feat: add runner-guard to static-analysis-report workflow #24749

Merged
pelikhan merged 5 commits into main from copilot/update-static-analysis-workflows on Apr 5, 2026

Conversation

Contributor

Copilot AI commented Apr 5, 2026

Summary

Updates .github/workflows/static-analysis-report.md to also run runner-guard (CI/CD source-to-sink vulnerability scanner by Vigilant-LLC) alongside the existing zizmor, poutine, and actionlint tools.

Changes

New runner_guard pre-job (0 secrets)

  • Runs in a separate job with permissions: contents: read only — no GITHUB_TOKEN write access, no other secrets
  • Installs runner-guard v2.6.0 via go install and scans .github/workflows/ for pipeline injection vulnerabilities (fork checkout exploits, expression injection, secret exfiltration, unpinned actions, AI config injection, supply chain steganography)
  • Separates stderr from stdout to avoid corrupting JSON output
  • Validates JSON output and provides safe fallback on parse failure
  • Uploads results as a short-lived artifact (1 day retention)

New create-issue safe-output

  • title-prefix: "[runner-guard] ", labels: [security, automation], max: 3
  • Enables the agent to file up to 3 GitHub issues per run for critical findings

Agent instructions (Phase 6)

  • Downloads the runner-guard artifact in steps:
  • New Phase 6 reads /tmp/gh-aw/runner-guard-results.json, parses findings, and creates up to 3 issues for Critical/High severity findings
  • Deduplication: searches for existing open issues matching [runner-guard] + rule ID before creating
  • Discussion template updated with runner-guard taint analysis section (score, grade, findings table, issue links)
  • Success criteria updated to include runner-guard
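
The Phase 6 triage the description lists (keep Critical/High findings, skip rule IDs that already have an open "[runner-guard]" issue, file at most 3) as a worked example. This block is added here and is not the PR's code or gh-aw's agent logic: the findings schema (rule_id, severity, file, message), the sample findings and the existing issue titles are constructed assumptions, and ordering Critical ahead of High before applying the cap is a choice this example makes that the description does not state.

```python
import json
import re

TITLE_PREFIX = "[runner-guard] "
MAX_ISSUES = 3                               # the safe-output "max: 3" cap from the PR
SEVERITY_RANK = {"critical": 0, "high": 1}   # only these are filed; Critical first

# Constructed sample results file. The field names (rule_id, severity, file,
# message) are an assumption for this example, not runner-guard's real schema.
SAMPLE_RESULTS_JSON = json.dumps({"findings": [
    {"rule_id": "RG-EXPR-INJ", "severity": "Critical",
     "file": ".github/workflows/a.yml", "message": "untrusted expression in run step"},
    {"rule_id": "RG-EXPR-INJ", "severity": "Critical",
     "file": ".github/workflows/b.yml", "message": "untrusted expression in run step"},
    {"rule_id": "RG-FORK-CHECKOUT", "severity": "High",
     "file": ".github/workflows/c.yml", "message": "pull_request_target checks out PR head"},
    {"rule_id": "RG-UNPINNED", "severity": "Medium",
     "file": ".github/workflows/d.yml", "message": "action not pinned to a commit SHA"},
    {"rule_id": "RG-SECRET-EXFIL", "severity": "High",
     "file": ".github/workflows/e.yml", "message": "secret reaches a network sink"},
    {"rule_id": "RG-AI-CONFIG", "severity": "Critical",
     "file": ".github/workflows/f.yml", "message": "AI config loaded from untrusted input"},
]})

# Constructed titles of issues already open in the repository.
EXISTING_OPEN_ISSUE_TITLES = [
    "[runner-guard] RG-FORK-CHECKOUT: pull_request_target checks out PR head",
    "[zizmor] template-injection in a.yml",
]


def load_findings(results_json: str) -> list:
    """Parse the results file; unreadable input yields no findings rather than an error."""
    try:
        data = json.loads(results_json)
    except json.JSONDecodeError:
        return []
    findings = data.get("findings", []) if isinstance(data, dict) else []
    return [f for f in findings if isinstance(f, dict)]


def issue_title(finding: dict) -> str:
    """Title format the PR specifies: prefix, then the rule ID so dedup can key on it."""
    return f"{TITLE_PREFIX}{finding['rule_id']}: {finding['message']}"


def has_open_issue(rule_id: str, existing_titles) -> bool:
    """Dedup check from the PR: an open issue whose title starts with the prefix
    and carries exactly this rule ID means we do not file another one."""
    pattern = re.compile(r"^\[runner-guard\]\s+" + re.escape(rule_id) + r"(?=:|\s|$)")
    return any(pattern.match(title) for title in existing_titles)


def plan_issues(results_json: str, existing_titles, limit: int = MAX_ISSUES) -> list:
    """Titles Phase 6 would file: Critical/High only, one per rule ID, rule IDs
    that already have an open issue skipped, Critical before High, at most `limit`."""
    ranked = sorted(
        load_findings(results_json),
        key=lambda f: SEVERITY_RANK.get(str(f.get("severity", "")).lower(), 99),
    )
    planned, seen_rules = [], set()
    for finding in ranked:
        rule = finding.get("rule_id")
        if not rule or rule in seen_rules:
            continue
        if str(finding.get("severity", "")).lower() not in SEVERITY_RANK:
            break  # list is sorted, so everything from here on is below High
        seen_rules.add(rule)
        if has_open_issue(rule, existing_titles):
            continue
        planned.append(issue_title(finding))
        if len(planned) >= limit:
            break
    return planned


if __name__ == "__main__":
    for title in plan_issues(SAMPLE_RESULTS_JSON, EXISTING_OPEN_ISSUE_TITLES):
        print(title)
```

With the constructed input, the duplicate RG-EXPR-INJ finding collapses to one issue, RG-FORK-CHECKOUT is skipped because an open issue already names that rule, RG-UNPINNED is dropped as Medium, and the cap of 3 is reached. The dedup regex requires the rule ID to be followed by a colon, whitespace or end of title so that a shorter ID is not treated as a match for a longer one.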

Copilot AI and others added 2 commits April 5, 2026 15:30
- Add separate runner_guard pre-job with permissions: contents: read only (0 secrets)
  that installs runner-guard v2.6.0 via go install, runs source-to-sink scan,
  and uploads JSON results as artifact
- Add download step for runner-guard artifact in agent steps
- Add create-issue safe-output with max: 3 for runner-guard findings
- Add Phase 6 agent instructions to analyze runner-guard output and create
  up to 3 GitHub issues for Critical/High severity findings (deduplication included)
- Update discussion template to include runner-guard taint analysis section
- Update success criteria and tool references throughout
- Recompile lock file

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/1e2a44fe-daed-4cf7-9995-8d0acda0030d

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

- Separate stderr from stdout to avoid mixing error messages into JSON output
- Add binary existence check after go install for better diagnostics
- Add JSON validity check with fallback to empty result on parse failure
- Remove hardcoded detection rule count (use generic description)
- Clarify deduplication strategy: match on rule ID in issue title

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/1e2a44fe-daed-4cf7-9995-8d0acda0030d

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Collaborator

@pelikhan pelikhan left a comment

@copilot use Claude

Contributor Author

Copilot AI commented Apr 5, 2026

@copilot use Claude

The workflow already uses engine: claude — that was set before my changes and remains unchanged (commit e5b3425). I also updated the workflow description to mention runner-guard alongside the other tools.

Warning: Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.67.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.67.0 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from pelikhan April 5, 2026 15:44
Collaborator

pelikhan commented Apr 5, 2026

@Copile merge main and recompile in dev mode

Collaborator

pelikhan commented Apr 5, 2026

@copilot merge main and recompile in dev mode

Copilot AI and others added 2 commits April 5, 2026 16:25
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ae208215-3f37-41d1-970c-bedf44be1ffe

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 5, 2026

@copilot merge main and recompile in dev mode

Done — merged main and recompiled all 181 workflows in dev mode (commit aff9007). Build succeeded with 0 errors.

Warning: Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -pack /home/REDACTED/work/gh-aw/gh-aw/cmd/gh-aw/main.go (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ,short (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan marked this pull request as ready for review April 5, 2026 16:27
Copilot AI review requested due to automatic review settings April 5, 2026 16:27
@pelikhan pelikhan merged commit edba550 into main Apr 5, 2026
52 checks passed
@pelikhan pelikhan deleted the copilot/update-static-analysis-workflows branch April 5, 2026 16:27
Contributor

Copilot AI left a comment

Pull request overview

Adds a new runner-guard scan to the “Static Analysis Report” workflow so the agent can consume runner-guard findings alongside zizmor/poutine/actionlint and optionally open limited GitHub issues for critical results.

Changes:

  • Add a runner_guard pre-job that installs and runs runner-guard, then uploads JSON results as an artifact.
  • Extend the agent workflow to download runner-guard results and update the discussion/reporting instructions to include runner-guard output.
  • Introduce a create-issue safe-output configuration (prefix/labels/max) for runner-guard Critical/High findings.
Summary per file

  • .github/workflows/static-analysis-report.md: adds the runner-guard job and artifact, and updates the agent steps and report template to incorporate runner-guard and issue creation.
  • .github/workflows/static-analysis-report.lock.yml: compiled/locked workflow reflecting the new runner-guard job dependency, artifact download, and safe-output tool config.

Copilot's findings

Comments suppressed due to low confidence (4)

.github/workflows/static-analysis-report.md:53

  • The PR description says runner-guard should scan .github/workflows/, but this job scans the entire repo (scan .). This will likely increase runtime/noise and doesn’t match the documented behavior; consider scanning only .github/workflows/ (or make the description match the broader scan).
            "$RUNNER_GUARD" scan . --format json > /tmp/runner-guard-results.json 2>/tmp/runner-guard-stderr.log || true

.github/workflows/static-analysis-report.md:56

  • The fallback JSON construction interpolates raw stderr into a JSON string using shell quoting and tr, which can still produce invalid JSON (newlines, backslashes, control chars, etc.). Since downstream steps parse this file as JSON, generate the fallback JSON via a proper JSON encoder (e.g., python/json.dumps) or omit/log stderr separately to keep /tmp/runner-guard-results.json always valid.
            if ! python3 -c "import json,sys; json.load(open('/tmp/runner-guard-results.json'))" 2>/dev/null; then
              echo '{"findings":[],"stderr":"'"$(cat /tmp/runner-guard-stderr.log | head -20 | tr '"' "'")"'"}' > /tmp/runner-guard-results.json

.github/workflows/static-analysis-report.lock.yml:1326

  • The PR description says runner-guard should scan .github/workflows/, but this job scans the entire repo (scan .). This will likely increase runtime/noise and doesn’t match the documented behavior; consider scanning only .github/workflows/ (or make the description match the broader scan).
            "$RUNNER_GUARD" scan . --format json > /tmp/runner-guard-results.json 2>/tmp/runner-guard-stderr.log || true

.github/workflows/static-analysis-report.lock.yml:1329

  • The fallback JSON construction interpolates raw stderr into a JSON string using shell quoting and tr, which can still produce invalid JSON (newlines, backslashes, control chars, etc.). Since downstream steps parse this file as JSON, generate the fallback JSON via a proper JSON encoder (e.g., python/json.dumps) or omit/log stderr separately to keep /tmp/runner-guard-results.json always valid.
            if ! python3 -c "import json,sys; json.load(open('/tmp/runner-guard-results.json'))" 2>/dev/null; then
              echo '{"findings":[],"stderr":"'"$(cat /tmp/runner-guard-stderr.log | head -20 | tr '"' "'")"'"}' > /tmp/runner-guard-results.json
  • Files reviewed: 2/2 changed files
  • Comments generated: 2
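
The review's point about the fallback line, worked through as an added example that is not code from the PR or from gh-aw: it reproduces the flagged shell construction in Python next to a json.dumps version and feeds both the kind of stderr that breaks the former. It also covers the description's "validates JSON output and provides safe fallback" bullet by showing what a downstream step should accept. The stderr text and the truncated stdout are constructed samples.

```python
import json

# Constructed stderr a scanner might emit when it fails before producing JSON.
# It deliberately contains what the review warns about: a double quote,
# backslashes, a tab and several newlines.
CONSTRUCTED_STDERR = (
    'runner-guard: failed to parse ".github/workflows/build.yml"\n'
    "error: unexpected token at C:\\repo\\ci\\step.yml:12\n"
    "\tcaused by: invalid escape\n"
    "exiting with status 2\n"
)

# Constructed stdout for the "scanner died mid-write" case: truncated JSON.
CONSTRUCTED_TRUNCATED_STDOUT = '{"findings": [{"rule_id": "RG-EXPR-INJ", "sev'


def first_lines(text: str, n: int = 20) -> str:
    """Mirror of `head -20` inside $(...): first n lines, trailing newline dropped."""
    return "\n".join(text.splitlines()[:n])


def naive_fallback(stderr_text: str) -> str:
    """The construction the review flags, as the workflow step builds it:
        echo '{"findings":[],"stderr":"'"$(... | head -20 | tr '"' "'")"'"}'
    Only double quotes are neutralised; newlines, tabs and backslashes are
    copied into the JSON string untouched."""
    body = first_lines(stderr_text).replace('"', "'")
    return '{"findings":[],"stderr":"' + body + '"}'


def safe_fallback(stderr_text: str) -> str:
    """Fallback built with a real JSON encoder, so every character is escaped."""
    return json.dumps({"findings": [], "stderr": first_lines(stderr_text)})


def is_valid_results(text: str) -> bool:
    """What the downstream step actually needs: a JSON object with a findings list,
    not merely something json.load() accepts."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return False
    return isinstance(data, dict) and isinstance(data.get("findings"), list)


def load_or_fallback(stdout_text: str, stderr_text: str) -> dict:
    """Use the scanner's own JSON when it is usable, otherwise an always-valid fallback."""
    if is_valid_results(stdout_text):
        return json.loads(stdout_text)
    return json.loads(safe_fallback(stderr_text))


if __name__ == "__main__":
    print("naive fallback valid:", is_valid_results(naive_fallback(CONSTRUCTED_STDERR)))
    print("safe fallback valid: ", is_valid_results(safe_fallback(CONSTRUCTED_STDERR)))
    print(load_or_fallback(CONSTRUCTED_TRUNCATED_STDOUT, CONSTRUCTED_STDERR))
```

The naive form only fails once stderr carries a newline, a backslash or a control character, which is exactly the case the fallback exists for, so the bug stays hidden until the scanner actually breaks. In the workflow step, the equivalent of safe_fallback is to replace the echo line with a python3 one-liner that reads the stderr log from stdin and prints json.dumps of the same object; the validity check should likewise confirm a findings list is present rather than just that the file parses.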

- name: Checkout repository
  uses: actions/checkout@v6.0.2
  with:
    persist-credentials: false
Copilot AI Apr 5, 2026

This job runs go install ... without setting up a Go toolchain. Relying on whatever Go happens to be preinstalled on ubuntu-latest can lead to flakes or version incompatibility with runner-guard; consider adding an explicit actions/setup-go step (this workflow already uses it elsewhere, e.g. .github/workflows/static-analysis-report.lock.yml:339-343).

This issue also appears in the following locations of the same file:

  • line 53
  • line 55
Suggested change (add after the persist-credentials: false line):
- name: Set up Go
  uses: actions/setup-go@v5
  with:
    go-version: '1.22'

- name: Checkout repository
  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  with:
    persist-credentials: false
Copilot AI Apr 5, 2026

This job runs go install ... without setting up a Go toolchain. Relying on whatever Go happens to be preinstalled on ubuntu-latest can lead to flakes or version incompatibility with runner-guard; consider adding an explicit actions/setup-go step (this workflow already sets up Go in the agent job at static-analysis-report.lock.yml:339-343).

This issue also appears in the following locations of the same file:

  • line 1326
  • line 1328
Suggested change (add after the persist-credentials: false line):
- name: Set up Go
  uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
  with:
    go-version: "1.22"
