You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Note on duplicates: Per the dedup-by-rule-and-file policy established in #31043, no new individual runner-guard issues were created this run. All current High-severity RGS rules (RGS-004, RGS-012, RGS-018) are covered by previously-filed-and-closed issues (e.g. #30945, #30946, #30947, #30776, #30777, #30778). Yesterday's report is #31167.
Clustered Findings
Runner-Guard Taint Analysis
Rule ID
Name
Severity
Count
Unique Workflows
RGS-004
Comment-Triggered Workflow Without Author Authorization Check
High
1759
18
RGS-005
Excessive Permissions on Untrusted Trigger
Medium
54
17
RGS-018
Suspicious Payload Execution Pattern
High
29
29
RGS-012
Secret Exfiltration via Outbound HTTP Request
High
8
4
Issues created this run: none — see deduplication note above.
Zizmor Security Findings
Issue Type
Severity
Count
Unique Workflows
template-injection
Informational
40
15
obfuscation
Low
24
24
github-env
High
2
1 (dev-hawk.lock.yml)
artipacked
Medium
1
1 (daily-geo-optimizer.lock.yml)
excessive-permissions
Medium
1
1 (dependabot-repair.lock.yml)
Poutine Supply Chain Findings
Issue Type
Severity
Count
Unique Workflows
untrusted_checkout_exec
error
8
2 (smoke-workflow-call*)
github_action_from_unverified_creator_used
note
6
5
unverified_script_exec
note
2
2
pr_runs_on_self_hosted
warning
1
1
Actionlint Linting Issues
Rule
Count
Unique Workflows
shellcheck
428
217
permissions
109
56
expression
12
4
Top Priority Issues
1. RGS-004 — Comment-Triggered Workflow Without Author Authorization Check
Tool: runner-guard
Severity: High
Count: 1,759 (across 18 workflows — mergefest.lock.yml is the primary contributor)
Description: A workflow triggered by issue_comment, pull_request_review_comment, or workflow_run events accesses secrets or has write permissions, but does not verify the comment author's authorization level before executing privileged operations.
Impact: Without an explicit check on github.event.comment.author_association, any external user can trigger the workflow.
Description: Dangerous use of GitHub environment file — writing to $GITHUB_ENV from untrusted input can lead to env-var injection.
Reference: (docs.zizmor.sh/redacted)
Fix Suggestion for zizmor github-env (High)
This is the highest-severity finding from a code-quality tool that is not already tracked by an open or closed RGS issue, so it is the best candidate for a one-shot Copilot agent fix.
Issue: Dangerous use of GitHub environment file in dev-hawk.lock.yml Severity: High Affected Workflows: 1 (dev-hawk.lock.yml lines 721 and 1532)
Prompt to Copilot Agent:
You are fixing a security vulnerability identified by zizmor.
**Vulnerability**: github-env — dangerous use of environment file
**Rule**: github-env — (docs.zizmor.sh/redacted)
**File**: .github/workflows/dev-hawk.lock.yml (lines 721 and 1532)
**Current Issue**:
The workflow appends to $GITHUB_ENV using a value that may originate from
attacker-controllable input (e.g. an issue title, PR body, or comment).
When such input contains a newline, the attacker can inject arbitrary
environment variables that influence subsequent steps — including
overwriting PATH, GH_TOKEN, or other secrets.
**Required Fix**:
1. Locate the source `dev-hawk.md` markdown workflow under `.github/workflows/`
(the .lock.yml is generated; do not edit it directly).
2. For every `echo "X=$Y" >> $GITHUB_ENV` style line:
a. If $Y comes from `github.event.*` user-controllable input, do NOT
put it on $GITHUB_ENV at all. Pass it via the step `env:` block
from a literal `${{ github.event.* }}` template, OR sanitize
the value first.
b. If you must write to $GITHUB_ENV, use the heredoc form with a
random delimiter:
echo "X<<__END_$RANDOM" >> "$GITHUB_ENV"
echo "$Y" >> "$GITHUB_ENV"
echo "__END_$RANDOM" >> "$GITHUB_ENV"
and ensure $Y itself cannot contain the delimiter.
3. Recompile with `gh aw compile` so dev-hawk.lock.yml is regenerated.
4. Re-run zizmor and confirm the github-env warnings at lines 721 and 1532
are resolved.
**Example**:
Before:
- run: |
echo "TITLE=${{ github.event.issue.title }}" >> "$GITHUB_ENV"
After (use env: block, not $GITHUB_ENV):
- env:
TITLE: ${{ github.event.issue.title }}
run: |
echo "Working with title: $TITLE"
Please apply this fix to .github/workflows/dev-hawk.md and verify the
regenerated dev-hawk.lock.yml passes zizmor.
Historical Trends
Comparison with yesterday's scan (#31167, 2026-05-09):
Tool
2026-05-09
2026-05-10
Δ
zizmor
66
68
+2
poutine
17
17
0
actionlint
551
549
−2
runner-guard
1,858
1,850
−8
Total
2,492
2,484
−8
New Issues
2 new zizmor warnings (within already-tracked rule types — no new rule IDs).
All 8 untrusted_checkout_exec findings are in smoke-workflow-call.lock.yml and smoke-workflow-call-with-inputs.lock.yml — these are smoke tests that intentionally exercise this pattern. Suppressions are already noted via # poutine:ignore untrusted_checkout_exec comments adjacent to each finding.
