🔍 Static Analysis Report - November 5, 2025

[github-actions[bot]]

🔍 Static Analysis Report - November 5, 2025

This comprehensive static analysis scan analyzed all 68 agentic workflows using three security tools: zizmor (security), poutine (supply chain), and actionlint (linting). The scan identified 9 low-severity template injection findings across 3 workflows, with no critical, high, or medium severity security issues detected.

Executive Summary

• ✅ All Critical/High/Medium severity checks passed
• ⚠️ 9 Low severity findings from zizmor (template-injection)
• ✅ 0 findings from poutine (supply chain security)
• ✅ 0 findings from actionlint (linting)
• 📊 Security posture: Good overall with minor improvements needed
• 📈 Trend: Stable compared to previous scans

Full Analysis Report

Scan Details

• Date: November 5, 2025
• Repository: githubnext/gh-aw
• Workflows Scanned: 68
• Workflows with Findings: 3
• Tools Used: zizmor v1.x, poutine v1.x, actionlint v1.x
• Total Findings: 9 (all Low severity)

Findings by Tool

Tool	Total	Critical	High	Medium	Low
zizmor (security)	9	0	0	0	9
poutine (supply chain)	0	0	0	0	0
actionlint (linting)	0	-	-	-	-

Zizmor Security Findings

🔸 template-injection (Low Severity)

Description: Code injection via template expansion

Count: 9 occurrences across 3 workflows

Reference: (redacted)#template-injection

Affected Workflows

Workflow	Occurrences	Location	Step Name
duplicate-code-detector	4	Line 1045, Col 9	Setup MCPs
mcp-inspector	1	Line 1121, Col 9	Setup MCPs
smoke-codex	4	Line 1027, Col 9	Setup MCPs

Root Cause

The vulnerability occurs in the "Setup MCPs" step where GitHub Actions template expressions (like ${{ secrets.TOKEN }} or ${{ env.VAR }}) are embedded directly in TOML/JSON configuration files created with heredocs.

Example vulnerable pattern:

- name: Setup MCPs
  run: |
    cat > /tmp/gh-aw/mcp-config/config.toml << EOF
    [mcp_servers.github.env]
    GITHUB_PERSONAL_ACCESS_TOKEN = "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"
    EOF

Security Impact: Template expressions are evaluated before the script runs, making them potentially vulnerable to injection attacks if workflow inputs or contexts are manipulated.

Poutine Supply Chain Security

✅ No findings - All supply chain security checks passed.

Actionlint Linting

✅ No findings - All workflow syntax and linting checks passed.

Compile-Time Warnings (Non-Security)

The compilation process also identified 13 non-security warnings:

Network Firewalling (8 workflows)

⚠️ Claude engine workflows specify network restrictions, but Claude doesn't support network firewalling. Affected workflows:

• audit-workflows
• blog-auditor
• copilot-agent-analysis
• copilot-session-insights
• daily-doc-updater
• instructions-janitor
• prompt-clustering-analysis
• unbloat-docs

Web Search Tool (3 workflows)

⚠️ Copilot workflows using web-search tool (not supported by Copilot):

• ci-doctor
• daily-perf-improver
• daily-test-improver

Missing Permissions (1 workflow)

⚠️ example-permissions-warning: Missing required permissions (contents, issues, pull-requests write)

PyPI Package Validation (3 workflows)

⚠️ markitdown-mcp package validation failed in:

• mcp-inspector
• pdf-summary
• scout

---

Fix Recommendation for Template-Injection

Priority: Medium (Low severity but affects multiple workflows)

Issue: template-injection vulnerability in "Setup MCPs" steps

Affected: 3 workflows (9 total occurrences)

Recommended Fix

Replace direct template expressions in heredocs with environment variable references:

Current (Vulnerable):

- name: Setup MCPs
  env:
    GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
  run: |
    cat > /tmp/config.toml << EOF
    GITHUB_PERSONAL_ACCESS_TOKEN = "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"
    EOF

Fixed (Secure):

- name: Setup MCPs
  env:
    GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
  run: |
    cat > /tmp/config.toml << 'EOF'
    GITHUB_PERSONAL_ACCESS_TOKEN = "${GITHUB_MCP_SERVER_TOKEN}"
    EOF

Key Changes:

1. ✅ Quote the EOF delimiter: << 'EOF' instead of << EOF
2. ✅ Use environment variables: ${VAR_NAME} instead of ${{ expression }}
3. ✅ Define all values in the env section
4. ✅ Let shell expand variables at runtime, not GitHub Actions at parse time

Implementation Notes

Since this pattern appears in auto-generated "Setup MCPs" steps from the gh-aw compiler, the fix should be applied to the compiler itself rather than individual workflow files. This will ensure all future compiled workflows use the secure pattern.

