🔒 Zizmor Security Analysis Report - November 1, 2025

[github-actions[bot]]

🔒 Zizmor Security Analysis Report - November 1, 2025

Executive Summary

Today's security scan of 66 agentic workflows identified 31 security findings across 13 workflows, representing a 73% reduction from the previous scan (115 findings on October 31). The most significant improvement is in template-injection vulnerabilities, which decreased from 96 High severity findings to 11 Low severity findings.

Current Priority: 3 HIGH severity findings for dangerous-triggers require immediate attention.

Security Scan Summary

• Total Findings: 31
• Critical: 0
• High: 5 (3 dangerous-triggers + 2 excessive-permissions)
• Medium: 15 (13 excessive-permissions + 2 artipacked)
• Low: 11 (template-injection)
• Workflows Scanned: 66
• Workflows Affected: 13
• Scan Tool: zizmor v1.16.1

Clustered Findings by Issue Type

Issue Type	Severity	Count	Affected Workflows
dangerous-triggers	High	3	ci-doctor, dev-hawk, smoke-detector
excessive-permissions	High	2	daily-perf-improver, daily-test-improver
excessive-permissions	Medium	13	ci-doctor, copilot-agent-analysis, copilot-pr-prompt-analysis, daily-news, smoke-detector, technical-doc-writer, test-timestamp-js
template-injection	Low	11	duplicate-code-detector, mcp-inspector, smoke-codex
artipacked	Medium	2	daily-perf-improver, daily-test-improver

Top Priority Issues

1. dangerous-triggers (HIGH SEVERITY)

• Count: 3 workflows
• Severity: High
• Confidence: Medium
• Affected: ci-doctor, dev-hawk, smoke-detector
• Description: Use of fundamentally insecure workflow_run trigger
• Impact: The workflow_run trigger executes in the target repository's context rather than the fork's context, allowing untrusted code from external forks to access repository secrets, credentials, and write permissions
• Reference: Zizmor Documentation

Critical Security Risk: This vulnerability allows attackers to:

• Access repository secrets and credentials automatically
• Execute arbitrary code with write permissions
• Manipulate environment variables (GITHUB_ENV, GITHUB_PATH)
• Obtain private source code access

2. excessive-permissions (HIGH SEVERITY)

• Count: 2 workflows
• Severity: High
• Confidence: High
• Affected: daily-perf-improver, daily-test-improver
• Description: Overly broad id-token: write permission at workflow level
• Impact: Excessive permissions increase the attack surface and potential for privilege escalation
• Reference: Zizmor Documentation

3. excessive-permissions (MEDIUM SEVERITY)

• Count: 13 instances across 7 workflows
• Severity: Medium
• Confidence: High
• Description: Use of read-all or overly broad permissions
• Impact: Broader than necessary permissions increase risk of credential theft or unauthorized actions

4. artipacked (MEDIUM SEVERITY)

• Count: 2 workflows
• Severity: Medium
• Confidence: Low
• Affected: daily-perf-improver, daily-test-improver
• Description: Potential credential persistence through GitHub Actions artifacts
• Impact: Credentials may be unintentionally persisted in workflow artifacts
• Reference: Zizmor Documentation

5. template-injection (LOW SEVERITY)

• Count: 11 instances across 3 workflows
• Severity: Low
• Confidence: High
• Affected: duplicate-code-detector, mcp-inspector, smoke-codex
• Description: Code injection via template expansion
• Impact: Low risk in current configurations but should be monitored
• Reference: Zizmor Documentation

Fix Suggestion for dangerous-triggers

Issue: Use of fundamentally insecure workflow_run trigger
Severity: High
Affected Workflows: 3 workflows

Prompt to Copilot Agent:

You are fixing a HIGH SEVERITY security vulnerability identified by zizmor security scanner.

**Vulnerability**: dangerous-triggers - use of fundamentally insecure workflow trigger
**Rule**: dangerous-triggers - (redacted)#dangerous-triggers

**Current Issue**:
The workflows listed below use the `workflow_run` trigger, which executes in the target repository's context rather than the fork's context. This allows untrusted code from external forks to access sensitive repository resources, secrets, and credentials.

