🔒 Zizmor Security Analysis Report - 2025-10-31

[github-actions[bot]]

🔒 Zizmor Security Analysis Report - 2025-10-31

Executive Summary

I completed a comprehensive security scan of all agentic workflows using zizmor v1.16.1, a specialized security scanner for GitHub Actions. The scan identified 198 security findings across 62 compiled workflows, with the vast majority (88.9%) being template injection vulnerabilities.

Key Findings:

• Template Injection is the dominant vulnerability (176 occurrences)
• 90 ERROR-level findings require immediate attention
• ~40 workflows are affected by security issues
• Auto-fixes available for most template-injection issues

---

Security Scan Statistics

Overall Findings

Metric	Count
Total Findings	198
Workflows Scanned	62
Workflows Affected	~40
Critical Issues	0
High Severity (ERROR)	90
Medium Severity (WARNING)	22
Low Severity (HELP)	74
Informational (INFO)	12

Findings by Vulnerability Type

Vulnerability Type	Count	Percentage	Severity Mix
template-injection	176	88.9%	90 ERROR, 74 HELP, 12 INFO
excessive-permissions	13	6.6%	2 ERROR, 11 WARNING
github-env	3	1.5%	3 ERROR
dangerous-triggers	3	1.5%	3 ERROR
artipacked	3	1.5%	3 WARNING

---

Top Priority: Template Injection (176 findings)

What is Template Injection?

Template injection occurs when GitHub Actions expressions (${{ ... }}) are used in run: blocks where they could expand into attacker-controllable code. This allows malicious actors to inject commands that execute in your CI/CD environment.

Impact

• Code Execution: Arbitrary commands in workflow runners
• Secret Exfiltration: Access to repository secrets and tokens
• Supply Chain Compromise: Poisoned build artifacts
• Repository Takeover: Unauthorized access and modifications

Common Vulnerable Patterns Found

Pattern 1: Environment Variables in Run Blocks (74 occurrences)

# VULNERABLE ❌
run: |
  "GH_AW_ASSETS_BRANCH": "${{ env.GH_AW_ASSETS_BRANCH }}"

Pattern 2: GitHub Actor in String Contexts

# VULNERABLE ❌
run: |
  echo "Triggered by: @${{ github.actor }}"

Pattern 3: GitHub Event Fields

# VULNERABLE ❌
run: |
  DEFAULT_BRANCH="${{ github.event.repository.default_branch }}"

The Fix: Use Environment Variables

Before (Vulnerable):

- name: Create config
  run: |
    cat > config.json << EOF
    {
      "branch": "${{ env.GH_AW_ASSETS_BRANCH }}",
      "actor": "${{ github.actor }}"
    }
    EOF

After (Secure):

- name: Create config
  env:
    BRANCH_NAME: ${{ env.GH_AW_ASSETS_BRANCH }}
    ACTOR_NAME: ${{ github.actor }}
  run: |
    cat > config.json << EOF
    {
      "branch": "$BRANCH_NAME",
      "actor": "$ACTOR_NAME"
    }
    EOF

Most Affected Workflows

Workflow	Findings	Primary Issues
smoke-detector.lock.yml	18	template-injection, github-env, dangerous-triggers
dev-hawk.lock.yml	13	template-injection, dangerous-triggers
daily-test-improver.lock.yml	12	template-injection, artipacked, excessive-permissions
ci-doctor.lock.yml	10	template-injection, dangerous-triggers, excessive-permissions
scout.lock.yml	9	template-injection
daily-perf-improver.lock.yml	9	template-injection, artipacked, excessive-permissions
duplicate-code-detector.lock.yml	8	template-injection, github-env
technical-doc-writer.lock.yml	7	template-injection
poem-bot.lock.yml	7	template-injection
security-fix-pr.lock.yml	6	template-injection, github-env

---

Other Security Issues

2. Excessive Permissions (13 findings)

Issue: Workflows using permissions: read-all or overly broad id-token: write at workflow level.

