🔍 Static Analysis Report - November 5, 2025

[github-actions[bot]]

🔍 Static Analysis Report - November 5, 2025

Today's automated static analysis scan of all agentic workflows has been completed using three industry-standard security and code quality tools: zizmor, poutine, and actionlint.

Analysis Summary

• Tools Used: zizmor (security), poutine (supply chain), actionlint (linting)
• Total Findings: 116
• Workflows Scanned: 72
• Workflows Affected: 21

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info/Note
zizmor (security)	2	0	0	0	1	1
poutine (supply chain)	6	0	0	0	0	6
actionlint (linting)	108	0	0	0	0	108
TOTAL	116	0	0	0	1	115

Key Findings

Good news: No critical, high, or medium severity security issues were found. All findings are either Low severity or Informational/Note level, indicating code quality improvements rather than urgent security vulnerabilities.

1. Zizmor Security Findings (2 findings)

template-injection

• Severity: Low / Informational
• Count: 2 occurrences
• Description: Code injection via template expansion
• Reference: (redacted)#template-injection

Affected Workflows:

• .github/workflows/copilot-session-insights.lock.yml
• .github/workflows/mcp-inspector.lock.yml

Analysis: Both findings involve template expressions that reference other step outputs or environment variables. The risk is Low/Informational because:

• copilot-session-insights uses ${{ steps.install-extension.outputs.EXTENSION_INSTALLED }} in a warning message
• mcp-inspector uses ${{ env.SENTRY_HOST }} in MCP server configuration

These are internal references within the same workflow and not directly controllable by external attackers. However, it's good practice to be aware of template injection risks.

2. Poutine Supply Chain Findings (6 findings)

unpinnable_action (3 occurrences)

• Level: Note
• Title: Unpinnable CI component used
• Description: These GitHub Actions depend on other mutable supply chain components, making pinning less effective

Affected Files:

• .github/actions/daily-perf-improver/build-steps/action.yml
• .github/actions/daily-test-improver/coverage-steps/action.yml
• pkg/workflow/js/node_modules/@actions/github-script/.github/actions/install-dependencies/action.yml

Analysis: These are local composite actions that reference other actions. Since they're part of our repository, the risk is minimal.

github_action_from_unverified_creator_used (3 occurrences)

• Level: Note
• Title: GitHub Action from Unverified Creator used
• Description: Actions from owners who are not verified creators on GitHub

Affected Actions:

• astral-sh/setup-uv (Python package manager tooling)
• cli/gh-extension-precompile (GitHub CLI extension)
• golangci/golangci-lint-action (Go linting)

Analysis: While these actions are from unverified creators, they are:

• Widely used in the community
• Open source and auditable
• Pinned to specific commit SHAs in our workflows
• From reputable organizations (Astral for Python tooling, golangci for Go linting)

The risk is Low as we pin to specific commits and these are well-maintained projects.

3. Actionlint Linting Issues (108 findings)

shellcheck - SC2086: Unquoted Variables

• Count: 108 occurrences
• Severity: Info
• Issue: Variables without double quotes can cause word splitting and glob expansion

Most Common Patterns:

1. ${GITHUB_WORKSPACE}/scripts/ci/cleanup.sh - unquoted variable in path (52 occurrences)
2. Unquoted variables in Docker build scripts (MCP setup workflows)
3. Single quotes preventing variable expansion (SC2016)
4. Redirect inefficiencies (SC2129)

Affected Workflows (19 total):

• artifacts-summary, changeset, cli-version-checker
• copilot-pr-nlp-analysis, copilot-pr-prompt-analysis
• daily-firewall-report, daily-news, daily-repo-chronicle
• dev.firewall, firewall, mcp-inspector
• python-data-charts, research
• shared/mcp/arxiv, shared/mcp/context7, shared/mcp/opencode
• smoke-copilot, technical-doc-writer, weekly-issue-summary

Example Issues:

# Before (unquoted)
${GITHUB_WORKSPACE}/scripts/ci/cleanup.sh || true

# After (quoted)
"${GITHUB_WORKSPACE}"/scripts/ci/cleanup.sh || true

Detailed Fix Suggestion: Shellcheck SC2086

The most common issue (93% of all findings) is SC2086: unquoted shell variables. I've created a comprehensive fix template for this issue.

