[static-analysis] Static Analysis Report - 2026-04-11 #25835

@github-actions

Analysis Summary

Static analysis scan of 187 workflows using zizmor, poutine, actionlint, and runner-guard on 2026-04-11 (§24290033455).

  • Tools Used: zizmor, poutine, actionlint, runner-guard
  • Total Findings: 4,287
  • Workflows Scanned: 187
  • Workflows Compiled: 187 (0 errors, 9 warnings)

Findings by Tool

| Tool | Total | Critical | High | Medium | Low | Info/Note |
|------|-------|----------|------|--------|-----|-----------|
| zizmor (security) | 4,135 | 0 | 17 | 4,029 | 21 | 68 |
| poutine (supply chain) | 22 | 0 | 0 | 0 | 1 | 21 |
| actionlint (linting) | 130 | 130 errors (no severity levels) | | | | |
| runner-guard (taint) | 0 | 0 | 0 | 0 | 0 | 0 |

Clustered Findings by Tool and Type

Zizmor Security Findings

| Issue Type | Severity | Count | Affected Workflows |
|------------|----------|-------|--------------------|
| secrets-outside-env | Medium | 4,027 | 187 (all) |
| template-injection | High | 16 | 16 |
| template-injection | Informational | 68 | 28 total |
| obfuscation | Low | 21 | 21 |
| artipacked | Medium | 2 | 2 (copilot-token-audit, copilot-token-optimizer) |
| github-env | High | 1 | 1 (dev-hawk) |

Poutine Supply Chain Findings

| Issue Type | Severity | Count | Affected Workflows |
|------------|----------|-------|--------------------|
| untrusted_checkout_exec | error | 6 | 2 (smoke-workflow-call, smoke-workflow-call-with-inputs) |
| github_action_from_unverified_creator_used | note | 8 | multiple |
| unverified_script_exec | note | 5 | multiple |
| unpinnable_action | note | 2 | 2 |
| pr_runs_on_self_hosted | warning | 1 | smoke-copilot-arm |

Actionlint Linting Issues

| Issue Type | Count | Affected Workflows |
|------------|-------|--------------------|
| permissions: unknown copilot-requests scope | 95 | 48 |
| shellcheck (SC2086/SC2012/SC2129) | 24 | 15 |
| expression: undefined property | 11 | 4 |

Runner-Guard Taint Analysis

No findings detected. Runner-guard taint analysis scanner reported 0 issues across all 187 workflows.

Top Priority Issues

1. Template Injection (High) — 16 Workflows

  • Tool: zizmor
  • Count: 16 High-severity findings
  • Severity: High
  • Affected: copilot-pr-nlp-analysis, copilot-session-insights, copilot-token-audit, daily-code-metrics, daily-integrity-analysis, daily-issues-report, daily-multi-device-docs-tester, daily-news, daily-repo-chronicle, github-mcp-structural-analysis, org-health-report, portfolio-analyst, python-data-charts, stale-repo-identifier, weekly-editors-health-check, weekly-issue-summary
  • Description: Code injection via template expansion — GitHub Actions expressions like `${{ }}` used directly in `run:` script content can be exploited if the expanded value contains attacker-controlled data (e.g., issue titles, PR bodies, usernames).
  • Impact: An attacker could inject shell commands into workflow steps by crafting malicious issue/PR content that gets interpolated via `${{ github.event.issue.title }}` or similar in `run:` blocks.
  • Reference: (docs.zizmor.sh/redacted)

2. Dangerous GITHUB_ENV Usage (High) — dev-hawk

  • Tool: zizmor
  • Count: 1
  • Severity: High
  • Affected: dev-hawk
  • Description: Writing to $GITHUB_ENV with attacker-influenced content can inject environment variables that affect subsequent steps and compromise the workflow.
  • Reference: (docs.zizmor.sh/redacted)

3. Secrets Outside Dedicated Environment (Medium) — All 187 Workflows

  • Tool: zizmor
  • Count: 4,027
  • Severity: Medium
  • Description: All workflows reference secrets without using GitHub's dedicated environment protection. Using environments adds an approval gate and audit trail for secret access.
  • Reference: (docs.zizmor.sh/redacted)

Fix Suggestion for Template Injection (High)

Issue: Code injection via template expansion
Severity: High
Affected Workflows: 16 workflows

Prompt to Copilot Agent:

You are fixing a security vulnerability identified by zizmor in GitHub Actions workflows.

