🔍 Static Analysis Report - December 8, 2025

[github-actions[bot]]

Analysis Summary

Comprehensive static analysis scan completed on all 103 agentic workflow files using three industry-standard security and code quality tools: zizmor (security scanner), poutine (supply chain security), and actionlint (workflow linter).

Scan Results Overview

• Workflows Scanned: 103
• Workflows with Findings: 11 (10.7%)
• Total Findings: 35
• Tools Used: zizmor, poutine, actionlint
• Date: 2025-12-08

Key Findings by Severity

Severity	Count	Tool	Issue Types
High	2	zizmor	cache-poisoning, excessive-permissions
Medium	1	zizmor	artipacked
Low	1	zizmor	template-injection
Informational	10	zizmor	template-injection
Error	16	actionlint	shellcheck (10), expression errors (6)
Warning	4	actionlint	missing-permissions
None	0	poutine	No findings

Full Report Details

Detailed Analysis by Tool

🛡️ Zizmor Security Scanner

Total Findings: 17 (2 High, 1 Medium, 1 Low, 11 Informational, 2 Unknown)

Critical Security Issues (High Severity)

1. Cache Poisoning Vulnerability

• Severity: High
• Count: 1 occurrence
• Reference: (redacted)#cache-poisoning
• Affected Workflow: release (.github/workflows/release.lock.yml:382:1)
• Impact: Runtime artifacts potentially vulnerable to cache poisoning attack
• Description: The workflow uses Go module caching (cache: true) which could allow an attacker to inject malicious code into the build cache, compromising release integrity.
• Risk: Malicious code injection into releases, supply chain compromise

2. Excessive Permissions

• Severity: High
• Count: 1 occurrence
• Reference: (redacted)#excessive-permissions
• Affected Workflow: speckit-dispatcher (.github/workflows/speckit-dispatcher.lock.yml:502:3)
• Impact: Overly broad permissions granted to workflow
• Description: The workflow has more permissions than necessary, violating the principle of least privilege
• Risk: Increased attack surface, potential for privilege escalation

Medium Severity Issues

3. Artipacked (Credential Persistence)

• Severity: Medium
• Count: 1 occurrence
• Reference: (redacted)#artipacked
• Affected Workflow: release (.github/workflows/release.lock.yml:6269:9)
• Impact: Credentials may persist through GitHub Actions artifacts
• Description: Sensitive credentials or tokens might be unintentionally included in workflow artifacts
• Risk: Credential exposure, unauthorized access

Low/Informational Issues

4. Template Injection

• Severity: Informational (10), Low (1)
• Count: 11 total occurrences
• Reference: (redacted)#template-injection
• Affected Workflows:
  • breaking-change-checker (Informational)
  • changeset (Informational)
  • daily-performance-summary (Informational, 2 occurrences)
  • duplicate-code-detector (Informational)
  • mcp-inspector (Low)
  • test-python-safe-input (Informational, 2 occurrences)
• Impact: Potential code injection via template expansion
• Description: Workflow uses GitHub Actions expression syntax in a way that could be vulnerable to injection if processing untrusted input
• Risk: Code injection if templates process untrusted data

📋 Actionlint Workflow Linter

Total Findings: 18 (16 Errors, 4 Warnings)

Shellcheck Issues (Code Quality)

Count: 10 errors across 2 workflows

Affected Workflows: daily-performance-summary, test-python-safe-input

Issue Breakdown:

1. SC2086: Double quote to prevent globbing and word splitting

   • Occurrences: 4
   • Impact: Potential word splitting bugs in shell scripts

2. SC2129: Use { cmd1; cmd2; } >> file instead of individual redirects

   • Occurrences: 2
   • Impact: Inefficient shell script patterns

3. SC2009: Consider using pgrep instead of grepping ps output

   • Occurrences: 2
   • Impact: Fragile process detection patterns

Expression Errors

Count: 6 errors

Affected Workflow: issue-monster

Issue: Property "search_issues" is not defined in object type

• Locations: Lines 2631, 2632, 2633, 2801, 2802, 2803, 3042, 3043, 3044
• Impact: Runtime errors when workflow attempts to access undefined properties
• Risk: Workflow failures, unexpected behavior

Missing Permissions Warnings

Count: 4 warnings

Affected Workflows:

• firewall-escape
• smoke-srt-custom-config
• smoke-srt
• test-discussion-expires

Issue: Missing required permissions for github toolsets

• Impact: Workflows may fail at runtime due to insufficient permissions
• Risk: Failed workflow executions, inability to interact with GitHub API

🔗 Poutine Supply Chain Security

Total Findings: 0

No supply chain security issues detected. All workflows appear to follow best practices for supply chain security.

