🔍 Static Analysis Report - November 28, 2025

[github-actions[bot]]

Analysis Summary

Daily static analysis scan of all agentic workflows using zizmor (security), poutine (supply chain), and actionlint (linting).

• Tools Used: zizmor, poutine, actionlint, shellcheck
• Total Workflows Scanned: 94
• Workflows with Findings: 14
• Compilation Success Rate: 100%

Findings Overview

Tool	Total	Critical	High	Medium	Low	Info
zizmor (security)	12	0	6	1	1	2
actionlint (linting)	1	-	-	-	-	1
shellcheck (code quality)	11	-	-	-	-	11

🚨 High Priority Security Issues

1. Template Injection (High Severity) - 2 workflows

Affected Workflows: ci-doctor.md, close-old-discussions.md
Severity: High
Impact: Code injection via template expansion could allow attackers to extract secrets or modify workflow behavior

Zizmor detected template injection vulnerabilities where GitHub Actions template expressions could be exploited if they process untrusted input (issue titles, PR descriptions, etc.).

Reference: (redacted)#template-injection

2. Cache Poisoning (High Severity) - 1 workflow

Affected Workflow: release.md (2 occurrences)
Severity: High
Impact: Runtime artifacts potentially vulnerable to cache poisoning attack

The release workflow uses caching in a way that could be exploited to poison the cache and affect subsequent workflow runs.

Reference: (redacted)#cache-poisoning

3. Unpinned Action (High Severity) - 1 workflow

Affected Workflow: release.md
Severity: High
Impact: Using unpinned action reference cli/gh-extension-precompile@v2

The workflow uses a mutable tag reference instead of a pinned SHA, which could be exploited if the action is compromised.

Reference: (redacted)#unpinned-uses

4. Excessive Permissions (High Severity) - 1 workflow

Affected Workflow: test-firewall-escape.md
Severity: High
Impact: Workflow has overly broad issues: write permission

The workflow grants write access to issues which may not be necessary for its operation, violating the principle of least privilege.

Reference: (redacted)#excessive-permissions

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type	Severity	Count	Affected Workflows
template-injection	High	2	ci-doctor.md, close-old-discussions.md
cache-poisoning	High	2	release.md (same workflow)
unpinned-uses	High	1	release.md
excessive-permissions	High	1	test-firewall-escape.md
artipacked	Medium	1	release.md
template-injection	Low	1	mcp-inspector.md
template-injection	Informational	2	changeset.md, release.md

Actionlint Linting Issues

Issue Type	Count	Affected Workflows
syntax-check	1	cloclo.md

Details: Unexpected key "names" for "issues" section in workflow trigger configuration.

ShellCheck Code Quality Issues

Issue Type	Severity	Count	Affected Workflows
SC2086	info	11	daily-doc-updater.md, github-mcp-tools-report.md, go-pattern-detector.md, q.md, release.md, security-fix-pr.md, technical-doc-writer.md, tidy.md

Details: Variables used without double quotes. While low severity, this violates shell scripting best practices and could cause issues with values containing spaces or special characters.

Priority Workflow: release.md

The release.md workflow has the most security findings:

• 2x High: cache-poisoning
• 1x High: unpinned-uses
• 1x Medium: artipacked
• 1x Informational: template-injection
• Multiple shellcheck warnings

This workflow handles sensitive release operations and should be prioritized for security fixes.

Fix Recommendations

Immediate Actions (High Severity)

1. Fix template injection in ci-doctor.md and close-old-discussions.md

   • Move untrusted input to environment variables
   • Use toJSON() for complex data structures
   • Avoid template expressions in step names with untrusted input

2. Pin action in release.md

   • Replace cli/gh-extension-precompile@v2 with SHA-pinned version
   • Note: This action couldn't be pinned automatically during compilation

3. Review cache usage in release.md

   • Analyze cache poisoning risks
   • Implement cache validation if needed
   • Consider workflow_run event security implications

4. Reduce permissions in test-firewall-escape.md

   • Review if issues: write permission is actually needed
   • Apply principle of least privilege

Short-term Actions (Medium/Low)

5. Fix artipacked issue in release.md

   • Review artifact uploads for credential leakage
   • Ensure no secrets are persisted in artifacts

6. Fix syntax error in cloclo.md

   • Remove invalid "names" key from issues trigger
   • Follow proper workflow trigger syntax

7. Add quotes to shell variables

   • Apply shellcheck SC2086 fixes across 8 workflows
   • Quote all variable references: "$VAR" instead of $VAR

Long-term Improvements

8. Establish security scanning in CI/CD

   • Add pre-commit hooks for static analysis
   • Run zizmor/poutine/actionlint on all PRs
   • Block merges with High severity findings

9. Update workflow templates

   • Create secure workflow templates
   • Include security best practices by default
   • Document common pitfalls

10. Security training

    • Educate team on GitHub Actions security
    • Review zizmor documentation
    • Establish secure coding standards

