🔍 Static Analysis Report - January 25, 2026

[github-actions[bot]]

Analysis Summary

This automated security and code quality scan analyzed 140 workflow files using three static analysis tools: zizmor (security), poutine (supply chain), and actionlint (linting with shellcheck).

• Total Findings: 281
• Workflows Scanned: 140
• Workflows Affected: 140
• Analysis Date: 2026-01-25

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info/Style
actionlint (linting)	266	-	-	-	-	266 errors
poutine (supply chain)	14	-	-	-	-	14 warnings
zizmor (security)	1	0	0	0	1	0
Total	281	0	0	0	1	280

Key Findings

✅ Major Security Improvements (vs. Jan 15)

• Zizmor findings reduced 99.6% (250 → 1)
  • Template injection issues: 123 → 1 (99.2% reduction)
  • Unverified script execution: 124 → 0 (100% resolved)
  • Unpinnable action warnings: 3 → 0 (100% resolved)

⚠️ New Issues Detected

1. Actionlint findings increased 212.9% (85 → 266)

   • Root cause: Code generation changes in workflow compiler
   • Primarily style/quality issues, not security vulnerabilities

2. New poutine warnings (0 → 14)

   • Security best practice violations
   • Requires explicit permissions on risky event triggers

Clustered Findings by Tool and Type

Actionlint Linting Issues (266 total)

Issue Type	Count	Affected Workflows	Severity	Fix Priority
SC2129	139	139	Style	Low
SC1003	82	11	Info	Low
expression	27	27	Error	High
SC2166	15	15	Warning	Medium
SC2086	3	1	Info	Low

SC2129: Multiple redirects to same file (style issue)

• Description: Using multiple cat >> file instead of grouped { cat; cat; } > file
• Impact: Minor performance penalty, reduced readability
• Root Cause: Workflow compiler code generation pattern
• Fix Location: Compiler templates (not individual workflows)

expression: Undefined property references (critical)

• Description: Expressions reference properties that don't exist in context
• Impact: Runtime errors, workflow failures, empty values
• Affected: 27 workflows (requires individual analysis)
• Example: needs.create_pull_request.outputs.error_message when output not defined

SC1003: Single quote escaping in strings

• Description: Incorrect escaping of single quotes in single-quoted strings
• Impact: Minor syntax issues
• Affected: 11 workflows with multiple occurrences

Poutine Supply Chain Security (14 total)

Issue Type	Count	Severity	Security Impact
default_permissions_on_risky_events	14	Warning	Medium

Affected Workflows:

• ai-moderator
• archie
• brave
• cloclo
• grumpy-reviewer
• mergefest
• pdf-summary
• plan
• pr-nitpick-reviewer
• q
• scout
• security-review
• tidy
• unbloat-docs

Security Concern: These workflows are triggered by potentially untrusted events (like issue_comment, pull_request_target) but use default permissions, which may grant excessive access.

Zizmor Security Findings (1 total)

Workflow	Issue	Severity	Location
mcp-inspector	template-injection	Low	Line 453

Details: Code injection via template expansion

• Reference: (redacted)
• Impact: Low severity, single occurrence

Top Priority Issues

🔴 Priority 1: Expression Errors (27 workflows)

Impact: Workflow runtime failures and unexpected behavior

View Affected Workflows

• ci-coach
• cloclo
• code-scanning-fixer
• code-simplifier
• daily-doc-updater
• daily-workflow-updater
• dependabot-bundler
• developer-docs-consolidator
• dictation-prompt
• github-mcp-tools-report
• grumpy-reviewer
• homebrew-updater
• library-upgrade-guide
• mergefest
• openapi-spec-generator
• pdf-summary
• plan
• pr-nitpick-reviewer
• pull-request-summary
• q
• r
• release
• repo-audit-analyzer
• repo-tree-map
• scout
• skill-update-prompter
• unbloat-docs

Recommended Action: Audit each workflow's job dependencies and ensure all referenced outputs are properly defined.

