🔍 Static Analysis Report - February 3, 2026 (Environment Constraints)

[github-actions[bot]]

Executive Summary

Status: ⚠️ Static analysis scan blocked due to environment constraints
Date: 2026-02-03
Workflows: 149 total (.md files), 149 compiled (.lock.yml files)
Tools Attempted: zizmor, poutine, actionlint

The automated static analysis scan could not be completed due to Docker and network environment limitations in the GitHub Actions runner. This report provides context on the blocking issues, historical scan data for comparison, and recommendations for resolution.

---

Analysis Outcome

🚫 Blocking Issues

Component	Status	Error Details
MCP agentic_workflows server	❌ Failed	"docker images not ready"
gh-aw binary build	❌ Failed	Network firewall blocking proxy.golang.org
Static analysis tools	⚠️ Not Available	Cannot run zizmor, poutine, actionlint without infrastructure

Environment Details

• Compilation output file: /tmp/gh-aw/compile-output.txt contained error: "No such file or directory" for ./gh-aw
• Build attempt: Failed with "Forbidden" errors accessing Go package proxy
• MCP server: Docker images not pre-loaded in runner environment
• Workflows scanned: 0 (blocked before execution)

---

Historical Context

Based on repository search, I identified recent static analysis scans to provide trend context:

Recent Scan History

Date	Issue #	Total Findings	Workflows Affected	Highest Severity
2026-01-14	#9990	688	124	High (1), Medium (2)
2026-01-13	#9885	564	119	Critical priority (120 unverified scripts)
2026-01-06	#9122	45	Unknown	High severity
2025-12-27	#7896	114	41	Code quality (no security)
2025-12-11	#6188	1	109	Info (excellent security)

Common Recurring Issues

Based on historical scans, these issue types appear frequently:

Security Issues (from zizmor):

• Unverified script execution: 120+ occurrences (curl-to-bash patterns)
• Template injection: 117-119 informational warnings (mitigated by safe-inputs)
• Unpinned actions: High severity (actions not pinned to commit SHAs)
• Credential persistence: Medium severity (credentials in artifacts)
• Excessive permissions: Medium severity

Code Quality Issues (from actionlint):

• SC2155 shellcheck: 195+ occurrences (masked return values in shell scripts)
• SC2012 shellcheck: 72 occurrences (using ls instead of find)
• SC2086 shellcheck: 10 occurrences (missing quotes in shell scripts)
• Expression errors: 20-27 occurrences (undefined property references)

---

Recommendations

Immediate Actions

1. Fix Environment Setup

Problem: Docker images not available, build tools blocked by network

Solutions:

• Pre-load Docker images for zizmor and poutine in GitHub Actions runner setup
• Pre-build gh-aw binary and cache it in the runner environment
• Configure network access to proxy.golang.org for Go module downloads
• Add build step before static analysis that handles dependencies

Implementation:

# In daily-static-analysis workflow
- name: Setup static analysis environment
  run: |
    # Pre-pull Docker images
    docker pull ghcr.io/woodruffw/zizmor:latest
    docker pull ghcr.io/boostsecurityio/poutine:latest
    
    # Or pre-build gh-aw if not cached
    make build

2. Alternative: Use Pre-built Tools

Instead of relying on gh-aw MCP server, call tools directly:

- name: Run zizmor directly
  run: |
    docker run --rm -v $(pwd):/workspace \\
      ghcr.io/woodruffw/zizmor:latest \\
      /workspace/.github/workflows/*.lock.yml

- name: Run actionlint directly
  run: |
    bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
    ./actionlint .github/workflows/*.lock.yml

- name: Run poutine directly
  run: |
    docker run --rm -v $(pwd):/workspace \\
      ghcr.io/boostsecurityio/poutine:latest \\
      analyze /workspace

Long-term Improvements

3. Based on Historical Patterns

Since we can't scan today, here are the top priorities based on recurring issues:

Priority 1: Unverified Script Execution (120+ instances historically)

• Issue: curl | bash patterns without verification
• Fix: Download, verify checksum/signature, then execute
• Impact: High security risk - arbitrary code execution vulnerability

Priority 2: SC2155 Shellcheck Warnings (195+ instances)

• Issue: local var=$(command) masks return values
• Fix: Split into two lines: local var; var=$(command)
• Impact: Can hide errors and cause silent failures

Priority 3: Expression Errors (20-27 instances)

• Issue: Undefined property references in workflow expressions
• Fix: Correct property paths or add null checks
• Impact: Workflow runtime failures

Priority 4: Template Injection Warnings (117-119 instances)

• Status: Likely mitigated by safe-inputs configuration
• Action: Verify safe-inputs is properly configured
• Impact: Low (if safe-inputs is active)

---

Fix Templates

Based on historical remediation patterns, here are fix templates for the most common issues:

Fix Template: Unverified Script Execution

Issue: Unverified Script Execution

Severity: High
Count: 120+ occurrences (from Jan 13, 2026 scan)
Rule: Zizmor security finding

Vulnerability:
Workflows download and execute scripts directly using patterns like curl | bash or curl -o script.sh && bash script.sh without verifying integrity.

Security Risk:

• Arbitrary code execution if download is intercepted (MITM attack)
• Compromise if source is malicious
• No verification of script integrity

Required Fix:

Replace insecure download-execute patterns with download-verify-execute:

Before (Insecure):

curl -sSL (example.com/redacted) | bash

After (Secure):

# Download script
curl -sSL (example.com/redacted) -o /tmp/install.sh

# Verify checksum (obtain expected checksum from trusted source)
echo "EXPECTED_SHA256 /tmp/install.sh" | sha256sum -c -

# Execute only if verification passes
bash /tmp/install.sh

Alternative (Use actions instead of scripts):

# Instead of: run: curl -sSL (install.sh/redacted) | bash
# Use pinned GitHub Action:
- uses: vendor/setup-tool@abc123sha  # Pin to commit SHA

Affected Workflows (from historical data):
Check all workflows for patterns: curl.*|.*bash, wget.*|.*sh, curl.*-o.*&&.*bash

Fix Template: SC2155 Shellcheck Warning

Issue: SC2155 - Masked Return Values

Severity: Warning
Count: 195+ occurrences (from Jan 13, 2026 scan)
Rule: actionlint/shellcheck SC2155

Problem:
Combining variable declaration with command substitution masks the command's return value, causing error handling to fail.

Code Pattern:

local result=$(some_command)
# If some_command fails, $? will be 0 (from 'local'), not the command's exit code

Security/Reliability Impact:

• Silent failures - commands can fail without detection
• Error handling logic is bypassed
• Can lead to using undefined/incorrect values

Required Fix:

Split declaration and assignment into separate statements:

Before (Incorrect):

local output=$(gh api repos/owner/repo)
if [ $? -ne 0 ]; then
  echo "API call failed"  # This will never execute!
fi

After (Correct):

local output
output=$(gh api repos/owner/repo)
if [ $? -ne 0 ]; then
  echo "API call failed"  # Now this works correctly
  exit 1
fi

Alternative with set -e:

set -e  # Exit on error
local output
output=$(gh api repos/owner/repo)  # Will exit if this fails
# Continue only if successful

Reference: (www.shellcheck.net/redacted)

---

Next Steps

For Repository Maintainers

1. Fix Environment (Immediate):

   • Update daily-static-analysis workflow to pre-load Docker images
   • Add gh-aw binary build/cache step
   • Test static analysis runs successfully

2. Run Manual Scan (This Week):

   • Once environment is fixed, trigger manual scan
   • Compare findings against January 13-14 scans
   • Track progress on recurring issues

3. Address Recurring Issues (Ongoing):

   • Create sub-issues for top 3 recurring problems
   • Use fix templates provided above
   • Monitor trend: are we reducing findings over time?

4. Improve CI/CD (Long-term):

   • Add static analysis to PR checks (not just daily scans)
   • Block merges on High/Critical findings
   • Automate fix suggestions via bot comments

For This Workflow

Add environment setup before attempting compilation:

- name: Ensure Docker images available
  run: |
    docker pull ghcr.io/woodruffw/zizmor:latest || echo "Failed to pull zizmor"
    docker pull ghcr.io/boostsecurityio/poutine:latest || echo "Failed to pull poutine"

- name: Build gh-aw if needed
  run: |
    if ! which gh-aw; then
      make build || echo "Build failed, proceeding with available tools"
    fi

---

Comparison with Previous Scans

Since we couldn't run the scan today, here's what we would expect based on trends:

Expected Findings (Projection):

• Total: 400-700 findings (based on recent range)
• Unverified scripts: ~120 (if not yet addressed from Jan 13)
• SC2155 warnings: ~150-200
• Template injection: ~117 (informational, likely still present)
• Expression errors: 0-20 (should be decreasing if addressed)

Expected Trend:

• ✅ Fewer critical issues if recent remediation PRs merged
• ⚠️ Similar code quality issues (SC2155, SC2012) - these require systematic cleanup
• ✅ No new high-severity issues if CI checks are working

---

Resources

• Zizmor Documentation: (docs.zizmor.sh/redacted)
• Actionlint Documentation: https://github.com/rhysd/actionlint
• Shellcheck Wiki: (www.shellcheck.net/redacted)
• GitHub Actions Security: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

Previous Static Analysis Reports:

• #9990 - Jan 14, 2026 - 688 findings, remediation plan
• #9885 - Jan 13, 2026 - 564 findings, 5 sub-tasks
• #9122 - Jan 6, 2026 - 45 findings
• #7896 - Dec 27, 2025 - 114 code quality issues

---

References:

• §21648481141 - Current workflow run

AI generated by Static Analysis Report

• expires on Feb 10, 2026, 9:32 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-10T21:32:51.813Z.

Closed by Workflow