[static-analysis] Report - 2026-04-08

[github-actions]

Analysis Summary

⚠️ Compilation Failed Today: The pre-compile step failed with ✗ unknown flag: --runner-guard. This flag was introduced by PR #25281 but is not yet available in the deployed gh-aw CLI version. Docker was also unavailable in this environment. This report is based on the last successful scan (2026-04-04) plus all available historical trend data.

• Tools Used: zizmor, poutine, actionlint (runner-guard: not yet deployed)
• Total Findings (last scan 2026-04-04): 9,956
• Workflows Scanned: 181
• Workflows Affected: 181 (all)
• Scan Date: 2026-04-04 (run §23986109480)

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info
zizmor (security)	4,924	—	1,117	3,703	22	82
poutine (supply chain)	65	—	—	—	—	—
actionlint (linting)	4,967	—	—	—	—	—
runner-guard (taint analysis)	N/A	N/A	N/A	N/A	N/A	N/A

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type	Severity	Count	Description
secrets-outside-env	Medium	~3,700	Secrets used directly in steps instead of env vars
unpinned-uses	High	2,182	Action refs not pinned to SHA (all workflows via setup action)
template-injection	High	214	Expression injection in run: steps
obfuscation	Low	44	Base64-encoded data in workflow steps
artipacked	Medium	6	Artifact poisoning risk via upload-artifact
github-env	High	2	Dangerous use of GITHUB_ENV file
secrets-inherit	Medium	2	Secrets inherited by called workflows

Poutine Supply Chain Findings

Issue Type	Severity	Count	Description
untrusted_checkout_exec	Error	34	Exec from untrusted code changes
default_permissions_on_risky_events	Warning	14	Risky events with default permissions
github_action_from_unverified_creator_used	Warning	9	Actions from unverified creators
unverified_script_exec	Warning	4	Unverified script execution
unpinnable_action	Warning	2	Actions that cannot be pinned
pr_runs_on_self_hosted	Warning	2	PRs running on self-hosted runners

Actionlint Linting Issues

Issue Type	Count	Description
shellcheck SC2086	4,680	Unquoted variables — globbing/word splitting risk
shellcheck SC2129	176	Multiple redirects should use { } grouping
permissions	85	Unknown copilot-requests permission scope
runner-label	12	Invalid runner label references
expression	13	Undefined properties in step outputs

Runner-Guard Taint Analysis Findings

Status: Not available — --runner-guard flag was introduced in PR #25281 but is not yet recognized by the deployed gh-aw CLI version (✗ unknown flag: --runner-guard). No runner-guard data to report; no issues created.

Top Priority Issues

1. Unpinned Action References (affects ALL workflows)

• Tool: zizmor
• Count: 2,182 findings across all 181 workflows
• Severity: High
• Root Cause: All workflows use github/gh-aw-actions/setup@v0.65.6 (semver tag, not SHA)
• Impact: Mutable tag can be silently redirected to malicious code — supply chain attack surface
• Reference: (docs.zizmor.sh/redacted)

2. Template Injection in Run Steps

• Tool: zizmor
• Count: 214 findings (24 High, rest informational) across ~47 workflows
• Severity: High
• Affected: audit-workflows, auto-triage-issues, contribution-check, copilot-pr-nlp-analysis, copilot-session-insights, daily-issues-report, deep-report, and 40+ others
• Impact: Attacker can inject shell commands via crafted issue/PR/comment payloads
• Reference: (docs.zizmor.sh/redacted)

3. Secrets Outside Env (~3,700 findings)

• Tool: zizmor
• Count: ~3,700 across all workflows
• Severity: Medium
• Impact: Secrets appear in shell command lines, may be logged or exposed
• Reference: (docs.zizmor.sh/redacted)

4. SC2086 — Unquoted Shell Variables (4,680 findings)

• Tool: actionlint (shellcheck)
• Count: 4,680 — most common single finding
• Root Cause: Compiler generates bash ${RUNNER_TEMP}/... without quoting — a compiler-level fix is needed, not per-workflow
• Reference: (www.shellcheck.net/redacted)

Fix Suggestion for Template Injection (Highest-Impact Security Issue)

Issue: GitHub Actions template expressions used directly in run: steps
Severity: High
Affected Workflows: ~47 workflows with 214 total findings

Prompt to Copilot Agent:

You are fixing a High-severity security vulnerability (template-injection) identified by zizmor in GitHub Actions workflows in the `github/gh-aw` repository.

**Vulnerability**: template-injection — Expression Injection via `${{ }}` in `run:` steps  
**Rule**: `template-injection` — (docs.zizmor.sh/redacted)  
**Severity**: High

### What's Wrong

GitHub Actions allows `${{ expression }}` syntax inside `run:` scripts. When user-controlled values
(e.g. `github.event.issue.title`, `github.event.comment.body`, `github.head_ref`) are interpolated
directly into shell scripts, an attacker can inject arbitrary shell commands by crafting a malicious
issue title, comment, or branch name.

### Required Fix

Replace every direct `${{ ... }}` expression inside a `run:` block with an environment variable.
Pass the value through `env:` and reference it as a normal shell variable.

