🔍 Static Analysis Report - January 30, 2026

[github-actions[bot]]

Analysis Summary

Comprehensive static analysis completed on 145 agentic workflows using three security and code quality tools.

Scan Details:

• Tools Used: zizmor (security), poutine (supply chain), actionlint (linting)
• Total Findings: 579 issues identified
• Workflows Scanned: 145
• Workflows Affected: 144 (99.3%)
• Workflow Run: §21519309020

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info/Style
zizmor (security)	128	0	0	1	127	-
poutine (supply chain)	26	-	-	-	-	1 error, 14 warnings, 11 notes
actionlint (linting)	436	-	-	-	-	292 errors, 144 warnings
Compilation	24	-	-	-	-	24 warnings

Priority Issues

🔴 Critical: Poutine Error (1 workflow)

Issue: if_always_true - Conditional expression always evaluates to true
Affected: .github/workflows/dev-hawk.lock.yml
Impact: Workflow logic error that may cause incorrect execution flow
Action Required: Fix the conditional logic in the workflow

🟡 Medium: Zizmor Security Finding (1 workflow)

Issue: artipacked - Credential persistence through GitHub Actions artifacts
Severity: Medium
Affected: .github/workflows/hourly-ci-cleaner.lock.yml
Reference: (docs.zizmor.sh/redacted)
Impact: Potential credential leakage through workflow artifacts

🟡 High Priority: Default Permissions on Risky Events (14 workflows)

Issue: default_permissions_on_risky_events (Poutine warning)
Severity: Warning
Affected Workflows: 14
Impact: Workflows triggered by risky events (issue_comment, pull_request_target) using default read-write permissions

View Affected Workflows

• .github/workflows/ai-moderator.lock.yml
• .github/workflows/archie.lock.yml
• .github/workflows/brave.lock.yml
• .github/workflows/cloclo.lock.yml
• .github/workflows/grumpy-reviewer.lock.yml
• .github/workflows/mergefest.lock.yml
• .github/workflows/pdf-summary.lock.yml
• .github/workflows/plan.lock.yml
• .github/workflows/pr-nitpick-reviewer.lock.yml
• .github/workflows/q.lock.yml
• .github/workflows/scout.lock.yml
• .github/workflows/security-review.lock.yml
• .github/workflows/tidy.lock.yml
• .github/workflows/unbloat-docs.lock.yml

Clustered Findings

Zizmor Security Findings

Issue Type	Severity	Count	Workflows Affected
obfuscation	Low	126	63
template-injection	Low	1	1
artipacked	Medium	1	1

Obfuscation Details: Low severity warnings about obfuscated GitHub Actions features usage. Most findings relate to environment variable patterns that look unusual but are part of the standard workflow generation process.

Poutine Supply Chain Findings

Issue Type	Severity	Count	Workflows Affected
default_permissions_on_risky_events	Warning	14	14
if_always_true	Error	1	1
unverified_script_exec	Note	4	2
github_action_from_unverified_creator_used	Note	4	1
unpinnable_action	Note	3	3

Actionlint Linting Issues

Issue Type	Severity	Count	Workflows Affected
SC2129	Style	144	144
SC1003	Info	140	21
SC2086	Info	3	1
Missing permissions	Warning	2	2

SC2129 Analysis: Shellcheck suggests using { cmd1; cmd2; } >> file instead of individual redirects. This is a style suggestion affecting 144 workflows (all workflows that create prompts).

SC1003 Analysis: Shellcheck info about single quote escaping in complex environment variable setup scripts. Affects 21 workflows with advanced shell configurations.

Historical Trends

Previous Scan: 2026-01-29
Total Findings Then: 304 issues
Total Findings Now: 579 issues
Change: +275 issues (+90.5%)

Analysis of Change

The significant increase in findings is primarily due to:

1. New workflows added: 145 workflows scanned today vs 143 yesterday (+2 workflows)
2. More comprehensive scanning: Today's scan includes full actionlint output with detailed shellcheck findings
3. Expanded poutine findings: More detailed supply chain analysis captured more informational notes

The core security issues remain stable:

• Default permissions warnings: 14 workflows (unchanged from yesterday)
• Critical/High severity issues: Still minimal, primarily in style and informational categories

Fix Suggestions

1. Fix Default Permissions on Risky Events (Priority: High)

Issue: 14 workflows using default permissions on risky events
Severity: Warning
Tool: Poutine

Automated Fix Prompt for Copilot Agent:

## Security Fix Required: Default Permissions on Risky Events

You are fixing a **supply chain security vulnerability** identified by poutine.

### Problem

14 workflows are triggered by risky events (like `issue_comment`, `pull_request_target`) but use default permissions (read-write access to most resources). This violates the principle of least privilege.

