🔍 Static Analysis Report - November 4, 2025

[github-actions[bot]]

🔍 Static Analysis Report - November 4, 2025

Executive Summary

Comprehensive static analysis scan completed on 68 workflows using three industry-standard security and code quality tools: zizmor, poutine, and actionlint. The analysis identified 36 findings across security vulnerabilities and code quality issues, including 1 High-severity security vulnerability that requires immediate attention.

Key Findings:

• 1 High-severity security issue: Dangerous workflow trigger in smoke-detector
• 3 Medium-severity issues: Excessive permissions in test workflow
• 8 Low-severity security issues: Template injection vulnerabilities
• 24 Code quality issues: Shell scripting best practices violations

Analysis Summary

Tools Used

• zizmor v0.8.2 - GitHub Actions security scanner
• poutine v0.18.0 - Supply chain security analyzer
• actionlint v1.7.4 - GitHub Actions workflow linter

Scan Results

Tool	Total	Critical	High	Medium	Low	Info/Warning
zizmor	12	0	1	3	8	-
poutine	0	0	0	0	0	-
actionlint	24	-	-	-	-	24
Total	36	0	1	3	8	24

Workflows Scanned: 68
Workflows with Findings: 11
Compilation Success Rate: 100%

---

Findings by Tool and Type

🔴 Zizmor Security Findings

High Severity Issues

Issue Type	Severity	Count	Affected Workflows
dangerous-triggers	High	1	smoke-detector.lock.yml

Description: Use of fundamentally insecure workflow_run trigger
Reference: (redacted)#dangerous-triggers

Security Impact: The workflow_run trigger allows untrusted code from pull requests to execute with elevated permissions in the context of the base branch. This can lead to:

• Secret extraction
• Repository compromise
• Malicious code injection
• CI/CD pipeline tampering

Medium Severity Issues

Issue Type	Severity	Count	Affected Workflows
excessive-permissions	Medium	3	test-claude-oauth-workflow.lock.yml (2 occurrences in workflow + job level)

Description: Overly broad permissions (permissions: read-all)
Reference: (redacted)#excessive-permissions

Security Impact: Granting excessive permissions violates the principle of least privilege and increases attack surface.

Low Severity Issues

Issue Type	Severity	Count	Affected Workflows
template-injection	Low	8	duplicate-code-detector.lock.yml (4)(br)mcp-inspector.lock.yml (1)(br)smoke-codex.lock.yml (4)

Description: Code injection via template expansion
Reference: (redacted)#template-injection

Locations: All occurrences in "Setup MCPs" step

---

🟡 Actionlint Code Quality Findings

Shellcheck Issues

Rule	Description	Severity	Count	Workflows Affected
SC2086	Double quote to prevent globbing and word splitting	info	15	9 workflows
SC2162	read without -r will mangle backslashes	info	2	2 workflows
SC2012	Use find instead of ls for non-alphanumeric filenames	info	1	1 workflow
SC2010	Don't use ls | grep, use glob or for loop	warning	1	1 workflow
SC2016	Expressions don't expand in single quotes	info	2	1 workflow

Workflows with Shell Issues:

• copilot-session-insights.lock.yml (9 issues)
• daily-perf-improver.lock.yml (2 issues)
• daily-test-improver.lock.yml (2 issues)
• duplicate-code-detector.lock.yml (2 issues)
• prompt-clustering-analysis.lock.yml (4 issues)
• smoke-codex.lock.yml (2 issues)
• smoke-opencode.lock.yml (4 issues)
• test-post-steps.lock.yml (1 issue)
• video-analyzer.lock.yml (1 issue)

---

🟢 Poutine Supply Chain Findings

No supply chain security issues detected ✓

Poutine analyzed all workflows for supply chain vulnerabilities and found no concerning patterns related to:

• Dependency confusion attacks
• Unpinned action references (already handled by compilation)
• Suspicious external dependencies
• Artifact poisoning risks

---

Top Priority Issues

🚨 #1: Dangerous Workflow Trigger (HIGH)

Issue: workflow_run trigger in smoke-detector
Severity: High
Affected: smoke-detector.lock.yml
Security Risk: Critical - allows untrusted code execution with elevated permissions

Current Implementation:

on:
  workflow_run:
    branches:
      - copilot/*
    types:
      - completed
    workflows:
      - Smoke Claude
      - Smoke Codex
      - Smoke Copilot

Recommended Fix: Replace with workflow_call pattern or repository dispatch. See detailed fix guide below.

---

⚠️ #2: Excessive Permissions (MEDIUM)

Issue: Broad permissions: read-all in test-claude-oauth-workflow
Severity: Medium
Affected: test-claude-oauth-workflow.lock.yml
Security Risk: Medium - violates least privilege principle

Recommended Fix: Replace with explicit minimal permissions:

permissions:
  contents: read
  issues: write
  pull-requests: write

---

ℹ️ #3: Template Injection (LOW)

Issue: Template expansion in "Setup MCPs" step
Severity: Low
Count: 8 occurrences across 3 workflows
Affected: duplicate-code-detector, mcp-inspector, smoke-codex

Recommended Fix: Validate template inputs and use intermediate variables:

- name: Setup MCPs
  env:
    VALIDATED_INPUT: ${{ inputs.value }}
  run: |
    # Use $VALIDATED_INPUT instead of direct template expansion

---

🐚 #4: Shell Quoting Issues (INFO)

Issue: Unquoted variables in shell scripts (SC2086)
Count: 15 occurrences across 9 workflows
Risk: Low - potential issues with spaces in paths

Recommended Fix: Add double quotes around variables:

# Before
echo $GITHUB_OUTPUT

# After  
echo "$GITHUB_OUTPUT"

---

Detailed Fix Guide for High Priority Issue

Fix Template: Dangerous Triggers (workflow_run)

Vulnerability Details

The workflow_run trigger is fundamentally insecure because it runs in the context of the base branch with full repository permissions, even when triggered by code from forks or untrusted branches.

Security Impact

Risk Level: HIGH

An attacker could:

• Extract repository secrets
• Modify repository contents
• Create malicious releases
• Compromise CI/CD pipelines
• Access sensitive workflow artifacts

Recommended Solution

Option 1: Use workflow_call (Recommended)

# .github/workflows/smoke-detector.yml
on:
  workflow_call:
    inputs:
      workflow_name:
        required: true
        type: string
      run_id:
        required: true
        type: string
      conclusion:
        required: true
        type: string

jobs:
  investigate:
    runs-on: ubuntu-latest
    permissions:
      contents: read      # Minimal permissions
      issues: write
    steps:
      - uses: actions/checkout@v4
      
      - name: Investigate failure
        if: inputs.conclusion == 'failure'
        env:
          RUN_ID: ${{ inputs.run_id }}
          WORKFLOW_NAME: ${{ inputs.workflow_name }}
        run: |
          # Investigation logic here - safe from untrusted input
          gh run view "$RUN_ID" --log-failed

Update smoke test workflows to call the detector:

# In smoke-claude.yml, smoke-codex.yml, etc.
jobs:
  smoke-test:
    # ... existing test steps ...
    
  investigate-on-failure:
    needs: smoke-test
    if: failure()
    uses: ./.github/workflows/smoke-detector.yml
    with:
      workflow_name: ${{ github.workflow }}
      run_id: ${{ github.run_id }}
      conclusion: failure
    permissions:
      contents: read
      issues: write

Option 2: Use repository_dispatch

on:
  repository_dispatch:
    types: [smoke-test-failed]

jobs:
  investigate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/checkout@v4
      
      - name: Investigate
        env:
          RUN_ID: ${{ github.event.client_payload.run_id }}
          WORKFLOW: ${{ github.event.client_payload.workflow }}
        run: |
          # Safe investigation with validated inputs
          gh run view "$RUN_ID"

Trigger from smoke tests:

- name: Notify detector on failure
  if: failure()
  uses: peter-evans/repository-dispatch@v2
  with:
    event-type: smoke-test-failed
    client-payload: |
      {
        "run_id": "${{ github.run_id }}",
        "workflow": "${{ github.workflow }}"
      }

Testing the Fix

1. Create a test PR from a fork
2. Verify workflow runs with read-only permissions
3. Confirm secrets are not exposed
4. Validate workflow achieves intended purpose

References

• GitHub Security Hardening Guide
• Zizmor dangerous-triggers audit
• Preventing pwn requests

---

Compilation Warnings (Non-Security)

Network Firewalling Not Supported

Count: 6 workflows
Impact: Low - informational only

Claude engine does not support network firewalling. Affected workflows specify network.allowed restrictions that may not be enforced:

• audit-workflows
• blog-auditor
• commit-changes-analyzer
• copilot-session-insights
• craft
• daily-doc-updater
• instructions-janitor
• prompt-clustering-analysis
• unbloat-docs

Missing Permissions Declarations

Count: 3 workflows
Impact: Low - permissions should be added for clarity

• example-permissions-warning.md
• python-data-charts.md
• test-secret-masking.md

---

Recommendations

Immediate Actions (High Priority)

1. Fix dangerous-triggers in smoke-detector (HIGH)

   • Replace workflow_run with workflow_call pattern
   • Update all smoke test workflows to use new pattern
   • Test thoroughly before deploying

2. Reduce excessive permissions (MEDIUM)

   • Replace permissions: read-all with explicit minimal permissions
   • Apply principle of least privilege

Short-term Actions (Medium Priority)

3. Address template injection issues (LOW)

   • Review all "Setup MCPs" steps
   • Add input validation
   • Use intermediate environment variables

4. Fix shell quoting issues (INFO)

   • Add double quotes around variable references
   • Use read -r for reading input
   • Replace ls | grep with proper glob patterns

Long-term Improvements

5. Establish automated static analysis

   • Add pre-commit hooks with zizmor, actionlint
   • Run static analysis in CI/CD pipeline
   • Block merges with High/Critical findings

6. Create secure workflow templates

   • Document secure patterns for common use cases
   • Provide examples of workflow_call usage
   • Include security checklist for new workflows

7. Security training and awareness

   • Share this report with the team
   • Document lessons learned
   • Update workflow creation guidelines

---

Historical Context

This is the first comprehensive static analysis scan using all three tools (zizmor, poutine, actionlint). Future scans will include trend analysis and regression tracking.

Baseline Established: November 4, 2025

• Total findings: 36
• High severity: 1
• Medium severity: 3
• Low severity: 8
• Code quality: 24

---

Next Steps

• Review and prioritize findings with security team
• Create GitHub issue for dangerous-triggers fix
• Implement workflow_call pattern for smoke-detector
• Add explicit permissions to test workflows
• Schedule follow-up scan after fixes (1 week)
• Update workflow security documentation

---

Scan Metadata

Scan Date: November 4, 2025
Scan Duration: ~3 minutes
Tools Used:

• zizmor v0.8.2
• poutine v0.18.0
• actionlint v1.7.4

Repository: githubnext/gh-aw
Workflows Analyzed: 68
Analysis Method: Automated compilation with static analysis flags

Cache Location: /tmp/gh-aw/cache-memory/security-scans/2025-11-04.json

---

Report Generated by: Static Analysis Report Agent (Claude)
Workflow Run: §19063271353

AI generated by Static Analysis Report

[pelikhan]

/plan

[github-actions[bot]]

✅ Agentic Plan Command completed successfully.

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 week ago.