🔍 Static Analysis Report - 2026-01-29

[github-actions[bot]]

Analysis Summary

Daily static analysis scan of agentic workflows completed successfully using three security and code quality tools.

Scan Overview:

• Tools Used: zizmor (security), poutine (supply chain), actionlint (linting)
• Total Findings: 304 issues
• Workflows Scanned: 143
• Compilation Status: ✅ All workflows compiled successfully (0 errors, 20 warnings)

Findings by Tool

Tool	Purpose	Total	Critical	High	Medium	Low/Info
zizmor	Security linter	14	0	0	0	14 warnings
poutine	Supply chain security	2	0	0	0	2 notes
actionlint	Code quality/linting	288	0	0	0	288 style
Total		304	0	0	0	304

Key Findings

🔐 Security Issues (Zizmor - 14 warnings)

Issue Type: default_permissions_on_risky_events

• Severity: Warning
• Count: 14 workflows
• Risk: Workflows triggered by risky events use default (overly broad) permissions
• Impact: Violates principle of least privilege, increases attack surface

Affected Workflows:

• ai-moderator
• archie
• brave
• cloclo
• grumpy-reviewer
• mergefest
• pdf-summary
• plan
• pr-nitpick-reviewer
• q
• scout
• security-review
• tidy
• unbloat-docs

Explanation: When workflows are triggered by events like issue_comment or pull_request_target, they run with the repository's full context and secrets. Using default permissions grants excessive access (contents: write, issues: write, etc.), which could be exploited if the workflow has vulnerabilities.

🔗 Supply Chain Issues (Poutine - 2 notes)

Issue Type: unverified_script_exec

• Severity: Info
• Count: 2 instances in 1 workflow
• Workflow: ubuntu-image-analyzer

Details:

1. curl -fsSL (redacted) | bash (.github/workflows/ubuntu-image-analyzer.lock.yml:489)
2. curl -fsSL (redacted) | sh (.github/workflows/ubuntu-image-analyzer.lock.yml:489)

Explanation: Downloading and executing scripts directly from URLs without verification creates supply chain risks. If these endpoints are compromised, malicious code could be injected.

📋 Code Quality Issues (Actionlint - 288 errors)

Issue Type	Count	Severity	Description
shellcheck:SC2129	~280+	style	"Consider using { cmd1; cmd2; } >> file instead of individual redirects"
shellcheck:SC2155	~5+	warning	"Declare and assign separately to avoid masking return values"
expression	2	error	Expression evaluation issues

Note: The majority (286/288) are shellcheck style suggestions (SC2129) for improving shell script formatting. These are low priority code quality improvements, not security vulnerabilities.

Historical Trends

Comparing with previous scan (2026-01-28):

Metric	Previous	Current	Change
Total Findings	755	304	↓ 451 (-60%) 🎉
Zizmor	126	14	↓ 112 (-89%) 🎉
Poutine	142	2	↓ 140 (-99%) 🎉
Actionlint	487	288	↓ 199 (-41%) 🎉

Major Improvement: The dramatic reduction in findings indicates significant security improvements, particularly the elimination of 126 obfuscation issues that were present in the previous scan.

Priority Recommendations

🔴 High Priority: Fix Default Permissions (14 workflows)

Add explicit minimal permissions to the 14 affected workflows. This is a straightforward fix with significant security benefit.