Affected Workflows:

• ci-doctor.lock.yml (2 findings)
• copilot-agent-analysis.lock.yml (2 findings)
• copilot-pr-prompt-analysis.lock.yml (2 findings)
• daily-news.lock.yml (2 findings)
• And 5 others

Fix: Use least-privilege permissions by specifying only required permissions:

permissions:
  contents: read
  pull-requests: write
  issues: write

3. GitHub Environment File Usage (3 findings)

Issue: Writing to $GITHUB_ENV without sanitization can allow code execution.

Location: .github/workflows/ci-doctor.lock.yml:1777

Fix: Sanitize values before writing to $GITHUB_ENV:

run: |
  CLEAN_VERSION=$(echo "$VERSION_OUTPUT" | tr -dc '[:alnum:].-')
  echo "AGENT_VERSION=$CLEAN_VERSION" >> $GITHUB_ENV

4. Dangerous Triggers (3 findings)

Issue: Using workflow_run trigger which is almost always insecure.

Affected:

• ci-doctor.lock.yml
• dev-hawk.lock.yml
• smoke-detector.lock.yml

Fix: If possible, use alternative triggers or implement strict input validation.

5. Credential Persistence (3 findings - artipacked)

Issue: actions/checkout without persist-credentials: false leaves credentials in .git/config.

Affected:

• daily-perf-improver.lock.yml
• daily-test-improver.lock.yml

Fix:

- uses: actions/checkout@v4
  with:
    persist-credentials: false

---

Detailed Fix Guide

Comprehensive Fix Instructions for Template Injection

Template Injection Fix Guide

Case 1: MCP Server Configuration (Most Common)

This affects nearly every workflow when creating MCP server configuration.

Current Code (Vulnerable):

run: |
  cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF
  {
    "mcpServers": {
      "safeoutputs": {
        "env": {
          "GH_AW_ASSETS_BRANCH": "${{ env.GH_AW_ASSETS_BRANCH }}",
          "GH_AW_ASSETS_MAX_SIZE_KB": "${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}",
          "GH_AW_ASSETS_ALLOWED_EXTS": "${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}"
        }
      }
    }
  }
  EOF

Fixed Code (Secure):

env:
  ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }}
  ASSETS_MAX_SIZE: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}
  ASSETS_ALLOWED: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}
run: |
  cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF
  {
    "mcpServers": {
      "safeoutputs": {
        "env": {
          "GH_AW_ASSETS_BRANCH": "$ASSETS_BRANCH",
          "GH_AW_ASSETS_MAX_SIZE_KB": "$ASSETS_MAX_SIZE",
          "GH_AW_ASSETS_ALLOWED_EXTS": "$ASSETS_ALLOWED"
        }
      }
    }
  }
  EOF

Case 2: GitHub Context in Comments/Issues

Current Code (Vulnerable):

run: |
  gh issue comment $NUMBER --body "
  - **Triggered by**: @${{ github.actor }}
  - **Run URL**: ${{ github.event.workflow_run.html_url }}
  - **Commit**: ${{ github.event.workflow_run.head_sha }}
  "

Fixed Code (Secure):

env:
  ACTOR: ${{ github.actor }}
  RUN_URL: ${{ github.event.workflow_run.html_url }}
  COMMIT_SHA: ${{ github.event.workflow_run.head_sha }}
run: |
  gh issue comment $NUMBER --body "
  - **Triggered by**: @${ACTOR}
  - **Run URL**: ${RUN_URL}
  - **Commit**: ${COMMIT_SHA}
  "

Case 3: Default Branch Usage

Current Code (Vulnerable):

run: |
  DEFAULT_BRANCH="${{ github.event.repository.default_branch }}"
  git checkout "$DEFAULT_BRANCH"

Fixed Code (Secure):

env:
  DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
run: |
  git checkout "$DEFAULT_BRANCH"

Case 4: User/Workflow Inputs

Current Code (Vulnerable):

run: |
  echo "Input: ${{ github.event.inputs.user_input }}"

Fixed Code (Secure):

env:
  USER_INPUT: ${{ github.event.inputs.user_input }}
run: |
  # Sanitize if needed
  SANITIZED=$(echo "$USER_INPUT" | tr -dc '[:alnum:] _-.')
  echo "Input: $SANITIZED"

Automation Approach

For bulk fixes across workflows, consider this approach:

1. Identify all run: blocks containing ${{ ... }}
2. Extract the template expressions
3. Generate corresponding env: entries
4. Replace inline templates with env variable references
5. Test each workflow after modification

---

Recommendations

Immediate Actions (Week 1)

1. ✅ Fix Critical Template Injections (90 ERROR-level findings)

   • Start with most-used workflows: smoke-detector, dev-hawk, ci-doctor
   • Apply environment variable pattern from fix guide
   • Prioritize workflows triggered by external events

2. ✅ Review Dangerous Triggers

   • Evaluate workflow_run usage in 3 affected workflows
   • Implement input validation or consider alternative triggers

3. ✅ Fix GitHub Environment File Issues

   • Add sanitization to ci-doctor workflow
   • Review other workflows for similar patterns

Short-term Actions (Week 2-3)

4. ✅ Address HELP-level Template Injections (74 findings)

   • Apply fixes to MCP configuration generation
   • Update all environment variable usage patterns

5. ✅ Reduce Excessive Permissions (13 findings)

   • Replace read-all with specific permissions
   • Move id-token: write to job level where needed

6. ✅ Fix Credential Persistence (3 findings)

   • Add persist-credentials: false to checkout actions

Long-term Actions (Month 1)

7. ✅ Automate Security Scanning

   • Integrate zizmor into CI/CD pipeline
   • Run zizmor on every workflow compilation
   • Add pre-commit hooks for workflow changes

8. ✅ Update Development Guidelines

   • Document secure template usage patterns
   • Create workflow templates with security best practices
   • Add security review checklist for new workflows

9. ✅ Establish Monitoring

   • Track security findings over time
   • Set up alerts for new vulnerabilities
   • Regular security audits (monthly)

---

Historical Context

This is the first comprehensive security scan using zizmor for this repository. Key insights:

• Baseline established: 198 findings across 5 vulnerability types
• Primary issue identified: Template injection affects 88.9% of findings
• Pattern recognition: Most issues follow common patterns with available fixes
• Auto-fix capability: Majority of issues can be automatically remediated

Future scans will track:

• Trend analysis (improvement/regression)
• New vulnerability types
• Effectiveness of fixes
• Compliance with security standards

---

Verification Steps

After applying fixes, verify with:

# Compile all workflows
gh aw compile

# Run zizmor security scan
zizmor .github/workflows/*.lock.yml

# Check for remaining issues
zizmor .github/workflows/*.lock.yml | grep -E "error|warning"

Expected outcome: Significant reduction in findings, with template-injection issues resolved.

---

Resources

• Zizmor Documentation: (redacted)
• Template Injection Details: (redacted)
• Fix Template: /tmp/gh-aw/cache-memory/fix-templates/template-injection.md
• Scan Results: /tmp/gh-aw/cache-memory/security-scans/2025-10-31.json
• Full Output: /tmp/gh-aw/agent/zizmor-output.txt

---

Next Steps

1. Review this report and prioritize fixes based on workflow criticality
2. Start with ERROR-level findings in high-traffic workflows
3. Apply template injection fixes using the provided patterns
4. Re-run security scan to verify improvements
5. Implement automated scanning to prevent regression

Security is an ongoing process. This scan provides a baseline and clear path forward to significantly improve the security posture of all agentic workflows.

---

Scan Completed: 2025-10-31
Scanner: zizmor v1.16.1
Repository: githubnext/gh-aw
Agent: Claude (Zizmor Security Analyzer)

AI generated by Zizmor Workflow Security Analyzer

[pelikhan]

/plan focus on Template Injection Fix Guide

[github-actions[bot]]

✅ Agentic Plan Command completed successfully.

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 week ago.