Recommendations
Immediate: The two zizmor github-env High findings in dev-hawk.lock.yml are the highest-priority fixes that are NOT already tracked by an existing RGS issue. See the Copilot prompt above.
Short-term: Triage the bulk RGS-004 finding in mergefest.lock.yml (which alone produces hundreds of duplicates). A single author_association gate at the top of that workflow would erase the largest cluster.
Long-term: The RGS-018 pattern fires once per file across 29 workflows — investigate whether this is a false-positive shared template (e.g. all the lock files contain a similar Setup-jq step) and tune the rule or the template.
Analysis Summary
Findings by Tool
Note on duplicates: Per the dedup-by-rule-and-file policy established in #31043, no new individual runner-guard issues were created this run. All current High-severity RGS rules (RGS-004, RGS-012, RGS-018) are covered by previously-filed-and-closed issues (e.g. #30945, #30946, #30947, #30776, #30777, #30778). Yesterday's report is #31167.
Clustered Findings
Runner-Guard Taint Analysis
Issues created this run: none — see deduplication note above.
Zizmor Security Findings
dev-hawk.lock.yml)daily-geo-optimizer.lock.yml)dependabot-repair.lock.yml)Poutine Supply Chain Findings
Actionlint Linting Issues
Top Priority Issues
1. RGS-004 — Comment-Triggered Workflow Without Author Authorization Check
mergefest.lock.ymlis the primary contributor)issue_comment,pull_request_review_comment, orworkflow_runevents accesses secrets or has write permissions, but does not verify the comment author's authorization level before executing privileged operations.github.event.comment.author_association, any external user can trigger the workflow.2. RGS-018 — Suspicious Payload Execution Pattern
run:block contains code patterns associated with obfuscated payload execution or known IOCs (eval+decode chains,base64 --decode | bash, etc.).3. zizmor
github-env(High).github/workflows/dev-hawk.lock.ymllines 721, 1532$GITHUB_ENVfrom untrusted input can lead to env-var injection.Fix Suggestion for zizmor
github-env(High)This is the highest-severity finding from a code-quality tool that is not already tracked by an open or closed RGS issue, so it is the best candidate for a one-shot Copilot agent fix.
Issue: Dangerous use of GitHub environment file in
dev-hawk.lock.ymlSeverity: High
Affected Workflows: 1 (
dev-hawk.lock.ymllines 721 and 1532)Prompt to Copilot Agent:
Historical Trends
Comparison with yesterday's scan (#31167, 2026-05-09):
New Issues
Resolved Issues
All Findings Details
Runner-Guard High-severity affected workflows
RGS-004 (18 workflows, 1759 findings):
ace-editor.lock.yml,ai-moderator.lock.yml,approach-validator.lock.yml,archie.lock.yml,brave.lock.yml,cloclo.lock.yml,dev-hawk.lock.yml,grumpy-reviewer.lock.yml,mergefest.lock.yml,pdf-summary.lock.yml,plan.lock.yml,pr-code-quality-reviewer.lock.yml,pr-nitpick-reviewer.lock.yml,q.lock.yml,scout.lock.yml,security-review.lock.yml,tidy.lock.yml,unbloat-docs.lock.ymlRGS-018 (29 workflows, 1 each):
api-consumption-report.lock.yml,audit-workflows.lock.yml,changeset.lock.yml,ci-coach.lock.yml,cli-version-checker.lock.yml,cloclo.lock.yml,copilot-agent-analysis.lock.yml,copilot-opt.lock.yml,copilot-pr-merged-report.lock.yml,copilot-pr-nlp-analysis.lock.yml,copilot-pr-prompt-analysis.lock.yml,copilot-session-insights.lock.yml,copilot-setup-steps.yml,daily-cli-performance.lock.yml,daily-issues-report.lock.yml,daily-news.lock.yml,daily-safe-output-optimizer.lock.yml,daily-sentrux-report.lock.yml,deep-report.lock.yml,discussion-task-miner.lock.yml,go-logger.lock.yml,issue-arborist.lock.yml,org-health-report.lock.yml,prompt-clustering-analysis.lock.yml,safe-output-health.lock.yml,scout.lock.yml,smoke-claude.lock.yml,smoke-codex.lock.yml,stale-repo-identifier.lock.ymlRGS-012 (4 workflows, 8 findings):
daily-model-inventory.lock.yml,docs-noob-tester.lock.yml,unbloat-docs.lock.yml,visual-regression-checker.lock.ymlZizmor High & Medium findings (4 total)
.github/workflows/dev-hawk.lock.yml.github/workflows/dev-hawk.lock.yml.github/workflows/daily-geo-optimizer.lock.yml.github/workflows/dependabot-repair.lock.ymlPoutine error findings (8 total)
All 8
untrusted_checkout_execfindings are insmoke-workflow-call.lock.ymlandsmoke-workflow-call-with-inputs.lock.yml— these are smoke tests that intentionally exercise this pattern. Suppressions are already noted via# poutine:ignore untrusted_checkout_execcomments adjacent to each finding.Recommendations
github-envHigh findings indev-hawk.lock.ymlare the highest-priority fixes that are NOT already tracked by an existing RGS issue. See the Copilot prompt above.mergefest.lock.yml(which alone produces hundreds of duplicates). A singleauthor_associationgate at the top of that workflow would erase the largest cluster.Next Steps
github-envindev-hawk.lock.ymlartipacked,excessive-permissions)untrusted_checkout_execpatterns in smoke tests via# poutine:ignorecommentsReferences: