🔍 Static Analysis Report - December 1, 2025

[github-actions[bot]]

🔍 Static Analysis Report - December 1, 2025

Comprehensive security and code quality analysis of all agentic workflows using zizmor, poutine, and actionlint static analysis tools.

Executive Summary

Analysis completed successfully on 87 compiled workflows out of 91 total workflows. The scan identified 27 total findings across security vulnerabilities and code quality issues, with 6 High-severity security findings requiring immediate attention.

Key Findings

• 6 High-severity security issues (zizmor)
• 1 Medium-severity security issue (zizmor)
• 13 code quality issues (actionlint)
• 2 workflow syntax errors (actionlint)
• 0 supply chain issues (poutine)

Most Critical Issues

1. Template Injection (High) - 2 workflows at high risk of code injection attacks
2. Cache Poisoning (High) - 2 instances in release workflow vulnerable to cache attacks
3. Unpinned Actions (High) - 1 workflow using unpinned action references
4. Excessive Permissions (High) - 1 workflow with overly broad permissions

Analysis Statistics

Metric	Value
Workflows Scanned	91
Workflows Compiled	87
Workflows with Issues	15
Total Findings	27
Tools Used	zizmor, poutine, actionlint

Findings by Severity

Severity	Count	Tool
High	6	zizmor
Medium	1	zizmor
Low	1	zizmor
Informational	3	zizmor
Info/Warning	16	actionlint

Findings by Tool

Tool	Total Findings	Critical/High	Medium	Low/Info
zizmor (security)	11	6	1	4
poutine (supply chain)	0	0	0	0
actionlint (linting)	16	0	0	16

Detailed Findings

Zizmor Security Findings

1. Template Injection (High Priority)

Count: 6 occurrences
Severity: High (2), Low (1), Informational (3)
Reference: (redacted)#template-injection

Code injection vulnerability via template expansion in GitHub Actions expressions.

Workflow	Severity	Line	Location
ci-doctor.lock.yml	High	1097	Setup Safe Outputs Collector MCP step
close-old-discussions.lock.yml	High	546	Environment variable setup
mcp-inspector.lock.yml	Low	1777	Setup MCPs step
changeset.lock.yml	Informational	6226	Configure Git credentials
release.lock.yml	Informational	459	Environment setup

Security Impact: Attackers could inject malicious code through issue titles, PR descriptions, or workflow inputs that gets executed with workflow permissions.

Fix Required: Move all ${{ github.event.* }} expressions to environment variables instead of direct interpolation in shell scripts.

---

2. Cache Poisoning (High Priority)

Count: 2 occurrences
Severity: High
Reference: (redacted)#cache-poisoning

Runtime artifacts potentially vulnerable to cache poisoning attacks.

Workflow	Occurrences	Location
release.lock.yml	2	Line 318 (workflow level)

Security Impact: Attackers could poison the build cache, leading to compromised build artifacts or supply chain attacks.

Fix Required: Implement cache key validation and restrict cache access scope.

---

3. Unpinned Actions (High Priority)

Count: 1 occurrence
Severity: High
Reference: (redacted)#unpinned-uses

Unpinned action reference allows potential supply chain attacks.

Workflow	Action	Line
release.lock.yml	cli/gh-extension-precompile@v2	5846

Security Impact: Using floating tags like @v2 instead of commit SHAs allows actions to be updated maliciously without detection.

Fix Required: Pin all actions to specific commit SHAs (e.g., @abc123def456...).

---

4. Credential Persistence (Medium Priority)

Count: 1 occurrence
Severity: Medium
Reference: (redacted)#artipacked

Workflow	Issue	Line
release.lock.yml	Artipacked - credential persistence through artifacts	5841

Security Impact: Credentials could be inadvertently stored in workflow artifacts, leading to exposure.

Fix Required: Ensure artifacts don't contain secrets or credentials.

---

5. Excessive Permissions (High Priority)

Count: 1 occurrence
Severity: High
Reference: (redacted)#excessive-permissions

Workflow	Permission	Line
test-firewall-escape.lock.yml	issues: write	265

Security Impact: Overly broad permissions increase attack surface if workflow is compromised.

Fix Required: Follow principle of least privilege - reduce to minimum required permissions.

Actionlint Code Quality Findings

1. Shellcheck SC2086 - Missing Quotes (Most Common)

Count: 13 occurrences
Issue: Double quote to prevent globbing and word splitting

Pattern: $PR_NUMBER used without quotes in gh api command

Affected Workflows:

• security-fix-pr.lock.yml (Line 5515)
• daily-doc-updater.lock.yml (Line 5587)
• go-pattern-detector.lock.yml (Line 4401)
• tidy.lock.yml (Line 6144)
• q.lock.yml (Line 7742)
• poem-bot.lock.yml (Line 10190)
• technical-doc-writer.lock.yml (Line 7356)
• github-mcp-tools-report.lock.yml (Line 6955)
• release.lock.yml (Lines 462, 5852 - multiple instances)

Common Code Pattern:

gh api --method POST /repos/${{ github.repository }}/pulls/$PR_NUMBER/requested_reviewers

Fix: Add quotes around variable:

gh api --method POST /repos/${{ github.repository }}/pulls/"$PR_NUMBER"/requested_reviewers

---

2. Syntax Check Error

Count: 1 occurrence
Workflow: cloclo.lock.yml (Line 370)

Error: Unexpected key "names" for "issues" section. Expected one of "branches", "branches-ignore", "paths", "paths-ignore", "tags", "tags-ignore", "types", "workflows"

Fix Required: Remove invalid "names" key from issues trigger configuration.