**Vulnerability**: Template Injection — Code injection via template expansion
**Rule**: template-injection — (docs.zizmor.sh/redacted)
**Severity**: High

**Current Issue**:
Workflows use GitHub Actions expressions like `${{ github.event.issue.title }}` or
`${{ github.event.pull_request.title }}` directly inside `run:` script blocks. When
these expressions expand to attacker-controlled values (issue titles, PR bodies, usernames,
etc.), they can execute arbitrary shell commands.

**Required Fix**:
1. Move the expression value into an environment variable in the step's `env:` block
2. Reference the environment variable in the `run:` script using `$VARIABLE_NAME` syntax

**Example**:

Before (vulnerable):
```yaml
- name: Process issue
  run: |
    echo "Processing: ${{ github.event.issue.title }}"
    gh issue comment ${{ github.event.issue.number }} --body "Done"
```

After (safe):
```yaml
- name: Process issue
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
    ISSUE_NUMBER: ${{ github.event.issue.number }}
  run: |
    echo "Processing: $ISSUE_TITLE"
    gh issue comment "$ISSUE_NUMBER" --body "Done"
```

Please apply this fix to the "Write Safe Outputs Config" step and any other steps with
template injection vulnerabilities in these workflow files:

  • copilot-pr-nlp-analysis.md
  • copilot-session-insights.md
  • copilot-token-audit.md
  • daily-code-metrics.md
  • daily-integrity-analysis.md
  • daily-issues-report.md
  • daily-multi-device-docs-tester.md
  • daily-news.md
  • daily-repo-chronicle.md
  • github-mcp-structural-analysis.md
  • org-health-report.md
  • portfolio-analyst.md
  • python-data-charts.md
  • stale-repo-identifier.md
  • weekly-editors-health-check.md
  • weekly-issue-summary.md

<details>
<summary>View All Findings by Workflow (High Severity)</summary>

#### template-injection (High)
- `copilot-pr-nlp-analysis.lock.yml` line 489
- `copilot-session-insights.lock.yml` line 494
- `copilot-token-audit.lock.yml` line 507
- `daily-code-metrics.lock.yml` line 483
- `daily-integrity-analysis.lock.yml` line 531
- `daily-issues-report.lock.yml` line 504
- `daily-multi-device-docs-tester.lock.yml` line 422
- `daily-news.lock.yml` line 559
- `daily-repo-chronicle.lock.yml` line 452
- `github-mcp-structural-analysis.lock.yml` line 449
- `org-health-report.lock.yml` line 446
- `portfolio-analyst.lock.yml` line 520
- `python-data-charts.lock.yml` line 499
- `stale-repo-identifier.lock.yml` line 509
- `weekly-editors-health-check.lock.yml` line 388
- `weekly-issue-summary.lock.yml` line 428

#### github-env (High)
- `dev-hawk.lock.yml` line 1306 — dangerous write to GITHUB_ENV

#### artipacked (Medium)
- `copilot-token-audit.lock.yml` line 368 — credential persistence via artifacts
- `copilot-token-optimizer.lock.yml` line 351 — credential persistence via artifacts

#### poutine: untrusted_checkout_exec (Error)
- `smoke-workflow-call.lock.yml` — lines 216, 317, 322 (poutine:ignore suppressing 3 more)
- `smoke-workflow-call-with-inputs.lock.yml` — lines 213, 317, 322 (poutine:ignore suppressing 3 more)

</details>

<details>
<summary>View Actionlint Issues Detail</summary>

#### permissions: unknown `copilot-requests` scope (95 findings, 48 workflows)
The `copilot-requests: write` permission is used across many Copilot-engine workflows but is not in actionlint's known scope list. This is a false positive — the permission is valid for GitHub Copilot workflows but actionlint's schema hasn't been updated yet.

