[plan] Enable Docker environment for static analysis tools #7994

Description

@github-actions

Objective

Set up Docker environment in CI to enable automated static analysis tools (zizmor and poutine) for GitHub Actions security scanning.

Context

The static analysis report shows that zizmor and poutine were unavailable because the analysis environment had no usable Docker. Both tools scan GitHub Actions workflows for security issues (unpinned actions, injection via untrusted `${{ }}` expressions, over-broad permissions, and similar), and this workflow runs them as Docker images, so a working Docker CLI and daemon are a prerequisite.

Approach

Step 1: Enable Docker in CI workflow

Update the static analysis workflow to declare a Docker service:

# In .github/workflows/static-analysis.md or equivalent
services:
  docker:
    image: docker:latest

Caveat: GitHub-hosted ubuntu runners already ship the Docker CLI and a running daemon, and the `docker:latest` image contains only the CLI (the daemon lives in `docker:dind`), so a `docker` service container does not by itself give the job's steps a Docker daemon. Before relying on this step, confirm which part of the pipeline actually lacks Docker (for example a sandboxed tool runtime rather than the runner VM) and fix that constraint instead.

Step 2: Pre-pull Docker images

Add a setup step that pulls the required Docker images. Once the images have been verified, pin them by digest (`image@sha256:...`) rather than by the mutable `:latest` tag, so that a later push to the tag cannot silently change which scanner runs in CI:

- name: Pull static analysis Docker images
  run: |
    docker pull ghcr.io/woodruffw/zizmor:latest
    docker pull ghcr.io/boostsecurityio/poutine:latest

Step 3: Test tool availability

Add verification step:

- name: Verify static analysis tools
  run: |
    docker run --rm ghcr.io/woodruffw/zizmor:latest --version
    docker run --rm ghcr.io/boostsecurityio/poutine:latest --version

Step 4: Integrate tools into analysis workflow

Update the static analysis command to use Docker. The repository is mounted read-only so that the scanners cannot modify the checkout, and poutine's local-checkout scan is the `analyze_local` subcommand (there is no `analyze` subcommand):

- name: Run static analysis
  run: |
    # Run zizmor against the workflow directory (repo mounted read-only)
    docker run --rm -v "$PWD":/workspace:ro ghcr.io/woodruffw/zizmor:latest /workspace/.github/workflows

    # Run poutine against the checked-out tree
    docker run --rm -v "$PWD":/workspace:ro ghcr.io/boostsecurityio/poutine:latest analyze_local /workspace
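The four steps above, folded into one wrapper script that the "Run static analysis" step could call. This is an added example, not code from gh-aw, zizmor or poutine. It refuses scanner images that are not pinned by digest, checks that the Docker CLI and daemon are reachable, runs both scanners with the checkout mounted read-only and `GH_TOKEN` forwarded only when it is set, and still runs the second scanner when the first one reports findings, so the results directory always contains output from both tools. The `@sha256:` digests are placeholders (64 zeros) and must be replaced with the digests printed by `docker pull <image>:<tag>`; `DRY_RUN=1` prints the commands instead of running them, and the `run` argument is a convention of this script, not of either tool.

```shell
#!/bin/sh
# Added example (not gh-aw/zizmor/poutine code): wrapper for the static analysis step.
# ASSUMPTION: the @sha256 digests below are placeholders; replace them with real digests.
set -eu

ZIZMOR_IMAGE="${ZIZMOR_IMAGE:-ghcr.io/woodruffw/zizmor@sha256:0000000000000000000000000000000000000000000000000000000000000000}"
POUTINE_IMAGE="${POUTINE_IMAGE:-ghcr.io/boostsecurityio/poutine@sha256:0000000000000000000000000000000000000000000000000000000000000000}"
OUT_DIR="${OUT_DIR:-static-analysis-results}"

# Exit 0 only for an image reference pinned to a full sha256 digest.
is_digest_pinned() {
  expr "$1" : '.*@sha256:[0-9a-f]\{64\}$' >/dev/null
}

# Refuse any scanner image referenced by a mutable tag such as :latest.
check_pins() {
  for ref in "$@"; do
    if ! is_digest_pinned "$ref"; then
      echo "refusing unpinned image reference: $ref" >&2
      return 1
    fi
  done
}

# Run one scanner, capturing its stdout to $OUT_DIR/<name>.json and returning its
# exit status. With DRY_RUN=1 the command line is printed instead of executed.
run_tool() {
  name="$1"; shift
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
    return 0
  fi
  mkdir -p "$OUT_DIR"
  status=0
  "$@" > "$OUT_DIR/$name.json" || status=$?
  echo "$name exited $status (output in $OUT_DIR/$name.json)" >&2
  return "$status"
}

# Run both scanners against the checkout in $1. Returns non-zero if either scanner
# failed or reported findings, but never skips the second scanner because of the first.
run_static_analysis() {
  ws="${1:-$PWD}"
  check_pins "$ZIZMOR_IMAGE" "$POUTINE_IMAGE" || return 1
  if [ "${DRY_RUN:-0}" != 1 ]; then
    command -v docker >/dev/null || { echo "docker CLI not found on runner" >&2; return 2; }
    docker info >/dev/null 2>&1 || { echo "docker daemon unreachable" >&2; return 2; }
  fi
  rc=0
  # -v ...:ro keeps the scanners from writing into the checkout; -e GH_TOKEN forwards
  # the token only if it is set in the runner environment (needed for API-backed audits).
  run_tool zizmor docker run --rm -v "$ws:/workspace:ro" -e GH_TOKEN "$ZIZMOR_IMAGE" \
    --format json /workspace/.github/workflows || rc=1
  run_tool poutine docker run --rm -v "$ws:/workspace:ro" -e GH_TOKEN "$POUTINE_IMAGE" \
    analyze_local /workspace --format json || rc=1
  return "$rc"
}

# Only run when invoked as `sh static-analysis.sh run [workspace]`.
case "${1:-}" in
  run) run_static_analysis "${2:-$PWD}" ;;
esac
```

In the workflow this replaces the inline `docker run` lines with `sh static-analysis.sh run "$GITHUB_WORKSPACE"`, and the two `.json` files under `static-analysis-results/` are what the "Analysis results include output from both tools" acceptance criterion can be checked against (both tools can also emit SARIF for code-scanning upload). Keeping the digest check in the script rather than in a comment means an accidental revert to `:latest` fails the job instead of silently widening the supply-chain surface of the security scanner itself.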

Files to Modify

  • .github/workflows/static-analysis.md (or create if doesn't exist)
  • Corresponding .lock.yml after recompilation

Acceptance Criteria

  • Docker service configured in CI workflow
  • zizmor Docker image can be pulled and run
  • poutine Docker image can be pulled and run
  • Both tools successfully analyze workflows
  • Static analysis workflow completes without Docker-related errors
  • Analysis results include output from both tools

Estimated Effort

1-2 hours
Related to #7992

AI generated by Plan Command for discussion #7983
