🔍 Static Analysis Report - January 15, 2026

[github-actions[bot]]

Analysis Summary

Comprehensive security and quality scan of all agentic workflow files using multiple static analysis tools.

• Tools Used: zizmor (security), poutine (supply chain), actionlint (linting)
• Total Findings: 260 issues identified
• Workflows Scanned: 123
• Workflows Affected: 123 (100%)

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Informational
zizmor (security)	250	0	0	0	0	250
poutine (supply chain)	0	0	0	0	0	0
actionlint (linting)	85	-	-	-	-	85 errors

Key Observation: All zizmor findings are marked "Informational" severity, indicating potential security considerations rather than immediate vulnerabilities. However, the patterns identified represent real supply chain and injection risks that should be addressed.

---

Clustered Findings by Tool and Type

🔐 Zizmor Security Findings

Issue Type	Severity	Count	Affected Workflows
unverified_script_exec	Informational	124	121 workflows
template-injection	Informational	123	121 workflows
unpinnable_action	Informational	3	3 workflows

Total: 250 findings across 121 unique workflow files

🔗 Poutine Supply Chain Findings

Issue Type	Severity	Count	Affected Workflows
(No findings)	-	0	0

Total: 0 findings (excellent supply chain security posture)

✅ Actionlint Linting Issues

Issue Type	Count	Description
shellcheck (SC2086)	85	Variables should be quoted to prevent globbing and word splitting

Total: 85 shell script quality issues across multiple workflows

---

Top Priority Issues

1. 🔴 Unverified Script Execution (Most Critical)

• Tool: zizmor
• Count: 124 occurrences in 121 workflows
• Severity: Informational (but high security impact)
• Rule: unverified_script_exec

Description: Workflows download and execute shell scripts from external sources without verification using the "curl | bash" pattern. This poses supply chain security risks.

Common Patterns Found:

curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.9.0 bash
curl -LsSf https://astral.sh/uv/install.sh | sh
curl -fsSL https://raw.githubusercontent.com/githubnext/gh-aw/refs/heads/main/install-gh-aw.sh | bash

Impact:

• No integrity verification of downloaded scripts
• Vulnerable to compromised upstream repositories
• Scripts executed with elevated privileges (sudo)
• No audit trail of executed script content

Affected Files:

• All .github/workflows/*.lock.yml files (121 workflows)
• .github/workflows/copilot-setup-steps.yml

Reference: https://docs.zizmor.sh/audits/#unverified-script-exec

---

2. ⚠️ Template Injection Risk

• Tool: zizmor
• Count: 123 occurrences in 121 workflows
• Severity: Informational
• Rule: template-injection

Description: Workflows use GitHub expressions (${{ }}) in contexts where they could potentially be influenced by attacker-controlled data, creating code injection opportunities.

Example Locations:

• .github/workflows/agent-performance-analyzer.lock.yml:1342:9
• .github/workflows/ai-moderator.lock.yml:820:9
• .github/workflows/archie.lock.yml:896:9

Impact:

• Potential code injection if user-controlled data flows into template expressions
• Risk amplified in contexts like run: steps with shell evaluation

Common Pattern: Steps named "Stop MCP gateway", "Configure Git credentials" using templates

Reference: https://docs.zizmor.sh/audits/#template-injection

---

3. 📝 Shell Script Quality Issues

• Tool: actionlint (shellcheck)
• Count: 85 issues
• Rule: SC2086

Description: Shell variables used without quotes, leading to potential globbing and word splitting issues.

Example: Using $VAR instead of "$VAR" in shell scripts

Impact:

• Unexpected behavior with filenames containing spaces
• Potential security issues with unintended command expansion
• Reduced script reliability

Reference: https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-shellcheck-integ

---

4. 🔒 Unpinnable Actions (Low Impact)

• Tool: zizmor
• Count: 3 occurrences
• Severity: Informational
• Rule: unpinnable_action

Description: Local composite actions cannot be pinned to specific commit SHAs (limitation of GitHub Actions architecture).

Affected File: .github/actions/daily-test-improver/coverage-steps/action.yml

Impact: Minimal - local actions are under repository control

Reference: https://docs.zizmor.sh/audits/#unpinnable-action

---

🛠️ Fix Suggestion for Unverified Script Execution

Since this is the most prevalent and highest-impact issue, here's a detailed fix approach:

Issue: Unverified Script Execution

Severity: Informational (but security-critical)
Affected Workflows: 121 workflows (124 occurrences)

Recommended Solutions

Option 1: Download, Verify, Then Execute (Most Secure)

# Download the script
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh -o /tmp/install-awf.sh

# Verify checksum (requires maintaining known-good checksums)
echo "expected_sha256_here  /tmp/install-awf.sh" | sha256sum -c -

# Execute with explicit permissions
sudo AWF_VERSION=v0.9.0 bash /tmp/install-awf.sh

Option 2: Pin to Specific Git SHA (Recommended)

# Pin to a specific commit SHA instead of 'main'
INSTALL_SCRIPT_SHA="a1b2c3d4e5f6"  # Replace with actual commit SHA
curl -sSL "https://raw.githubusercontent.com/githubnext/gh-aw-firewall/${INSTALL_SCRIPT_SHA}/install.sh" -o /tmp/install-awf.sh
sudo AWF_VERSION=v0.9.0 bash /tmp/install-awf.sh

