copilot, smoke-copilot.firewall, smoke-opencode
• changeset, q, scout

Risk: Running pull request workflows on self-hosted runners allows untrusted code to execute on your infrastructure, potentially leading to:

• Secret exposure
• Lateral movement within your network
• Persistent backdoors
• Data exfiltration

Recommended Action:

1. Immediate: Switch smoke test workflows to GitHub-hosted runners (ubuntu-latest)
2. Short-term: Add manual approval gates for interactive workflows
3. Long-term: Use ephemeral, isolated runners if self-hosted is required

Fix Template: Available in /tmp/gh-aw/cache-memory/fix-templates/poutine-pr-self-hosted-fix.md

---

2. 💬 SC2086: Unquoted Variables (Code Quality)

Tool: Actionlint (shellcheck)
Rule: SC2086
Severity: ℹ️ Info
Count: 1,420 occurrences
Affected Workflows: All 67 workflows

Issue: Variables used without double quotes can cause unexpected behavior with spaces or glob characters.

Common Patterns:

# Problem
find $SOME_PATH -type f -print
git log -5 $DEFAULT_BRANCH

# Solution
find "$SOME_PATH" -type f -print
git log -5 "$DEFAULT_BRANCH"

Impact:

• Potential bugs with file paths containing spaces
• Word splitting issues
• Glob expansion vulnerabilities

Recommended Action: Add double quotes around all variable references

Fix Template: Available in /tmp/gh-aw/cache-memory/fix-templates/actionlint-sc2086-fix.md

---

3. 📝 SC2129: Use Grouped Redirects (Code Style)

Tool: Actionlint (shellcheck)
Rule: SC2129
Severity: Style
Count: 102 occurrences
Affected Workflows: All 67 workflows

Issue: Multiple echo commands redirect to the same file inefficiently.

Current Pattern (in every workflow):

echo "<details>" >> "$GITHUB_STEP_SUMMARY"
echo "<summary>Generated Prompt</summary>" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"

Better Pattern:

{
  echo "<details>"
  echo "<summary>Generated Prompt</summary>"
  echo ""
} >> "$GITHUB_STEP_SUMMARY"

Root Cause: This is generated by the workflow compiler template. Fixing the template once will fix all 102 occurrences.

Recommended Action: Update the workflow compiler template's "Generate Prompt" step

Fix Template: Available in /tmp/gh-aw/cache-memory/fix-templates/actionlint-sc2129-fix.md

---

4. 🔐 Template Injection (Low Severity)

Tool: Zizmor
Rule: template-injection
Severity: 🟡 Low
Count: 33 occurrences (11 unique instances)
Affected Workflows: duplicate-code-detector, mcp-inspector, smoke-codex

Issue: Code injection via template expansion in GitHub Actions expressions.

Reference: (redacted)#template-injection

Recommended Action: Review affected workflows and sanitize template inputs where user-controlled data is used.

---

5. 📋 SC2046: Quote Command Substitution

Tool: Actionlint (shellcheck)
Rule: SC2046
Severity: ⚠️ Warning
Count: 67 occurrences
Affected Workflows: All 67 workflows

Issue: Command substitution should be quoted to prevent word splitting.

Recommended Action: Quote command substitutions: $(command) → "$(command)"

---

All Findings by Tool

Zizmor Security Findings (33 total)

Template Injection (Low Severity)

Workflow	Count	Description
duplicate-code-detector	15	Code injection via template expansion
mcp-inspector	3	Code injection via template expansion
smoke-codex	15	Code injection via template expansion

Reference: (redacted)#template-injection

These are low-severity findings that should be reviewed but are not critical security vulnerabilities.

Poutine Supply Chain Findings (83 total)

1. Self-Hosted PR Runners (35 occurrences) ⚠️ HIGH PRIORITY

Severity: Warning (Security Risk)
Workflows: changeset, q, scout, smoke-claude, smoke-codex, smoke-copilot, smoke-copilot.firewall, smoke-opencode

Risk: Untrusted code execution on self-hosted infrastructure

2. Unpinnable Actions (43 occurrences)

Severity: Note
Description: Some GitHub Actions depend on mutable supply chain components and cannot be effectively pinned.

Affected:

• .github/actions/daily-perf-improver/build-steps/action
• .github/actions/daily-test-improver/coverage-steps/action
• Various node_modules actions

3. Unverified Creator Actions (3 occurrences)

Severity: Note
Description: GitHub Actions from unverified creators are in use.

4. Injection Vulnerabilities (2 occurrences)

Severity: Warning
Workflow: create-branch
Description: Potential injection into bash/JavaScript with user input.