Detailed Findings by Workflow

Workflows with Security Findings

changeset.md

• Informational: template-injection at line 6430
  • Severity: Informational
  • Reference: (redacted)#template-injection

ci-doctor.md

• High: template-injection at line 1082
  • Severity: High
  • Description: Code injection via template expansion
  • Reference: (redacted)#template-injection

cloclo.md

• Error: syntax-check at line 377
  • Description: Unexpected key "names" for "issues" section
  • Expected keys: branches, branches-ignore, paths, paths-ignore, tags, tags-ignore, types, workflows

close-old-discussions.md

• High: template-injection at line 543
  • Severity: High
  • Description: Code injection via template expansion
  • Reference: (redacted)#template-injection

daily-doc-updater.md

• Info: shellcheck SC2086 at line 5220
  • Description: Double quote to prevent globbing and word splitting
  • Line: run: |

github-mcp-tools-report.md

• Info: shellcheck SC2086 at line 6237
  • Description: Double quote to prevent globbing and word splitting

go-pattern-detector.md

• Info: shellcheck SC2086 at line 3959
  • Description: Double quote to prevent globbing and word splitting

mcp-inspector.md

• Low: template-injection at line 1367
  • Severity: Low
  • Description: Code injection via template expansion
  • Reference: (redacted)#template-injection

q.md

• Info: shellcheck SC2086 at line 7384
  • Description: Double quote to prevent globbing and word splitting

release.md

• High: unpinned-uses at line 5483

  • Severity: High
  • Description: Unpinned action reference
  • Action: cli/gh-extension-precompile@v2
  • Reference: (redacted)#unpinned-uses

• High: cache-poisoning at line 318 (2 occurrences)

  • Severity: High
  • Description: Runtime artifacts potentially vulnerable to a cache poisoning attack
  • Reference: (redacted)#cache-poisoning

• Medium: artipacked at line 5478

  • Severity: Medium
  • Description: Credential persistence through GitHub Actions artifacts
  • Reference: (redacted)#artipacked

• Informational: template-injection at line 459

  • Severity: Informational
  • Reference: (redacted)#template-injection

• Multiple shellcheck SC2086 warnings at lines: 462 (multiple), 5489

  • Description: Double quote to prevent globbing and word splitting

security-fix-pr.md

• Info: shellcheck SC2086 at line 5146
  • Description: Double quote to prevent globbing and word splitting

technical-doc-writer.md

• Info: shellcheck SC2086 at line 6911
  • Description: Double quote to prevent globbing and word splitting

test-firewall-escape.md

• High: excessive-permissions at line 265
  • Severity: High
  • Description: Overly broad permissions
  • Permission: issues: write
  • Reference: (redacted)#excessive-permissions

tidy.md

• Info: shellcheck SC2086 at line 5796
  • Description: Double quote to prevent globbing and word splitting

Fix Template: ShellCheck SC2086

The most common issue is shellcheck SC2086 (unquoted variables), affecting 8 workflows with 11 total occurrences.

Quick Fix Example

Before:

env:
  PR_NUMBER: ${{ steps.create_pull_request.outputs.pull_request_number }}
run: |
  gh api --method POST /repos/${{ github.repository }}/pulls/$PR_NUMBER/requested_reviewers \
    -f 'reviewers[]=copilot-pull-request-reviewer[bot]'

After:

env:
  PR_NUMBER: ${{ steps.create_pull_request.outputs.pull_request_number }}
run: |
  gh api --method POST /repos/${{ github.repository }}/pulls/"$PR_NUMBER"/requested_reviewers \
    -f 'reviewers[]=copilot-pull-request-reviewer[bot]'

Why: Quoting variables prevents word splitting and glob expansion, following shell scripting best practices.

Automated Fix: This can be fixed with a simple search/replace:

• $PR_NUMBER → "$PR_NUMBER"
• $RELEASE_TAG → "$RELEASE_TAG"
• Review all $VAR references in shell scripts

Full fix documentation: /tmp/gh-aw/cache-memory/fix-templates/shellcheck-sc2086.md

Fix Template: Template Injection (High Severity)

For the 2 High severity template injection issues in ci-doctor.md and close-old-discussions.md:

Mitigation Strategy

Use environment variables as a security boundary - GitHub Actions treats environment variables as literal strings, preventing template injection.

Before (Vulnerable):

- name: Process ${{ github.event.issue.title }}
  run: |
    echo "Processing: ${{ github.event.issue.title }}"

After (Secure):

- name: Process issue
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: |
    echo "Processing: $ISSUE_TITLE"

Key Principles

1. Never use untrusted input directly in template expressions
2. Always pass untrusted input through environment variables
3. Use toJSON() for complex objects
4. Avoid template expressions in step names when using untrusted input

Full fix documentation: /tmp/gh-aw/cache-memory/fix-templates/zizmor-template-injection.md

Scan Metadata

• Date: 2025-11-28
• Duration: ~2 minutes
• Workflows Scanned: 94/94 (100%)
• Tools: zizmor, poutine, actionlint (via gh-aw MCP)
• Cache: Results stored in /tmp/gh-aw/cache-memory/security-scans/2025-11-28.json

Next Steps

1. Review and prioritize High severity findings
2. Create fix PRs for security issues
3. Update workflow templates with security best practices
4. Schedule follow-up scan after fixes
5. Consider adding static analysis to PR checks

Historical Context

This is a baseline scan. Future scans will include:

• Trend analysis (improvement/regression tracking)
• Comparison with previous scans
• New vs. recurring issues
• Fix effectiveness metrics

---

Generated: 2025-11-28
Agent: static-analysis-report (claude)
Workflow Run: §19758992611

AI generated by Static Analysis Report

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 3 days ago.