Affected workflows include: agent-performance-analyzer, archie, architecture-guardian, artifacts-summary, auto-triage-issues, brave, breaking-change-checker, ci-coach, claude-code-user-docs-review, cli-consistency-checker, code-scanning-fixer, copilot-cli-deep-research, copilot-pr-merged-report, copilot-pr-nlp-analysis, copilot-pr-prompt-analysis, copilot-token-audit, copilot-token-optimizer, craft, daily-architecture-diagram, and 29 more.

#### shellcheck (24 findings, 15 workflows)
Primarily SC2086: unquoted variables in shell scripts. Affects: copilot-agent-analysis, copilot-pr-merged-report, copilot-pr-nlp-analysis, copilot-token-audit, copilot-token-optimizer, daily-issues-report, daily-news, deep-report, issue-arborist, prompt-clustering-analysis, release, smoke-claude, static-analysis-report, and others.

#### expression: undefined property (11 findings, 4 workflows)
- `ace-editor`: `needs.activation.outputs.activated` undefined
- `smoke-claude`: `needs.activation.outputs.artifact_prefix` undefined (x2)
- `smoke-workflow-call` and `smoke-workflow-call-with-inputs`: `job.workflow_repository`, `job.workflow_sha`, `job.workflow_ref`, `job.workflow_file_path` undefined

</details>

### Historical Trends

| Date | Total | Zizmor | Poutine | Actionlint | Runner-Guard | Workflows |
|------|-------|--------|---------|------------|--------------|-----------|
| 2026-04-04 | 9,956 | 4,924 | 65 | 4,967 | — | 181 |
| 2026-04-08 | — | — | — | — | — | failed |
| 2026-04-09 | — | — | — | — | — | failed |
| 2026-04-10 | 4,379 | 4,051 | 22 | 306 | 0 | 187 |
| **2026-04-11** | **4,287** | **4,135** | **22** | **130** | **0** | **187** |

- **Change from 2026-04-10**: -92 findings (-2.1%) ✅
- Actionlint improved significantly: 306 → 130 (-57.5%)
- Zizmor slightly increased: 4,051 → 4,135 (+84, +2.1%)
- Poutine stable: 22 → 22 (0%)

#### New Issues vs Previous Scan
- High severity `github-env` finding in `dev-hawk` — may be new
- Actionlint expression errors in `smoke-workflow-call` and `smoke-workflow-call-with-inputs` for `job.workflow_*` properties — possibly new workflow-call features

### Recommendations

1. **Immediate**: Fix High-severity `template-injection` in 16 workflows by moving `${{ }}` expressions to `env:` vars
2. **Immediate**: Investigate `github-env` finding in `dev-hawk` workflow (line 1306)
3. **Short-term**: Address `artipacked` in `copilot-token-audit` and `copilot-token-optimizer` — avoid checking out code when secrets are present
4. **Short-term**: Fix unquoted variables (shellcheck SC2086) in 15 workflows
5. **Long-term**: Evaluate `secrets-outside-env` pattern — 4,027 instances across all workflows suggest this may be an accepted architectural pattern, but consider using GitHub Environments for high-value secrets
6. **Monitoring**: `copilot-requests` permission unknown to actionlint is a known false positive; track actionlint version updates

### Next Steps

- [ ] Apply template-injection fix to 16 affected workflows (use Copilot Agent prompt above)
- [ ] Review `dev-hawk` GITHUB_ENV usage at line 1306
- [ ] Fix `artipacked` in copilot-token-* workflows
- [ ] Investigate undefined expression outputs in ace-editor and smoke-claude
- [ ] Update actionlint or suppress `copilot-requests` false positives

**References:**
- [§24290033455](https://github.com/github/gh-aw/actions/runs/24290033455)
- (docs.zizmor.sh/redacted)
- https://github.com/rhysd/actionlint/blob/main/docs/checks.md

> Generated by [Static Analysis Report](https://github.com/github/gh-aw/actions/runs/24290033455/agentic_workflow) · ● 463.2K · [◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw+is%3Aissue+%22gh-aw-workflow-call-id%3A+github%2Fgh-aw%2Fstatic-analysis-report%22&type=issues)