🔍 Static Analysis Report - January 19, 2026

[github-actions[bot]]

Analysis Summary

Daily static analysis scan of all agentic workflows using three security and code quality tools: zizmor (security), poutine (supply chain), and actionlint (linting with shellcheck).

• Tools Used: zizmor, poutine, actionlint
• Total Findings: 362
• Workflows Scanned: 130
• Workflows Affected: 131 (some workflows have multiple findings)

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info/Style
actionlint (linting)	217	0	0	15	0	202
poutine (supply chain)	128	0	128*	0	0	0
zizmor (security)	1	0	0	0	1	0

* Marked as high priority due to supply chain security implications, though poutine reports it as "note"

---

🚨 Priority Issue: Unverified Script Execution

Overview

Tool: Poutine
Finding: unverified_script_exec
Severity: Note (High Priority - Supply Chain Risk)
Affected: 128 out of 130 workflows
Impact: Remote script execution without integrity verification

The Issue

128 workflows execute a remote installation script without verification:

curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash

Why This Matters:

• Script runs with sudo (full system privileges)
• No checksum or signature verification
• If the source repository is compromised, malicious code executes immediately
• Affects nearly all workflows (98% of repository)

Recommended Fix

Add checksum verification before execution:

- name: Install awf binary
  run: |
    echo "Installing awf via installer script (requested version: v0.10.0)"
    
    # Download script
    curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh -o /tmp/install-awf.sh
    
    # Verify checksum
    EXPECTED_SHA256="<CHECKSUM_HERE>"
    ACTUAL_SHA256=$(sha256sum /tmp/install-awf.sh | awk '{print $1}')
    
    if [ "$EXPECTED_SHA256" != "$ACTUAL_SHA256" ]; then
      echo "ERROR: Checksum verification failed!"
      exit 1
    fi
    
    # Execute verified script
    sudo AWF_VERSION=v0.10.0 bash /tmp/install-awf.sh
    rm /tmp/install-awf.sh

Action Items:

1. Generate checksum of current install.sh
2. Update workflow compiler/generator template
3. Recompile all affected workflows
4. Document checksum update process

Full fix template available at: /tmp/gh-aw/cache-memory/fix-templates/poutine-unverified-script-exec.md

---

Clustered Findings by Tool

Actionlint (Shellcheck) Findings

Actionlint uses shellcheck to identify shell script issues in workflow run: blocks.

Issue Code	Severity	Count	Workflows	Description
SC2129	style	116	116	Using individual redirects instead of grouped output (>> used multiple times)
SC1003	info	82	11	Incorrect single quote escaping in strings
SC2166	warning	15	15	Deprecated test syntax [ p -a q ] instead of [ p ] && [ q ]
SC2086	info	3	1	Missing quotes can cause word splitting/globbing
expression	error	1	1	GitHub Actions expression evaluation error

SC2129 Example (116 workflows)

Location: Prompt creation scripts
Current:

echo "line1" >> file
echo "line2" >> file
echo "line3" >> file

Better:

{
  echo "line1"
  echo "line2"
  echo "line3"
} >> file

Priority: Low (style issue, no functional impact)

SC1003 Example (11 workflows)

Issue: Incorrect single quote escaping in heredocs or strings
Priority: Medium (affects code correctness)

SC2166 Example (15 workflows)

Current: [ condition1 -a condition2 ]
Better: [ condition1 ] && [ condition2 ]
Priority: Medium (portability and correctness)

Poutine (Supply Chain Security) Findings

Finding	Count	Workflows	Description
unverified_script_exec	128	128	Downloads and executes remote script without verification

All affected workflows: See detailed list in cache at /tmp/gh-aw/cache-memory/security-scans/2026-01-19.json

Zizmor (Security) Findings

Finding	Severity	Count	Workflow	Description
template-injection	Low	1	mcp-inspector.lock.yml	Code injection via template expansion

Location: .github/workflows/mcp-inspector.lock.yml:434:9
Reference: https://docs.zizmor.sh/audits/#template-injection
Priority: Medium (potential code injection vulnerability)

---

Findings by Workflow

Top 20 Affected Workflows (by finding count)

Most workflows have 1-2 findings. Common patterns:

• SC2129 (style): 116 workflows
• unverified_script_exec: 128 workflows
• SC1003: 11 workflows
• SC2166: 15 workflows

Workflows with multiple issue types:

• Most workflows have both SC2129 (style) + unverified_script_exec (supply chain)
• A subset also has SC2166 (deprecated test syntax)
• ci-coach.lock.yml has SC2086 issues (missing quotes)

---

Historical Context

First Scan: This is the first comprehensive static analysis scan with all three tools.

Baseline Established:

• Security findings: 129 (128 poutine + 1 zizmor)
• Code quality: 217 actionlint findings
• Total: 362 findings across 131 workflows

Future Tracking: Scan data stored in /tmp/gh-aw/cache-memory/security-scans/ for trend analysis.

---

Recommendations

Immediate (Security)

1. ✅ Fix unverified script execution in 128 workflows

   • Add checksum verification to install.sh download
   • Update workflow compiler template
   • Recompile all workflows

2. ✅ Review template-injection in mcp-inspector.lock.yml

   • Analyze the template expansion at line 434
   • Ensure no untrusted input in templates

Short-term (Code Quality)

3. 🔧 Fix SC2166 warnings (15 workflows)

   • Replace deprecated -a test syntax
   • Medium priority - affects portability

4. 🔧 Fix SC1003 issues (11 workflows)

   • Correct single quote escaping
   • Medium priority - affects correctness

Long-term (Process)

5. 📋 Improve SC2129 style (116 workflows)

   • Use grouped redirects for better performance
   • Low priority - style improvement

6. 🔄 Establish continuous monitoring

   • Add static analysis to CI/CD pipeline
   • Set up alerts for new security findings
   • Track trends over time

7. 📚 Update workflow templates

   • Incorporate fixes into templates
   • Prevent recurring issues
   • Document secure patterns

---

Scan Data Storage

All findings have been stored in persistent cache memory for historical tracking:

/tmp/gh-aw/cache-memory/
├── security-scans/
│   ├── index.json                    # Scan history index
│   └── 2026-01-19.json              # Today's full scan results
├── vulnerabilities/
│   ├── by-tool.json                 # Findings grouped by tool
│   └── by-workflow.json             # Findings grouped by workflow
└── fix-templates/
    └── poutine-unverified-script-exec.md  # Fix template for priority issue

---

Next Steps

Priority 1: Address the unverified script execution finding

• Generate checksum for current install.sh
• Update workflow compiler template with verification
• Test with one workflow
• Recompile all 128 affected workflows
• Document checksum update process

Priority 2: Fix medium-severity code quality issues

• SC2166: Update deprecated test syntax (15 workflows)
• SC1003: Fix quote escaping (11 workflows)
• Review template-injection in mcp-inspector

Priority 3: Process improvements

• Add static analysis to CI/CD
• Update workflow creation guidelines
• Schedule weekly scans for trend monitoring

---

Scan Details:

• Date: 2026-01-19
• Tools: zizmor 1.x, poutine, actionlint 1.7.10
• Scan storage: /tmp/gh-aw/cache-memory/security-scans/2026-01-19.json

AI generated by Static Analysis Report

• expires on Jan 26, 2026, 2:39 PM UTC