Findings Clustered by Issue Type

By Frequency

Issue Type	Tool	Count	Affected Workflows
template-injection	zizmor	11	6 workflows
shellcheck	actionlint	10	2 workflows
expression-errors	actionlint	6	1 workflow
missing-permissions	actionlint	4	4 workflows
cache-poisoning	zizmor	1	1 workflow
excessive-permissions	zizmor	1	1 workflow
artipacked	zizmor	1	1 workflow

Most Affected Workflows

1. release - 3 findings (2 High, 1 Medium)
2. daily-performance-summary - 7 findings (5 shellcheck + 2 template-injection)
3. test-python-safe-input - 7 findings (5 shellcheck + 2 template-injection)
4. issue-monster - 6 findings (expression errors)

Fix Recommendation: Cache Poisoning (Highest Priority)

Issue Overview

Severity: High
Affected: release workflow
Reference: (redacted)#cache-poisoning

Problem

The release workflow uses Go module caching which can be vulnerable to cache poisoning attacks where an attacker injects malicious code into the build cache.

Solution

For release workflows, disable caching entirely to ensure maximum security:

Current Code (.github/workflows/release.md:75-79):

- name: Set up Go
  uses: actions/setup-go@v5
  with:
    go-version-file: go.mod
    cache: true

Recommended Fix:

- name: Set up Go
  uses: actions/setup-go@v5
  with:
    go-version-file: go.mod
    cache: false  # Disabled for release security - prevent cache poisoning attacks

Why This Fix?

• Release workflows handle the most sensitive operation (publishing artifacts)
• Cache poisoning could compromise all releases
• For releases, security > speed
• The workflow already runs only on tags (low frequency)

Alternative: Cache with Trust Boundaries

If caching is needed, use explicit cache keys with trust boundaries:

- name: Set up Go
  uses: actions/setup-go@v5
  with:
    go-version-file: go.mod
    cache: true

- name: Isolated cache
  uses: actions/cache@v4
  with:
    path: |
      ~/.cache/go-build
      ~/go/pkg/mod
    key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ github.ref_protected }}

The github.ref_protected context ensures different caches for protected vs unprotected refs.

Steps to Apply Fix

1. Edit .github/workflows/release.md
2. Find the "Set up Go" step (lines 75-79)
3. Change cache: true to cache: false with comment
4. Run gh aw compile release to regenerate lock file
5. Verify zizmor warning is resolved
6. Test the release process

Historical Context

This is the first comprehensive static analysis scan recorded in the cache memory system. Future scans will include trend analysis to track:

• New vulnerabilities introduced
• Resolved issues over time
• Recurring patterns across workflows
• Security posture improvements

Recommendations by Priority

Immediate Actions (Next 24-48 hours)

1. Fix cache-poisoning in release workflow (High severity)

   • Disable caching or implement trust boundaries
   • Critical for supply chain security

2. Review excessive-permissions in speckit-dispatcher (High severity)

   • Apply principle of least privilege
   • Reduce attack surface

3. Address artipacked credential persistence in release (Medium severity)

   • Audit artifacts for sensitive data
   • Implement credential sanitization

Short-term Actions (Next week)

4. Fix expression errors in issue-monster workflow

   • 6 runtime errors to address
   • May cause workflow failures

5. Fix shellcheck issues in 2 workflows

   • 10 code quality issues
   • Prevents potential runtime bugs

6. Add missing permissions to 4 workflows

   • Prevents runtime permission errors
   • Improves workflow reliability

Long-term Actions (Next month)

7. Review template-injection warnings

   • 11 occurrences across 6 workflows
   • Mostly informational, but good hygiene to address

8. Establish automated static analysis

   • Add zizmor, poutine, actionlint to CI/CD
   • Consider pre-commit hooks
   • Set up automated reporting

9. Update workflow creation guidelines

   • Document common security patterns
   • Create secure workflow templates
   • Share best practices with team

10. Regular security audits

• Schedule weekly/monthly static analysis scans
• Track security metrics over time
• Monitor for new vulnerability types

Next Steps

• Apply cache-poisoning fix to release workflow
• Review excessive permissions in speckit-dispatcher
• Fix expression errors in issue-monster
• Address shellcheck issues in safe-input workflows
• Add missing permissions to test workflows
• Consider adding static analysis to CI/CD pipeline
• Schedule next scan for December 15, 2025

Scan Artifacts

Analysis data stored in cache memory:

• /tmp/gh-aw/cache-memory/security-scans/2025-12-08.json - Full scan results
• /tmp/gh-aw/cache-memory/vulnerabilities/by-tool.json - Vulnerabilities by tool
• /tmp/gh-aw/cache-memory/fix-templates/zizmor-cache-poisoning.md - Fix template

---

Scan Timestamp: 2025-12-08T09:20:00Z
Analysis Tool: gh-aw compile with --zizmor --poutine --actionlint
Report Generated by: Static Analysis Report Agent

AI generated by Static Analysis Report

[pelikhan]

/plan

[github-actions[bot]]

🎉 Yo ho ho! Plan Command found the treasure and completed successfully! ⚓💰

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 3 days ago.