Fix Template for SC2086 (Click to expand)

Problem

Unquoted variables can lead to:

• Word splitting: Variables with spaces split into multiple arguments
• Glob expansion: Variables with *, ?, [] expand as patterns
• Unexpected behavior: Subtle bugs in production

Solution

Add double quotes around all variable expansions:

# ❌ Before - Unquoted
${GITHUB_WORKSPACE}/scripts/ci/cleanup.sh

# ✅ After - Quoted
"${GITHUB_WORKSPACE}"/scripts/ci/cleanup.sh

Automated Fix Script

#!/bin/bash
# Fix SC2086 by quoting GITHUB_WORKSPACE variable

WORKFLOWS=(
  artifacts-summary changeset cli-version-checker
  copilot-pr-nlp-analysis copilot-pr-prompt-analysis
  daily-firewall-report daily-news daily-repo-chronicle
  dev.firewall firewall mcp-inspector
  python-data-charts research smoke-copilot
  technical-doc-writer weekly-issue-summary
)

for workflow in "${WORKFLOWS[@]}"; do
  FILE=".github/workflows/${workflow}.md"
  if [ -f "$FILE" ]; then
    echo "Fixing $FILE..."
    sed -i 's|\${GITHUB_WORKSPACE}/|"${GITHUB_WORKSPACE}"/|g' "$FILE"
    echo "✓ Fixed $FILE"
  fi
done

# Also fix shared workflows
for file in .github/workflows/shared/**/*.md; do
  if [ -f "$file" ]; then
    echo "Fixing $file..."
    sed -i 's|\${GITHUB_WORKSPACE}/|"${GITHUB_WORKSPACE}"/|g' "$file"
    echo "✓ Fixed $file"
  fi
done

echo "Done! Recompile workflows with: gh aw compile --actionlint"

Testing Steps

1. Apply fixes to workflow markdown files
2. Recompile: gh aw compile --actionlint
3. Verify: docker run --rm -v "$(pwd):/workdir" -w /workdir rhysd/actionlint:latest .github/workflows/*.lock.yml
4. Test affected workflows in a feature branch

Reference

• Shellcheck SC2086: (redacted)
• Bash Quoting Guide: (redacted)
• Full fix template available in cache: /tmp/gh-aw/cache-memory/fix-templates/actionlint-shellcheck-sc2086.md

Recommendations

🟢 Low Priority (Information & Notes)

These findings don't represent security vulnerabilities but are code quality improvements:

1. Quote Shell Variables (108 occurrences)

   • Fix Type: Code quality improvement
   • Impact: Prevents potential bugs from word splitting
   • Effort: Low - mostly automated with sed script
   • Timeline: Next maintenance cycle

2. Review Unverified Actions (3 actions)

   • Fix Type: Due diligence
   • Impact: Validate we're using trusted community actions
   • Effort: Low - review and document decision
   • Timeline: Next security review cycle

3. Template Injection Awareness (2 occurrences)

   • Fix Type: Security awareness
   • Impact: Minimal - already using internal references safely
   • Effort: Low - document as reviewed and accepted
   • Timeline: Document in security review

✅ No Immediate Action Required

• Zero critical, high, or medium severity issues
• All findings are informational or low severity
• No active security vulnerabilities detected

Historical Context

This is the first automated static analysis scan tracked in the cache memory system. Future scans will include:

• Trend analysis (improving vs. regressing)
• New issues vs. resolved issues
• Security posture over time

Next Steps

1. Review this report and prioritize fixes
2. Consider running gh aw compile --actionlint after fixing shell quoting issues
3. Schedule quarterly static analysis reviews
4. Consider adding pre-commit hooks for actionlint

Cache Storage

All scan data has been stored in /tmp/gh-aw/cache-memory/security-scans/ for historical tracking and trend analysis:

• Scan Results: 2025-11-05.json
• Scan Index: index.json
• Fix Templates: /fix-templates/actionlint-shellcheck-sc2086.md

---

Scan Metadata:

• Date: 2025-11-05
• Tools: zizmor (v0.x), poutine (v0.x), actionlint (v1.x)
• Workflows Scanned: 72
• Total Findings: 116
• Execution Time: ~3 minutes

AI generated by Static Analysis Report

[pelikhan]

/plan

[github-actions[bot]]

✅ Agentic Plan Command completed successfully.

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 week ago.