
Enable Docker for static analysis tools (zizmor, poutine) in CI#8022

Merged
pelikhan merged 3 commits into main from copilot/enable-docker-for-static-analysis
Dec 29, 2025

Conversation

Contributor

Copilot AI commented Dec 29, 2025

Static analysis workflow uses gh-aw compile with zizmor: true and poutine: true flags, which run Docker-based security scanners. These images weren't pre-pulled, causing the tools to be unavailable during analysis.

Changes

  • Pre-pull Docker images: Added step to pull ghcr.io/zizmorcore/zizmor:latest and ghcr.io/boostsecurityio/poutine:latest before agent execution
  • Verify availability: Added version checks with graceful failure handling to confirm images are functional

Workflow Structure

steps:
  - name: Pull static analysis Docker images
    run: |
      docker pull ghcr.io/zizmorcore/zizmor:latest
      docker pull ghcr.io/boostsecurityio/poutine:latest
  
  - name: Verify static analysis tools
    run: |
      docker run --rm ghcr.io/zizmorcore/zizmor:latest --version || echo "Warning: zizmor version check failed"
      docker run --rm ghcr.io/boostsecurityio/poutine:latest --version || echo "Warning: poutine version check failed"

Steps execute after MCP server initialization but before agent runs, ensuring images are cached when gh-aw compile invokes the tools via Docker.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Enable Docker environment for static analysis tools</issue_title>
<issue_description>## Objective

Set up Docker environment in CI to enable automated static analysis tools (zizmor and poutine) for GitHub Actions security scanning.

Context

The static analysis report shows that zizmor and poutine were unavailable due to Docker environment constraints. These tools provide comprehensive security scanning for GitHub Actions workflows but require Docker to run.

Approach

Step 1: Enable Docker in CI workflow

Update the static analysis workflow to include Docker services:

# In .github/workflows/static-analysis.md or equivalent
services:
  docker:
    image: docker:latest

Step 2: Pre-pull Docker images

Add setup step to pull required Docker images:

- name: Pull static analysis Docker images
  run: |
    docker pull ghcr.io/woodruffw/zizmor:latest
    docker pull ghcr.io/boostsecurityio/poutine:latest

Step 3: Test tool availability

Add verification step:

- name: Verify static analysis tools
  run: |
    docker run --rm ghcr.io/woodruffw/zizmor:latest --version
    docker run --rm ghcr.io/boostsecurityio/poutine:latest --version

Step 4: Integrate tools into analysis workflow

Update the static analysis command to use Docker:

- name: Run static analysis
  run: |
    # Run zizmor
    docker run --rm -v $(pwd):/workspace ghcr.io/woodruffw/zizmor:latest /workspace/.github/workflows
    
    # Run poutine
    docker run --rm -v $(pwd):/workspace ghcr.io/boostsecurityio/poutine:latest analyze /workspace

Files to Modify

  • .github/workflows/static-analysis.md (or create if doesn't exist)
  • Corresponding .lock.yml after recompilation

Acceptance Criteria

  • Docker service configured in CI workflow
  • zizmor Docker image can be pulled and run
  • poutine Docker image can be pulled and run
  • Both tools successfully analyze workflows
  • Static analysis workflow completes without Docker-related errors
  • Analysis results include output from both tools

Estimated Effort

1-2 hours
Related to #7992

AI generated by Plan Command for discussion #7983

Comments on the Issue (you are @copilot in this section)
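Both the PR and the plan above reference the scanner images by the mutable `:latest` tag, which makes the scanner version that runs in CI non-reproducible and lets a re-tagged image replace the tool silently. As an added example (my code, not part of this PR and not the zizmor or poutine projects' own logic), the following Python check scans the `run:` text of a workflow for `docker pull` / `docker run` invocations and reports any image that is not pinned by an immutable `@sha256:` digest, emitting GitHub Actions warning annotations. The sample workflow text and the all-zero digest inside it are constructed placeholders, not values from this repository.

```python
"""Flag mutable Docker image references in GitHub Actions `run:` steps.

Added example, not code from this PR or from zizmor/poutine. It does a
plain line scan of the shell text rather than parsing YAML, so it has no
dependencies and runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Matches a `docker pull` / `docker run` invocation and captures what follows.
DOCKER_CMD = re.compile(r"\bdocker\s+(pull|run)\s+(.*)")
# An immutable reference ends in a full sha256 digest.
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# `docker run` flags that consume the next token, so it is not the image.
FLAGS_WITH_ARG = {
    "-v", "--volume", "-e", "--env", "-w", "--workdir", "--name",
    "-u", "--user", "--entrypoint", "--network", "-p", "--publish",
}


@dataclass(frozen=True)
class ImageRef:
    image: str   # image reference as written in the step
    line: int    # 1-based line number within the workflow text
    pinned: bool # True when referenced by @sha256 digest


def _image_token(args: list[str]) -> Optional[str]:
    """Return the first argument that is not a flag or a flag's value."""
    it = iter(args)
    for tok in it:
        if tok in FLAGS_WITH_ARG:
            next(it, None)  # skip the flag's value, e.g. "$(pwd):/workspace"
            continue
        if tok.startswith("-"):
            continue        # bare flag such as --rm, or --volume=... form
        return tok
    return None


def find_image_refs(workflow_text: str) -> list[ImageRef]:
    """Collect every image referenced by docker pull/run in the text."""
    refs: list[ImageRef] = []
    for n, raw in enumerate(workflow_text.splitlines(), 1):
        m = DOCKER_CMD.search(raw)
        if not m:
            continue
        # Drop a trailing `|| echo ...` fallback so it is not read as args.
        args = m.group(2).split("||")[0].split()
        image = _image_token(args)
        if image:
            refs.append(ImageRef(image, n, bool(DIGEST.search(image))))
    return refs


def unpinned_images(workflow_text: str) -> list[ImageRef]:
    """Images referenced by tag (or no tag) instead of a digest."""
    return [r for r in find_image_refs(workflow_text) if not r.pinned]


def annotations(workflow_text: str, path: str) -> list[str]:
    """GitHub Actions workflow-command warnings, one per unpinned image."""
    return [
        f"::warning file={path},line={r.line}::"
        f"image {r.image} is not pinned by digest"
        for r in unpinned_images(workflow_text)
    ]


# Constructed sample modelled on the PR's steps; the digest is a placeholder.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64
SAMPLE_WORKFLOW = f"""\
steps:
  - name: Pull static analysis Docker images
    run: |
      docker pull ghcr.io/zizmorcore/zizmor:latest
      docker pull ghcr.io/boostsecurityio/poutine@{PLACEHOLDER_DIGEST}
  - name: Verify static analysis tools
    run: |
      docker run --rm ghcr.io/zizmorcore/zizmor:latest --version || echo "Warning: zizmor version check failed"
      docker run --rm -v $(pwd):/workspace ghcr.io/boostsecurityio/poutine@{PLACEHOLDER_DIGEST} analyze /workspace
"""

if __name__ == "__main__":
    for line in annotations(SAMPLE_WORKFLOW, ".github/workflows/static-analysis.lock.yml"):
        print(line)
```

Run it as a step in the workflow (or locally over the generated `.lock.yml`) and the `::warning` lines surface in the job summary; switching the `print` to `::error` and exiting non-zero turns it into a gate. The check is deliberately narrow: it only inspects `docker pull`/`docker run` lines, so images introduced through `services:` or a `container:` key would need a separate rule.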



…ools

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title [WIP] Set up Docker environment for static analysis tools Enable Docker for static analysis tools (zizmor, poutine) in CI Dec 29, 2025
Copilot AI requested a review from mnkiefer December 29, 2025 04:35
@pelikhan pelikhan marked this pull request as ready for review December 29, 2025 04:38
@pelikhan pelikhan merged commit fa47552 into main Dec 29, 2025
4 checks passed
@pelikhan pelikhan deleted the copilot/enable-docker-for-static-analysis branch December 29, 2025 04:38


Development

Successfully merging this pull request may close these issues.

[plan] Enable Docker environment for static analysis tools