🔍 Static Analysis Report - December 22, 2025

[github-actions[bot]]

Analysis Summary

Comprehensive static analysis scan of agentic workflows using three complementary security and code quality tools.

• Tools Used: zizmor (security), poutine (supply chain), actionlint (linting)
• Total Findings: 37
• Workflows Scanned: 10
• Workflows with Issues: 10 (100%)

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Warning	Info
Zizmor (security)	4	0	0	0	0	4	0
Poutine (supply chain)	10	0	0	0	0	0	10
Actionlint (linting)	23	0	0	0	0	7	16

Key Finding: No critical or high-severity security vulnerabilities detected. All findings are informational, warnings, or code quality improvements.

---

Clustered Findings by Tool and Type

🛡️ Zizmor Security Findings

1. Template Injection Risk

• Rule: template-injection
• Severity: Warning (Informational)
• Count: 2 occurrences
• Affected Workflows: dev (1 workflow)
• Location: Line 3057 - "Start Safe Inputs MCP HTTP Server" step
• Description: Code injection via template expansion
• Reference: (redacted)

Impact: Potential for code injection through GitHub Actions template expansion. This is informational as it relates to the Safe Inputs MCP server configuration.

2. Default Permissions on Risky Events

• Rule: default_permissions_on_risky_events
• Severity: Warning
• Count: 2 occurrences
• Affected Workflows: tidy, scout (2 workflows)
• Location: Line 1 (workflow file start)
• Description: Default permissions used on risky events
• Reference: (redacted)

Impact: Workflows triggered by potentially untrusted events (e.g., pull_request, workflow_dispatch) are using default permissions instead of explicitly scoped permissions.

---

🔗 Poutine Supply Chain Findings

1. Unverified Script Execution (Most Common Issue)

• Rule: unverified_script_exec
• Severity: Info/Note
• Count: 10 occurrences
• Affected Workflows: ALL 10 scanned workflows
  • static-analysis-report
  • audit-workflows
  • daily-doc-updater
  • cli-version-checker
  • copilot-agent-analysis
  • smoke-claude
  • smoke-copilot
  • dev
  • tidy
  • scout

Problematic Command:

curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash

Location: "Install awf binary" step in all workflows

Description: The installation script for the Agentic Workflow Firewall (awf) is downloaded and piped directly to bash with elevated privileges, without integrity verification.

Security Concerns:

• No checksum verification
• Script executed immediately without inspection
• Runs with sudo privileges
• Could be intercepted or modified

---

🔧 Actionlint Linting Issues

1. SC2012 - Use find instead of ls

• Rule: SC2012 (shellcheck)
• Severity: Info
• Count: 16 occurrences (2 per workflow)
• Affected Workflows: 7 workflows with Claude engine
  • static-analysis-report
  • audit-workflows
  • daily-doc-updater
  • cli-version-checker
  • copilot-agent-analysis
  • smoke-claude
  • scout

Message: "Use find instead of ls to better handle non-alphanumeric filenames"

Locations:

• First occurrence: Firewall execution script (awf command)
• Second occurrence: Claude Code CLI execution script

Reference: (redacted)

2. SC2155 - Declare and assign separately

• Rule: SC2155 (shellcheck)
• Severity: Warning
• Count: 7 occurrences (1 per workflow)
• Affected Workflows: Same 7 Claude-based workflows as SC2012
  • static-analysis-report
  • audit-workflows
  • daily-doc-updater
  • cli-version-checker
  • copilot-agent-analysis
  • smoke-claude
  • scout

Message: "Declare and assign separately to avoid masking return values"

Location: Claude Code CLI execution script

Reference: (redacted)

---

Top Priority Issues

🥇 Priority 1: Unverified Script Execution (Poutine)

• Severity: Info
• Affected: 10/10 workflows (100%)
• Tool: Poutine
• Impact: Supply chain security risk

While marked as "info" severity, this affects every workflow and represents a supply chain attack vector. Fixing this pattern once will improve security posture across all workflows.

🥈 Priority 2: SC2012 Shellcheck Issues (Actionlint)

• Severity: Info
• Affected: 7/10 workflows
• Tool: Actionlint (shellcheck)
• Impact: Code quality and robustness

These are code quality issues that could cause problems with filenames containing special characters.

🥉 Priority 3: SC2155 Shellcheck Warning (Actionlint)

• Severity: Warning
• Affected: 7/10 workflows
• Tool: Actionlint (shellcheck)
• Impact: Error handling

Variable declaration pattern that can mask return values and hide errors.

4️⃣ Priority 4: Default Permissions (Zizmor)

• Severity: Warning
• Affected: 2/10 workflows
• Tool: Zizmor
• Impact: Least privilege principle

Workflows should explicitly define minimum required permissions.

---

Fix Suggestion: Unverified Script Execution

Since this issue affects all 10 workflows, fixing it provides the highest impact. Here's a detailed fix guide:

Problem

- name: Install awf binary
  run: |
    curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash

Recommended Solutions

Option 1: Use GitHub Actions Composite Action (Preferred)

Create a composite action in the gh-aw-firewall repository:

- name: Install awf binary
  uses: githubnext/gh-aw-firewall/.github/actions/install@v0.7.0

Benefits:

• Cryptographic verification via Git commit
• More auditable and maintainable
• Follows GitHub Actions best practices
• Can include additional validation logic

Option 2: Download, Verify, Then Execute

- name: Install awf binary
  run: |
    echo "Downloading awf installer script"
    curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh -o /tmp/install-awf.sh
    
    # Verify checksum (requires publishing checksums)
    echo "EXPECTED_SHA256  /tmp/install-awf.sh" | sha256sum -c -
    
    # Execute verified script
    sudo AWF_VERSION=v0.7.0 bash /tmp/install-awf.sh

Benefits:

• Integrity verification via checksum
• Script can be inspected before execution
• Clear separation of download and execution

Requirements:

• Upstream project must publish checksums for each version

Option 3: Pin to Specific Commit (Minimal Change)

- name: Install awf binary
  run: |
    curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/COMMIT_SHA/install.sh | sudo AWF_VERSION=v0.7.0 bash

Benefits:

• Minimal code change
• Immutable script reference
• Prevents silent updates

Trade-offs:

• Must update commit SHA for each version
• Still pipes to bash (less auditable)

---

Detailed Findings by Workflow

Full Report

static-analysis-report.md

• ✅ Zizmor: No issues
• ⚠️ Poutine: 1 unverified_script_exec (line 283)
• ⚠️ Actionlint: SC2012 (line 2768), SC2012 (line 6341), SC2155 (line 6341)

audit-workflows.md

• ✅ Zizmor: No issues
• ⚠️ Poutine: 1 unverified_script_exec (line 317)
• ⚠️ Actionlint: SC2012 (line 2750), SC2012 (line 6336), SC2155 (line 6336)

daily-doc-updater.md

• ✅ Zizmor: No issues
• ⚠️ Poutine: 1 unverified_script_exec (line 261)
• ⚠️ Actionlint: SC2012 (line 2604), SC2012 (line 6186), SC2155 (line 6186)

cli-version-checker.md

• ✅ Zizmor: No issues
• ⚠️ Poutine: 1 unverified_script_exec (line 268)
• ⚠️ Actionlint: SC2012 (line 2767), SC2012 (line 6339), SC2155 (line 6339)

copilot-agent-analysis.md

• ✅ Zizmor: No issues
• ⚠️ Poutine: 1 unverified_script_exec (line 277)
• ⚠️ Actionlint: SC2012 (line 3011), SC2012 (line 6583), SC2155 (line 6583)

smoke-claude.md

• ✅ Zizmor: No issues
• ⚠️ Poutine: 1 unverified_script_exec (line 689)
• ⚠️ Actionlint: SC2012 (line 3133), SC2012 (line 6705), SC2155 (line 6705)

smoke-copilot.md

• ✅ Zizmor: No issues
• ⚠️ Poutine: 1 unverified_script_exec (line 678)
• ⚠️ Actionlint: No issues (uses safe-inputs experimental feature)

dev.md

• ⚠️ Zizmor: 2 template-injection warnings (line 3057)
• ⚠️ Poutine: 1 unverified_script_exec (line 251)
• ⚠️ Actionlint: No shellcheck issues

tidy.md

• ⚠️ Zizmor: 1 default_permissions_on_risky_events warning (line 1)
• ⚠️ Poutine: 1 unverified_script_exec (line 682)
• ⚠️ Actionlint: No shellcheck issues

scout.md

• ⚠️ Zizmor: 1 default_permissions_on_risky_events warning (line 1)
• ⚠️ Poutine: 1 unverified_script_exec (line 1057)
• ⚠️ Actionlint: SC2012 (line 3548), SC2012 (line 7122), SC2155 (line 7122)

---

Historical Trends

This is the first comprehensive static analysis scan with all three tools. Future scans will track:

• New issues introduced
• Issues resolved
• Trends by tool and severity
• Workflow-specific patterns

Baseline established: 37 total findings across 10 workflows

---

Recommendations

Immediate Actions (High Impact, Low Effort)

1. ✅ Fix unverified script execution - Create composite action or use commit pinning for awf installation
   • Impact: Improves supply chain security for all workflows
   • Effort: One-time fix, reusable across all workflows

Short-term Actions (Code Quality)

2. ✅ Fix SC2012 shellcheck issues - Update scripts to use find instead of ls

   • Impact: More robust file handling
   • Effort: Low, pattern-based replacement

3. ✅ Fix SC2155 shellcheck warnings - Separate variable declaration and assignment

   • Impact: Better error handling
   • Effort: Low, pattern-based replacement

Long-term Actions (Security Hardening)

4. ✅ Add explicit permissions to risky workflows - Define minimum required permissions for tidy and scout

   • Impact: Follows principle of least privilege
   • Effort: Low, requires understanding workflow requirements

5. ✅ Review template injection warnings - Analyze Safe Inputs MCP configuration in dev workflow

   • Impact: Ensure template expansion is secure
   • Effort: Medium, requires security review

6. ✅ Automate static analysis - Add pre-commit hooks or CI checks

   • Impact: Catch issues before merge
   • Effort: Medium, requires workflow integration

Prevention & Continuous Improvement

7. ✅ Update workflow creation templates - Incorporate fixes into standard patterns
8. ✅ Document secure patterns - Create guidelines for workflow authors
9. ✅ Schedule regular scans - Run this analysis weekly or on major changes
10. ✅ Track remediation progress - Monitor issues over time

---

Next Steps

• Review and prioritize findings with security team
• Implement fix for unverified script execution across all workflows
• Address shellcheck warnings in Claude-based workflows
• Define explicit permissions for tidy and scout workflows
• Schedule follow-up scan in 1 week to track progress
• Consider integrating static analysis tools into CI/CD pipeline

---

Scan Metadata

• Scan Date: 2025-12-22
• Tools: zizmor (latest), poutine (latest), actionlint (latest)
• Repository: githubnext/gh-aw
• Branch: main
• Commit: 53b11d6
• Workflows Analyzed: 10
• Total Workflow Files: 130+
• Coverage: Representative sample of Claude and Copilot-based workflows

Cache Location: /tmp/gh-aw/cache-memory/security-scans/2025-12-22.json

AI generated by Static Analysis Report

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 3 days ago.