🟡 Priority 2: Default Permissions on Risky Events (14 workflows)

Impact: Security best practice violation, potential privilege escalation

Recommended Action: Add explicit permissions to workflow frontmatter following principle of least privilege.

See detailed fix prompt below.

🟢 Priority 3: SC2129 Style Issues (139 workflows)

Impact: Code readability and minor performance

Recommended Action: Update workflow compiler templates to use grouped command redirection.

This is a systematic issue affecting all compiled workflows - fix once in compiler to resolve all occurrences.

Fix Suggestion: Default Permissions on Risky Events

Issue: Poutine detected 14 workflows using default permissions with risky event triggers

Severity: Warning (Security Best Practice)

Affected Workflows: 14 (ai-moderator, archie, brave, cloclo, grumpy-reviewer, mergefest, pdf-summary, plan, pr-nitpick-reviewer, q, scout, security-review, tidy, unbloat-docs)

Fix Prompt for Copilot Agent

### Security Fix: Add Explicit Permissions to Risky Event Workflows

**Problem**: Workflows triggered by risky events (pull_request_target, issue_comment, workflow_run) are using default permissions, which grants broad repository access.

**Security Risk**:
- Risky events can be triggered by untrusted actors (external contributors)
- Default permissions include write access to repository contents
- Attackers could potentially modify code or steal secrets
- Violates principle of least privilege

**Required Fix**:

Add explicit permissions to the workflow frontmatter (the `.md` file, not `.lock.yml`):

**Before**:
```yaml
on:
  issue_comment:
    types: [created]

agent: claude-sonnet-4.5
```

**After**:
```yaml
permissions:
  contents: read        # Only if you need to read repository files
  issues: write         # Only if you need to comment on issues
  pull-requests: write  # Only if you need to comment on PRs

on:
  issue_comment:
    types: [created]

agent: claude-sonnet-4.5
```

**Steps**:

1. Review each workflow's actual requirements
2. Start with minimal permissions (`contents: read`)
3. Add only permissions actually needed:
   - `issues: write` - if commenting on issues
   - `pull-requests: write` - if commenting on PRs
   - `contents: write` - only if pushing code changes
4. Document why each permission is required (optional comment)
5. Test the workflow to ensure it still functions

**Affected Files** (14 workflows):
- .github/workflows/ai-moderator.md
- .github/workflows/archie.md
- .github/workflows/brave.md
- .github/workflows/cloclo.md
- .github/workflows/grumpy-reviewer.md
- .github/workflows/mergefest.md
- .github/workflows/pdf-summary.md
- .github/workflows/plan.md
- .github/workflows/pr-nitpick-reviewer.md
- .github/workflows/q.md
- .github/workflows/scout.md
- .github/workflows/security-review.md
- .github/workflows/tidy.md
- .github/workflows/unbloat-docs.md

**Common Permission Patterns**:

For comment-only workflows:
```yaml
permissions:
  contents: read
  issues: write
  pull-requests: write
```

For workflows that need to push changes:
```yaml
permissions:
  contents: write
  pull-requests: write
```

For read-only analysis workflows:
```yaml
permissions:
  contents: read
```

**Reference**: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Historical Trends

Comparison: January 25, 2026 vs. January 15, 2026 (10 days)

Metric	Previous	Current	Change	% Change
Workflows Scanned	123	140	+17	+13.8%
Total Findings	260	281	+21	+8.1%
Actionlint	85	266	+181	+212.9%
Zizmor	250	1	-249	-99.6%
Poutine	0	14	+14	New

Key Improvements ✅

1. Zizmor security findings reduced by 99.6%

   • Template injection: 123 → 1 (99.2% reduction)
   • Unverified script execution: 124 → 0 (completely resolved)
   • Unpinnable actions: 3 → 0 (completely resolved)

2. Security posture significantly improved

   • Only 1 low-severity security finding remaining
   • No critical, high, or medium severity security issues

