
[static-analysis] Report - 2026-05-24 #34382

@github-actions


### Analysis Summary

- **Tools Used:** zizmor, poutine, actionlint, runner-guard
- **Total Findings:** 1,665 (zizmor 73 + poutine 21 + actionlint 1,289 + runner-guard 282)
- **Workflows Scanned:** 235 (+1 since yesterday)
- **Issues Created:** 0 (all current high-severity RGS findings have prior closed rule-level issues; see Issues Created below)

**Net improvement vs yesterday:** runner-guard dropped 305 → 282 (-23). RGS-018 dropped 29 → 6 across the lock files. Zizmor, poutine and actionlint are essentially stable.

⚠️ **Persistent regressions:** zizmor `[High] github-env` on `dev-hawk.lock.yml` (×2, lines 732 and 1577); the same finding reappeared on 2026-05-23 and is still present today. Twelve `[error] untrusted_checkout_exec` poutine findings across `smoke-workflow-call*.lock.yml` and `dependabot-worker.lock.yml` are unchanged from the past three scans.

### Findings by Tool

| Tool | Total | Critical | High | Medium | Low | Info |
|------|-------|----------|------|--------|-----|------|
| zizmor (security) | 73 | 0 | 2 | 2 | 29 | 40 |
| poutine (supply chain) | 21 | 0 | 12 (error) | 0 | 1 (warning) | 8 (note) |
| actionlint (linting) | 1,289 | | | | | |
| runner-guard (taint) | 282 | 0 | 273 | 9 | 0 | 0 |

(actionlint does not assign severities; only its total is reported.)

### Clustered Findings by Tool and Type

#### Zizmor Security Findings

| Issue Type | Severity | Count | Affected Workflows (basenames) |
|------------|----------|-------|--------------------------------|
| `github-env` | High | 2 | dev-hawk (lines 732, 1577) |
| `excessive-permissions` | Medium | 1 | dependabot-repair |
| `artipacked` | Medium | 1 | daily-geo-optimizer |
| `obfuscation` | Low | 25 | 25 workflows (see details) |
| `template-injection` | Low | 4 | daily-otel-instrumentation-advisor, daily-reliability-review, daily-token-consumption-report, deep-report |
| `template-injection` | Informational | 39 | 14 workflows (typically ×3 occurrences each) |
| `superfluous-actions` | Informational | 1 | smoke-codex |

#### Poutine Supply-Chain Findings

| Issue Type | Severity | Count | Affected Workflows |
|------------|----------|-------|--------------------|
| `untrusted_checkout_exec` | error | 12 | smoke-workflow-call-with-inputs (×4), smoke-workflow-call (×4), dependabot-worker (×4) |
| `github_action_from_unverified_creator_used` | note | 6 | super-linter, smoke-codex, copilot-setup-steps, mcp-inspector, link-check (×2) |
| `unverified_script_exec` | note | 2 | smoke-codex, copilot-setup-steps |
| `pr_runs_on_self_hosted` | warning | 1 | smoke-copilot-arm |

#### Actionlint Linting Issues

| Issue Type | Count |
|------------|-------|
| shellcheck | 927 |
| syntax-check | 235 |
| permissions | 111 |
| expression | 16 |

#### Runner-Guard Taint-Analysis Findings

| Rule | Name | Severity | Total Findings | Affected Workflows |
|------|------|----------|----------------|--------------------|
| RGS-004 | Comment-Triggered Workflow Without Author Authorization Check | High | 260 | `q.lock.yml` (112), `ai-moderator.lock.yml` (79), `dev-hawk.lock.yml` (69) |
| RGS-018 | Suspicious Payload Execution Pattern | High | 6 | `copilot-setup-steps.yml`, daily-cli-performance, smoke-codex, daily-sentrux-report, go-logger, smoke-claude |
| RGS-012 | Secret Exfiltration via Outbound HTTP Request | High | 7 | daily-multi-device-docs-tester, visual-regression-checker (×2), daily-model-inventory (×3), docs-noob-tester |
| RGS-005 | Excessive Permissions on Untrusted Trigger | Medium | 8 | `agentic_commands.yml`, ai-moderator, `q.lock.yml` |
| RGS-019 | (medium-severity rule) | Medium | 1 | `error-message-lint.yml` |

### Top Priority Issues

#### 1. RGS-004: Comment-Triggered Workflow Without Author Authorization Check

- **Tool:** runner-guard
- **Severity:** High
- **Total findings:** 260 across 3 workflows
- **Highest-occurrence files:** `q.lock.yml` (112), `ai-moderator.lock.yml` (79), `dev-hawk.lock.yml` (69)
- **Description:** Workflows triggered by `issue_comment` / `pull_request_review_comment` / `workflow_run` events that access secrets or have write permissions without verifying `github.event.comment.author_association`.
- **Impact:** Any external user can post a comment to trigger privileged operations.
- **Status:** Rule-level closure exists: [#29694](https://github.com/github/gh-aw/issues/29694) was closed with ai-moderator, dev-hawk and q explicitly listed as affected.

