🔍 Static Analysis Report - January 13, 2026

[github-actions[bot]]

Analysis Summary

Daily static analysis scan completed using three tools: zizmor (security), poutine (supply chain), and actionlint (linting).

• Tools Used: zizmor, poutine, actionlint
• Workflows Scanned: 119
• Total Findings: 564
• Workflows Affected: 119
• Scan Date: 2026-01-13
• Workflow Run: §20960449305

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Informational
zizmor (security)	120	0	0	120	0	0
poutine (supply chain)	0	0	0	0	0	0
actionlint (linting)	444	0	1	2	1	117

---

🚨 Top Priority Issues

1. Unverified Script Execution (zizmor) - MEDIUM SEVERITY

• Tool: zizmor
• Rule: unverified_script_exec
• Count: 120 occurrences
• Affected: 118 workflows
• Severity: Medium
• Reference: https://docs.zizmor.sh/audits/#unverified-script-exec

Description: Workflows download and execute scripts from remote sources without integrity verification.

Example:

curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash

Impact:

• No checksum/signature verification
• Vulnerable to Man-in-the-Middle (MITM) attacks
• Supply chain compromise risk
• Executes with elevated privileges (sudo)

Top Affected Workflows:

• ubuntu-image-analyzer.lock.yml (3 instances)
• All other agentic workflows (1 instance each)

---

2. Template Injection Warnings (actionlint) - INFORMATIONAL

• Tool: actionlint
• Rule: template-injection
• Count: 117 occurrences
• Affected: 117 workflows
• Severity: Informational
• Reference: https://docs.zizmor.sh/audits/#template-injection

Description: Potential code injection via template expansion in workflow steps.

Impact: These are informational warnings that flag potential code injection risks in template expansions. Most appear to be false positives in "Stop MCP gateway" steps.

---

3. Shellcheck SC2155 (actionlint) - WARNING

• Tool: actionlint (shellcheck)
• Rule: SC2155
• Count: 195 occurrences
• Affected: 119 workflows
• Severity: Warning
• Reference: https://www.shellcheck.net/wiki/SC2155

Description: Variables are declared and assigned in a single line with command substitution, masking return values.

Example:

local result=$(some_command)

Impact: Hides command failures because local always returns 0, making error handling impossible.

---

4. Expression Errors (actionlint) - ERROR

• Tool: actionlint
• Rule: expression
• Count: 8 occurrences
• Affected: 5 workflows
• Severity: Error

Types:

• Missing activation property (3 occurrences)
• Wrong github.owner instead of github.repository_owner (3 occurrences)
• Missing assign_to_user output (1 occurrence)
• Expression lexing error (1 occurrence)

Affected Workflows:

• ai-moderator.lock.yml:1157
• campaign-generator.lock.yml:769, 1272, 1395, 1952
• daily-assign-issue-to-user.lock.yml:1056
• daily-secrets-analysis.lock.yml:526
• workflow-generator.lock.yml:1238

---

📊 Historical Trends

Comparing with yesterday's scan (2026-01-12):

Metric	Yesterday	Today	Change
Total Findings	244	564	+320 (+131%)
Workflows Scanned	118	119	+1
Zizmor Findings	117	120	+3
Actionlint Findings	127	444	+317 (+250%)
Poutine Findings	0	0	0

Analysis

The significant increase in findings is primarily due to:

1. New zizmor detection: The unverified_script_exec rule (120 findings) was not present in yesterday's scan, which only reported template-injection warnings. This is a NEW security finding that needs immediate attention.

2. Actionlint expansion: The shellcheck integration now captures more issues (195 SC2155 warnings), plus the template-injection warnings moved from zizmor to actionlint.

3. One new workflow: Added workflow contributes to the total count.

Key Changes

New Issues Detected:

• ✅ Unverified Script Execution (120 occurrences) - This is a genuine security concern that requires fixing

Consistent Issues:

• Template injection warnings (117 → 117, stable)
• Expression errors (8 occurrences, stable)
• Shellcheck SC2155 warnings (increased due to better detection)

---

🔧 Fix Suggestion: Unverified Script Execution

Issue: Unverified Script Execution (zizmor)
Severity: Medium
Affected Workflows: 120 occurrences across 118 workflows
Priority: HIGH - Security vulnerability

Current Problem

All workflows use this insecure pattern:

curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash

Recommended Fix

Replace with secure download-verify-execute pattern:

- name: Install awf binary
  run: |
    echo "Installing awf via installer script (requested version: v0.8.2)"

    # Pin to specific commit for reproducibility
    INSTALL_SCRIPT_URL="https://raw.githubusercontent.com/githubnext/gh-aw-firewall/COMMIT_SHA/install.sh"
    EXPECTED_SHA256="<compute-actual-checksum>"