Actionlint Linting Findings (1,620 total)

Rule	Count	Severity	Description
SC2086	1,420	Info	Double quote to prevent globbing and word splitting
SC2129	102	Style	Use grouped redirects
SC2046	67	Warning	Quote command substitution
SC2012	19	Info	Use find instead of ls
SC2002	5	Style	Useless cat
SC2162	2	Info	read without -r will mangle backslashes
SC2016	2	Info	Expressions don't expand in single quotes
SC2236	1	Style	Use -n instead of ! -z
SC2010	1	Warning	Don't use ls | grep
expression	1	Error	Property not defined in object type

Most Common Locations

SC2086 appears in:

• "Setup agent output environment variable" steps (find commands)
• Git operations in PR creation steps
• Diagnostic/debugging scripts

SC2129 appears in:

• "Generate Prompt" step (every workflow)

SC2046 appears in:

• Cleanup steps with $(find ...) patterns

Fix Priority and Impact

Priority 1: Security Issues (Immediate Action)

1. Self-hosted PR runners (35 occurrences) - Security risk

   • Impact: Critical security vulnerability
   • Effort: Medium (test runner compatibility)
   • Timeline: 1-2 days

2. Injection vulnerabilities (2 occurrences) - Security risk

   • Impact: High security vulnerability
   • Effort: Low (sanitize inputs)
   • Timeline: 1 day

Priority 2: High-Volume Quality Issues (Template Fix)

3. SC2129 grouped redirects (102 occurrences) - Code style
   • Impact: Performance and maintainability
   • Effort: Low (one template change)
   • Timeline: 1 hour + recompile

Priority 3: Code Quality (Moderate Effort)

4. SC2086 quoted variables (1,420 occurrences) - Code robustness

   • Impact: Prevent subtle bugs
   • Effort: High (many locations, but can be semi-automated)
   • Timeline: 1-2 weeks

5. SC2046 quoted command substitution (67 occurrences) - Code quality

   • Impact: Prevent word splitting issues
   • Effort: Medium
   • Timeline: 2-3 days

Fix Templates

Detailed fix instructions have been created for the top 3 issues:

1. poutine-pr-self-hosted-fix.md - Self-hosted runner security
2. actionlint-sc2086-fix.md - Unquoted variables
3. actionlint-sc2129-fix.md - Grouped redirects

Location: /tmp/gh-aw/cache-memory/fix-templates/

Each template includes:

• Problem explanation
• Security/performance impact
• Step-by-step fix instructions
• Before/after code examples
• Testing procedures
• Copilot agent prompts for automated fixing

Recommendations

Immediate Actions (This Week)

1. ✅ Fix self-hosted runner security risk

   • Update smoke test workflows to use ubuntu-latest
   • Test compatibility with GitHub-hosted runners
   • Add manual approval gates where self-hosted is required

2. ✅ Fix injection vulnerabilities in create-branch workflow

   • Sanitize user inputs
   • Use environment variables instead of inline interpolation

Short-Term Actions (Next 2 Weeks)

3. ✅ Fix SC2129 in compiler template

   • Update workflow compiler to use grouped redirects
   • Recompile all workflows
   • Single fix resolves 102 occurrences

4. ✅ Address template injection findings

   • Review zizmor findings in detail
   • Sanitize template inputs where needed
   • 33 low-severity findings to review

Long-Term Actions (Next Month)

5. ✅ Fix SC2086 across all workflows

   • Semi-automated approach using sed/awk
   • Manual review of fixes
   • Test workflows after changes

6. ✅ Establish automated security scanning in CI/CD

   • Add zizmor, poutine, actionlint to pre-commit hooks
   • Run scans on every commit to workflow files
   • Fail builds if critical issues are found

7. ✅ Update workflow creation guidelines

   • Document best practices for quoting variables
   • Provide secure templates
   • Include security review checklist

Historical Trends

First comprehensive scan with all three tools: This establishes a baseline for future comparisons.

Baseline Metrics (November 3, 2025):

• Total findings: 1,736
• Security warnings: 116 (zizmor + poutine)
• Code quality issues: 1,620 (actionlint)
• Workflows scanned: 67 of 103 total

Future Scans: Compare against this baseline to track:

• New vulnerabilities introduced
• Issues resolved
• Overall security posture trends

Verification Commands

After applying fixes, verify with:

# Recompile all workflows with static analysis
gh aw compile --zizmor --poutine --actionlint

# Check specific issue types
gh aw compile --poutine | grep pr_runs_on_self_hosted  # Should be 0
gh aw compile --actionlint | grep SC2129  # Should be 0 after template fix

Conclusion

This static analysis scan reveals 116 security-related findings and 1,620 code quality issues across 67 workflows. While most issues are informational (93.3%), there are important security risks that require immediate attention:

Critical Security Priority: 35 workflow jobs run on self-hosted runners with PR triggers, creating a significant security vulnerability. This should be addressed immediately.

Quick Wins: Fixing the SC2129 issue in the workflow compiler template will resolve 102 occurrences with a single change.

Long-Term Improvement: Implementing automated static analysis in CI/CD will prevent new issues and maintain security posture over time.

The detailed fix templates provide actionable guidance for addressing each issue category systematically.

---

Scan Metadata:

• Date: November 3, 2025
• Tools: zizmor (latest), poutine (latest), actionlint (latest)
• Workflows Scanned: 67 of 103 total
• Total Findings: 1,736
• Cache Location: /tmp/gh-aw/cache-memory/security-scans/2025-11-03.json

Fix Templates: /tmp/gh-aw/cache-memory/fix-templates/

• poutine-pr-self-hosted-fix.md
• actionlint-sc2086-fix.md
• actionlint-sc2129-fix.md

---

Next Steps:

1. Review and prioritize security findings
2. Apply fixes for self-hosted runner security risk
3. Update workflow compiler template for SC2129
4. Schedule work for SC2086 remediation
5. Establish automated scanning in CI/CD

AI generated by Static Analysis Report

[pelikhan]

/plan ignore self hosted runners.

[github-actions[bot]]

✅ Agentic Plan Command completed successfully.

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 week ago.