Static Analysis Report - January 27, 2026

[github-actions[bot]]

Daily static analysis scan of agentic workflows using actionlint with shellcheck integration.

Analysis Summary

• Scan Date: January 27, 2026
• Tools Used: actionlint 1.7.10 (with shellcheck & pyflakes integration)
• Tools Not Available: zizmor, poutine (infrastructure limitations)
• Workflows Scanned: 138
• Workflows With Issues: 138 (100%)
• Total Findings: 254

Findings by Category

Category	Count	Severity
Shellcheck Errors	238	Info to Warning
Permission Warnings	5	Warning
Experimental Features	9	Info
Security Warnings	1	High
Other Warnings	1	Info

Shellcheck Findings Breakdown

By Rule Type

Rule	Count	Severity	Workflows	Description
SC2129	138	Style	138	Individual redirects should be consolidated
SC1003	82	Info	11	Single quote escaping in shell scripts
SC2166	15	Warning	15	Deprecated test syntax (-a operator)
SC2086	3	Info	1	Missing quotes around variables

Detailed Analysis by Issue Type

1. SC2129: Redirect Consolidation (138 occurrences)

Severity: Style (Low Priority)
Affected: 100% of workflows

Issue: Multiple consecutive redirects to the same file should be grouped for efficiency.

Example Problem:

echo "Line 1" >> output.txt
echo "Line 2" >> output.txt
echo "Line 3" >> output.txt

Recommended Fix:

{
  echo "Line 1"
  echo "Line 2"
  echo "Line 3"
} >> output.txt

Impact: Code style and efficiency - not a security issue
Automation Potential: High - can be fixed with automated script
Priority: Low - include in next maintenance cycle

