🔍 Static Analysis Report - 2025-12-27

[github-actions[bot]]

Analysis Summary

Comprehensive static analysis scan completed across all agentic workflow files using three industry-standard tools: zizmor (security scanner), poutine (supply chain security), and actionlint (workflow linting).

• Tools Used: zizmor, poutine, actionlint
• Total Findings: 114 code quality issues
• Workflows Scanned: 128 compiled workflows
• Workflows Affected: 41 workflows have one or more issues

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info
zizmor (security)	0	0	0	0	0	0
poutine (supply chain)	0	0	0	0	0	0
actionlint (linting)	114	-	-	-	-	114

Good News: No security vulnerabilities or supply chain risks detected! All findings are code quality improvements via shellcheck linting.

Key Findings Overview

All 114 findings come from shellcheck rules detected by actionlint. These are shell scripting best practices that improve reliability and error handling:

Issue Type	Severity	Count	Workflows	Impact
SC2155	Warning	31	31	Masks return values - can hide errors
SC2012	Info	72	41	Using ls instead of find - filename handling
SC2086	Info	10	5	Missing quotes - globbing/splitting risk
SC2129	Info	1	1	Inefficient redirection pattern

Top Priority Issue: SC2155

SC2155: Declare and Assign Separately to Avoid Masking Return Values

Severity: Warning ⚠️
Count: 31 occurrences
Workflows Affected: 31
Reference: (redacted)

Problem

Combining local declaration with command substitution masks the command's exit status:

local result=$(command)  # ❌ Exit status of 'command' is masked

The exit status checked is from local (always succeeds), not from command. This means:

• Errors are silently ignored even with set -e
• Failed commands don't cause script to exit
• Scripts continue with potentially empty/invalid data

Solution

Split into two statements:

local result
result=$(command)  # ✅ Exit status properly checked

Affected Workflows

31 workflows with SC2155 issues (click to expand)

• audit-workflows
• blog-auditor
• cli-version-checker
• cloclo
• commit-changes-analyzer
• copilot-agent-analysis
• copilot-session-insights
• daily-choice-test
• daily-code-metrics
• daily-doc-updater
• daily-multi-device-docs-tester
• developer-docs-consolidator
• example-workflow-analyzer
• github-mcp-structural-analysis
• github-mcp-tools-report
• go-fan
• go-logger
• go-pattern-detector
• instructions-janitor
• lockfile-stats
• prompt-clustering-analysis
• safe-output-health
• schema-consistency-checker
• scout
• security-fix-pr
• semantic-function-refactor
• smoke-claude
• smoke-detector
• static-analysis-report
• typist
• unbloat-docs

Other Findings

SC2012: Use find instead of ls (72 occurrences, 41 workflows)

Severity: Info
Reference: (redacted)

Using ls with parsing can fail with special characters in filenames. The find command is more robust.

Example Fix:

# Before
ls -t *.yml | head -5

# After  
find . -name "*.yml" -type f -printf '%T@ %p\n' | sort -rn | head -5 | cut -d' ' -f2

SC2086: Double quote to prevent globbing (10 occurrences, 5 workflows)

Severity: Info
Reference: (redacted)

Unquoted variables can lead to unexpected word splitting or pathname expansion.

Example Fix:

# Before
echo $variable

# After
echo "$variable"

SC2129: Consider using grouped redirects (1 occurrence, 1 workflow)

Severity: Info
Reference: (redacted)

Minor efficiency improvement for multiple redirects to the same file.

Fix Recommendation

Priority 1: Fix SC2155 (Warning Level)

Since SC2155 is the only warning-level issue and can hide errors, I recommend addressing it first. A detailed fix guide has been prepared in the cache memory.

Fix Approach:

1. Search for local.*=\$( pattern in workflow .md source files
2. Split declaration and assignment into separate statements
3. Recompile workflows with gh aw compile
4. Verify fixes with actionlint

Priority 2: Address SC2012 (Info Level)

The SC2012 issue affects 41 workflows. While only informational, replacing ls with find improves robustness when handling files with special characters.

Priority 3: Other Info-Level Issues

SC2086 and SC2129 are minor improvements that can be addressed as part of regular maintenance.

Historical Context

This is the first comprehensive static analysis scan using all three tools (zizmor, poutine, actionlint) in the cache memory system. Future scans will track:

• New vs. resolved issues
• Trend analysis over time
• Progress on remediation

Recommendations

1. Immediate Action: Review and fix SC2155 warnings (31 occurrences) to improve error handling
2. Short-term: Create a PR to fix SC2012 issues (72 occurrences) for better filename handling
3. Long-term:
   • Integrate actionlint into the workflow compilation process
   • Add pre-commit hooks to catch these issues early
   • Consider running static analysis in CI/CD on workflow changes
4. Process: Update workflow creation templates to avoid these common patterns

Next Steps

• Apply SC2155 fixes across affected workflows
• Create sub-issues for each category of shellcheck warnings
• Update workflow authoring guidelines
• Schedule follow-up scan in 1 week to track progress

Cache Memory

All scan results, vulnerability tracking, and fix templates have been stored in /tmp/gh-aw/cache-memory/ for persistence across workflow runs:

• security-scans/2025-12-27.json - Full scan results
• vulnerabilities/by-tool.json - Vulnerability database
• fix-templates/shellcheck-SC2155.md - Detailed fix guide

---

Scan completed: 2025-12-27
Next scan: Scheduled daily
Status: ✅ No security issues found, 114 code quality improvements identified

AI generated by Static Analysis Report

[pelikhan]

/plan

[github-actions[bot]]

🎉 Yo ho ho! Plan Command found the treasure and completed successfully! ⚓💰

[github-actions[bot]]

Plan Created ✅

The static analysis findings have been organized into a comprehensive implementation plan with 1 parent tracking issue and 5 actionable sub-issues.

Created Issues

Parent Issue: Address static analysis findings from actionlint/shellcheck

• Tracks all 114 code quality findings
• Links to this discussion
• Provides timeline and success criteria

Sub-Issues (prioritized by severity and impact):

1. Fix SC2155: Separate local declaration from assignment in 31 workflows

   • Priority 1 (Warning level) - Can hide command failures
   • 31 occurrences across 31 workflows

2. Fix SC2012: Replace ls with find in 41 workflows

   • Priority 2 (Info level) - Robustness improvement
   • 72 occurrences across 41 workflows

3. Fix SC2086: Add missing quotes in 5 workflows

   • Priority 3 (Info level) - Safety improvement
   • 10 occurrences across 5 workflows

4. Add actionlint pre-commit hook to prevent shellcheck violations

   • Process improvement to catch issues early

5. Update workflow authoring guidelines to prevent shellcheck violations

   • Documentation to prevent recurrence

Next Steps

The sub-issues are ready to be assigned to GitHub Copilot agents for implementation. Each issue includes:

• Clear objectives and context
• Specific approach and acceptance criteria
• Files to modify
• Examples of fixes needed

Work can begin immediately on the highest priority issue (SC2155) while the process improvements (hooks and guidelines) can proceed in parallel.

---

Issues created from static analysis discussion #7889

AI generated by Plan Command for discussion #7889