#### 2. zizmor `github-env` (High) on `dev-hawk.lock.yml`

- **Tool:** zizmor
- **Severity:** High
- **Count:** 2 (lines 732, 1577)
- **Description:** Dangerous use of the `GITHUB_ENV` environment file. Writing user-controlled data to `$GITHUB_ENV` can lead to environment-variable injection.
- **Status:** Recurring: cleared on 2026-05-22, reappeared 2026-05-23, still present 2026-05-24.
- **Reference:** (docs.zizmor.sh/redacted)

#### 3. Poutine `untrusted_checkout_exec` (error)

- **Tool:** poutine
- **Severity:** error
- **Count:** 12 across `smoke-workflow-call-with-inputs.lock.yml`, `smoke-workflow-call.lock.yml`, `dependabot-worker.lock.yml`
- **Description:** `bash "${RUNNER_TEMP}/gh-aw/actions/*.sh"` invocations after a checkout that may include untrusted PR code. Each call site has a `# poutine:ignore untrusted_checkout_exec` comment, but poutine still flags them.
- **Action:** Confirm that the ignore comment sits on the line immediately above the flagged `run:` line (per the poutine docs); the tool may simply be reporting findings that were meant to be suppressed.

### Fix Suggestion: RGS-004 (Comment-Triggered Workflow Without Author Authorization Check)

**Issue:** 260 high-severity findings across 3 workflows.

**Affected:** `q.lock.yml`, `ai-moderator.lock.yml`, `dev-hawk.lock.yml`

⚠️ **Note:** A rule-level closure ([#29694](https://github.com/github/gh-aw/issues/29694)) already lists these workflows. The fix template below is provided for reference if these workflows are reconsidered.

**Prompt to Copilot Agent:**

You are fixing a high-severity security vulnerability identified by runner-guard.

**Vulnerability**: RGS-004 — Comment-Triggered Workflow Without Author Authorization Check
**Reference**: https://github.com/Vigilant-LLC/runner-guard

**Current Issue**:
The following workflows are triggered by `issue_comment`, `pull_request_review_comment`, or
`workflow_run` events and access secrets or have write permissions, but do not verify the
comment author's `author_association` before executing privileged operations:

- .github/workflows/q.md
- .github/workflows/ai-moderator.md
- .github/workflows/dev-hawk.md

Because `issue_comment` fires for ANY GitHub user, this effectively grants secrets access and
write permissions to arbitrary external users.

**Required Fix**:
Add an explicit author-association gate at the beginning of the main job (or in the
activation job that triggers the agent), restricted to OWNER, MEMBER, or COLLABORATOR.

**Example**:

Before:

```yaml
on:
  issue_comment:
    types: [created]
jobs:
  agent:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      issues: write
    steps:
      - run: ./do-privileged-thing.sh
```

After (gated on author-association):

```yaml
on:
  issue_comment:
    types: [created]
jobs:
  agent:
    # Only comments from OWNER, MEMBER or COLLABORATOR accounts reach the privileged steps.
    if: |
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    runs-on: ubuntu-latest
    permissions:
      contents: write
      issues: write
    steps:
      - run: ./do-privileged-thing.sh
```

Note: in gh-aw markdown source, the equivalent is the `roles:` field in `on.command:` (or
`on.issue_comment:` with `if:` expressions in the `safe-jobs:` section). Use the gh-aw idiom
when editing the `.md` source; do NOT directly edit the generated `.lock.yml`.

Please apply this fix to all three workflows above.


### Issues Created

**0** new GitHub issues created this run.

All current Critical/High runner-guard findings have prior **closed** rule-level issues that explicitly list the affected files:

| Rule | Current file | Prior closed issue |
|------|--------------|--------------------|
| RGS-004 | `q.lock.yml` | [#29694](https://github.com/github/gh-aw/issues/29694) (lists `q`) |
| RGS-004 | `ai-moderator.lock.yml` | [#29694](https://github.com/github/gh-aw/issues/29694) (lists `ai-moderator`) |
| RGS-004 | `dev-hawk.lock.yml` | [#29694](https://github.com/github/gh-aw/issues/29694) (lists `dev-hawk`) |
| RGS-018 | `copilot-setup-steps.yml` | [#33476](https://github.com/github/gh-aw/issues/33476) |
| RGS-018 | `daily-sentrux-report` | [#29461](https://github.com/github/gh-aw/issues/29461) (lists `daily-sentrux-report`) |
| RGS-018 | `go-logger` | [#28154](https://github.com/github/gh-aw/issues/28154) (lists `go-logger`) |
| RGS-018 | `daily-cli-performance`, `smoke-codex`, `smoke-claude` | [#29461](https://github.com/github/gh-aw/issues/29461) ("and 18 additional workflows") |
| RGS-012 | `daily-multi-device-docs-tester` | [#33477](https://github.com/github/gh-aw/issues/33477) |
| RGS-012 | `visual-regression-checker` | [#30947](https://github.com/github/gh-aw/issues/30947) |
| RGS-012 | `daily-model-inventory` | [#30776](https://github.com/github/gh-aw/issues/30776), [#30079](https://github.com/github/gh-aw/issues/30079) |
| RGS-012 | `docs-noob-tester` | [#28488](https://github.com/github/gh-aw/issues/28488) |