View All 138 Affected Workflows

• agent-performance-analyzer.lock.yml
• agent-persona-explorer.lock.yml
• ai-moderator.lock.yml
• archie.lock.yml
• artifacts-summary.lock.yml
• audit-workflows.lock.yml
• auto-triage-issues.lock.yml
• blog-auditor.lock.yml
• brave.lock.yml
• breaking-change-checker.lock.yml
• changeset.lock.yml
• chroma-issue-indexer.lock.yml
• ci-coach.lock.yml
• ci-doctor.lock.yml
• claude-code-user-docs-review.lock.yml
• cli-consistency-checker.lock.yml
• cli-version-checker.lock.yml
• cloclo.lock.yml
• code-scanning-fixer.lock.yml
• code-simplifier.lock.yml
• codex-github-remote-mcp-test.lock.yml
• commit-changes-analyzer.lock.yml
• copilot-agent-analysis.lock.yml
• copilot-cli-deep-research.lock.yml
• copilot-pr-merged-report.lock.yml
• copilot-pr-nlp-analysis.lock.yml
• copilot-pr-prompt-analysis.lock.yml
• copilot-session-insights.lock.yml
• craft.lock.yml
• daily-assign-issue-to-user.lock.yml
• daily-choice-test.lock.yml
• daily-cli-performance.lock.yml
• daily-code-metrics.lock.yml
• daily-compiler-quality.lock.yml
• daily-copilot-token-report.lock.yml
• daily-doc-updater.lock.yml
• daily-fact.lock.yml
• daily-file-diet.lock.yml
• daily-firewall-report.lock.yml
• daily-issues-report.lock.yml
• daily-malicious-code-scan.lock.yml
• daily-multi-device-docs-tester.lock.yml
• daily-news.lock.yml
• daily-observability-report.lock.yml
• daily-performance-summary.lock.yml
• daily-regulatory.lock.yml
• daily-repo-chronicle.lock.yml
• daily-safe-output-optimizer.lock.yml
• daily-secrets-analysis.lock.yml
• daily-semgrep-scan.lock.yml
• daily-team-evolution-insights.lock.yml
• daily-team-status.lock.yml
• daily-testify-uber-super-expert.lock.yml
• daily-workflow-updater.lock.yml
• deep-report.lock.yml
• delight.lock.yml
• dependabot-bundler.lock.yml
• dependabot-go-checker.lock.yml
• dev-hawk.lock.yml
• dev.lock.yml
• developer-docs-consolidator.lock.yml
• dictation-prompt.lock.yml
• discussion-task-miner.lock.yml
• docs-noob-tester.lock.yml
• duplicate-code-detector.lock.yml
• example-custom-error-patterns.lock.yml
• example-permissions-warning.lock.yml
• example-workflow-analyzer.lock.yml
• firewall-escape.lock.yml
• firewall.lock.yml
• github-mcp-structural-analysis.lock.yml
• github-mcp-tools-report.lock.yml
• github-remote-mcp-auth-test.lock.yml
• glossary-maintainer.lock.yml
• go-fan.lock.yml
• go-logger.lock.yml
• go-pattern-detector.lock.yml
• grumpy-reviewer.lock.yml
• hourly-ci-cleaner.lock.yml
• instructions-janitor.lock.yml
• issue-arborist.lock.yml
• issue-classifier.lock.yml
• issue-monster.lock.yml
• issue-triage-agent.lock.yml
• jsweep.lock.yml
• layout-spec-maintainer.lock.yml
• lockfile-stats.lock.yml
• mcp-inspector.lock.yml
• mergefest.lock.yml
• metrics-collector.lock.yml
• notion-issue-summary.lock.yml
• org-health-report.lock.yml
• pdf-summary.lock.yml
• plan.lock.yml
• poem-bot.lock.yml
• portfolio-analyst.lock.yml
• pr-nitpick-reviewer.lock.yml
• pr-triage-agent.lock.yml
• prompt-clustering-analysis.lock.yml
• python-data-charts.lock.yml
• q.lock.yml
• release.lock.yml
• repo-audit-analyzer.lock.yml
• repo-tree-map.lock.yml
• repository-quality-improver.lock.yml
• research.lock.yml
• safe-output-health.lock.yml
• schema-consistency-checker.lock.yml
• scout.lock.yml
• secret-scanning-triage.lock.yml
• security-compliance.lock.yml
• security-fix-pr.lock.yml
• security-review.lock.yml
• semantic-function-refactor.lock.yml
• sergo.lock.yml
• slide-deck-maintainer.lock.yml
• smoke-claude.lock.yml
• smoke-codex.lock.yml
• smoke-copilot.lock.yml
• smoke-opencode.lock.yml
• stale-repo-identifier.lock.yml
• static-analysis-report.lock.yml
• step-name-alignment.lock.yml
• sub-issue-closer.lock.yml
• super-linter.lock.yml
• technical-doc-writer.lock.yml
• terminal-stylist.lock.yml
• test-create-pr-error-handling.lock.yml
• tidy.lock.yml
• typist.lock.yml
• ubuntu-image-analyzer.lock.yml
• unbloat-docs.lock.yml
• video-analyzer.lock.yml
• weekly-issue-summary.lock.yml
• workflow-generator.lock.yml
• workflow-health-manager.lock.yml
• workflow-normalizer.lock.yml
• workflow-skill-extractor.lock.yml

📖 Reference: (redacted)

---

2. SC1003: Single Quote Escaping (82 occurrences)

Severity: Info (Low Priority)
Affected: 11 workflows

Issue: Shell scripts contain single quotes that may need proper escaping.

Common Pattern: Long strings with apostrophes in generated code or messages.

Affected Workflows:

• copilot-agent-analysis.lock.yml
• daily-doc-updater.lock.yml
• developer-docs-consolidator.lock.yml
• go-fan.lock.yml
• go-logger.lock.yml
• instructions-janitor.lock.yml
• semantic-function-refactor.lock.yml
• sergo.lock.yml
• step-name-alignment.lock.yml
• typist.lock.yml
• unbloat-docs.lock.yml

Impact: Readability and potential syntax issues in edge cases
Automation Potential: High
Priority: Low

📖 Reference: (redacted)

---

3. SC2166: Deprecated Test Syntax (15 occurrences) ⚠️

Severity: Warning (Medium Priority)
Affected: 15 workflows

Issue: Using deprecated -a operator in test expressions. Should use && instead.

