🔍 Static Analysis Report - December 2, 2025

[github-actions[bot]]

Executive Summary

Comprehensive static analysis scan completed on 92 agentic workflows using three security and code quality tools:

• zizmor (security scanner)
• poutine (supply chain security)
• actionlint (workflow linter)

Key Findings: 13 total issues identified across 8 workflows (91% of workflows are clean)

• 1 Medium severity security issue (credential exposure risk)
• 7 blocking errors (syntax/runtime failures)
• 5 Informational/Low security warnings

Analysis Summary

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info
zizmor (security)	6	0	0	1	1	4
poutine (supply chain)	0	0	0	0	0	0
actionlint (linting)	7	0	0	0	0	7 errors

Workflows Status

• Total Scanned: 92 workflows
• Clean: 84 workflows (91.3%)
• With Issues: 8 workflows (8.7%)

Clustered Findings by Tool and Type

Zizmor Security Findings

1. Template Injection (Informational-Low) - 5 occurrences

Description: Code injection via template expansion in GitHub expressions

Affected Workflows:

• breaking-change-checker.md - Line 5781:9 (Informational)
• changeset.md - Line 6254:9 (Informational)
• duplicate-code-detector.md - Line 5668:9 (Informational)
• mcp-inspector.md - Line 1784:9 (Low)
• release.md - Line 461:9 (Informational)

Risk: Template injection allows attackers to potentially inject malicious code through GitHub expressions. While marked as Informational/Low severity, these should be reviewed to ensure proper input sanitization.

Reference: (redacted)#template-injection

2. Artipacked (Medium) - 1 occurrence ⚠️

Description: Credential persistence through GitHub Actions artifacts

Affected Workflows:

• release.md - Line 5876:9

Risk: Credentials may be persisted in workflow artifacts, potentially exposing sensitive data to unauthorized users who can access the artifacts.

Reference: (redacted)#artipacked

Priority: HIGH - This is the only Medium severity security finding and should be addressed promptly.

Poutine Supply Chain Findings

No supply chain security issues detected ✅

All workflows passed poutine's supply chain security checks.

Actionlint Linting Issues

1. Syntax Check Errors - 1 occurrence

Issue Type: Invalid YAML syntax

Affected Workflow: cloclo.md

• Location: Line 370:5
• Description: Unexpected key "names" for "issues" section
• Impact: Workflow will fail to run

2. Expression Errors - 1 occurrence

Issue Type: Undefined property reference

Affected Workflow: close-old-discussions.md

• Location: Line 547:40
• Description: Property "aw" is not defined in github object (github.aw.inputs.count)
• Impact: Workflow will fail at runtime

3. Shellcheck Warnings (SC2086) - 5 occurrences

Issue Type: Missing quotes in variable expansions

Affected Workflows:

• go-pattern-detector.md - Line 4425:9 (1 occurrence)
• release.md - Lines 464:9 (3 occurrences), 5887:9 (1 occurrence)

Description: Variables without quotes can cause unexpected behavior with spaces or special characters (word splitting and glob expansion)

Impact: May cause runtime failures when variables contain spaces or special characters

Priority Rankings

Based on severity, impact, and number of occurrences:

🔴 Priority 1: Artipacked (Medium Severity)

• Tool: zizmor
• Count: 1
• Workflow: release.md
• Reason: Medium severity security issue - credential exposure risk

🟠 Priority 2: Syntax/Expression Errors

• Tool: actionlint
• Count: 2
• Workflows: cloclo.md, close-old-discussions.md
• Reason: Blocking errors - workflows will fail to run

🟡 Priority 3: Shellcheck Quoting

• Tool: actionlint
• Count: 5
• Workflows: go-pattern-detector.md, release.md
• Reason: Code quality issues that could cause runtime failures

🔵 Priority 4: Template Injection

• Tool: zizmor
• Count: 5
• Workflows: breaking-change-checker.md, changeset.md, duplicate-code-detector.md, mcp-inspector.md, release.md
• Reason: Low/Informational security warnings - should be reviewed but not urgent

Fix Suggestions

Fix 1: Actionlint Syntax Errors (Priority 2)

Two workflows have blocking syntax errors that prevent execution:

Problem 1 - cloclo.md: Invalid names key in issues trigger

# ❌ Current (invalid)
on:
  issues:
    names:
    - cloclo
    types:
    - labeled

# ✅ Fixed
on:
  issues:
    types:
    - labeled

jobs:
  run:
    if: contains(github.event.issue.labels.*.name, 'cloclo')
    # ... rest of job

Problem 2 - close-old-discussions.md: Undefined property github.aw.inputs.count

# ❌ Current (invalid)
env:
  GH_AW_DISCUSSIONS_COUNT: ${{ github.aw.inputs.count }}

# ✅ Fixed
env:
  GH_AW_DISCUSSIONS_COUNT: ${{ inputs.count }}

Fix 2: Shellcheck Variable Quoting (Priority 3)