**Affected Workflows**:
- .github/workflows/ci-doctor.md
- .github/workflows/dev-hawk.md  
- .github/workflows/smoke-detector.md

**Required Fix**:

For each affected workflow, apply the most appropriate remediation (in order of preference):

### Option 1: Replace with workflow_call (Preferred)

Convert the trigger to use `workflow_call` instead:

**Before:**
```yaml
on:
  workflow_run:
    types:
      - completed
    workflows:
      - "Daily Perf Improver"

After:

on:
  workflow_call:
    inputs:
      source_workflow:
        description: 'Name of the calling workflow'
        required: false
        type: string

Note: This requires refactoring the calling workflow to use the uses: syntax.

Option 2: Add Branch Restrictions

If workflow_run cannot be replaced, restrict execution to trusted branches:

Before:

on:
  workflow_run:
    types:
      - completed
    workflows:
      - "Some Workflow"

After:

on:
  workflow_run:
    types:
      - completed
    workflows:
      - "Some Workflow"
    branches:
      - main
      - 'release/**'

Option 3: Use pull_request Instead

If repository write permissions are not essential:

Before:

on:
  workflow_run:
    workflows:
      - "Build"

After:

on:
  pull_request:
    types: [opened, synchronize]

Additional Security Measures

1. Never run attacker-controllable code: Avoid using values from github.event.workflow_run.* in commands
2. Validate inputs: Check all external inputs before use
3. Restrict environment variable injection: Never allow attacker-controlled flows into GITHUB_ENV
4. Use explicit SHA pins: Pin all actions to specific commit SHAs

Implementation Steps

1. Review each affected workflow to understand its purpose
2. Determine the most appropriate remediation option
3. Apply the fix to the workflow file
4. Test the workflow to ensure it still functions as intended
5. Verify the fix by running: gh aw compile --zizmor

<details>
<summary>All Findings Details</summary>

## Detailed Findings by Issue Type

### dangerous-triggers (High Severity)

#### ci-doctor.lock.yml
- **Location**: Trigger definition
- **Annotation**: workflow_run is almost always used insecurely
- **Description**: Use of fundamentally insecure workflow trigger
- **Reference**: (redacted)#dangerous-triggers

#### dev-hawk.lock.yml
- **Location**: Trigger definition
- **Annotation**: workflow_run is almost always used insecurely
- **Description**: Use of fundamentally insecure workflow trigger
- **Reference**: (redacted)#dangerous-triggers

#### smoke-detector.lock.yml
- **Location**: Trigger definition
- **Annotation**: workflow_run is almost always used insecurely
- **Description**: Use of fundamentally insecure workflow trigger
- **Reference**: (redacted)#dangerous-triggers

### excessive-permissions (High Severity)

#### daily-perf-improver.lock.yml
- **Location**: Workflow permissions
- **Annotation**: id-token: write is overly broad at the workflow level
- **Description**: Overly broad permissions
- **Reference**: (redacted)#excessive-permissions

#### daily-test-improver.lock.yml
- **Location**: Workflow permissions
- **Annotation**: id-token: write is overly broad at the workflow level
- **Description**: Overly broad permissions
- **Reference**: (redacted)#excessive-permissions

### excessive-permissions (Medium Severity)

Workflows using `read-all` or overly broad permissions:
- ci-doctor.lock.yml
- copilot-agent-analysis.lock.yml
- copilot-pr-prompt-analysis.lock.yml
- daily-news.lock.yml
- smoke-detector.lock.yml
- technical-doc-writer.lock.yml
- test-timestamp-js.lock.yml

**Recommendation**: Replace `permissions: read-all` with explicit minimal permissions:
```yaml
permissions:
  contents: read
  pull-requests: read
  issues: read

artipacked (Medium Severity)

daily-perf-improver.lock.yml & daily-test-improver.lock.yml

• Description: Credential persistence through GitHub Actions artifacts
• Impact: Workflow artifacts may unintentionally persist credentials
• Recommendation: Review artifact uploads to ensure no credentials are included
• Reference: (redacted)#artipacked

template-injection (Low Severity)

Found in: duplicate-code-detector, mcp-inspector, smoke-codex

• Description: Code injection via template expansion
• Severity: Low (currently minimal risk)
• Recommendation: Monitor and ensure user-controlled data is never expanded in shell contexts
• Reference: (redacted)#template-injection

Historical Trends

Comparison with Previous Scan (October 31, 2025):

• Previous Scan: October 31, 2025
• Total Findings Then: 115
• Total Findings Now: 31
• Change: -84 (-73.0%)

Significant Improvements

1. template-injection: Reduced from 96 High severity findings to 11 Low severity findings

   • This represents an 88.5% reduction in template-injection vulnerabilities
   • Severity downgraded from High to Low, indicating much better security posture

2. excessive-permissions: Slight increase from 13 Medium to 15 total (2 High + 13 Medium)

   • 2 new High severity findings for id-token: write permission
   • This requires attention but overall permissions management has improved

3. dangerous-triggers: Stable at 3 High severity findings

   • No change from previous scan
   • These remain the highest priority for remediation

4. artipacked: Decreased from 3 to 2 Medium severity findings

   • One workflow fixed since last scan

New Issues

No new issue types have emerged since the previous scan.

Resolved Issues

• 85+ template-injection vulnerabilities have been resolved or downgraded
• 1 artipacked vulnerability has been resolved

Recommendations

Immediate Actions (High Priority)

1. Fix dangerous-triggers vulnerabilities:

   • Review and refactor ci-doctor, dev-hawk, and smoke-detector workflows
   • Replace workflow_run triggers with safer alternatives (workflow_call or branch restrictions)
   • Timeline: Within 1 week

2. Address High severity excessive-permissions:

   • Scope down id-token: write permission in daily-perf-improver and daily-test-improver
   • Move permissions to job level if possible
   • Timeline: Within 2 weeks

Short-term Actions (Medium Priority)

3. Review Medium severity excessive-permissions:

   • Replace read-all with explicit minimal permissions
   • Apply principle of least privilege to all 7 affected workflows
   • Timeline: Within 1 month

4. Investigate artipacked findings:

   • Review artifact uploads in daily-perf-improver and daily-test-improver
   • Ensure no credentials are persisted in artifacts
   • Timeline: Within 1 month

Long-term Actions

5. Establish automated zizmor checking:

   • Add zizmor to CI/CD pipeline
   • Block PRs that introduce new security findings
   • Set up automated daily scans with alerting

6. Update workflow templates:

   • Create secure workflow templates with minimal permissions
   • Document security best practices for agentic workflows
   • Add security review checklist for new workflows

7. Monitor template-injection findings:

   • Continue monitoring the 11 Low severity template-injection findings
   • Ensure user-controlled data is never expanded in shell contexts

Next Steps

• Apply suggested fixes for dangerous-triggers (3 workflows)
• Scope down id-token: write permissions (2 workflows)
• Replace read-all with explicit permissions (7 workflows)
• Review artifact uploads for credential leakage (2 workflows)
• Integrate zizmor into CI/CD pipeline
• Create secure workflow templates and documentation

Conclusion

The security posture of the agentic workflows has improved significantly, with a 73% reduction in total findings. The most notable achievement is the near-elimination of High severity template-injection vulnerabilities. However, the 3 HIGH severity dangerous-triggers findings require immediate attention, as they represent critical security boundary violations that could allow attackers to access repository secrets and credentials.

By addressing the high priority issues and continuing to monitor and improve the security posture, the agentic workflow system will maintain a strong security foundation.

---

Generated by: Zizmor Security Analyzer v1.16.1
Scan Date: November 1, 2025, 17:43 UTC
Next Scheduled Scan: November 2, 2025, 09:00 UTC

AI generated by Zizmor Workflow Security Analyzer

[pelikhan]

/plan

[github-actions[bot]]

✅ Agentic Plan Command completed successfully.

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 week ago.