Example Problem:

if [ "$a" = "x" -a "$b" = "y" ]; then
  # do something
fi

Recommended Fix:

if [ "$a" = "x" ] && [ "$b" = "y" ]; then
  # do something
fi

Affected Workflows:

• ai-moderator.lock.yml
• archie.lock.yml
• brave.lock.yml
• cloclo.lock.yml
• craft.lock.yml
• dev.lock.yml
• dictation-prompt.lock.yml
• example-workflow-analyzer.lock.yml
• github-mcp-structural-analysis.lock.yml
• grumpy-reviewer.lock.yml
• jsweep.lock.yml
• mcp-inspector.lock.yml
• plan.lock.yml
• q.lock.yml
• sergo.lock.yml

Impact: Portability - may fail on some shells, not well-defined behavior
Automation Potential: High
Priority: Medium - should be fixed to ensure portability

📖 Reference: (redacted)

---

4. SC2086: Missing Variable Quotes (3 occurrences)

Severity: Info (Medium-High Priority)
Affected: 1 workflow (ci-coach.lock.yml)

Issue: Variables should be quoted to prevent globbing and word splitting.

Example Problem:

echo $VARIABLE

Recommended Fix:

echo "$VARIABLE"

Impact: Potential security issue if variables contain spaces or special characters
Automation Potential: Medium (need to verify context)
Priority: Medium-High - quote variables for safety

📖 Reference: (redacted)

---

Other Findings

Permission Warnings (5 workflows) ⚠️

Severity: Warning (High Priority)

Issue: Missing required permissions for GitHub toolsets

Affected Workflows:

• daily-semgrep-scan.md
• dev.md
• example-permissions-warning.md
• pr-triage-agent.md
• test-create-pr-error-handling.md

Missing Permissions:

• issues: read
• pull-requests: read

Impact: Workflows will fail at runtime when attempting GitHub API operations
Priority: High - should be fixed before workflows are run

Recommended Fix:
Add to workflow frontmatter:

permissions:
  issues: read
  pull-requests: read

---

Security Warning: Sandbox Disabled ⚠️

Severity: High
Affected: 1 workflow (daily-team-evolution-insights.md)

Issue: Workflow has sandbox: false which removes security protections including firewall and MCP gateway.

Impact: AI agent has direct network access without filtering - significant security risk

Recommendation:

• Re-enable sandbox unless there's a specific justified reason
• If sandbox must be disabled, add additional security controls
• Document the security exception

Priority: Critical - review and address immediately

---

Experimental Features (9 occurrences)

Feature: safe-inputs
Severity: Info

Workflows Using Experimental Features:

• copilot-pr-merged-report.md
• daily-cli-performance.md
• daily-performance-summary.md
• (6 others)

Impact: Features may change or be deprecated
Priority: Low - monitor for feature stabilization

---

Historical Trends

Comparison with Previous Scan (January 23, 2026):

• Total Findings: 254 → 254 (no change)
• Trend: Stable
• SC2129: 138 → 138 (unchanged - still affecting all workflows)
• Tools Available: actionlint only (zizmor and poutine unavailable)

Baseline Comparison (December 24, 2025):

• Previous Total (all tools): ~858 findings
• Current Total (shellcheck only): 254 findings
• Missing Findings (estimated): ~600-650 security findings from zizmor and poutine

Note: The current scan only includes shellcheck findings. When zizmor and poutine were available, they identified:

• ~660-670 artipacked vulnerabilities (zizmor)
• ~132-135 unverified script execution issues (poutine)
• 8 template injection vulnerabilities (zizmor)
• 2-5 permission-related issues (zizmor, poutine)

---

Detailed Fix Guidance: SC2129

A comprehensive fix template has been created for the most common issue (SC2129).