Per the dedup policy in [#31043](https://github.com/github/gh-aw/issues/31043) (explicitly closed to fix the daily-recreation problem) and yesterday's precedent ([#34177](https://github.com/github/gh-aw/issues/34177)), no new individual rule-level issues were created.

### Historical Trends

| Date | Workflows | zizmor | poutine | actionlint | runner-guard | Δ runner-guard |
|------|-----------|--------|---------|------------|--------------|----------------|
| 2026-05-21 | 233 | 72 | 21 | 1,285 | 305 | — |
| 2026-05-22 | 234 | 71 | 21 | 1,286 | 296 | -9 |
| 2026-05-23 | 234 | 73 | 21 | 1,284 | 305 | +9 |
| **2026-05-24** | **235** | **73** | **21** | **1,289** | **282** | **-23** ✅ |

#### What changed since 2026-05-23

- ✅ **RGS-018 dropped from 29 → 6** (-23 findings). Likely cause: an editing pass on workflows previously listed in [#29461](https://github.com/github/gh-aw/issues/29461) that cleared the suspicious-payload pattern.
- ➖ RGS-004, RGS-012, RGS-005, RGS-019 all unchanged.
- ➖ Zizmor `github-env` High on `dev-hawk` still present.
- ➖ Poutine `untrusted_checkout_exec` (12) unchanged.
- ➕ +5 actionlint warnings (shellcheck +4, syntax-check +1 with the new workflow).

#### No new issue types

All issue types present today were present in at least one of the past three scans.

<details>
<summary>Detailed Zizmor Findings by Workflow</summary>

#### High severity

- `dev-hawk.lock.yml:732:9` — `[High] github-env: dangerous use of environment file`
- `dev-hawk.lock.yml:1577:9` — `[High] github-env: dangerous use of environment file`

#### Medium severity

- `dependabot-repair.lock.yml:353:3` — `[Medium] excessive-permissions: overly broad permissions`
- `daily-geo-optimizer.lock.yml:1381:9` — `[Medium] artipacked: credential persistence through GitHub Actions artifacts`

#### Low — obfuscation (25 workflows)

`agent-performance-analyzer`, `agentic-token-audit`, `agentic-token-optimizer`, `audit-workflows`, `copilot-agent-analysis`, `copilot-cli-deep-research`, `copilot-pr-nlp-analysis`, `copilot-pr-prompt-analysis`, `copilot-session-insights`, `daily-cli-performance`, `daily-code-metrics`, `daily-news`, `daily-sentrux-report`, `daily-testify-uber-super-expert`, `dataflow-pr-discussion-dataset`, `deep-report`, `delight`, `discussion-task-miner`, `firewall-escape`, `metrics-collector`, `pr-triage-agent`, `security-compliance`, `sergo`, `smoke-ci`, `workflow-health-manager`.

(Each is a `# poutine:ignore untrusted_checkout_exec` comment immediately above a `run:` — zizmor's obfuscation detector flags the comment.)

#### Low — template-injection (4 workflows)

`daily-otel-instrumentation-advisor`, `daily-reliability-review`, `daily-token-consumption-report`, `deep-report`.

#### Informational — template-injection (14 workflows, ×3 each typical)

`ai-moderator`, `contribution-check`, `grumpy-reviewer`, `issue-triage-agent`, `mattpocock-skills-reviewer`, `pr-code-quality-reviewer`, `pr-nitpick-reviewer`, `security-review`, `smoke-agent-all-merged`, `smoke-agent-all-none`, `smoke-agent-public-approved`, `smoke-agent-public-none`, `smoke-agent-scoped-approved`, `smoke-service-ports`.

