Findings are flat vs. yesterday (zizmor +1, others 0). No new vulnerability classes. Most high-count findings are known, previously-reviewed false-positive classes tied to gh-aw's own compiler output.
| Tool | Total | Crit | High | Med | Low | Info |
|---|---|---|---|---|---|---|
| zizmor (security) | 554 | 0 | 0 | 1 | 292 | 261 |
| poutine (supply chain) | 22 | 0 | 0 | 0 | 22 | — |
| actionlint (linting) | 482 | — | — | — | — | — |
| runner-guard (taint) | 330 | 0 | 319 | 11 | — | — |
Runner-Guard Score/Grade not emitted in this run's output.
Meta-issue #31043 documents that recreating these RGS findings daily after closure is a known antipattern. Applying dedup (closed issue for same rule+file → skip):
All high/medium runner-guard findings map to prior reviewed-and-closed issues. New per-file issues would reintroduce the exact daily noise #31043 flags. Maintainers can reopen the relevant closed issue if remediation is desired.
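The dedup rule stated above (closed issue for the same rule+file → skip) is easy to get subtly wrong when one batch issue covers many files and a file appears in several batches. The following is an added example, not gh-aw's own code: it indexes prior issues by (rule, file), keeps the newest issue per key, and partitions today's runner-guard findings into "skip, cite prior issue" and "needs a per-file issue". The file names and the open issue #99901 are constructed for the demo; the closed batch numbers #30532 and #30777 are the ones this report cites. Treating an open prior issue as "already tracked" is an extension the report does not state.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # runner-guard rule id, e.g. "RGS-018"
    file: str      # compiled .lock.yml the finding points at
    severity: str  # "high" | "medium" | "low"


@dataclass(frozen=True)
class Issue:
    number: int
    state: str        # "open" | "closed"
    rule: str         # rule id the issue tracked
    files: frozenset  # lock files the (batch) issue covered


def dedup(findings, issues):
    """Apply the report's rule: a closed issue for the same rule+file means skip.

    Extension (assumption, not stated in the report): an OPEN issue for the same
    rule+file is skipped too, since filing another would duplicate it.

    Returns (create, skipped):
      create  - file -> findings that still need a per-file issue
      skipped - finding -> (state, number) of the newest prior issue covering it
    """
    prior = {}
    for issue in issues:
        for path in issue.files:
            key = (issue.rule, path)
            # keep the newest (highest-numbered) issue per rule+file
            if key not in prior or issue.number > prior[key][1]:
                prior[key] = (issue.state, issue.number)

    create, skipped = defaultdict(list), {}
    for finding in findings:
        hit = prior.get((finding.rule, finding.file))
        if hit is None:
            create[finding.file].append(finding)
        else:
            skipped[finding] = hit
    return dict(create), skipped


# Constructed sample data: file names and the open issue number are made up;
# #30532 and #30777 are two of the closed RGS-018 batch issues the report cites.
ISSUES = [
    Issue(30532, "closed", "RGS-018", frozenset({"a.lock.yml", "b.lock.yml"})),
    Issue(30777, "closed", "RGS-018", frozenset({"a.lock.yml", "c.lock.yml"})),
    Issue(99901, "open", "RGS-003", frozenset({"d.lock.yml"})),
]
FINDINGS = [
    Finding("RGS-018", "a.lock.yml", "high"),    # closed twice -> skip, cite newest (#30777)
    Finding("RGS-018", "c.lock.yml", "high"),    # closed in #30777 -> skip
    Finding("RGS-018", "new.lock.yml", "high"),  # never reviewed -> create
    Finding("RGS-003", "d.lock.yml", "medium"),  # open prior issue -> skip (extension)
]

if __name__ == "__main__":
    create, skipped = dedup(FINDINGS, ISSUES)
    for finding, (state, number) in skipped.items():
        print(f"skip {finding.rule} {finding.file}: {state} in #{number}")
    for path, items in create.items():
        print(f"create issue for {path}: {[f.rule for f in items]}")
```

Keying on (rule, file) rather than on the issue title is what makes the "newest batch wins" choice safe: a file that was reviewed in two batches is cited against the later one, and a file that has never appeared in any issue is the only thing that generates new noise.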
Top Priority (genuine, actionable)
shellcheck SC2016 (21×, error) — $VAR/${{ }} in single quotes stays literal → silent shell bugs. Affects agent-performance-analyzer, ci-coach, pr-triage-agent, workflow-health-manager, safe-output-health + 16 more.
Fix Suggestion — actionlint syntax-check (426 / 88% of actionlint noise)
Prompt to Copilot Agent:
Fix a static-analysis false positive dominating the actionlint report.
Issue: actionlint syntax-check — `unexpected key "queue" for "concurrency" section`, 426 occurrences across every compiled .lock.yml.
Root cause: gh-aw emits a `concurrency.queue` extension; stock actionlint's schema knows only `group` and `cancel-in-progress`, so it errors on every `queue:` key even though GitHub Actions ignores unknown keys and the workflows run fine.
Fix (in the compile/scan pipeline, NOT by hand-editing generated lock files):
1. actionlint -ignore 'unexpected key "queue" for "concurrency" section'
2. OR strip `queue:` before invoking actionlint
3. OR (upstream) register the extended concurrency schema
Expected result: removes 426 of 482 actionlint findings, leaving genuine shellcheck/expression/permissions issues visible for triage.
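Options 1 and 2 above are both mechanical, and the one detail that matters for triage is that line numbers in the remaining findings must still point at the real lock file. The following is an added example (not gh-aw's code, not part of the prompt): `strip_concurrency_queue` implements option 2 by blanking, rather than deleting, every `queue:` entry that sits directly under a `concurrency:` mapping, so numbering is preserved; `drop_queue_errors` is the post-filter equivalent of the `-ignore` regex in option 1. The sample lock file and actionlint lines are constructed, and the code assumes gh-aw's two-space indentation and actionlint's default `file:line:col: message [kind]` output layout.

```python
import re

# Message stock actionlint emits for the gh-aw extension key (quoted from the report).
QUEUE_MSG = re.compile(r'unexpected key "queue" for "concurrency" section')
BLOCK_START = re.compile(r"^(\s*)concurrency:\s*(#.*)?$")  # `concurrency:` with a block value
QUEUE_KEY = re.compile(r"^\s*queue:")


def strip_concurrency_queue(text):
    """Blank out `queue:` entries that sit directly under a `concurrency:` mapping.

    Line-based on purpose: every other line (and every line number) is preserved,
    so actionlint positions still map back to the real lock file. Assumes the
    two-space indentation gh-aw's compiler emits; a `queue:` value that is itself
    a nested mapping is blanked together with its children.
    """
    out = []
    block_indent = None  # indent of the enclosing `concurrency:` key, or None
    drop_below = None    # indent of a removed `queue:` key whose children are dropped
    for line in text.splitlines(keepends=True):
        content = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if drop_below is not None:
            if content and indent > drop_below:
                out.append("\n")
                continue
            drop_below = None
        start = BLOCK_START.match(line)
        if start:
            block_indent = len(start.group(1))
        elif block_indent is not None and content and not content.startswith("#"):
            if indent <= block_indent:
                block_indent = None          # left the concurrency mapping
            elif QUEUE_KEY.match(line):
                drop_below = indent
                out.append("\n")             # blank line keeps numbering aligned
                continue
        out.append(line)
    return "".join(out)


def drop_queue_errors(actionlint_lines):
    """Post-filter equivalent of option 1 (`actionlint -ignore '...'`)."""
    return [l for l in actionlint_lines if not QUEUE_MSG.search(l)]


# Constructed sample: workflow-level and job-level concurrency, both with `queue:`.
SAMPLE_LOCK = """name: demo
on: push
concurrency:
  group: demo-${{ github.ref }}
  cancel-in-progress: true
  queue: ${{ github.ref }}
jobs:
  build:
    runs-on: ubuntu-latest
    concurrency:
      group: build
      queue: build
    steps:
      - run: echo queue   # a value, not a key: must survive
"""

# Constructed actionlint output in its default layout (message texts are illustrative).
SAMPLE_ACTIONLINT = [
    'x.lock.yml:6:3: unexpected key "queue" for "concurrency" section. expected one of "cancel-in-progress", "group" [syntax-check]',
    'x.lock.yml:14:9: shellcheck reported issue in this script: SC2016:info:1:6: ... [shellcheck]',
    'x.lock.yml:12:7: unexpected key "queue" for "concurrency" section. expected one of "cancel-in-progress", "group" [syntax-check]',
]

if __name__ == "__main__":
    cleaned = strip_concurrency_queue(SAMPLE_LOCK)
    print(cleaned)
    kept = drop_queue_errors(SAMPLE_ACTIONLINT)
    print(f"{len(SAMPLE_ACTIONLINT) - len(kept)} queue errors dropped, {len(kept)} kept")
```

Either function belongs in the scan step that invokes actionlint, never in the compiler output itself: the generated lock files stay byte-identical to what gh-aw emits, and a later upstream schema fix (option 3) just makes the filter a no-op.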
Historical Trends
No new or resolved issue types. Longer view: runner-guard steady at ~330 for weeks; zizmor stable at ~550 since the mid-June ruleset change; actionlint swings with the queue false-positive count. Signal is stable, not regressing.
Recommendations
Immediate: Suppress the actionlint queue false positive (88% of actionlint noise).
Short-term: Fix 21 SC2016 findings and the invalid vulnerability-alerts scope.
🔍 Static Analysis Report - 2026-07-01
Analysis Summary
Clustered Findings
Zizmor — template-injection 264 (Info/Low), adhoc-packages 258 (Low), obfuscation 30 (Low), excessive-permissions 1 (Medium — highest zizmor severity), superfluous-actions 1. No High/Critical.
Poutine — untrusted_checkout_exec 10 (error, in smoke-workflow-call*.lock.yml), github_action_from_unverified_creator_used 8 (note), unverified_script_exec 3 (note), pr_runs_on_self_hosted 1 (warning).
Actionlint — syntax-check 426 (false positive: gh-aw `concurrency.queue` is unknown to stock actionlint), shellcheck 37, expression 18, permissions 1.
Runner-Guard — Issues created this run: none; see dedup decision.
Runner-Guard Dedup Decision (per #31043)
Applying dedup (closed issue for same rule+file → skip):
RGS-018 Suspicious Payload Execution Pattern (generate_safe_outputs_tools.cjs, TruffleHog/sentrux installers) — same false-positive class, already reviewed and closed in batch issues #30532, #29461, #30078 and #30777 → skip.
Top Priority (genuine, actionable)
1. shellcheck SC2016 (21×, error) — `$VAR`/`${{ }}` in single quotes stays literal → silent shell bugs. Affects agent-performance-analyzer, ci-coach, pr-triage-agent, workflow-health-manager, safe-output-health + 16 more.
2. permissions (1) — dependabot-go-checker.lock.yml:442 requests the `vulnerability-alerts` scope, which is not a valid GitHub Actions permission (silently grants nothing). Rename/remove.
3. poutine untrusted_checkout_exec (10, error) — smoke-workflow-call* test workflows; confirm these are intentional test fixtures.
Fix Suggestion — actionlint syntax-check (426 / 88% of actionlint noise): the Copilot Agent prompt is given above.
Genuine findings by workflow
SC2016 (21): agent-performance-analyzer, agentic-token-optimizer, audit-workflows, ci-coach, cli-consistency-checker, code-simplifier, copilot-centralization-drilldown, copilot-centralization-optimizer, daily-cli-tools-tester, daily-compiler-quality, daily-max-ai-credits-test, daily-observability-report, daily-regulatory, daily-safe-output-optimizer, daily-team-evolution-insights, detection-analysis-report, portfolio-analyst, pr-triage-agent, safe-output-health, schema-consistency-checker, workflow-health-manager
SC2086 (5): daily-geo-optimizer, impeccable-skills-reviewer, mattpocock-skills-reviewer · other shellcheck: SC2038 (6), SC2034 (2), SC2188/SC2129/SC2005 (1 each)
expression undefined-property (18): ace-editor, approach-validator, daily-cache-strategy-analyzer, daily-caveman-optimizer, daily-doc-healer, skillet, smoke-workflow-call, smoke-workflow-call-with-inputs (activation×6, pre_activation×3, workflow_sha/ref/repository/file_path×2 each, activated×1)
permissions (1): dependabot-go-checker.lock.yml:442 — `vulnerability-alerts` (not a valid permission scope)
Next Steps
Land the actionlint `queue` suppression in the scan pipeline.
Fix the `vulnerability-alerts` scope in dependabot-go-checker.
References: §28497330053 · prior report #42425 · dedup meta-issue #31043