Option 3: Two-Step Process (Minimal Change)

# Separate download from execution
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh -o /tmp/install-awf.sh
sudo AWF_VERSION=v0.9.0 bash /tmp/install-awf.sh

Example Workflow Fix

Before:

- name: Install awf binary
  run: |
    echo "Installing awf via installer script (requested version: v0.9.0)"
    curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.9.0 bash

After (with SHA pinning):

- name: Install awf binary
  run: |
    echo "Installing awf via installer script (requested version: v0.9.0)"
    INSTALL_SCRIPT_SHA="abc123def456"  # Pin to verified commit
    curl -sSL "https://raw.githubusercontent.com/githubnext/gh-aw-firewall/${INSTALL_SCRIPT_SHA}/install.sh" -o /tmp/install-awf.sh
    sudo AWF_VERSION=v0.9.0 bash /tmp/install-awf.sh

Implementation Checklist

• Identify all 124 occurrences of curl | bash pattern
• For internal GitHub repos: Pin to specific commit SHAs
• For external sources: Add checksum verification
• Test modified workflows
• Document pinned versions for future updates

---

📊 Detailed Findings by Workflow

View All Findings

Zizmor Findings Distribution

Workflows with both template-injection and unverified_script_exec (121 workflows):

• agent-performance-analyzer.lock.yml
• ai-moderator.lock.yml
• archie.lock.yml
• artifacts-summary.lock.yml
• audit-workflows.lock.yml
• blog-auditor.lock.yml
• brave.lock.yml
• breaking-change-checker.lock.yml
• campaign-generator.lock.yml
• changeset.lock.yml
• ci-coach.lock.yml
• ci-doctor.lock.yml
• cli-consistency-checker.lock.yml
• cli-version-checker.lock.yml
• cloclo.lock.yml
• code-scanning-fixer.lock.yml
• code-simplifier.lock.yml
• commit-changes-analyzer.lock.yml
• copilot-agent-analysis.lock.yml
• copilot-cli-deep-research.lock.yml
• (and 101 more workflows)

Actionlint Findings

85 workflows contain shellcheck SC2086 issues (unquoted variables)

Compilation Warnings

Additionally, the compiler reported:

• 14 compilation warnings (e.g., unable to resolve actions dynamically, experimental features)
• 4 schedule timing warnings (suggesting fuzzy schedules to reduce load spikes)
• All 123 workflows compiled successfully

---

📈 Historical Context

First Scan: This is the baseline security scan establishing initial metrics.

Future Tracking: Subsequent scans will compare against this baseline to track:

• New vulnerabilities introduced
• Issues resolved
• Security posture trends over time

---

🎯 Recommendations

Immediate Actions (High Priority)

1. Address Unverified Script Execution (124 occurrences)

   • Implement Option 2 (SHA pinning) for all GitHub-hosted scripts
   • Add checksum verification for external scripts
   • Target: Reduce to 0 occurrences

2. Review Template Injection Risks (123 occurrences)

   • Audit workflows for user-controlled data in expressions
   • Use intermediate environment variables to sanitize inputs
   • Focus on "Stop MCP gateway" and similar steps

Short-term Actions (Medium Priority)

3. Fix Shellcheck Issues (85 occurrences)

   • Quote all variable expansions in shell scripts
   • Use shellcheck locally during workflow development
   • Automated fix: "$VAR" instead of $VAR

4. Establish CI/CD Integration

   • Add zizmor, poutine, and actionlint to pre-commit hooks
   • Set up automated scanning on pull requests
   • Block merges with Critical/High severity findings

Long-term Actions (Continuous Improvement)

5. Update Workflow Templates

   • Create secure workflow templates with best practices
   • Document secure patterns for common operations
   • Regular security training for workflow authors

6. Monitor Supply Chain

   • Track versions of external install scripts
   • Maintain inventory of pinned SHAs
   • Set up alerts for upstream changes

7. Automate Remediation

   • Create automated PR generator to fix common issues
   • Use Copilot agents to apply fixes at scale
   • Maintain fix templates in cache memory

---

📁 Cache Memory Updated

Analysis data stored in /tmp/gh-aw/cache-memory/:

• ✅ security-scans/2026-01-15.json - Full scan results
• ✅ security-scans/index.json - Scan history index
• ✅ vulnerabilities/by-tool.json - Vulnerability patterns database
• ✅ fix-templates/zizmor-unverified_script_exec.md - Detailed fix guide

This persistent cache enables trend analysis and knowledge retention across workflow runs.

---

🔗 Additional Resources

• Zizmor Documentation
• Poutine Documentation
• Actionlint Documentation
• GitHub Actions Security Hardening

---

✅ Next Steps

1. Review this report and prioritize which issues to address first
2. Apply fixes for unverified script execution (highest impact)
3. Re-run static analysis after fixes to measure improvement
4. Establish regular scanning cadence (daily or on every PR)

Scan completed successfully. All workflows compiled without errors. Focus on addressing the 260 identified quality and security improvements to strengthen the security posture of the agentic workflow system.

AI generated by Static Analysis Report