    # Download to temporary location
    curl -sSL "$INSTALL_SCRIPT_URL" -o /tmp/install-awf.sh

    # Verify integrity
    echo "$EXPECTED_SHA256  /tmp/install-awf.sh" | sha256sum -c - || {
      echo "ERROR: Checksum verification failed!"
      exit 1
    }

    # Execute verified script
    sudo AWF_VERSION=v0.8.2 bash /tmp/install-awf.sh
    rm /tmp/install-awf.sh

Implementation Steps

1. Determine commit SHA: Find the commit SHA for the install.sh at version v0.8.2
2. Compute checksum: Calculate SHA256 hash of that specific version
3. Update all workflows: Apply fix to all 118 affected workflows
4. Test: Verify installations still work correctly
5. Document: Update workflow templates with secure pattern

---

📋 Detailed Findings by Issue Type

Zizmor Security Findings

Unverified Script Execution

Workflow	Instances	Line
ubuntu-image-analyzer.lock.yml	3	Multiple
unbloat-docs.lock.yml	1	204
changeset.lock.yml	1	193
firewall.lock.yml	1	138
scout.lock.yml	1	247
grumpy-reviewer.lock.yml	1	200
firewall-escape.lock.yml	1	185
instructions-janitor.lock.yml	1	157
portfolio-analyst.lock.yml	1	220
(and 109 more workflows)	1 each	Various

Total: 120 occurrences across 118 workflows

Actionlint Findings

Template Injection Warnings (117)

Present in "Stop MCP gateway" steps across 117 workflows. These are informational warnings about potential code injection risks.

Shellcheck SC2155 Warnings (195)

Present across all 119 workflows in shell scripts that combine variable declaration with command substitution.

Expression Errors (8)

• ai-moderator.lock.yml: Line 1157 (activation property)
• campaign-generator.lock.yml: Lines 769, 1272, 1395 (github.owner), 1952 (activation)
• daily-assign-issue-to-user.lock.yml: Line 1056 (assign_to_user output)
• daily-secrets-analysis.lock.yml: Line 526 (lexing error)
• workflow-generator.lock.yml: Line 1238 (activation property)

---

🎯 Recommendations

Immediate Actions (This Week)

1. ✅ Fix Unverified Script Execution (Medium Severity)

   • Apply secure download-verify-execute pattern
   • Affects 118 workflows
   • Mitigates MITM and supply chain attacks

2. ✅ Fix Expression Errors (Error Severity)

   • Fix 8 expression errors across 5 workflows
   • These block workflow execution
   • Quick wins with high impact

Short-term Actions (This Month)

3. Address Shellcheck SC2155 (Warning)

   • Fix 195 instances across 119 workflows
   • Improves error handling
   • Can be batched with other updates

4. Review Template Injection Warnings (Informational)

   • Assess 117 warnings for false positives
   • Document safe patterns
   • Update templates if needed

Long-term Actions (This Quarter)

5. Integrate Static Analysis in CI/CD

   • Add zizmor, poutine, actionlint to PR checks
   • Prevent new issues from being introduced
   • Set up automated alerts

6. Update Workflow Templates

   • Incorporate secure patterns into templates
   • Add security guidelines for workflow authors
   • Create reusable workflow components

7. Establish Security Baseline

   • Track metrics over time
   • Set targets for issue reduction
   • Regular security audits

---

📚 Fix Templates Available

Detailed fix templates have been created in cache memory:

• /tmp/gh-aw/cache-memory/fix-templates/zizmor-unverified_script_exec.md
• /tmp/gh-aw/cache-memory/fix-templates/actionlint-shellcheck-SC2155.md
• /tmp/gh-aw/cache-memory/fix-templates/actionlint-expression-errors.md

Each template includes:

• Problem description
• Security impact
• Step-by-step fix instructions
• Before/after code examples
• Copilot Agent prompt for automated fixing

---

🔗 References

• §20960449305 - Today's workflow run
• zizmor Documentation
• actionlint Documentation
• poutine Documentation

---

✅ Next Steps

• Review and prioritize findings
• Apply fix for unverified script execution (120 occurrences)
• Fix expression errors (8 occurrences)
• Address shellcheck warnings (195 occurrences)
• Evaluate template injection warnings (117 occurrences)
• Update workflow creation guidelines
• Consider adding static analysis to CI/CD pipeline

AI generated by Static Analysis Report

[pelikhan]

/plan

[github-actions[bot]]

🎉 Yo ho ho! Plan Command found the treasure and completed successfully! ⚓💰