Closed as not planned
5 of 5 issues completed
Overview
This tracking issue covers remediation of 564 security, linting, and supply chain findings identified in the daily static analysis scan on January 13, 2026.
Source: Discussion #9836
Workflow Run: §20960449305
Summary
- Total Findings: 564 across 119 workflows
- Critical Priority: Unverified script execution (120 occurrences)
- High Priority: Expression errors blocking workflows (8 occurrences)
- Medium Priority: Shellcheck warnings (195 occurrences)
- Low Priority: Template injection informational warnings (117 occurrences)
Findings Breakdown
| Tool | Total | Critical | High | Medium | Low | Informational |
|---|---|---|---|---|---|---|
| zizmor (security) | 120 | 0 | 0 | 120 | 0 | 0 |
| actionlint (linting) | 444 | 0 | 1 | 2 | 1 | 117 |
| poutine (supply chain) | 0 | 0 | 0 | 0 | 0 | 0 |
Planned Sub-Tasks
This work is broken down into 5 focused sub-issues:
- Fix unverified script execution - 120 occurrences of the insecure curl-to-bash pattern
- Fix workflow expression errors - 8 blocking errors in 5 workflows
- Fix shellcheck SC2155 warnings - 195 instances of masked return values
- Evaluate template injection warnings - 117 informational warnings to assess
- Update workflow security guidelines - Document secure patterns for future workflows
Success Criteria
- All unverified script executions replaced with a secure download-verify-execute pattern
- All expression errors resolved and workflows executing correctly
- Shellcheck SC2155 warnings addressed with proper error handling
- Template injection warnings assessed and documented
- Workflow creation guidelines updated with security best practices
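The two shell-level fixes called for above (the curl-to-bash replacement and the SC2155 masked-return-value warning) in one added bash example; this is illustration written for this page, not code from the repository's workflows. The flagged pattern appears only as a comment, and the hardened function pins a SHA-256 digest, compares it before executing, and assigns `local` variables on a separate line so the substitution's exit status is not hidden. The installer script, its path and the digest are constructed in a temporary directory so the example runs offline; in a real workflow the digest is a literal committed next to the download URL.

```shell
#!/usr/bin/env bash
# Added example: replace "curl ... | bash" with download -> verify -> execute,
# and fix SC2155 by separating `local` from the command substitution.
set -eu

# Flagged pattern (shown only as a comment; example.invalid is a placeholder):
#   curl -fsSL https://example.invalid/install.sh | bash
# Nothing checks what was fetched before it runs.

# Portable SHA-256 helper: sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Execute a downloaded script only if its digest matches the pinned value.
verify_and_run() {
  local script="$1"
  local expected="$2"
  # SC2155 form (masked failure, do not use):
  #   local actual=$(sha256_of "$script")   # $? is always `local`'s status
  # Corrected form: declare first, assign second, so the failure surfaces.
  local actual
  actual=$(sha256_of "$script") || return 1
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $script: expected $expected, got $actual" >&2
    return 1
  fi
  bash "$script"
}

# Constructed stand-in for the downloaded installer (no network required).
WORKDIR=$(mktemp -d)
printf '#!/usr/bin/env bash\necho "installer ran"\n' > "$WORKDIR/install.sh"
# In a workflow this is a literal pinned in the YAML; here it is computed
# from the constructed file so the example is self-contained.
PINNED_SHA256=$(sha256_of "$WORKDIR/install.sh")

# Matching digest: the script runs. Mismatch: it does not, and the step fails.
verify_and_run "$WORKDIR/install.sh" "$PINNED_SHA256"
```

In a workflow step the same shape is `curl -fsSLo install.sh "$URL"` followed by `verify_and_run install.sh "$PINNED_SHA256"`, with the digest updated deliberately whenever the upstream release changes.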
References
AI generated by Plan Command for discussion #9836