Add quotes around all variable expansions in shell scripts:

Pattern:

# ❌ Before
gh release view $RELEASE_TAG
jq length $JSON_FILE
cd $DIRECTORY

# ✅ After
gh release view "$RELEASE_TAG"
jq length "$JSON_FILE"
cd "$DIRECTORY"

Affected locations:

• go-pattern-detector.md: Line 4425 in "Install ast-grep" step
• release.md: Lines 464 (3x) in "Setup environment and fetch release data" step
• release.md: Line 5887 in "Get release ID" step

Detailed Findings by Workflow

Breaking Change Checker

zizmor findings:

• template-injection (Informational) at line 5781:9
  • Step: "Assign copilot to created issues"
  • Reference: (redacted)#template-injection

Changeset

zizmor findings:

• template-injection (Informational) at line 6254:9
  • Step: "Configure Git credentials"
  • Reference: (redacted)#template-injection

Cloclo

actionlint findings:

• syntax-check (error) at line 370:5
  • Issue: unexpected key "names" for "issues" section
  • Expected keys: branches, branches-ignore, paths, paths-ignore, tags, tags-ignore, types, workflows

Close Old Discussions

actionlint findings:

• expression (error) at line 547:40
  • Issue: property "aw" is not defined in object type
  • Context: ${{ github.aw.inputs.count }}

Duplicate Code Detector

zizmor findings:

• template-injection (Informational) at line 5668:9
  • Step: "Assign copilot to created issues"
  • Reference: (redacted)#template-injection

Go Pattern Detector

actionlint findings:

• shellcheck SC2086 (error) at line 4425:9
  • Step: "Install ast-grep"
  • Issue: Double quote to prevent globbing and word splitting (line 3, column 28)

MCP Inspector

zizmor findings:

• template-injection (Low) at line 1784:9
  • Step: "Setup MCPs"
  • Reference: (redacted)#template-injection

Release

zizmor findings:

1. artipacked (Medium) at line 5876:9

   • Step: "Checkout"
   • Issue: credential persistence through GitHub Actions artifacts
   • Reference: (redacted)#artipacked

2. template-injection (Informational) at line 461:9

   • Step: "Setup environment and fetch release data"
   • Reference: (redacted)#template-injection

actionlint findings:

1. shellcheck SC2086 (error) at line 464:9 - occurrence 1

   • Step: "Setup environment and fetch release data"
   • Issue: Double quote to prevent globbing (line 15, column 36)

2. shellcheck SC2086 (error) at line 464:9 - occurrence 2

   • Step: "Setup environment and fetch release data"
   • Issue: Double quote to prevent globbing (line 26, column 31)

3. shellcheck SC2086 (error) at line 464:9 - occurrence 3

   • Step: "Setup environment and fetch release data"
   • Issue: Double quote to prevent globbing (line 31, column 48)

4. shellcheck SC2086 (error) at line 5887:9

   • Step: "Get release ID"
   • Issue: Double quote to prevent globbing (line 4, column 34)

Recommendations

Immediate Actions (This Week)

1. Fix blocking errors in cloclo.md and close-old-discussions.md

   • These workflows cannot run until syntax errors are resolved
   • Low effort, high impact fixes

2. Address Medium severity security issue in release.md

   • Review artifact uploads to prevent credential exposure
   • Consult zizmor documentation for remediation guidance

Short-term Actions (Next Sprint)

3. Fix shellcheck warnings in go-pattern-detector.md and release.md

   • Add quotes around all variable expansions
   • Prevents potential runtime failures with special characters

4. Review template injection warnings

   • While low severity, review the 5 affected workflows
   • Ensure proper input sanitization for GitHub expressions

Long-term Improvements

5. Integrate static analysis into CI/CD

   • Add pre-commit hooks for workflow validation
   • Run zizmor, poutine, and actionlint on all PRs
   • Prevent issues from reaching main branch

6. Update workflow creation guidelines

   • Document common pitfalls (syntax errors, quoting)
   • Create templates that follow best practices
   • Add examples of secure workflow patterns

Historical Context

Previous Scan: No previous scan data available
Trend: This is the baseline scan for future comparisons

Scan Metadata

• Scan Date: December 2, 2025
• Tools Used: zizmor 0.x, poutine 0.x, actionlint 1.x
• Workflows Scanned: 92
• Scan Duration: ~15 minutes
• Repository: githubnext/gh-aw

Next Steps

• Create issues for Priority 1 and Priority 2 findings
• Assign developers to fix blocking errors
• Schedule security review for Medium severity finding
• Plan integration of static analysis into CI/CD pipeline

---

Analysis performed by: Static Analysis Report Agent
Data stored in: /tmp/gh-aw/cache-memory/

AI generated by Static Analysis Report

[pelikhan]

/plan

[github-actions[bot]]

🎉 Yo ho ho! Plan Command found the treasure and completed successfully! ⚓💰

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 3 days ago.