#### Informational — superfluous-actions

- `smoke-codex.lock.yml:2037:9`

</details>

<details>
<summary>Detailed Poutine Findings by Workflow</summary>

#### error — untrusted_checkout_exec (12 findings)

- `smoke-workflow-call-with-inputs.lock.yml:250`, `:277`, `:388`, `:393`
- `smoke-workflow-call.lock.yml:253`, `:280`, `:389`, `:394`
- `dependabot-worker.lock.yml:278`, `:307`, `:428`, `:433`

#### note — github_action_from_unverified_creator_used (6 findings)

- `super-linter.lock.yml:1522` (`super-linter/super-linter@...`)
- `smoke-codex.lock.yml:2040` (`actions-ecosystem/action-add-labels@...`)
- `copilot-setup-steps.yml:43` (`astral-sh/setup-uv@...`)
- `mcp-inspector.lock.yml:541` (`astral-sh/setup-uv@...`)
- `link-check.yml:35`, `:43` (`gaurav-nelson/github-action-markdown-link-check@...`)

#### note — unverified_script_exec (2 findings)

- `smoke-codex.lock.yml:2101` (`curl https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh`)
- `copilot-setup-steps.yml:17` (`curl https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash`)

#### warning — pr_runs_on_self_hosted

- `smoke-copilot-arm.lock.yml:448` (`runs-on: ubuntu-24.04-arm`)

</details>

<details>
<summary>Detailed Runner-Guard Findings (per rule, per file)</summary>

#### RGS-004 — High (260 total)

- `q.lock.yml`: 112 findings
- `ai-moderator.lock.yml`: 79 findings
- `dev-hawk.lock.yml`: 69 findings

#### RGS-018 — High (6 total)

- `copilot-setup-steps.yml:16:1` — `curl https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash` pattern
- `daily-cli-performance.lock.yml:752:1`
- `smoke-codex.lock.yml`
- `daily-sentrux-report.lock.yml`
- `go-logger.lock.yml`
- `smoke-claude.lock.yml`

#### RGS-012 — High (7 total)

- `daily-multi-device-docs-tester.lock.yml:497:1` (npm dev server)
- `visual-regression-checker.lock.yml:437:1`, `:807:1`
- `daily-model-inventory.lock.yml:1007:1`, `:1173:1`, `:1237:1` (Anthropic/Gemini/OpenAI model APIs)
- `docs-noob-tester.lock.yml`

#### RGS-005 — Medium (8 total)

- `agentic_commands.yml:1:1`
- `ai-moderator.lock.yml`
- `q.lock.yml`

#### RGS-019 — Medium (1)

- `error-message-lint.yml`

</details>

### Recommendations

1. **High priority** — Investigate the recurring zizmor `[High] github-env` on `dev-hawk.lock.yml` (cleared 2026-05-22, regressed since 2026-05-23). The fix that worked on 2026-05-22 may have been reverted; consider adding a compiler safeguard so `$GITHUB_ENV` writes from user-controlled inputs are rejected at lock-time.
2. **Medium priority** — Reconsider the closed-issue policy: 260 RGS-004 findings on three large workflows is the largest cluster but currently treated as "resolved" by [#29694](https://github.com/github/gh-aw/issues/29694). If the underlying compiler is still emitting these patterns, the closure may be premature.
3. **Lock-file noise** — Most zizmor `obfuscation` (Low) findings are false positives flagging `# poutine:ignore` comments. Consider a compiler-side fix to avoid emitting the comment on the same line zizmor inspects.
4. **Maintain dedup discipline** — Continue following [#31043](https://github.com/github/gh-aw/issues/31043): refer to existing closed issues rather than refiling daily.

### Next Steps

- [ ] Decide whether to reopen [#29694](https://github.com/github/gh-aw/issues/29694) (RGS-004) given findings have not actually been remediated
- [ ] Fix recurring `[High] github-env` on `dev-hawk.lock.yml` (lines 732, 1577)
- [ ] Investigate the `untrusted_checkout_exec` poutine ignore-comment placement
- [ ] Confirm the 23-finding drop in RGS-018 is from real remediation, not workflow deletion

### References

- [§26353464282](https://github.com/github/gh-aw/actions/runs/26353464282) — this run
- [§26325008806](https://github.com/github/gh-aw/actions/runs/26325008806) — 2026-05-23 scan
- [#31043](https://github.com/github/gh-aw/issues/31043) — Dedup policy




> Generated by [📊 Static Analysis Report](https://github.com/github/gh-aw/actions/runs/26353464282) · ● opu47 22.7M · [◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw+is%3Aissue+%22gh-aw-workflow-call-id%3A+github%2Fgh-aw%2Fstatic-analysis-report%22&type=issues)
> - [x] expires <!-- gh-aw-expires: 2026-05-31T06:12:20.919Z --> on May 31, 2026, 6:12 AM UTC

<!-- gh-aw-agentic-workflow: Static Analysis Report, engine: claude, model: agent, id: 26353464282, workflow_id: static-analysis-report, run: https://github.com/github/gh-aw/actions/runs/26353464282 -->

<!-- gh-aw-workflow-id: static-analysis-report -->
<!-- gh-aw-workflow-call-id: github/gh-aw/static-analysis-report -->
