🔍 Static Analysis Report - 2026-02-01

[github-actions[bot]]

Analysis Summary

Daily static analysis scan completed across all agentic workflow files using three security and code quality tools:

• Tools Used: zizmor (security), poutine (supply chain), actionlint (linting)
• Total Findings: 462 issues detected
• Workflows Scanned: 148 workflows
• Workflows Affected: 148 workflows (100%)

Findings by Tool

Tool	Purpose	Total	Critical	High	Medium	Low	Notes
zizmor	Security scanner	444	0	0	2	127	+315 shellcheck
poutine	Supply chain security	14	0	0	0	0	Informational
actionlint	Workflow linting	4	0	0	0	0	Warnings

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type	Severity	Count	Description	Reference
obfuscation	Low	126	Literal strings unnecessarily wrapped in ${{ }} template syntax	[docs]((docs.zizmor.sh/redacted)
shellcheck	Various	315	Shell script quality issues (SC1003, SC2129, etc.)	[docs]((docs.zizmor.sh/redacted)
artipacked	Medium	2	Credential persistence through GitHub Actions artifacts	[docs]((docs.zizmor.sh/redacted)
template-injection	Low	1	Code injection via template expansion	[docs]((docs.zizmor.sh/redacted)

Workflows with Most Issues:

• typist.lock.yml - 21 issues
• semantic-function-refactor.lock.yml - 13 issues
• go-logger.lock.yml - 13 issues
• step-name-alignment.lock.yml - 11 issues
• glossary-maintainer.lock.yml - 11 issues

Poutine Supply Chain Findings

Issue Type	Severity	Count	Description
default_permissions_on_risky_events	Warning	5	Default permissions used on risky trigger events
github_action_from_unverified_creator_used	Note	4	Actions from unverified creators
unpinnable_action	Note	3	Actions that cannot be pinned to specific versions
unverified_script_exec	Note	2	Execution of unverified scripts

Affected Workflows:

• q.lock.yml, scout.lock.yml, grumpy-reviewer.lock.yml, pr-nitpick-reviewer.lock.yml, plan.lock.yml

Actionlint Linting Issues

Issue Type	Count	Affected Workflows
missing_required_permissions	4	Test/example workflows

Affected Workflows:

• example-permissions-warning.md
• test-dispatcher.md
• test-project-url-default.md
• test-yaml-import.md

Top Priority Issues

1. Obfuscation - Unnecessary Template Wrapping (126 instances)

• Tool: zizmor
• Severity: Low
• Affected: All 148 workflows
• Description: Literal string values unnecessarily wrapped in GitHub Actions template syntax ${{ }}
• Impact: Reduces code clarity, flags potential obfuscation attempts, makes auditing harder
• Example Pattern: GH_AW_CACHE_DESCRIPTION: ${{ '' }} and GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }}
• Reference: (docs.zizmor.sh/redacted)

2. Shellcheck Issues (315 instances)

• Tool: zizmor (via shellcheck)
• Severity: Various (info, style)
• Affected: Multiple workflows with inline shell scripts
• Common Issues: SC1003 (single quote escaping), SC2129 (redirect suggestions)
• Impact: Code quality, potential edge-case bugs
• Reference: (www.shellcheck.net/redacted)

3. Artipacked - Credential Persistence (2 instances)

• Tool: zizmor
• Severity: Medium
• Affected: hourly-ci-cleaner.lock.yml, test-yaml-import.lock.yml
• Description: Potential for credentials to persist through GitHub Actions artifacts
• Impact: Security risk if sensitive data is inadvertently stored in artifacts
• Reference: (docs.zizmor.sh/redacted)

Fix Suggestion for Obfuscation Issue

Issue: Unnecessary template syntax wrapping literal values
Severity: Low
Affected Workflows: 126 instances across all workflows

Problem Explanation

Zizmor flags template expressions containing literal strings as obfuscated because:

1. They don't need template syntax - ${{ 'value' }} is the same as just 'value'
2. This pattern can hide malicious values from static analysis
3. It reduces code readability and makes auditing more difficult

Current Pattern (Problematic)

env:
  GH_AW_CACHE_DESCRIPTION: ${{ '' }}
  GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }}

