
[static-analysis] Report - 2026-04-09 #25530

@github-actions

Analysis Summary

⚠️ Scan Status: Static analysis could not run today. The workflow's --runner-guard flag is not supported by the deployed gh-aw MCP version, and Docker is unavailable in the runner environment (required by zizmor, poutine, and actionlint). This is the 4th+ consecutive failure (2026-04-08 ×2, 2026-04-09 ×2). Data below is from the last successful scan on 2026-04-04.

  • Tools Used: zizmor, poutine, actionlint (runner-guard: not available)
  • Total Findings (2026-04-04 baseline): 9,956
  • Workflows Compiled (syntax-only today): 187 (all valid)
  • Workflows Fully Scanned (2026-04-04): 181
  • Scan Failures: 4+ consecutive days due to infrastructure issues

Findings by Tool (2026-04-04 baseline)

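| Tool | Total | Critical | High | Medium | Low | Info |
|---|---|---|---|---|---|---|
| zizmor (security) | 4,924 | | 1,117 | 3,703 | 22 | 82 |
| poutine (supply chain) | 65 | | | | | |
| actionlint (linting) | 4,967 | | | | | |
| runner-guard (taint analysis) | N/A | | | | | |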

Clustered Findings by Tool and Type

Zizmor Security Findings

| Issue Type | Severity | Count | Notes |
|---|---|---|---|
| secrets-outside-env | Medium | 3,703+ | Affects virtually all workflows |
| unpinned-uses | High | 2,182 | All 181 workflows via github/gh-aw-actions/setup@v0.65.6 |
| template-injection | High | ~214 | ~20 affected workflows (see list below) |
| obfuscation | Low | 44 | Base64-encoded data in steps |
| artipacked | Medium | 6 | Artifact poisoning risk |
| secrets-inherit | Medium | 2 | Secrets inherited by called workflows |
| github-env | High | 2 | Dangerous GITHUB_ENV usage in dev-hawk |

Workflows with template-injection findings
  • audit-workflows
  • auto-triage-issues
  • contribution-check
  • copilot-pr-nlp-analysis
  • copilot-session-insights
  • copilot-token-audit
  • daily-code-metrics
  • daily-copilot-token-report
  • daily-doc-updater
  • daily-firewall-report
  • daily-integrity-analysis
  • daily-issues-report
  • daily-multi-device-docs-tester
  • daily-news
  • daily-performance-summary
  • daily-repo-chronicle
  • deep-report
  • discussion-task-miner
  • docs-noob-tester
  • github-mcp-structural-analysis

Poutine Supply Chain Findings

| Issue Type | Severity | Count | Affected Workflows |
|---|---|---|---|
| untrusted_checkout_exec | Error | 34 | smoke-workflow-call, smoke-workflow-call-with-inputs (most with poutine:ignore) |
| default_permissions_on_risky_events | Warning | 14 | Various workflows |
| github_action_from_unverified_creator_used | Warning | 9 | Various workflows |
| unverified_script_exec | Warning | 4 | Various workflows |
| unpinnable_action | Warning | 2 | Various workflows |
| pr_runs_on_self_hosted | Warning | 2 | dev, smoke-copilot-arm |

Actionlint Linting Issues

| Issue Type | Count | Description |
|---|---|---|
| SC2086 (shellcheck) | 4,680 | Missing quotes around ${RUNNER_TEMP}/... variables |
| SC2129 (shellcheck) | 176 | Inefficient individual output redirects |
| permissions | 85 | Unknown copilot-requests permission scope |
| runner-label | 12 | Unrecognized runner labels |
| expression | 13 | Expression evaluation issues |

Runner-Guard Taint Analysis

Runner-guard is not yet available in the deployed environment. No findings to report.


Top Priority Issues

1. Template Injection — High Severity

  • Tool: zizmor
  • Count: ~214 findings across 20 workflows
  • Severity: High
  • Description: User-controlled data (e.g., PR titles, issue bodies, branch names) flows directly into run: step shell commands via ${{ github.event.pull_request.title }} syntax. An attacker can inject arbitrary shell commands by crafting a malicious PR title or issue body.
  • Impact: Remote code execution on the GitHub Actions runner; potential secret exfiltration
  • Reference: (docs.zizmor.sh/redacted)

2. Unpinned Actions — High Severity (All Workflows)

  • Tool: zizmor
  • Count: 2,182 findings — all 181 workflows affected
  • Severity: High
  • Root cause: github/gh-aw-actions/setup@v0.65.6 uses a mutable tag instead of SHA pin
  • Impact: Supply chain attack — a compromised or replaced tag can inject malicious code into every workflow run
  • Reference: (docs.zizmor.sh/redacted)

3. Secrets Outside Environment — Medium Severity (Pervasive)

  • Tool: zizmor
  • Count: 3,703+ findings (affects virtually all workflows)
  • Severity: Medium
  • Description: Secrets like ${{ secrets.GITHUB_TOKEN }} referenced directly in step run: blocks instead of dedicated env: variables
  • Impact: Secrets may appear in debug logs, error messages, or be passed to subshells unexpectedly
  • Reference: (docs.zizmor.sh/redacted)

Fix Suggestion for Template Injection

Issue: Expression injection via GitHub Actions template expansion
Severity: High
Affected Workflows: ~20 workflows

Prompt to Copilot Agent:

You are fixing a security vulnerability identified by zizmor in GitHub Actions workflows.

**Vulnerability**: Template/Expression Injection
**Rule**: template-injection — (docs.zizmor.sh/redacted)

**Current Issue**:
Workflow `run:` steps directly interpolate GitHub context values (e.g., PR title, issue body,
branch name, actor) into shell commands using `${{ }}` syntax. This allows an attacker to
craft a PR title or issue body containing shell metacharacters or commands that execute on
the runner.

Example of vulnerable pattern:
```yaml
- name: Process PR
  run: |
    echo "Processing: ${{ github.event.pull_request.title }}"
    gh issue comment ${{ github.event.issue.number }} --body "${{ github.event.issue.title }}"
```

**Required Fix**:
Move untrusted context values into environment variables and reference them via `$ENV_VAR`
instead of `${{ context.value }}` directly in shell commands.

Step 1 — Add an `env:` block to the affected step:
```yaml
- name: Process PR
  env:
    PR_TITLE: ${{ github.event.pull_request.title }}
    ISSUE_NUMBER: ${{ github.event.issue.number }}
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: |
    echo "Processing: $PR_TITLE"
    gh issue comment "$ISSUE_NUMBER" --body "$ISSUE_TITLE"
```

Step 2 — For each affected step, identify all `${{ github.event.* }}`, `${{ github.actor }}`,
`${{ github.head_ref }}`, etc. usages inside `run:` blocks and move them to `env:`.

Step 3 — Verify: after the fix, no `${{ ... }}` expressions should appear inside `run:` blocks
(except for non-user-controlled values like `${{ github.sha }}` or `${{ runner.os }}`).

Please apply this fix to all affected workflows:
- audit-workflows.md
- auto-triage-issues.md
- contribution-check.md
- copilot-pr-nlp-analysis.md
- copilot-session-insights.md
- copilot-token-audit.md
- daily-code-metrics.md
- daily-copilot-token-report.md
- daily-doc-updater.md
- daily-firewall-report.md
- daily-integrity-analysis.md
- daily-issues-report.md
- daily-multi-device-docs-tester.md
- daily-news.md
- daily-performance-summary.md
- daily-repo-chronicle.md
- deep-report.md
- discussion-task-miner.md
- docs-noob-tester.md
- github-mcp-structural-analysis.md

Historical Trends

Date Total Findings Zizmor Poutine Actionlint Workflows Status
2026-03-29 7,383 3,455 6 3,928 178
2026-03-30 8,520 3,953 6 4,561 178
2026-03-31 8,562 3,977 19 4,566 178
2026-04-01 8,601 3,992 19 4,590 179
2026-04-02 8,600 3,762 19 4,819 179
2026-04-03 9,757 4,789 39 4,929 183
2026-04-04 9,956 4,924 65 4,967 181
2026-04-08 0 ❌ compile failed
2026-04-09 0 ❌ compile failed

Trend (Mar 29 → Apr 4): +35% total findings over 6 days (+2,573 findings)

Key observations:

  • poutine findings grew 10× (6 → 65) as new workflows were added triggering supply chain checks
  • unpinned-uses spiked from 5 → 2,182 between Apr 2–4 when github/gh-aw-actions/setup@v0.65.6 was introduced
  • template-injection High findings stable at ~24 across ~20 workflows — persistent unresolved issue
  • SC2086 (missing quotes) dominates actionlint with 4,680 of 4,967 findings

Infrastructure Issue: The --runner-guard flag is not recognized by the deployed gh-aw MCP server, causing 4+ consecutive scan failures since Apr 8. Docker is also unavailable on this runner. Both issues must be resolved to resume fresh daily scans.


Recommendations

  1. Immediate — Unblock the scanner: Fix --runner-guard flag support in the workflow or ensure Docker is available so zizmor/poutine/actionlint can run. Without working scans, the trend data is stale.
  2. High — Fix template injection: Apply the fix prompt above to the 20 affected workflows to prevent RCE via crafted PR titles/issue bodies.
  3. High — Pin github/gh-aw-actions/setup: Replace @v0.65.6 with a SHA-pinned reference to prevent supply chain attacks across all 181 workflows.
  4. Medium — Move secrets to env vars: Audit all workflows to move ${{ secrets.* }} out of run: blocks into env: sections.
  5. Low — Fix SC2086: Add quotes around ${RUNNER_TEMP}/... and other variable references (4,680 occurrences).

Next Steps

  • Investigate and fix --runner-guard flag issue (ensure PR #25281, "Add --runner-guard to compile; wire into static-analysis-report workflow", is merged, or remove the flag from the workflow)
  • Ensure Docker is available on the static analysis runner
  • Apply template injection fix to 20 affected workflows
  • Pin github/gh-aw-actions/setup to a SHA
  • Address poutine untrusted_checkout_exec findings in smoke workflows

Generated by Static Analysis Report

  • expires on Apr 16, 2026, 8:54 PM UTC
