You are fixing a security vulnerability identified by runner-guard (RGS-008).
**Vulnerability**: Secret Directly Interpolated in run Block
**Rule**: RGS-008 — https://github.com/Vigilant-LLC/runner-guard
**Current Issue**:
In many workflows, secrets are interpolated directly into `run:` blocks using
`${{ secrets.SOME_SECRET }}` syntax. This embeds the secret as plain text in the
shell script source before execution, exposing it to:
- Error messages and debug output
- Shell history, the script file the runner writes to disk, and the /proc filesystem
- Log masking bypass via side channels
- Amplified impact of any expression injection vulnerability
**Required Fix**:
Move all `${{ secrets.* }}` expressions from inside `run:` blocks to the `env:`
mapping of that step, and reference them in the script as environment variables (`$NAME`). This keeps the literal out of the script source and out of the expression-injection blast radius; note that a command such as `curl -H "... $NAME"` still places the value in that child process's argument list, so pass it through a file or stdin where the tool supports it.
**Example**:
Before (insecure):
```yaml
- name: Call API
  run: |
    curl -H "Authorization: Bearer ${{ secrets.API_TOKEN }}" (api.example.com/redacted)
```
<details>
<summary>View All Findings Details</summary>
#### Zizmor — github-env (High)
- `dev-hawk.lock.yml:1402`: A step derives `GH_HOST` from `GITHUB_SERVER_URL` and writes it to `$GITHUB_ENV`. The `GITHUB_SERVER_URL` is controlled by GitHub infrastructure but in GHES environments could be manipulated. Step has a comment indicating intentional GHES support behavior. [Carried over from 2026-04-24]
#### Zizmor — secrets-inherit (Medium)
- `smoke-call-workflow.lock.yml:945`: Calls `.github/workflows/smoke-workflow-call.lock.yml` with `secrets: inherit`, propagating all secrets to the called workflow. Consider using explicit secret passing instead.
#### Zizmor — template-injection (Informational, 85 instances)
Affecting 29 workflows: `ai-moderator`, `auto-triage-issues`, `contribution-check`, `daily-doc-updater`, `daily-issues-report`, `daily-token-consumption-report`, `discussion-task-miner`, `grumpy-reviewer`, `issue-arborist`, `issue-monster`, `issue-triage-agent`, `org-health-report`, `plan`, `pr-triage-agent`, `q`, `refiner`, `scout`, `smoke-agent-all-merged`, `smoke-agent-all-none`, `smoke-agent-public-approved`, `smoke-agent-public-none`, `smoke-agent-scoped-approved`, `smoke-copilot`, `smoke-service-ports`, `stale-repo-identifier`, `weekly-blog-post-writer`, `weekly-issue-summary`, `weekly-safe-outputs-spec-review`, `workflow-generator`
#### Zizmor — obfuscation (Low, 23 instances)
All 23 relate to the `GH_AW_WIKI_NOTE: ${{ '' }}` pattern, an intentional empty-string placeholder used for wiki note configuration. Not a real security concern; the pattern is by design.
#### Actionlint — Unknown Permission Scopes (103 errors)
`copilot-requests: write` appears in 51+ workflows. This is a GitHub-internal/preview permission scope not yet in actionlint's schema. Also `vulnerability-alerts: read` in `dependabot-go-checker`. These are false positives from actionlint's outdated schema.
#### Actionlint — Undefined Expression Properties (11 errors)
- `ace-editor`: `needs.activation.outputs.activated`
- `smoke-claude`: `needs.activation.outputs.artifact_prefix` (×2)
- `smoke-workflow-call`, `smoke-workflow-call-with-inputs`: `job.workflow_repository`, `job.workflow_sha`, `job.workflow_ref`, `job.workflow_file_path` — GitHub-internal `job` context properties
#### Poutine — Unverified Actions (9 notes)
- `astral-sh/setup-uv@08807647...` / `@eac588ad...` in `mcp-inspector`, `copilot-token-audit`, `agentic-optimization-kit`, `copilot-setup-steps`
- `gaurav-nelson/github-action-markdown-link-check@5c5dfc0...` in `link-check.yml`
- `super-linter/super-linter@9e863354e3ff...` in `super-linter`
- `actions-ecosystem/action-add-labels@c96b68fe...` in `smoke-codex`
#### Poutine — Unverified Script Execution (6 notes)
`curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash` in `copilot-setup-steps.yml`, `copilot-token-optimizer`, `copilot-token-audit`, `agentic-optimization-kit` — downloading and executing unverified scripts from the main branch without SHA pinning.
#### Runner-Guard — RGS-004 (High, 1,394 instances, 16 workflows)
Primarily `unbloat-docs.lock.yml` (majority of instances). Workflows triggered by `issue_comment` / `pull_request_review_comment` without verifying `author_association`. Tracked in #28156.
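The check RGS-004 is asking for, written out as an added example (not runner-guard or gh-aw code): decide from the webhook payload whether the commenter is allowed to trigger a privileged job. The two payloads are constructed to mirror the shape of GitHub's `issue_comment` event; the field names are real, the values are invented. The second function exists only to show the usual mistake of testing the issue author instead of the commenter.

```python
"""RGS-004 gate: trust the *commenter's* author_association, not the issue author's."""
import json

# Associations that reflect repository membership. CONTRIBUTOR is left out on
# purpose: anyone with a single merged PR carries it, so it is no boundary.
TRUSTED_ASSOCIATIONS = frozenset({"OWNER", "MEMBER", "COLLABORATOR"})


def comment_author_trusted(event: dict) -> bool:
    """True only when the commenter is OWNER/MEMBER/COLLABORATOR.

    Both issue_comment and pull_request_review_comment payloads carry
    comment.author_association, so the same gate serves both triggers.
    """
    comment = event.get("comment") or {}
    return comment.get("author_association") in TRUSTED_ASSOCIATIONS


def issue_author_trusted(event: dict) -> bool:
    """The common mistake: issue.author_association describes who opened the
    issue or PR, so a maintainer's issue would let any commenter through."""
    issue = event.get("issue") or {}
    return issue.get("author_association") in TRUSTED_ASSOCIATIONS


# Constructed payload: a maintainer opened the issue, an unknown account comments.
DRIVE_BY_COMMENT = json.loads("""{
  "action": "created",
  "issue": {"number": 1, "author_association": "OWNER", "user": {"login": "maintainer"}},
  "comment": {"body": "/deploy", "author_association": "NONE", "user": {"login": "stranger"}}
}""")

# Constructed payload: a collaborator comments on a first-time contributor's PR.
COLLABORATOR_COMMENT = json.loads("""{
  "action": "created",
  "issue": {"number": 2, "author_association": "FIRST_TIME_CONTRIBUTOR", "pull_request": {}},
  "comment": {"body": "/deploy", "author_association": "COLLABORATOR", "user": {"login": "reviewer"}}
}""")

if __name__ == "__main__":
    for label, event in (("drive-by", DRIVE_BY_COMMENT), ("collaborator", COLLABORATOR_COMMENT)):
        print(label, "commenter trusted:", comment_author_trusted(event),
              "issue author trusted:", issue_author_trusted(event))
```

In the workflow itself the same gate is a job-level condition, for example `if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`; put it on the job (not a later step) so no checkout or secret-bearing step runs before the decision.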
#### Runner-Guard — RGS-008 (High, 86 instances, 84 workflows)
Widespread across: `agentic-observability-kit`, `agentic-optimization-kit`, `api-consumption-report`, `audit-workflows`, `blog-auditor`, `claude-code-user-docs-review`, `copilot-agent-analysis`, `copilot-pr-merged-report`, `copilot-pr-nlp-analysis`, `copilot-pr-prompt-analysis`, `copilot-session-insights`, `copilot-token-audit`, `daily-*` (many), `smoke-*` (many), and others. Tracked in #28155.
#### Runner-Guard — RGS-018 (High, 40 instances, 35 workflows)
Affected: `agentic-optimization-kit`, `api-consumption-report`, `audit-workflows`, `changeset`, `ci-coach`, `cli-version-checker`, `cloclo`, `copilot-*`, `daily-*`, `deep-report`, `delight`, `discussion-task-miner`, `go-logger`, `issue-arborist`, `org-health-report`, `prompt-clustering-analysis`, `safe-output-health`, `scout`, `smoke-*`, `stale-repo-identifier`. Tracked in #28154.
#### Runner-Guard — RGS-005 (Medium, 46 instances)
Primarily `unbloat-docs.lock.yml` and `tidy.lock.yml` — write permissions on comment-triggered workflows without sufficient isolation.
#### Runner-Guard — RGS-006 (High, 2 instances)
- `copilot-token-audit.lock.yml:472`: `curl -fsSL .../install-gh-aw.sh | bash`
- `agentic-optimization-kit.lock.yml:474`: same pattern — downloading and executing remote scripts without integrity verification
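What the Poutine and RGS-006 findings above both want in place of `curl -fsSL .../refs/heads/main/install-gh-aw.sh | bash`: fetch from a commit-pinned URL and refuse to execute anything whose digest does not match the one recorded when the pin was chosen. The block below is an added example, not gh-aw's installer or runner-guard's fix; the script bytes and their digest are constructed inline so it runs offline, and `is_pinned_raw_url` only recognises the `raw.githubusercontent.com` layout.

```python
"""Pinned, digest-checked replacement for `curl <url> | bash`."""
import hashlib
import hmac
import os
import re
import stat
import subprocess
import tempfile

# raw.githubusercontent.com/<owner>/<repo>/<40-hex commit>/<path> is immutable;
# refs/heads/<branch>, which the flagged workflows use, changes whenever the branch moves.
_PINNED_RAW_URL = re.compile(r"^https://raw\.githubusercontent\.com/[^/]+/[^/]+/[0-9a-f]{40}/.+$")


def is_pinned_raw_url(url: str) -> bool:
    """True only if the URL names a full commit SHA rather than a branch or tag."""
    return _PINNED_RAW_URL.match(url) is not None


def stage_verified_script(script: bytes, expected_sha256: str) -> str:
    """Check the digest first, then write the script to a private temp file and return its path.

    Nothing touches disk unless the bytes match, so a tampered download or a
    moved branch never becomes an executable file on the runner.
    """
    actual = hashlib.sha256(script).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError(f"sha256 mismatch: got {actual}, pinned {expected_sha256}")
    fd, path = tempfile.mkstemp(prefix="verified-", suffix=".sh")
    with os.fdopen(fd, "wb") as fh:
        fh.write(script)
    os.chmod(path, stat.S_IRUSR | stat.S_IXUSR)  # owner read/execute only
    return path


def run_verified_script(script: bytes, expected_sha256: str) -> int:
    """Stage, execute with sh, remove the file; returns the exit status."""
    path = stage_verified_script(script, expected_sha256)
    try:
        return subprocess.run(["sh", path], check=False, capture_output=True).returncode
    finally:
        os.unlink(path)


# Constructed stand-in for the installer. A real pin records the digest of the
# exact bytes served at the commit-pinned URL and stores it as a literal.
SAMPLE_SCRIPT = b'#!/bin/sh\necho "installer placeholder (constructed)"\n'
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_SCRIPT).hexdigest()

if __name__ == "__main__":
    branch_url = "https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh"
    print("branch URL pinned?", is_pinned_raw_url(branch_url))
    print("exit status:", run_verified_script(SAMPLE_SCRIPT, EXPECTED_SHA256))
```

In a workflow step the bytes would come from `curl -fsSL -o installer.sh <commit-pinned URL>` and the pinned digest from a literal in the step; the point is that the branch pin and the digest are independent controls, and either one alone still leaves a window (a branch can move, and a digest without a pinned URL tells you only that something changed, not what).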
#### Runner-Guard — RGS-012 (High, 1 instance) — NEW ISSUE
- `docs-noob-tester.lock.yml:445`: the "Wait for server readiness" step runs `curl` against a `localhost:4321` URL (path redacted) in a job context with secrets access. The localhost target limits direct risk, but the pattern becomes dangerous if the URL is ever influenced by external input. Tracked in #28488.
</details>
### Historical Trends
| Metric | 2026-04-23 | 2026-04-24 | 2026-04-25 | Δ (today) |
|--------|-----------|-----------|-----------|-----------|
| Workflows Scanned | 200 | 201 | 202 | +1 |
| Total Findings | 1,785 | ~1,817 | ~1,818 | +1 |
| Runner-guard Total | ~1,522 | 1,569 | 1,569 | 0 |
| Actionlint Issues | 114 | 116 | 115 | -1 |
| Zizmor Total | 110 | 110 | 110 | 0 |
| Poutine Total | 24 | 24 | 24 | 0 |
**Trend**: Findings are stable (+1 net: +1 workflow, -1 actionlint). The single RGS-012 finding shifted from `daily-fact` (yesterday, tracked in #28328) to `docs-noob-tester` (today, new issue). All runner-guard High counts are unchanged from yesterday.
#### New Issues
- RGS-012 in `docs-noob-tester` — localhost curl in secrets-accessible job (new tracking issue created)
#### Resolved Issues
- RGS-012 in `daily-fact` appears to no longer flag (was #28328 yesterday) — verify if fixed or rotated
### Recommendations
1. **Immediate**: Verify `daily-fact` RGS-012 fix (#28328) — confirm the daily-fact finding was intentionally resolved
2. **Immediate**: Investigate `docs-noob-tester` RGS-012 — confirm `localhost:4321` cannot be influenced by user input (#28488)
3. **Ongoing**: Apply RGS-008 fix pattern (move secrets to `env:` block) across 84 affected workflows (#28155)
4. **Ongoing**: Continue work on RGS-004 (#28156) and RGS-018 (#28154)
5. **Short-term**: Fix RGS-006 in `copilot-token-audit` and `agentic-optimization-kit` — pin script hash instead of `curl | bash`
6. **Short-term**: Review `dev-hawk` github-env High zizmor finding — consider alternative to writing `GH_HOST` to `$GITHUB_ENV`
### Next Steps
- [ ] Confirm `daily-fact` RGS-012 resolved (#28328) — check if it needs to be closed
- [ ] Review `docs-noob-tester` RGS-012 (#28488) — assess localhost curl isolation
- [ ] Continue RGS-008 remediation (#28155) — 86 instances across 84 workflows
- [ ] Continue RGS-004 remediation (#28156) — 1,394 instances across 16 workflows
- [ ] Fix RGS-006 `curl|bash` pattern in `copilot-token-audit` and `agentic-optimization-kit`
**References:**
- [§24939030960](https://github.com/github/gh-aw/actions/runs/24939030960)
- Previous report: #28329 (2026-04-24)
> Generated by [Static Analysis Report](https://github.com/github/gh-aw/actions/runs/24939030960/agentic_workflow) · ● 510.1K · [◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw+is%3Aissue+%22gh-aw-workflow-call-id%3A+github%2Fgh-aw%2Fstatic-analysis-report%22&type=issues)
> - [x] expires <!-- gh-aw-expires: 2026-05-02T19:49:53.136Z --> on May 2, 2026, 7:49 PM UTC
<!-- gh-aw-agentic-workflow: Static Analysis Report, engine: claude, model: auto, id: 24939030960, workflow_id: static-analysis-report, run: https://github.com/github/gh-aw/actions/runs/24939030960 -->
<!-- gh-aw-workflow-id: static-analysis-report -->
<!-- gh-aw-workflow-call-id: github/gh-aw/static-analysis-report -->
### Analysis Summary
Static analysis scan completed on 2026-04-25 using four tools against all 202 agentic workflow files in this repository. All 202 workflows compiled successfully (0 errors, 8 warnings).
### Findings by Tool
#### Runner-Guard Taint Analysis
Issues created for Critical/High findings (avoiding duplicates from #28154, #28155, #28156, #28328):
- `docs-noob-tester` (RGS-012; the finding shifted from `daily-fact`)
### Clustered Findings by Tool
#### Actionlint Linting Issues
- `copilot-requests`: unknown permission scope
Change: shellcheck dropped from 2 to 1. The `copilot-requests: write` permission scope remains unrecognized by actionlint; this is a GitHub-internal/preview permission scope not yet in actionlint's schema.
#### Zizmor Security Findings
- obfuscation (Low): the `${{ '' }}` placeholder pattern
- github-env (High): `dev-hawk`
- secrets-inherit (Medium): `smoke-call-workflow`
No changes from yesterday. The `dev-hawk` github-env High finding (deriving `GH_HOST` from `GITHUB_SERVER_URL` and writing it to `$GITHUB_ENV`) continues to warrant review.
#### Poutine Supply Chain Findings
Unchanged. The `smoke-workflow-call` and `smoke-workflow-call-with-inputs` workflows continue to have `untrusted_checkout_exec` errors despite `# poutine:ignore` comments (these appear to be partially-suppressed findings).
### Top Priority Issues
1. RGS-004: Comment-Triggered Workflow Without Author Authorization Check (tracked: #28156). Affected: `unbloat-docs`, `ace-editor`, `ai-moderator`, `tidy`, `plan`, `q`, `scout`, `brave`, `cloclo`, `dev-hawk`, `grumpy-reviewer`, `pdf-summary`, `pr-nitpick-reviewer`, `security-review`, `archie`, `mergefest`
2. RGS-008: Secret Directly Interpolated in run Block (tracked: #28155). Affected include: `agentic-observability-kit`, `smoke-codex`, `daily-issues-report`, `daily-secrets-analysis`, `sergo`, `daily-safe-output-optimizer`
3. RGS-012: Secret Exfiltration via Outbound HTTP Request (new: #28488). `docs-noob-tester.lock.yml:445`: `curl localhost:4321` in a job with secrets access; low direct risk but a dangerous pattern
### Fix Suggestion for RGS-008 (Most Actionable)
**Issue**: Secrets Directly Interpolated in `run:` Blocks
**Severity**: High
**Affected Workflows**: 84 workflows (86 instances)
**Prompt to Copilot Agent** (the prompt body appears above, beginning "You are fixing a security vulnerability identified by runner-guard (RGS-008)"; it continues here):
After (secure): the same step with `API_TOKEN` declared in the step's `env:` mapping from `${{ secrets.API_TOKEN }}` and referenced in the script as `$API_TOKEN`.
Steps:
1. Find all `${{ secrets.* }}` patterns inside `run:` blocks.
2. Move each into the step's `env:` block with a suitable name.
3. Replace `${{ secrets.NAME }}` in the run script with `$NAME`.
4. Apply the same treatment to `${{ github.token }}` and `${{ env.GITHUB_TOKEN }}` used inside run blocks.
Please apply this fix to all affected workflows in `.github/workflows/`. Primary files to check: `agentic-observability-kit.md`, `smoke-codex.md`, `daily-issues-report.md`, `daily-secrets-analysis.md`, `sergo.md`, `daily-safe-output-optimizer.md`, and ~78 others flagged by runner-guard RGS-008.
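The four steps of the RGS-008 prompt, carried out in code as an added example (not runner-guard's detector or gh-aw's own tooling): one function reports which secrets a step interpolates into `run:`, the other rewrites the step so each expression is hoisted into `env:` and referenced as a shell variable. It works on an already-parsed step dict (the shape a YAML loader yields) so it runs offline; `SAMPLE_STEP` is constructed from the page's "Before" shape plus two more patterns the prompt names, with a placeholder URL. The quoting heuristic is an assumption about typical scripts: an expansion that is not already inside a double-quoted string is wrapped in quotes so a secret containing spaces or glob characters is not word-split.

```python
"""RGS-008: find `${{ secrets.* }}` in a step's run: script and hoist it into env:."""
import re

_IDENT = r"([A-Za-z_][A-Za-z0-9_]*)"
SECRETS_EXPR = re.compile(r"\$\{\{\s*secrets\." + _IDENT + r"\s*\}\}")
GITHUB_TOKEN_EXPR = re.compile(r"\$\{\{\s*github\.token\s*\}\}")
ENV_EXPR = re.compile(r"\$\{\{\s*env\." + _IDENT + r"\s*\}\}")


def find_run_secrets(step):
    """Detection half: names of secrets (plus 'github.token') interpolated into run:."""
    run = step.get("run")
    if not isinstance(run, str):
        return []
    names = SECRETS_EXPR.findall(run)
    if GITHUB_TOKEN_EXPR.search(run):
        names.append("github.token")
    return names


def _inside_double_quotes(text, pos):
    """Heuristic: an odd count of unescaped '"' earlier on the same line means
    the expression sits inside a double-quoted shell string."""
    line_start = text.rfind("\n", 0, pos) + 1
    return len(re.findall(r'(?<!\\)"', text[line_start:pos])) % 2 == 1


def _shell_ref(text, pos, name):
    # Quote the expansion unless it is already inside "...".
    return f"${name}" if _inside_double_quotes(text, pos) else f'"${name}"'


def hoist_secrets(step):
    """Fix half: return a copy of the step with secret expressions moved into env:."""
    run = step.get("run")
    if not isinstance(run, str):
        return dict(step)
    env = dict(step.get("env") or {})

    def hoist(m):  # ${{ secrets.NAME }} -> env NAME: ${{ secrets.NAME }}, script $NAME
        env[m.group(1)] = "${{ secrets.%s }}" % m.group(1)
        return _shell_ref(m.string, m.start(), m.group(1))

    def token(m):  # ${{ github.token }} -> env GITHUB_TOKEN: ${{ github.token }}
        env.setdefault("GITHUB_TOKEN", "${{ github.token }}")
        return _shell_ref(m.string, m.start(), "GITHUB_TOKEN")

    def env_ref(m):  # ${{ env.NAME }} is already an env var; only the syntax changes
        return _shell_ref(m.string, m.start(), m.group(1))

    new_run = SECRETS_EXPR.sub(hoist, run)
    new_run = GITHUB_TOKEN_EXPR.sub(token, new_run)
    new_run = ENV_EXPR.sub(env_ref, new_run)

    fixed = dict(step)
    fixed["run"] = new_run
    if env:
        fixed["env"] = env
    return fixed


# Constructed step (placeholder URL): the page's "Before" line, an unquoted
# secret, and github.token passed to gh.
SAMPLE_STEP = {
    "name": "Call API",
    "run": (
        'curl -H "Authorization: Bearer ${{ secrets.API_TOKEN }}" https://api.example.com/v1/ping\n'
        "echo ${{ secrets.DEPLOY_KEY }} > key.pem\n"
        "GH_TOKEN=${{ github.token }} gh pr list\n"
    ),
}

if __name__ == "__main__":
    print("interpolated:", find_run_secrets(SAMPLE_STEP))
    fixed = hoist_secrets(SAMPLE_STEP)
    print("env:", fixed["env"])
    print(fixed["run"])
```

Running it on `SAMPLE_STEP` yields an `env:` of `API_TOKEN`, `DEPLOY_KEY` and `GITHUB_TOKEN` and a script that references only `$API_TOKEN`, `"$DEPLOY_KEY"` and `"$GITHUB_TOKEN"`; a second pass of `find_run_secrets` over the result returns nothing, which is the check to run across the 84 workflows after the rewrite. Steps with `uses:` and no `run:` pass through unchanged.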