**Before (vulnerable)**:
```yaml
- name: Process issue
  run: |
    echo "Title: ${{ github.event.issue.title }}"
    gh issue comment ${{ github.event.issue.number }} --body "done"
```

**After (safe)**:
```yaml
- name: Process issue
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
    ISSUE_NUMBER: ${{ github.event.issue.number }}
  run: |
    echo "Title: ${ISSUE_TITLE}"
    gh issue comment "${ISSUE_NUMBER}" --body "done"
```

### Affected Workflows to Fix

Audit the following compiled lock files for template-injection findings (run zizmor on each):
audit-workflows, auto-triage-issues, contribution-check, copilot-pr-nlp-analysis,
copilot-session-insights, copilot-token-audit, daily-code-metrics, daily-copilot-token-report,
daily-doc-updater, daily-firewall-report, daily-integrity-analysis, daily-issues-report,
daily-multi-device-docs-tester, daily-news, daily-performance-summary, daily-repo-chronicle,
deep-report, discussion-task-miner, docs-noob-tester, github-mcp-structural-analysis,
and ~27 additional workflows flagged by zizmor.

Focus on the **source `.md` workflow files** (not the compiled `.lock.yml` files).
Fix the template expressions in the markdown workflows and recompile.

View Detailed Findings by Type

Zizmor secrets-outside-env — Medium (~3,700 findings)

All workflows reference secrets like ${{ secrets.GITHUB_TOKEN }} directly in run: steps. These should be passed through env: to avoid potential log exposure.

Zizmor unpinned-uses — High (2,182 findings)

The root cause is github/gh-aw-actions/setup@v0.65.6 used in all workflows. Fix: resolve the tag to its commit SHA and pin with a comment, e.g.:

uses: github/gh-aw-actions/setup@<SHA>  # v0.65.6

Poutine untrusted_checkout_exec — Error (34 findings)

Workflows smoke-workflow-call and smoke-workflow-call-with-inputs execute code from untrusted checkout paths. Historical context: most instances have poutine:ignore annotations as false positives.

Poutine default_permissions_on_risky_events — Warning (14 findings)

14 workflows triggered on risky events (e.g. pull_request_target) without explicit minimal permissions.

Actionlint SC2086 — Info (4,680 findings)

The gh-aw compiler generates bash ${RUNNER_TEMP}/... without quoting. This is a compiler-level issue — fix in the compiler's action templates, not individual workflow files.

Historical Trends

Date	Total	Zizmor	Poutine	Actionlint	Workflows
2026-03-29	7,383	3,455	6	3,928	178
2026-03-30	8,520	3,953	6	4,561	178
2026-03-31	8,562	3,977	19	4,566	178
2026-04-01	8,601	3,992	19	4,590	179
2026-04-02	8,600	3,762	19	4,819	179
2026-04-03	9,757	4,789	39	4,929	183
2026-04-04	9,956	4,924	65	4,967	181
2026-04-08	⚠️ Failed	—	—	—	—

Trend observations:

• Total findings increased +34.8% from 2026-03-29 to 2026-04-04 (7,383 → 9,956), primarily driven by new workflows being added
• unpinned-uses jumped from 5 to 1,047+ on 2026-04-03 — a new version of github/gh-aw-actions/setup was introduced using a tag
• Poutine findings grew from 6 to 65, reflecting expanded supply chain checks
• Template injection (High) has been stable at 24 High-severity findings across ~47 workflows — a persistent, unresolved issue

New Issues Since Last Week

• default_permissions_on_risky_events (poutine): 14 new findings
• github_action_from_unverified_creator_used (poutine): 9 new findings
• Significant growth in unpinned-uses (5 → 2,182) due to new setup action version

Infrastructure Note (Today)

Today's scan could not be completed because:

1. The --runner-guard flag added by PR Add --runner-guard to compile; wire into static-analysis-report workflow #25281 is not yet recognized by the deployed gh-aw CLI
2. Docker is unavailable in this runner environment, blocking zizmor/poutine/actionlint

Recommendations

1. Immediate: Fix the --runner-guard deploy issue — merge the CLI update so the flag is available in the runner environment
2. High priority: Address the 24 High-severity template-injection findings across ~47 workflows
3. High priority: Pin github/gh-aw-actions/setup to a commit SHA instead of @v0.65.6
4. Medium: Resolve default_permissions_on_risky_events in the 14 affected workflows
5. Long-term: Fix SC2086 at the compiler level (quote ${RUNNER_TEMP} in generated lock files)

Next Steps

• Fix --runner-guard CLI deployment so tomorrow's scan can run fully
• Apply template-injection fix using the Copilot Agent prompt above
• Pin github/gh-aw-actions/setup@v0.65.6 to its commit SHA
• Add explicit minimal permissions to the 14 risky-event workflows
• Fix SC2086 quoting at the compiler template level

References:

• §23986109480 — Last successful scan (2026-04-04)
• §24140699076 — This run (compile failed)
• PR #25281 — Add --runner-guard to compile

Generated by Static Analysis Report · ● 176.4K · ◷

• expires on Apr 15, 2026, 2:33 PM UTC