[static-analysis] Report - 2026-07-01 #42670

@github-actions

🔍 Static Analysis Report - 2026-07-01

Analysis Summary

  • Tools: zizmor, poutine, actionlint, runner-guard v2.6.0
  • Total Findings: 1,388 · Workflows Scanned: 257
  • Findings are flat vs. yesterday (zizmor +1, others 0). No new vulnerability classes. Most high-count findings are known, previously-reviewed false-positive classes tied to gh-aw's own compiler output.
Tool                    Total  Crit  High  Med  Low  Info
zizmor (security)         554     0     0    1  292   261
poutine (supply chain)     22     0     0    0   22
actionlint (linting)      482
runner-guard (taint)      330     0   319   11

Runner-Guard Score/Grade not emitted in this run's output.

Clustered Findings

Zizmor — template-injection 264 (Info/Low), adhoc-packages 258 (Low), obfuscation 30 (Low), excessive-permissions 1 (Medium — highest zizmor severity), superfluous-actions 1. No High/Critical.

Poutine — untrusted_checkout_exec 10 (error, in smoke-workflow-call*.lock.yml), github_action_from_unverified_creator_used 8 (note), unverified_script_exec 3 (note), pr_runs_on_self_hosted 1 (warning).

Actionlint — syntax-check 426 (false positive: gh-aw concurrency.queue unknown to stock actionlint), shellcheck 37, expression 18, permissions 1.

Runner-Guard

Rule     Name                                          Sev   Count  Affected
RGS-004  Comment-Triggered w/o Author Auth Check       high    302  ai-moderator, dev-hawk, q
RGS-012  Secret Exfiltration via Outbound HTTP         high     11  daily-byok-ollama-test, daily-model-inventory, daily-multi-device-docs-tester, docs-noob-tester, visual-regression-checker
RGS-018  Suspicious Payload Execution Pattern          high      6  copilot-setup-steps, daily-byok-ollama-test, daily-cli-performance, daily-sentrux-report, smoke-claude, smoke-codex
RGS-005  Excessive Permissions on Untrusted Trigger    med       8  agentic_commands, ai-moderator, q
RGS-019  Step Output Interpolated in run Block         med       2  error-message-lint, windows-cli-integration
RGS-007  Unpinned Third-Party Action (mutable tag)     med       1  publish-safe-outputs-node

Issues created this run: none — see dedup decision.

Runner-Guard Dedup Decision (per #31043)

Meta-issue #31043 documents that recreating these RGS findings daily after closure is a known antipattern. Applying dedup (closed issue for same rule+file → skip):

All high/medium runner-guard findings map to prior reviewed-and-closed issues. New per-file issues would reintroduce the exact daily noise #31043 flags. Maintainers can reopen the relevant closed issue if remediation is desired.

Top Priority (genuine, actionable)

  1. shellcheck SC2016 (21×, error) — $VAR/${{ }} in single quotes stays literal → silent shell bugs. Affects agent-performance-analyzer, ci-coach, pr-triage-agent, workflow-health-manager, safe-output-health + 16 more.
  2. actionlint permissions (1×, error) — dependabot-go-checker.lock.yml:442 uses unknown scope vulnerability-alerts (silently grants nothing). Rename/remove.
  3. poutine untrusted_checkout_exec (10×) — concentrated in the two smoke-workflow-call* test workflows; confirm intentional test fixtures.

Fix Suggestion — actionlint syntax-check (426 / 88% of actionlint noise)

Prompt to Copilot Agent:

Fix a static-analysis false-positive dominating the actionlint report.

Issue: actionlint syntax-check — `unexpected key "queue" for "concurrency" section`.
426 occurrences across every compiled .lock.yml.

Root cause: gh-aw emits a `concurrency.queue` extension; stock actionlint's schema knows
only `group` and `cancel-in-progress`, so it errors on every `queue:` key even though
GitHub Actions ignores unknown keys and the workflows run fine.

Fix (in the compile/scan pipeline, NOT by hand-editing generated lock files):
1. actionlint -ignore 'unexpected key "queue" for "concurrency" section'
2. OR strip `queue:` before invoking actionlint
3. OR (upstream) register the extended concurrency schema

Removes 426 of 482 actionlint findings, leaving genuine shellcheck/expression/permissions
issues visible for triage.

Genuine findings by workflow

SC2016 (21): agent-performance-analyzer, agentic-token-optimizer, audit-workflows, ci-coach, cli-consistency-checker, code-simplifier, copilot-centralization-drilldown, copilot-centralization-optimizer, daily-cli-tools-tester, daily-compiler-quality, daily-max-ai-credits-test, daily-observability-report, daily-regulatory, daily-safe-output-optimizer, daily-team-evolution-insights, detection-analysis-report, portfolio-analyst, pr-triage-agent, safe-output-health, schema-consistency-checker, workflow-health-manager

SC2086 (5): daily-geo-optimizer, impeccable-skills-reviewer, mattpocock-skills-reviewer · other shellcheck: SC2038 (6), SC2034 (2), SC2188/SC2129/SC2005 (1 each)

expression undefined-property (18): ace-editor, approach-validator, daily-cache-strategy-analyzer, daily-caveman-optimizer, daily-doc-healer, skillet, smoke-workflow-call, smoke-workflow-call-with-inputs (activation×6, pre_activation×3, workflow_sha/ref/repository/file_path×2 each, activated×1)

permissions (1): dependabot-go-checker.lock.yml:442 — vulnerability-alerts

Historical Trends

Metric        06-30   07-01   Δ
zizmor          553     554  +1
poutine          22      22   0
actionlint      482     482   0
runner-guard    330     330   0
total         1,387   1,388  +1

No new or resolved issue types. Longer view: runner-guard steady ~330 for weeks; zizmor stable ~550 since the mid-June ruleset change; actionlint swings with the queue false-positive count. Signal is stable, not regressing.

Recommendations

  1. Immediate: Suppress the actionlint queue false positive (88% of actionlint noise).
  2. Short-term: Fix 21 SC2016 findings and the invalid vulnerability-alerts scope.
  3. Dedup: Implement dedup-by-rule for RGS-* issues ([deep-report] Static-analysis RGS-* security issues recreated daily after closure (no dedup-by-rule) #31043) in the report generator.
  4. Long-term: Confirm smoke-workflow-call* checkout-exec findings are intentional.

Next Steps

References: §28497330053 · prior report #42425 · dedup meta-issue #31043

Generated by 📊 Static Analysis Report · 247.5 AIC · ⌖ 25.9 AIC · ⊞ 10K

  • expires on Jul 7, 2026, 10:23 PM UTC-08:00