Fixed Pattern (Correct)

env:
  GH_AW_CACHE_DESCRIPTION: ''
  GH_AW_CACHE_DIR: /tmp/gh-aw/cache-memory/

Automated Fix

This issue can be fixed across all workflows with a sed command:

# Remove unnecessary ${{ }} wrapping from literal strings
find .github/workflows -name "*.lock.yml" -type f -exec sed -i "s/\${{ '\([^']*\)' }}/'\1'/g" {} \;
find .github/workflows -name "*.lock.yml" -type f -exec sed -i 's/\${{ "\([^"]*\)" }}/"\1"/g' {} \;

Important: This only removes template syntax from literal values. Real template expressions like ${{ github.actor }} should remain unchanged.

Why This Matters

• Security: Reduces attack surface for obfuscation-based attacks
• Maintainability: Makes workflows easier to read and audit
• Best Practice: Follows GitHub Actions conventions
• No Breaking Changes: Purely a syntax change with identical runtime behavior

All Findings Details

View Obfuscation Issue Locations

The obfuscation warning appears in environment variable declarations across all workflows, primarily affecting these variables:

• GH_AW_CACHE_DESCRIPTION: ${{ '' }}
• GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }}

These appear in the agent execution step of every workflow file.

View Artipacked Issue Details

hourly-ci-cleaner.lock.yml:1082:9

Uses actions/checkout which could potentially persist credentials through artifacts.

test-yaml-import.lock.yml:466:9

Uses actions/checkout which could potentially persist credentials through artifacts.

Mitigation: Review artifact upload steps to ensure no sensitive data is included.

View Poutine Default Permissions Issues

Five workflows use default permissions on risky events (pull_request_target, issue_comment):

1. q.lock.yml
2. scout.lock.yml
3. grumpy-reviewer.lock.yml
4. pr-nitpick-reviewer.lock.yml
5. plan.lock.yml

Recommendation: Explicitly define minimal required permissions in workflow frontmatter.

View Shellcheck Findings Summary

Common shellcheck issues found:

• SC1003 (info): Single quote escaping suggestions - 4 instances
• SC2129 (style): Multiple redirects could be combined - numerous instances

These are primarily style and informational findings with low security impact.

Historical Trends

First Scan: This is the initial baseline scan for the repository.

Scan Data Stored: Results saved to /tmp/gh-aw/cache-memory/security-scans/2026-02-01.json for future trend analysis.

Recommendations

Immediate Actions

1. ✅ Fix Obfuscation Issues: Apply automated sed fix to remove unnecessary ${{ }} wrappers (126 instances)
2. ⚠️ Review Artipacked Warnings: Audit artifact upload steps in 2 affected workflows

Short-term Actions

3. 📝 Add Explicit Permissions: Define minimal permissions for 5 workflows flagged by poutine
4. 🔧 Address Shellcheck Issues: Review and fix shell script quality issues
5. ✏️ Fix Actionlint Warnings: Add missing permissions to 4 test/example workflows

Long-term Strategy

6. 🔄 Automated Scanning: Integrate static analysis into CI/CD pipeline
7. 📋 Workflow Templates: Update templates to avoid common issues
8. 📚 Documentation: Create workflow security best practices guide
9. 🎯 Pre-commit Hooks: Consider adding zizmor/poutine to pre-commit validation

Next Steps

Priority 1 - Quick Win: The obfuscation issue affects all workflows but is trivial to fix with the provided sed command. This would eliminate 126 of 462 findings (27%).

Priority 2 - Security Review: Investigate the 2 artipacked warnings to ensure no credential leakage through artifacts.

Priority 3 - Permission Hardening: Add explicit minimal permissions to workflows using risky event triggers.

Cache Memory

Scan results and fix templates have been stored in persistent cache memory for future reference:

• /tmp/gh-aw/cache-memory/security-scans/2026-02-01.json - Complete scan summary
• /tmp/gh-aw/cache-memory/fix-templates/zizmor-obfuscation.md - Detailed fix instructions

References:

• §21564574513

AI generated by Static Analysis Report

• expires on Feb 8, 2026, 2:39 PM UTC