🔍 Static Analysis Report - 2025-12-26

[github-actions[bot]]

Analysis Summary

Static analysis scan of agentic workflows using zizmor (security), poutine (supply chain), and actionlint (linting) on a subset of 11 active workflows.

• Tools Used: zizmor, poutine, actionlint
• Total Findings: 33
• Workflows Scanned: 11
• Workflows Affected: 11 (100%)

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info/Warning
zizmor (security)	0	0	0	0	0	0
poutine (supply chain)	11	0	0	0	0	11 (info)
actionlint (linting)	22	0	0	0	0	22 (11 info, 11 warning)

Clustered Findings by Tool and Type

Poutine Supply Chain Findings

All workflows exhibit the same supply chain security pattern:

Issue Type	Severity	Count	Pattern
unverified_script_exec	Info	11	Downloading and executing installer script without verification

Affected Workflows: static-analysis-report, audit-workflows, cli-version-checker, daily-doc-updater, daily-news, lockfile-stats, go-logger, go-pattern-detector, safe-output-health, copilot-agent-analysis, github-mcp-tools-report

Command Pattern:

curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash

Issue: The AWF (gh-aw-firewall) installer script is fetched from the main branch and piped directly to bash without cryptographic verification. While the source is a trusted repository, this pattern poses supply chain security risks.

Actionlint Linting Issues

Two shellcheck issues appear consistently across all workflows:

Issue Type	Severity	Count	Rule	Description
SC2012	Info	11	shellcheck	Use find instead of ls for better filename handling
SC2155	Warning	11	shellcheck	Declare and assign separately to avoid masking return values

Locations:

• SC2012: AWF execution scripts (firewall command invocation)
• SC2155: Claude Code CLI execution scripts (variable assignment)

Affected Workflows: Same as above (all 11 workflows)

Zizmor Security Findings

✅ No security vulnerabilities found by zizmor in the scanned workflows.

Historical Trends

Comparing with previous scans from cache memory:

Date	Total Findings	Zizmor	Poutine	Actionlint	Notes
2024-12-23	43	2	15	26	Full scan baseline
2025-12-25	381	3	126	252	Full scan - significant increase
2025-12-26	33	0	11	22	Partial scan (11 workflows)

Trend Analysis

Note: Today's scan is a partial analysis of 11 workflows (subset), so direct comparison is limited. However:

• Zizmor findings: 0 in scanned subset (positive - previously had 2-3 issues)
• Poutine pattern: The unverified script execution issue affects 100% of scanned workflows (consistent with previous trend)
• Actionlint issues: SC2012 and SC2155 are systematic across all workflows (infrastructure-level issue)

Key Observations from Historical Data

From the 2025-12-25 full scan, the historical data shows:

1. Zizmor Issues Previously Found:

   • template-injection: 1 workflow (changeset)
   • default_permissions_on_risky_events: 2 workflows (tidy, unbloat-docs)

2. Pattern: The supply chain and linting issues (poutine, actionlint) are infrastructure-wide, affecting the workflow generation process itself rather than individual workflow logic.

Top Priority Issues

1. Unverified Script Execution (Poutine)

• Tool: Poutine
• Count: 11 workflows (100% of scanned)
• Severity: Info/Note
• Impact: Supply chain security best practice violation
• Description: AWF installer script is downloaded from main branch and executed without verification
• Risk Level: Low-Medium (trusted source but lacks verification)

2. Variable Declaration Masking Return Values (SC2155)

• Tool: Actionlint (shellcheck)
• Count: 11 workflows
• Severity: Warning
• Impact: Error handling - command failures may be masked
• Description: Combined declaration and assignment can hide command exit codes
• Risk Level: Low (error handling concern)

3. Use of ls Command (SC2012)

• Tool: Actionlint (shellcheck)
• Count: 11 workflows
• Severity: Info
• Impact: Code quality - potential issues with special filenames
• Description: ls usage instead of find for better filename handling
• Risk Level: Very Low (code quality)

---

Fix Suggestion for Unverified Script Execution

Issue: Poutine unverified_script_exec - Most Common Issue (11 workflows)
Severity: Info/Note
Affected: All scanned workflows using AWF firewall

Problem

The current pattern fetches the installer script from the main branch without verification:

curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash

Issues:

• Installer script fetched from main branch (mutable reference)
• No cryptographic verification (checksum/signature)
• Pipe-to-bash pattern eliminates opportunity for inspection
• Version pinning only applies to the binary, not the installer