New Concerns ⚠️

1. Actionlint findings increased 212.9%

   • Root cause: Workflow compiler changes
   • Primarily code quality/style issues (SC2129)
   • 27 expression errors need attention

2. New supply chain security warnings

   • Poutine detected 14 workflows with risky permissions
   • Security best practice improvements needed

Detailed Findings

View Complete Actionlint Findings by Type

SC2129: Multiple Redirects (139 occurrences)

Description: Consider using { cmd1; cmd2; } >> file instead of individual redirects

Pattern Found:

cat << 'EOF' > "$FILE"
content
EOF
cat file1 >> "$FILE"
cat file2 >> "$FILE"

Recommended Pattern:

{
  cat << 'EOF'
  content
  EOF
  cat file1
  cat file2
} > "$FILE"

Affected: All 139 compiled workflows (systematic compiler issue)

SC1003: Single Quote Escaping (82 occurrences in 11 workflows)

Workflows with this issue:

• Multiple prompt strings with embedded single quotes
• Requires proper escaping: 'it'\''s' instead of 'it's'

Expression Errors (27 workflows)

Common Patterns:

• Referencing job outputs that don't exist
• Incorrect property paths in needs.* context
• Missing output definitions in dependent jobs

Requires: Individual workflow analysis to fix

View Zizmor Security Finding Details

Template Injection (Low Severity)

Workflow: mcp-inspector.lock.yml
Location: Line 453, Column 9
Issue: Code injection via template expansion
URL: (redacted)

Context: Single occurrence of potential template injection vulnerability. Review the template expansion to ensure untrusted input is properly sanitized.

Recommendations

Immediate Actions (This Week)

1. Fix Expression Errors (Priority: High)

   • Review all 27 workflows with expression errors
   • Add missing output definitions to job dependencies
   • Test workflows to ensure proper data flow

2. Add Explicit Permissions (Priority: Medium-High)

   • Update 14 workflows with risky event triggers
   • Follow principle of least privilege
   • Document permission requirements

Short-Term Actions (Next 2 Weeks)

3. Review Template Injection

   • Investigate mcp-inspector workflow line 453
   • Ensure proper input sanitization
   • Consider adding validation

4. Update Workflow Compiler

   • Fix SC2129 by updating code generation templates
   • Implement grouped command redirection pattern
   • Regenerate all workflows to apply fix

Long-Term Improvements (Next Month)

5. Establish Automated Scanning

   • Keep daily static analysis scans running
   • Set up alerts for new high/critical findings
   • Track trends in security posture

6. Update Development Guidelines

   • Document permission requirements for new workflows
   • Provide templates for common patterns
   • Add static analysis to PR checks

7. Consider Pre-Commit Hooks

   • Add actionlint to local development
   • Catch expression errors before commit
   • Validate permissions configuration

Scan Metadata

• Scan Date: 2026-01-25
• Repository: githubnext/gh-aw
• Branch: main
• Tools Used:
  • actionlint v1.7.10 (with shellcheck & pyflakes)
  • zizmor (latest)
  • poutine (latest)
• Workflows Analyzed: 140
• Lock Files Generated: 139 (1 compilation error in shared/mcp/chroma.md)

Additional Resources

• Fix Templates: Available in /tmp/gh-aw/cache-memory/fix-templates/

  • actionlint-SC2129.json - Shell redirection fix guide
  • poutine-default_permissions.json - Permissions security fix
  • actionlint-expression.json - Expression error fix guide

• Scan Data: /tmp/gh-aw/cache-memory/security-scans/2026-01-25.json

• Vulnerability Database: /tmp/gh-aw/cache-memory/vulnerabilities/by-tool.json

• Trend Analysis: /tmp/gh-aw/cache-memory/vulnerabilities/trends.json

---

Next Scan: Scheduled for 2026-01-26 (daily automated scan)

AI generated by Static Analysis Report

• expires on Feb 1, 2026, 2:38 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-01T14:38:16.697Z.