Static Analysis Report - 2026-03-23

[github-actions[bot]]

Analysis Summary

Daily static analysis scan completed for 177 workflows using zizmor, poutine, and actionlint. All workflows compiled successfully (0 errors, 21 warnings).

Notable change today: zizmor template-injection findings spiked from 3 → 49 (+46), now affecting 23 workflows — the most significant new finding compared to yesterday's baseline.

Metric	Today	Yesterday	Delta
Workflows scanned	177	177	—
Compiler warnings	21	21	0
Actionlint issues	3,927	3,904	+23
Zizmor findings	3,894	3,848	+46
Poutine findings	19	19	0

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Informational
zizmor (security)	3,894	0	10	3,815	20	49
poutine (supply chain)	19	0	0	0	1	10
actionlint (linting)	3,927	—	—	—	—	—

---

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type	Severity	Count	Change	Affected Workflows
secrets-outside-env	Medium	3,813	0	All 177
template-injection	Informational	49	+46	23 workflows
obfuscation	Low	20	0	Multiple
github-env	High	8	0	ci-doctor, dev-hawk
unpinned-uses	High	2	0	daily-cli-performance, issue-monster
secrets-inherit	Medium	1	0	1 workflow
artipacked	Medium	1	0	1 workflow

Poutine Supply Chain Findings

Issue Type	Severity	Count	Status
untrusted_checkout_exec	Error	6	⚠️ Day 9 unresolved
github_action_from_unverified_creator_used	Note	8	Stable
unverified_script_exec	Note	2	Stable
unpinnable_action	Note	2	Stable
pr_runs_on_self_hosted	Warning	1	Stable

Actionlint Linting Issues

Issue Type	Count	Change
shellcheck (SC2086 double-quoting)	3,885	+23
permissions	41	0
expression	1	0

---

Top Priority Issues

1. Poutine: untrusted_checkout_exec — Day 9 Unresolved ⚠️

• Tool: poutine
• Severity: Error (highest poutine severity)
• Count: 6 findings
• Affected: smoke-workflow-call, smoke-workflow-call-with-inputs
• Description: Workflows triggered by untrusted PRs execute bash commands using runner-temp scripts. Poutine flags this as Arbitrary Code Execution from Untrusted Code Changes.
• Impact: An attacker with PR access could potentially influence the runner environment during PR-triggered workflow execution.
• Unresolved since: 2026-03-14 (9 days)
• Reference: (boostsecurityio.github.io/redacted)

2. Zizmor: template-injection Spike (+46 new findings) 🆕

• Tool: zizmor
• Severity: Informational
• Count: 49 findings across 23 workflows (was 3 yesterday)
• Affected workflows: contribution-check, daily-issues-report, discussion-task-miner, grumpy-reviewer, issue-arborist, issue-monster, issue-triage-agent, org-health-report, plan, pr-triage-agent, q, refiner, scout, smoke-agent-all-merged, smoke-agent-all-none, smoke-agent-public-approved, smoke-agent-public-none, smoke-agent-scoped-approved, stale-repo-identifier, weekly-blog-post-writer, weekly-issue-summary, weekly-safe-outputs-spec-review, workflow-generator
• Description: GitHub Actions expressions ($\{\{ ... }}) used directly in run: scripts without intermediate env variables, enabling potential code injection if untrusted data reaches the expression.
• Reference: (docs.zizmor.sh/redacted)

3. Zizmor: github-env (High) — Persistent ⚠️

• Tool: zizmor
• Severity: High
• Count: 8 findings
• Affected: ci-doctor, dev-hawk
• Description: Dangerous use of GITHUB_ENV or GITHUB_OUTPUT environment files with potentially user-controlled content. Writing attacker-controlled values to these files can lead to environment variable injection or step output poisoning.
• Reference: (docs.zizmor.sh/redacted)

---

Fix Suggestion: template-injection

Issue: Code injection via template expansion
Severity: Informational
Affected Workflows: 23 workflows (49 findings)

Prompt to Copilot Agent:

You are fixing a security vulnerability identified by zizmor in GitHub Actions workflows.

**Vulnerability**: template-injection — code injection via template expansion
**Rule**: template-injection — (docs.zizmor.sh/redacted)
**Severity**: Informational

**Current Issue**:
GitHub Actions `$\{\{ ... }}` expressions used directly in `run:` shell scripts can allow
code injection if the expression evaluates to attacker-controlled content (e.g., issue titles,
PR body text, user names). Example of vulnerable pattern:

```yaml
- name: Process issue
  run: |
    echo "Processing $\{\{ github.event.issue.title }}"
    gh issue comment $\{\{ github.event.issue.number }} --body "Done"
```

**Required Fix**:
Move all `$\{\{ ... }}` expressions from `run:` scripts into the `env:` block, then reference
them as environment variables in the shell script. This prevents the expression value from
being interpreted as shell code.

**Example**:

Before (vulnerable):
```yaml
- name: Process issue
  run: |
    echo "Processing $\{\{ github.event.issue.title }}"
    gh issue comment $\{\{ github.event.issue.number }} --body "Done"
```

After (fixed):
```yaml
- name: Process issue
  env:
    ISSUE_TITLE: $\{\{ github.event.issue.title }}
    ISSUE_NUMBER: $\{\{ github.event.issue.number }}
  run: |
    echo "Processing $ISSUE_TITLE"
    gh issue comment "$ISSUE_NUMBER" --body "Done"
```

**Instructions**:
1. Search each affected workflow's `.md` source file for `run:` blocks containing `$\{\{ ... }}` expressions
2. For each such expression, create a matching `env:` entry with a descriptive variable name
3. Replace the `$\{\{ ... }}` expression in the shell script with the `$ENV_VAR_NAME` reference
4. Ensure all shell variable references are double-quoted to prevent word splitting
5. Test that the workflow logic is unchanged

Please apply this fix to all 23 affected workflows:
contribution-check, daily-issues-report, discussion-task-miner, grumpy-reviewer,
issue-arborist, issue-monster, issue-triage-agent, org-health-report, plan,
pr-triage-agent, q, refiner, scout, smoke-agent-all-merged, smoke-agent-all-none,
smoke-agent-public-approved, smoke-agent-public-none, smoke-agent-scoped-approved,
stale-repo-identifier, weekly-blog-post-writer, weekly-issue-summary,
weekly-safe-outputs-spec-review, workflow-generator

---

All Findings Details

Zizmor High Severity Findings

ci-doctor — github-env (High)

• Findings: Lines 324 and 1224 in ci-doctor.lock.yml
• Description: Dangerous use of GitHub environment file
• Reference: (docs.zizmor.sh/redacted)

dev-hawk — github-env (High)

• Findings: Lines 308 and 1160 in dev-hawk.lock.yml
• Description: Dangerous use of GitHub environment file
• Reference: (docs.zizmor.sh/redacted)

daily-cli-performance — unpinned-uses (High)

• Finding: Line 1254 in daily-cli-performance.lock.yml
• Description: Unpinned action reference (should use SHA pinning)
• Reference: (docs.zizmor.sh/redacted)

issue-monster — unpinned-uses (High)

• Finding: Line 1431 in issue-monster.lock.yml
• Description: Unpinned action reference
• Reference: (docs.zizmor.sh/redacted)

Poutine Findings Detail

smoke-workflow-call & smoke-workflow-call-with-inputs — untrusted_checkout_exec (Error)

• Count: 3 findings each (6 total)
• Lines: 172, 277, 281 (smoke-workflow-call-with-inputs); 175, 277, 281 (smoke-workflow-call)
• Description: Bash scripts run during workflows triggered by untrusted PR events
• Day unresolved: 9
• Reference: (boostsecurityio.github.io/redacted)

copilot-setup-steps & daily-copilot-token-report — unverified_script_exec (Note)

• Description: curl ... | bash pattern fetching from raw.githubusercontent.com
• Recommendation: Pin the script to a specific commit SHA

smoke-copilot-arm — pr_runs_on_self_hosted (Warning)

• Description: PR workflow job runs on self-hosted ARM runner (ubuntu-24.04-arm)
• Risk: Self-hosted runners can be compromised by malicious PRs

Compiler Warnings Summary

Warning Type	Count
Missing vulnerability-alerts: read permission (uses dependabot toolset)	7
Schedule uses fixed time (suggest fuzzy schedule)	7
Experimental rate-limit feature	3
push-to-pull-request-branch target warnings	2
Copilot engine doesn't support web-search tool	2
Experimental dependencies (APM) feature	1
Discussion category normalized to lowercase	1
Total	21

---

Historical Trends

Date	Actionlint	Zizmor	Poutine	Notable
2026-03-09	41	3,545	9	First zizmor mass scan (secrets-outside-env)
2026-03-14	43	3,746	12	+8 workflows
2026-03-15	43	3,744	18	NEW CRITICAL: poutine untrusted_checkout_exec
2026-03-19	3,871	3,839	18	CRITICAL REGRESSION: untrusted_checkout_exec re-emerged
2026-03-21	3,884	3,816	19	NEW: unpinned-uses in daily-cli-performance
2026-03-22	3,904	3,848	19	Stable baseline
2026-03-23	3,927	3,894	19	SPIKE: template-injection +46

Persistent unresolved issue: poutine untrusted_checkout_exec in smoke-workflow-call variants — unresolved for 9 consecutive days.

---

Recommendations

1. Immediate: Investigate and fix poutine untrusted_checkout_exec in smoke-workflow-call and smoke-workflow-call-with-inputs (day 9 unresolved — highest severity poutine finding).
2. Short-term: Apply the template-injection fix prompt above to the 23 affected workflows using a Copilot agent.
3. Short-term: Fix github-env (High) issues in ci-doctor and dev-hawk.
4. Short-term: Pin the two unpinned action references in daily-cli-performance and issue-monster.
5. Long-term: Add vulnerability-alerts: read permission to the 7 workflows using the dependabot toolset.
6. Long-term: Consider fuzzy schedules for 7 workflows with fixed-time cron schedules.

Next Steps

• Fix poutine untrusted_checkout_exec in smoke-workflow-call variants (critical, day 9)
• Apply template-injection env-variable fix to 23 affected workflows
• Fix github-env High findings in ci-doctor and dev-hawk
• Pin unpinned actions in daily-cli-performance and issue-monster
• Add missing vulnerability-alerts: read permissions to 7 workflows

References:

• §23424788603
• [zizmor audits documentation]((docs.zizmor.sh/redacted)
• [poutine rules]((boostsecurityio.github.io/redacted)

AI generated by Static Analysis Report · history

• expires on Mar 24, 2026, 6:47 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-24T06:47:16.945Z.

Closed by Workflow