### Required Action

For each workflow below, add explicit minimal permissions to the frontmatter:

**Affected Source Workflows** (edit the `.md` files, NOT `.lock.yml`):
- `.github/workflows/ai-moderator.md`
- `.github/workflows/archie.md`
- `.github/workflows/brave.md`
- `.github/workflows/cloclo.md`
- `.github/workflows/grumpy-reviewer.md`
- `.github/workflows/mergefest.md`
- `.github/workflows/pdf-summary.md`
- `.github/workflows/plan.md`
- `.github/workflows/pr-nitpick-reviewer.md`
- `.github/workflows/q.md`
- `.github/workflows/scout.md`
- `.github/workflows/security-review.md`
- `.github/workflows/tidy.md`
- `.github/workflows/unbloat-docs.md`

### Fix Template

**Before**:
```yaml
---
name: Example Workflow
on:
  issue_comment:
    types: [created]
---
```

**After**:
```yaml
---
name: Example Workflow
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
  issues: write
  pull-requests: write
---
```

### Common Permission Patterns

- For workflows that read data and create reports: `contents: read, issues: write, pull-requests: read`
- For workflows that respond to comments: `contents: read, issues: write, pull-requests: write`
- For workflows that modify code: `contents: write, issues: write, pull-requests: write`

### Validation

After fixing, re-run the workflow compilation to verify the poutine warning is resolved.

### References
- [GitHub Actions Security Hardening](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
- [Poutine Security Scanner](https://github.com/boostsecurityio/poutine)

Recommendations

Immediate Actions (Critical/High Priority)

1. Fix if_always_true error in dev-hawk.lock.yml - Logic error that needs immediate attention
2. Investigate artipacked medium severity in hourly-ci-cleaner.lock.yml - Potential credential leakage
3. Add explicit permissions to 14 workflows with risky event triggers

Short-term Actions (Medium Priority)

1. Review and validate the 63 workflows flagged for "obfuscation" by zizmor
2. Address the template-injection low severity finding in mcp-inspector.lock.yml
3. Fix the 2 workflows with missing permissions warnings

Long-term Actions (Low Priority/Informational)

1. SC2129 (144 workflows): Consider refactoring prompt creation scripts to use grouped redirects
2. SC1003 (21 workflows): Review environment variable setup for proper quote escaping
3. Establish automated scanning: Integrate all three tools into CI/CD pre-commit workflow

Next Steps

• Fix critical if_always_true error in dev-hawk workflow
• Investigate and fix artipacked issue in hourly-ci-cleaner workflow
• Apply permission fixes to 14 workflows using the automated fix prompt above
• Review obfuscation findings to understand if they're false positives or real concerns
• Update workflow creation guidelines to include explicit permissions
• Consider adding zizmor, poutine, and actionlint to pre-commit hooks

Summary Statistics

• Total Workflows: 145
• Clean Workflows: 1 (0.7%)
• Workflows with Issues: 144 (99.3%)
• Average Issues per Workflow: 4.0
• Most Affected Workflow: typist.lock.yml (21 issues)
• Security Issues: 155 (zizmor + poutine)
• Code Quality Issues: 436 (actionlint)

View Top 15 Most Affected Workflows

Workflow	Issues	Primary Types
typist.lock.yml	21	SC2129, SC1003
semantic-function-refactor.lock.yml	13	SC2129, SC1003
go-logger.lock.yml	11	SC2129, SC1003
step-name-alignment.lock.yml	9	SC2129, SC1003
layout-spec-maintainer.lock.yml	9	SC2129, SC1003
glossary-maintainer.lock.yml	9	SC2129, SC1003
delight.lock.yml	9	SC2129, SC1003
daily-file-diet.lock.yml	9	SC2129, SC1003
daily-doc-updater.lock.yml	9	SC2129, SC1003
daily-compiler-quality.lock.yml	9	SC2129, SC1003
sergo.lock.yml	7	SC2129, SC1003
go-fan.lock.yml	7	SC2129, SC1003
daily-testify-uber-super-expert.lock.yml	7	SC2129, SC1003
workflow-skill-extractor.lock.yml	5	SC2129
instructions-janitor.lock.yml	5	SC2129

Analysis Notes

Tool Coverage:

• ✅ zizmor: Security-focused scanner for GitHub Actions
• ✅ poutine: Supply chain security analyzer
• ✅ actionlint: Comprehensive workflow linting with shellcheck integration

False Positive Rate: The "obfuscation" warnings (126 occurrences) appear to be primarily related to standard workflow compilation patterns and may have a high false positive rate. These should be reviewed but are likely acceptable.

Real Security Concerns: The 14 workflows with default permissions on risky events represent genuine security risks that should be addressed promptly using the least-privilege principle.

References:

• Full scan output: /tmp/gh-aw/compile-output.txt
• Scan data: /tmp/gh-aw/cache-memory/security-scans/2026-01-30.json
• Fix templates: /tmp/gh-aw/cache-memory/fix-templates/

AI generated by Static Analysis Report

• expires on Feb 6, 2026, 2:42 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-06T14:42:08.070Z.