🔍 Static Analysis Report - December 23, 2024

[github-actions[bot]]

Analysis Summary

Comprehensive static analysis completed on 15 agentic workflows using three industry-standard tools: zizmor (security scanner), poutine (supply chain security), and actionlint (workflow linter with shellcheck integration).

• Tools Used: zizmor, poutine, actionlint
• Total Findings: 40 issues
• Workflows Scanned: 15
• Workflows Affected: 15 (100%)

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info
zizmor (security)	1	0	0	0	0	1 warning
poutine (supply chain)	15	0	0	0	0	15 info
actionlint (linting)	24	0	0	0	11 warnings	13 info

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type	Severity	Count	Affected Workflows
default_permissions_on_risky_events	warning	1	unbloat-docs

Description: Default permissions used on risky events (like pull_request with slash_command). This can allow untrusted code to access repository secrets or modify code.

Reference: (redacted)

---

Poutine Supply Chain Findings

Issue Type	Severity	Count	Affected Workflows
unverified_script_exec	info	15	ALL workflows analyzed

Description: Unverified script execution - downloading and executing shell scripts via curl pipe to bash without verification.

Command: curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash

Location: "Install awf binary" step in all workflows

Reference: https://github.com/boostsecurityio/poutine

Affected Workflows (15):

• audit-workflows
• cli-version-checker
• copilot-agent-analysis
• daily-doc-updater
• daily-news
• duplicate-code-detector
• go-logger
• go-pattern-detector
• lockfile-stats
• security-fix-pr
• semantic-function-refactor
• smoke-claude
• smoke-codex
• smoke-copilot
• unbloat-docs

---

Actionlint Linting Issues

Issue Type	Severity	Count	Affected Workflows
SC2012 (shellcheck)	info	13	See below
SC2155 (shellcheck)	warning	11	See below

SC2012: Use find instead of ls

Description: Using ls in shell scripts can break with filenames containing spaces or special characters. This is primarily a code quality issue.

Reference: (redacted)

Affected Workflows (13):

• audit-workflows
• cli-version-checker
• copilot-agent-analysis
• daily-doc-updater
• duplicate-code-detector
• go-logger
• go-pattern-detector
• lockfile-stats
• security-fix-pr
• semantic-function-refactor
• smoke-claude
• smoke-codex
• unbloat-docs

SC2155: Declare and assign separately

Description: Combining variable declaration with command substitution can hide command failures, potentially masking errors in the workflow.

Reference: (redacted)

Affected Workflows (11):

• audit-workflows
• cli-version-checker
• copilot-agent-analysis
• daily-doc-updater
• go-logger
• go-pattern-detector
• lockfile-stats
• security-fix-pr
• semantic-function-refactor
• smoke-claude
• unbloat-docs

---

Top Priority Issue

🔴 Unverified Script Execution (Poutine)

• Tool: poutine
• Count: 15 workflows (100% of analyzed workflows)
• Severity: Info (Supply Chain Risk)
• Impact: If the remote repository (githubnext/gh-aw-firewall) or raw.githubusercontent.com CDN is compromised, malicious code could be executed with sudo privileges in all workflow runs.
• Reference: https://github.com/boostsecurityio/poutine

Current Pattern:

curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash

Risk: Executes remote scripts without integrity verification, vulnerable to supply chain attacks.

---

Fix Suggestion: Unverified Script Execution

Issue: unverified_script_exec
Severity: Info (Supply Chain Security Risk)
Affected Workflows: 15 workflows

Recommended Fixes (in order of preference)

Option 1: Use GitHub Actions with SHA Pinning (Most Secure)

Convert the shell script installation to a GitHub Action and pin it to a specific commit SHA:

- name: Install awf binary
  uses: githubnext/gh-aw-firewall/actions/install@(commit-sha)
  with:
    version: v0.7.0

Pros: GitHub Actions are more auditable, can be pinned to specific commits
Cons: Requires creating a GitHub Action in the gh-aw-firewall repository

Option 2: Download and Verify Checksum

Download the script, verify its checksum, then execute:

- name: Install awf binary
  run: |
    echo "Installing awf via installer script (requested version: v0.7.0)"
    
    # Download the installation script
    curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh -o /tmp/awf-install.sh
    
    # Verify checksum (replace with actual checksum for v0.7.0)
    echo "EXPECTED_CHECKSUM  /tmp/awf-install.sh" | sha256sum -c -
    
    # Execute the verified script
    sudo AWF_VERSION=v0.7.0 bash /tmp/awf-install.sh
    
    # Clean up
    rm /tmp/awf-install.sh

Pros: Verifies script integrity before execution
Cons: Requires maintaining checksums for each version

Option 3: Use Git Tag/Release Pinning (Quick Fix)

Pin to a specific git reference instead of main branch:

- name: Install awf binary
  run: |
    echo "Installing awf via installer script (requested version: v0.7.0)"
    # Using version-specific tag instead of main branch for better supply chain security
    curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/v0.7.0/install.sh | sudo AWF_VERSION=v0.7.0 bash

Pros: Reduces risk by pinning to a specific version, minimal change required
Cons: Still vulnerable if the tag is moved or deleted

---

Historical Trends

Previous Scan: 2025-12-22
Previous Total Findings: ~25 (estimated based on historical data)
Current Total Findings: 40
Change: +15 findings (+60%)

Changes Since Last Scan

Increase in unverified_script_exec: From 10 workflows to 15 workflows (+50%)

• This indicates that 5 additional workflows were either created or analyzed in this scan

Zizmor findings:

• Previous: 2 workflows affected (tidy, scout) by default_permissions_on_risky_events
• Current: 1 workflow affected (unbloat-docs)
• Note: The previous workflows (tidy, scout) were not included in this batch analysis