Files to update in gh-aw compiler:

• Look for the code that generates "Setup MCPs" steps
• Modify the heredoc template generation to use quoted EOF delimiters
• Convert direct template expressions to environment variable references

---

Historical Trends

Comparison with Previous Scans

Date	Total Findings	High	Medium	Low
2025-11-04 (evening)	14	0	1	9
2025-11-05 (morning)	5	0	0	5
2025-11-05 (current)	9	0	0	9

Trend Analysis

• Overall: +4 findings since morning scan (+80%)
• Severity: All findings are Low severity
• Status: Stable - no new vulnerability types introduced
• High/Medium Issues: Remain at 0 (excellent!)

Key Insights

1. ✅ No critical or high-severity issues across all 68 workflows
2. ✅ Supply chain security (poutine) shows no vulnerabilities
3. ✅ Linting (actionlint) shows no errors
4. ⚠️ Template injection is the only security finding (Low severity)
5. 📊 The increase from 5 to 9 findings is due to running all tools vs. actionlint-only

---

Recommendations

Immediate Actions (This Week)

1. ✅ Fix template-injection in gh-aw compiler - Update the MCP setup code generation to use secure heredoc patterns
2. 📝 Document the secure pattern - Add guidance for workflow authors about heredoc security
3. 🧪 Recompile affected workflows - Run gh aw compile after fixing the compiler

Short-term Actions (Next 2 Weeks)

1. 🔧 Address compile warnings - Review and fix non-security warnings:

   • Update workflows to not rely on unsupported features (network firewalling, web-search)
   • Fix permission declarations in example-permissions-warning
   • Verify PyPI package availability or provide alternatives

2. 📊 Establish baseline - Document current security posture as the baseline for future comparisons

Long-term Actions (Next Month)

1. 🤖 Automate static analysis - Add zizmor, poutine, and actionlint to CI/CD pipeline
2. 📚 Create security guidelines - Document secure coding patterns for agentic workflows
3. 🔄 Regular scans - Continue daily static analysis scans to detect regressions early
4. 🛡️ Pre-commit hooks - Consider adding static analysis tools to pre-commit hooks

---

Detailed Findings by Workflow

duplicate-code-detector.lock.yml

Total Findings: 4 (all Low severity)

Finding 1-4: template-injection

• Severity: Low
• Location: Line 1045, Column 9
• Step: Setup MCPs
• Description: Code injection via template expansion
• Reference: (redacted)#template-injection
• Fix: Apply heredoc security pattern (see Fix Recommendation section)

mcp-inspector.lock.yml

Total Findings: 1 (Low severity)

Finding 1: template-injection

• Severity: Low
• Location: Line 1121, Column 9
• Step: Setup MCPs
• Description: Code injection via template expansion
• Reference: (redacted)#template-injection
• Fix: Apply heredoc security pattern (see Fix Recommendation section)

smoke-codex.lock.yml

Total Findings: 4 (all Low severity)

Finding 1-4: template-injection

• Severity: Low
• Location: Line 1027, Column 9
• Step: Setup MCPs
• Description: Code injection via template expansion
• Reference: (redacted)#template-injection
• Fix: Apply heredoc security pattern (see Fix Recommendation section)

---

Conclusion

The static analysis scan reveals a healthy security posture with only minor improvements needed:

✅ Strengths:

• Zero critical, high, or medium severity security issues
• Clean supply chain security (poutine)
• No linting errors (actionlint)
• 65 of 68 workflows have zero security findings

⚠️ Areas for Improvement:

• Fix Low severity template-injection in 3 workflows
• Address compile-time warnings in workflow configurations

📈 Overall Grade: A- (Excellent security with minor issues)

The template-injection findings, while Low severity, should be addressed as part of security best practices. Since they occur in auto-generated code, fixing the compiler will resolve all occurrences automatically.

---

References:

• Workflow Run: §19096672054

AI generated by Static Analysis Report

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 week ago.