Example Fix:

---
name: My Workflow
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
  issues: write
  pull-requests: write
---

Benefits:

• Reduces attack surface
• Follows principle of least privilege
• Limits damage from potential vulnerabilities

🟡 Medium Priority: Review Unverified Script Execution (1 workflow)

Review the ubuntu-image-analyzer workflow's use of piped curl commands. Consider:

1. Downloading scripts first and verifying checksums
2. Using Docker images with pre-installed tools
3. Pinning to specific versions with integrity checks

🟢 Low Priority: Address Shellcheck Style Issues (143 workflows)

The 286 shellcheck SC2129 warnings are style suggestions for shell script formatting. These can be addressed in batches:

• Use { cmd1; cmd2; } >> file pattern for multiple redirects
• This is primarily for code cleanliness, not security

Detailed Fix Guide for Default Permissions

View Complete Fix Instructions

Understanding the Issue

When a workflow is triggered by risky events (issue_comment, pull_request_target, workflow_run), it runs with the repository's context and has access to secrets, even when triggered by untrusted forks. Default permissions grant:

• contents: write - Can modify repository code
• issues: write - Can modify issues
• pull-requests: write - Can modify PRs
• Plus other sensitive scopes

Fix Steps

Step 1: Review each workflow to determine what permissions it actually needs.

Step 2: Add a permissions: block to the YAML frontmatter with minimal scopes.

Step 3: Use the most restrictive permission level:

• read if only reading data
• write only if modifying data
• Omit permissions for unused resources

Common Permission Patterns

For Issue/PR Comment Bots:

permissions:
  contents: read
  issues: write
  pull-requests: write

For PR Review Bots:

permissions:
  contents: read
  pull-requests: write

For Read-Only Analysis:

permissions:
  contents: read

Testing

After adding permissions:

1. Trigger the workflow manually or via its event
2. Verify it still functions correctly
3. Check workflow logs for permission errors
4. Adjust permissions if needed (always prefer minimal)

Reference

• [Zizmor Documentation]((redacted)
• GitHub Permissions Documentation

All Findings by Workflow

View Detailed Breakdown

Zizmor Security Findings

All 14 workflows have the same issue: default_permissions_on_risky_events

1. ai-moderator.md - Line 1 - Warning
2. archie.md - Line 1 - Warning
3. brave.md - Line 1 - Warning
4. cloclo.md - Line 1 - Warning
5. grumpy-reviewer.md - Line 1 - Warning
6. mergefest.md - Line 1 - Warning
7. pdf-summary.md - Line 1 - Warning
8. plan.md - Line 1 - Warning
9. pr-nitpick-reviewer.md - Line 1 - Warning
10. q.md - Line 1 - Warning
11. scout.md - Line 1 - Warning
12. security-review.md - Line 1 - Warning
13. tidy.md - Line 1 - Warning
14. unbloat-docs.md - Line 1 - Warning

Poutine Supply Chain Findings

ubuntu-image-analyzer.lock.yml (2 instances):

• Line 489: curl -fsSL (redacted) | bash
• Line 489: curl -fsSL (redacted) | sh

Actionlint Findings Summary

• 286 shellcheck:SC2129 issues across ~143 workflows (style: prefer grouped redirects)
• ~5 shellcheck:SC2155 issues (warning: declare and assign separately)
• 2 expression evaluation issues

The shellcheck findings are primarily style and formatting recommendations rather than functional bugs or security issues.

Next Steps

• Apply default permissions fix to 14 affected workflows (HIGH PRIORITY)
• Review and harden ubuntu-image-analyzer script execution (MEDIUM PRIORITY)
• Consider batch fix for shellcheck SC2129 style issues (LOW PRIORITY)
• Update workflow creation templates to include explicit permissions
• Document permission patterns for common workflow types

Scan Metadata

• Scan Date: 2026-01-29 14:38:31 UTC
• Repository: githubnext/gh-aw
• Workflow Run: §21482190245
• Previous Scan: 2026-01-28
• Cache Location: /tmp/gh-aw/cache-memory/security-scans/2026-01-29.json
• Fix Templates: /tmp/gh-aw/cache-memory/fix-templates/

Resources

• Zizmor: (redacted)
• Poutine: (redacted)
• Actionlint: https://github.com/rhysd/actionlint
• GitHub Actions Security: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

AI generated by Static Analysis Report

• expires on Feb 5, 2026, 2:41 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-05T14:41:53.400Z.