Actionlint findings: Consistent with previous scans

• SC2012 and SC2155 continue to be prevalent across workflows

---

Recommendations

Immediate Actions

1. Address Supply Chain Risk: Implement Option 3 (Git Tag Pinning) as a quick mitigation for unverified script execution across all 15 workflows
2. Fix Default Permissions: Review and restrict permissions in unbloat-docs workflow

Short-term Actions

3. Shell Script Quality: Address SC2155 warnings (11 workflows) to prevent error masking
4. Code Quality: Address SC2012 info messages (13 workflows) for better filename handling

Long-term Actions

5. Implement Checksum Verification: Upgrade from Option 3 to Option 2 for unverified_script_exec
6. Convert to GitHub Action: Work with gh-aw-firewall maintainers to implement Option 1
7. Automated Scanning: Integrate zizmor, poutine, and actionlint into CI/CD pre-commit hooks
8. Expand Analysis: Run static analysis on remaining ~115 workflows in the repository

---

Workflows Analyzed in This Scan

1. audit-workflows
2. cli-version-checker
3. copilot-agent-analysis
4. daily-doc-updater
5. daily-news
6. duplicate-code-detector
7. go-logger
8. go-pattern-detector
9. lockfile-stats
10. security-fix-pr
11. semantic-function-refactor
12. smoke-claude
13. smoke-codex
14. smoke-copilot
15. unbloat-docs

---

Full Report

Detailed Findings by Workflow

audit-workflows

Poutine Findings:

• unverified_script_exec at line 317: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 2743: Use find instead of ls to better handle non-alphanumeric filenames
• SC2155 at line 6330: Declare and assign separately to avoid masking return values

---

cli-version-checker

Poutine Findings:

• unverified_script_exec at line 268: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 2760: Use find instead of ls to better handle non-alphanumeric filenames
• SC2155 at line 6332: Declare and assign separately to avoid masking return values

---

copilot-agent-analysis

Poutine Findings:

• unverified_script_exec at line 277: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 3004: Use find instead of ls to better handle non-alphanumeric filenames
• SC2155 at line 6576: Declare and assign separately to avoid masking return values

---

daily-doc-updater

Poutine Findings:

• unverified_script_exec at line 261: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 2597: Use find instead of ls to better handle non-alphanumeric filenames
• SC2155 at line 6179: Declare and assign separately to avoid masking return values

---

daily-news

Poutine Findings:

• unverified_script_exec at line 309: Unverified script execution via curl pipe to bash

Actionlint Findings:

• None (clean actionlint scan)

---

duplicate-code-detector

Poutine Findings:

• unverified_script_exec at line 260: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 2543: Use find instead of ls to better handle non-alphanumeric filenames

---

go-logger

Poutine Findings:

• unverified_script_exec at line 277: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 2675: Use find instead of ls to better handle non-alphanumeric filenames
• SC2155 at line 6254: Declare and assign separately to avoid masking return values

---

go-pattern-detector

Poutine Findings:

• unverified_script_exec at line 252: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 2521: Use find instead of ls to better handle non-alphanumeric filenames
• SC2155 at line 6120: Declare and assign separately to avoid masking return values

---

lockfile-stats

Poutine Findings:

• unverified_script_exec at line 265: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 2742: Use find instead of ls to better handle non-alphanumeric filenames
• SC2155 at line 6314: Declare and assign separately to avoid masking return values

---

security-fix-pr

Poutine Findings:

• unverified_script_exec at line 269: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 2565: Use find instead of ls to better handle non-alphanumeric filenames
• SC2155 at line 6144: Declare and assign separately to avoid masking return values

---

semantic-function-refactor

Poutine Findings:

• unverified_script_exec at line 250: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 2885: Use find instead of ls to better handle non-alphanumeric filenames
• SC2155 at line 6450: Declare and assign separately to avoid masking return values

---

smoke-claude

Poutine Findings:

• unverified_script_exec at line 689: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 3126: Use find instead of ls to better handle non-alphanumeric filenames
• SC2155 at line 6698: Declare and assign separately to avoid masking return values

---

smoke-codex

Poutine Findings:

• unverified_script_exec at line 687: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 2936: Use find instead of ls to better handle non-alphanumeric filenames

---

smoke-copilot

Poutine Findings:

• unverified_script_exec at line 678: Unverified script execution via curl pipe to bash

Actionlint Findings:

• None (clean actionlint scan)

---

unbloat-docs

Zizmor Findings:

• default_permissions_on_risky_events at line 1: Default permissions used on risky events (warning)

Poutine Findings:

• unverified_script_exec at line 696: Unverified script execution via curl pipe to bash

Actionlint Findings:

• SC2012 at line 3253: Use find instead of ls to better handle non-alphanumeric filenames
• SC2155 at line 6844: Declare and assign separately to avoid masking return values

---

Next Steps

• Implement Git tag pinning for unverified script execution (Option 3)
• Fix default permissions in unbloat-docs workflow
• Address SC2155 warnings to prevent error masking
• Consider implementing checksum verification for awf installation
• Schedule full repository scan of all ~130 workflows
• Add static analysis tools to pre-commit hooks

Cache Memory Updated

Analysis data has been stored in /tmp/gh-aw/cache-memory/ for future trend analysis and historical comparison:

• /tmp/gh-aw/cache-memory/security-scans/2024-12-23.json - Full scan results
• /tmp/gh-aw/cache-memory/vulnerabilities/by-tool.json - Vulnerability database
• /tmp/gh-aw/cache-memory/fix-templates/poutine-unverified_script_exec.md - Detailed fix instructions

AI generated by Static Analysis Report

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 3 days ago.