---

3. Expression Error

Count: 1 occurrence
Workflow: close-old-discussions.lock.yml (Line 547)

Error: Property "aw" is not defined in object type (github context)

Issue: Code references ${{ github.aw.inputs.count }} but aw is not a valid property of the github context.

Fix Required: Correct the expression to use valid GitHub context properties.

Poutine Supply Chain Findings

No supply chain security issues detected by poutine scanner.

All workflows appear to follow supply chain security best practices for the checks performed by poutine.

Top Priority Fixes

Priority 1: High Severity Security Issues (6 findings)

Immediate action required on these workflows:

1. release.lock.yml (4 High findings)

   • Cache poisoning vulnerability (2 instances)
   • Unpinned action reference
   • Template injection (Informational, but in critical workflow)

2. ci-doctor.lock.yml (1 High finding)

   • Template injection vulnerability

3. close-old-discussions.lock.yml (1 High finding)

   • Template injection vulnerability

4. test-firewall-escape.lock.yml (1 High finding)

   • Excessive permissions

Priority 2: Systematic Code Quality Issues

Shellcheck SC2086 affects 9 workflows with 13 total occurrences. This is a systematic issue that should be fixed across all workflows using a consistent pattern.

Recommended Approach: Create a PR that fixes all SC2086 issues by adding proper quoting to the common pattern in the PR reviewer request step.

Priority 3: Workflow Syntax Errors

Fix syntax errors in:

• cloclo.lock.yml (invalid "names" key)
• close-old-discussions.lock.yml (invalid github.aw.inputs reference)

Fix Suggestions

Template Injection Fix Guide

I've created a comprehensive fix guide for the most critical issue - template injection vulnerabilities.

Issue: Template injection via unsafe use of GitHub Actions expressions
Affected: 6 workflows (2 at High severity)
Tool: zizmor

Fix Strategy: Move all external/untrusted data to environment variables

Example Fix:

❌ Before (Vulnerable):

- name: Process issue
  run: |
    echo "Title: ${{ github.event.issue.title }}"

✅ After (Secure):

- name: Process issue
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: |
    echo "Title: $ISSUE_TITLE"

Why This Works: Environment variables prevent code injection because the value is treated as a literal string rather than being evaluated as code.

Detailed Fix Guide: See /tmp/gh-aw/cache-memory/fix-templates/zizmor-template-injection.md in workflow artifacts for complete instructions.

Workflows Without Issues

72 workflows compiled successfully with no findings:

These workflows passed all static analysis checks from zizmor, poutine, and actionlint. Examples include:

• static-analysis-report.lock.yml
• audit-workflows.lock.yml
• smoke-claude.lock.yml
• lockfile-stats.lock.yml
• And 68 more...

Recommendations

Immediate Actions

1. Critical Security Fixes:

   • Fix 6 High-severity security issues in 4 workflows
   • Priority: release.lock.yml, ci-doctor.lock.yml, close-old-discussions.lock.yml, test-firewall-escape.lock.yml

2. Systematic Code Quality:

   • Create single PR to fix all 13 SC2086 shellcheck issues
   • Fix 2 workflow syntax errors

Short-Term Actions

3. Pin All Actions:

   • Pin cli/gh-extension-precompile to specific commit SHA
   • Review all other workflows for unpinned actions

4. Permission Review:

   • Audit all workflow permissions
   • Apply principle of least privilege

Long-Term Actions

5. Automated Static Analysis:

   • Add zizmor, poutine, and actionlint to CI/CD pipeline
   • Run static analysis on all PRs modifying workflows
   • Block merges with High-severity findings

6. Security Guidelines:

   • Document secure workflow patterns
   • Create workflow templates with security best practices
   • Training on GitHub Actions security

7. Regular Audits:

   • Schedule monthly static analysis scans
   • Track trends over time
   • Measure security posture improvements

Historical Context

This is the first comprehensive static analysis scan using all three tools (zizmor, poutine, actionlint). Baseline established on 2025-12-01.

Baseline Metrics:

• 87 workflows compiled successfully
• 27 total findings
• 6 High-severity security issues
• 15 workflows with issues (17.2%)

Future scans will track:

• New vulnerabilities introduced
• Issues resolved
• Trends in security posture
• Most common vulnerability patterns

Next Steps

1. Review High-Priority Findings: Security team should review all High-severity findings
2. Create Fix PRs: Create separate PRs for:
   • Template injection fixes (critical)
   • Cache poisoning and action pinning (release workflow)
   • Systematic SC2086 fixes (code quality)
3. Update Workflow Templates: Incorporate security fixes into workflow templates
4. Enable CI Checks: Add static analysis tools to workflow CI pipeline
5. Schedule Next Scan: Run monthly to track improvements

Analysis Artifacts

Scan results and analysis artifacts stored in workflow cache:

• Full scan results: /tmp/gh-aw/cache-memory/security-scans/2025-12-01.json
• Vulnerability database: /tmp/gh-aw/cache-memory/vulnerabilities/by-tool.json
• Fix template: /tmp/gh-aw/cache-memory/fix-templates/zizmor-template-injection.md
• Scan index: /tmp/gh-aw/cache-memory/security-scans/index.json

---

Analysis completed: 2025-12-01
Tools: zizmor (security), poutine (supply chain), actionlint (linting)
Workflows scanned: 91 total, 87 compiled
Total findings: 27 (6 High, 1 Medium, 20 Low/Info)

AI generated by Static Analysis Report

[pelikhan]

/plan

[github-actions[bot]]

🎉 Yo ho ho! Plan Command found the treasure and completed successfully! ⚓💰

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 3 days ago.