Location: /tmp/gh-aw/cache-memory/fix-templates/sc2129-redirect-consolidation.md

Key Points:

• Affects 100% of workflows (138 total)
• Highly automatable fix
• Low risk, low priority
• Can be batched with other maintenance work

Example Automated Fix Pattern:

Before:

echo "instruction 1" >> "$CACHE_MEMORY_FILE"
echo "instruction 2" >> "$CACHE_MEMORY_FILE"
echo "instruction 3" >> "$CACHE_MEMORY_FILE"

After:

{
  echo "instruction 1"
  echo "instruction 2"
  echo "instruction 3"
} >> "$CACHE_MEMORY_FILE"

Rollout Recommendation:

1. Create automated fix script
2. Test on 5-10 workflows
3. Deploy in batches of 20 workflows
4. Monitor for any issues

---

Recommendations

Immediate Actions (High Priority)

1. ✅ Fix Permission Warnings (5 workflows)

   • Add required permissions to workflow frontmatter
   • Test workflows to ensure proper GitHub API access
   • Effort: Low | Impact: High

2. ✅ Review Sandbox Disabled (1 workflow)

   • Audit security justification for disabled sandbox
   • Re-enable if possible, or add compensating controls
   • Effort: Medium | Impact: Critical

3. ✅ Fix SC2086 Variable Quoting (1 workflow)

   • Add quotes around variables in ci-coach workflow
   • Prevents potential security issues
   • Effort: Low | Impact: Medium-High

Short-term Actions (Medium Priority)

4. ✅ Fix SC2166 Deprecated Test Syntax (15 workflows)

   • Replace -a with && in test expressions
   • Improves portability and follows best practices
   • Effort: Low | Impact: Medium

5. ✅ Re-enable Security Scanning Tools

   • Work to restore zizmor and poutine scanning
   • Critical for comprehensive security analysis
   • Estimated ~600-650 security findings currently not detected
   • Effort: High | Impact: Critical

Long-term Actions (Low Priority)

6. ✅ Fix SC2129 Redirect Consolidation (138 workflows)

   • Implement automated fix for redirect consolidation
   • Deploy in batches with monitoring
   • Effort: Medium (automation) | Impact: Low (code quality)

7. ✅ Fix SC1003 Quote Escaping (11 workflows)

   • Address single quote escaping issues
   • Improves code readability
   • Effort: Low | Impact: Low

8. ✅ Monitor Experimental Features (9 workflows)

   • Track safe-inputs feature for stabilization
   • Plan migration if feature changes
   • Effort: Low | Impact: Low

---

Next Steps

Priority Order:

1. Address security warning (sandbox disabled) - Critical
2. Fix permission warnings (5 workflows) - High
3. Fix SC2086 variable quoting (1 workflow) - High
4. Work on re-enabling zizmor and poutine - Critical (for comprehensive scanning)
5. Fix SC2166 deprecated syntax (15 workflows) - Medium
6. Plan batch fix for SC2129 (138 workflows) - Low

Scan Data Saved: /tmp/gh-aw/cache-memory/static-analysis-findings-2026-01-27.json
Fix Template Created: /tmp/gh-aw/cache-memory/fix-templates/sc2129-redirect-consolidation.md

---

Summary

The current scan identified 254 findings across 138 workflows, primarily code quality and style issues detected by shellcheck. The most significant findings are:

• 1 critical security warning requiring immediate attention
• 5 permission warnings that will cause runtime failures
• 138 style issues (SC2129) that can be bulk-fixed with automation
• 15 portability warnings (SC2166) that should be addressed

Key Concern: Zizmor and poutine are unavailable, meaning ~600-650 security findings are not being detected. Restoring these tools should be a priority for comprehensive security analysis.

Workflow Run: §21401137557

AI generated by Static Analysis Report

• expires on Feb 3, 2026, 2:40 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-03T14:40:03.884Z.