Recommended Fix

Option 1: Pin Installer to Version Tag (Quick Fix)

Change the installer URL from main to the version tag:

- name: Install awf binary
  run: |
    echo "Installing awf via installer script (version: v0.7.0)"
    curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/v0.7.0/install.sh | sudo AWF_VERSION=v0.7.0 bash

Change: /main/ → /v0.7.0/

Benefits:

• Installer script version matches binary version
• Immutable reference (tags don't change)
• Minimal code change
• Eliminates mutable main branch reference

Option 2: Download, Verify, Execute (Best Practice)

Two-step process with checksum verification:

- name: Install awf binary
  run: |
    # Download installer to temporary location
    curl -sSL -o /tmp/awf-install.sh \
      https://raw.githubusercontent.com/githubnext/gh-aw-firewall/v0.7.0/install.sh
    
    # Verify checksum (replace with actual SHA256)
    echo "EXPECTED_SHA256_HERE  /tmp/awf-install.sh" | sha256sum -c -
    
    # Execute after verification
    sudo AWF_VERSION=v0.7.0 bash /tmp/awf-install.sh

Benefits:

• Cryptographic verification
• Opportunity for script inspection
• Follows security best practices
• Prevents MITM and tampering

Implementation Plan

1. Quick Win: Apply Option 1 to all workflows (change main to version tag)
2. Long-term: Implement Option 2 with checksum verification
3. Automation: Update workflow generation templates to include fix by default
4. Documentation: Document checksums for each AWF version in repository

Files Requiring Updates

All workflows using AWF firewall infrastructure. Based on scan results, this includes at minimum:

• .github/workflows/static-analysis-report.md
• .github/workflows/audit-workflows.md
• .github/workflows/cli-version-checker.md
• .github/workflows/daily-doc-updater.md
• .github/workflows/daily-news.md
• .github/workflows/lockfile-stats.md
• .github/workflows/go-logger.md
• .github/workflows/go-pattern-detector.md
• .github/workflows/safe-output-health.md
• .github/workflows/copilot-agent-analysis.md
• .github/workflows/github-mcp-tools-report.md

Note: Full scan would reveal additional affected workflows (126 workflows affected per 2025-12-25 scan).

---

Recommendations

Immediate Actions

1. ✅ Pin AWF Installer to Version Tag: Quick fix for unverified script execution (11+ workflows)
2. 🔍 Complete Full Scan: Run static analysis on all workflows to get comprehensive view
3. 📊 Review Zizmor Findings: Address the 3 security issues found in previous full scan:
   • template-injection in changeset workflow
   • default_permissions_on_risky_events in tidy and unbloat-docs workflows

Short-term Actions

1. 🔐 Implement Checksum Verification: Add cryptographic verification to AWF installation
2. 🛠️ Fix Shellcheck Issues: Address SC2155 (variable masking) and SC2012 (ls usage)
3. 📝 Update Workflow Templates: Fix issues at the template level to prevent recurrence

Long-term Actions

1. 🤖 Automated Static Analysis: Integrate all three tools into CI/CD pipeline
2. 📋 Establish Workflow Standards: Document security and quality standards for workflow creation
3. 🔄 Regular Scanning: Schedule daily/weekly static analysis scans
4. 🎓 Developer Education: Share findings and best practices with workflow authors

---

Conclusion

The static analysis reveals no critical security vulnerabilities in the scanned workflows. The findings are primarily:

• Supply chain hygiene: Unverified script execution (systematic across all workflows)
• Code quality: Shellcheck linting issues (infrastructure-level patterns)

All issues are addressable and stem from common workflow infrastructure patterns rather than individual workflow security flaws. The recommended fixes are low-effort, low-risk changes that follow security best practices.

Key Insight: The consistency of findings across all workflows indicates these are systematic infrastructure issues rather than per-workflow problems. Fixing the workflow generation templates will resolve issues across the entire workflow suite.

---

Cache Memory

Analysis results stored in persistent cache memory:

• 📊 /tmp/gh-aw/cache-memory/security-scans/2025-12-26.json - Today's scan results
• 📈 /tmp/gh-aw/cache-memory/vulnerabilities/by-tool.json - Historical trends updated
• 📝 /tmp/gh-aw/cache-memory/fix-templates/poutine-unverified_script_exec.md - Fix template created

References:

• §20524083861

AI generated by Static Analysis Report