🔍 Static Analysis Report - 2025-12-30 (Docker Images Not Ready)

[github-actions[bot]]

Analysis Summary

Status: ⚠️ Analysis could not be completed - Docker images for static analysis tools are not ready

• Tools Configured: zizmor, poutine, actionlint
• Workflows Scanned: 0 (blocked by infrastructure)
• Issue: Docker images for static analysis tools (zizmor, poutine, actionlint) are not available in the current GitHub Actions environment

Technical Details

When attempting to compile workflows with static analysis enabled using the gh-aw MCP server, the following error was returned:

MCP error -32603: docker images not ready

This indicates that the Docker containers required to run the static analysis tools have not been pulled or are not available in the current runner environment.

Repository Configuration

The gh-aw MCP server is properly configured and detected 145 workflows in the repository:

Workflow List (145 total)

• agent-performance-analyzer (copilot)
• ai-moderator (copilot)
• archie (copilot)
• artifacts-summary (copilot) - active
• audit-workflows (claude) - active
• blog-auditor (claude)
• brave (copilot)
• breaking-change-checker (copilot)
• campaign-generator (copilot)
• campaign-manager (copilot)
• changeset (codex)
• ci-coach (copilot) - not compiled
• ci-doctor (copilot) - active
• cli-consistency-checker (copilot)
• cli-version-checker (claude) - active
• cloclo (claude)
• close-old-discussions (codex)
• commit-changes-analyzer (claude) - active
• copilot-agent-analysis (claude) - active
• copilot-pr-merged-report (copilot)
• copilot-pr-nlp-analysis (copilot)
• copilot-pr-prompt-analysis (copilot)
• copilot-session-insights (claude)
• craft (copilot)
• daily-assign-issue-to-user (copilot) - not compiled
• daily-choice-test (claude)
• daily-code-metrics (claude)
• daily-copilot-token-report (copilot)
• daily-doc-updater (claude) - active
• daily-fact (codex)
• daily-file-diet (copilot)
• daily-firewall-report (copilot) - not compiled
• daily-issues-report (codex)
• daily-malicious-code-scan (copilot)
• daily-multi-device-docs-tester (claude)
• daily-news (copilot) - active
• daily-performance-summary (codex)
• daily-repo-chronicle (copilot)
• daily-team-status (copilot)
• daily-workflow-updater (copilot)
• deep-report (codex)
• dependabot-go-checker (copilot)
• dev-hawk (copilot) - active
• dev (copilot) - active
• developer-docs-consolidator (claude)
• dictation-prompt (copilot) - not compiled
• docs-noob-tester (copilot)
• duplicate-code-detector (codex) - active
• example-permissions-warning (copilot)
• example-workflow-analyzer (claude) - active
• firewall-escape (copilot)
• firewall (copilot)
• github-mcp-structural-analysis (claude)
• github-mcp-tools-report (claude) - active, not compiled
• glossary-maintainer (copilot)
• go-fan (claude)
• go-file-size-reduction-project64.campaign.g (copilot)
• go-file-size-reduction-project64.campaign (copilot) - N/A
• go-logger (claude) - active
• go-pattern-detector (claude) - active
• grumpy-reviewer (copilot)
• hourly-ci-cleaner (copilot)
• human-ai-collaboration (copilot)
• incident-response (copilot)
• instructions-janitor (claude)
• intelligence (copilot)
• issue-arborist (codex)
• issue-classifier (copilot)
• issue-monster (copilot)
• issue-template-optimizer (copilot)
• issue-triage-agent (copilot)
• jsweep (copilot)
• layout-spec-maintainer (copilot)
• lockfile-stats (claude) - active
• mcp-inspector (copilot) - active, not compiled
• mergefest (copilot) - active
• metrics-collector (copilot)
• notion-issue-summary (copilot) - active
• org-health-report (copilot)
• org-wide-rollout (copilot)
• pdf-summary (copilot)
• plan (copilot) - active
• playground-org-project-update-issue (copilot)
• playground-snapshots-refresh (copilot)
• poem-bot (copilot) - active
• portfolio-analyst (copilot)
• pr-nitpick-reviewer (copilot) - not compiled
• prompt-clustering-analysis (claude)
• python-data-charts (copilot)
• q (copilot) - active
• release (copilot)
• repo-tree-map (copilot) - active
• repository-quality-improver (copilot)
• research (copilot) - active
• safe-output-health (claude) - not compiled
• schema-consistency-checker (claude)
• scout (claude) - active
• security-compliance (copilot)
• security-fix-pr (claude) - active
• semantic-function-refactor (claude) - active
• slide-deck-maintainer (copilot)
• smoke-claude (claude) - active
• smoke-codex-firewall (codex)
• smoke-codex (codex) - active
• smoke-copilot-no-firewall (copilot)
• smoke-copilot-playwright (copilot)
• smoke-copilot-safe-inputs (copilot)
• smoke-copilot (copilot) - active
• smoke-detector (claude)
• smoke-srt-custom-config (copilot)
• smoke-srt (copilot)
• spec-kit-execute (copilot)
• spec-kit-executor (copilot) - not compiled
• speckit-dispatcher (copilot)
• stale-repo-identifier (copilot)
• static-analysis-report (claude) - this workflow
• sub-issue-closer (copilot) - not compiled
• super-linter (copilot)
• technical-doc-writer (copilot) - active
• terminal-stylist (copilot) - active
• tidy (copilot) - active
• typist (claude)
• unbloat-docs (claude) - active
• video-analyzer (copilot) - active
• weekly-issue-summary (copilot) - active
• workflow-generator (copilot)
• workflow-health-manager (copilot)

Recommendations

To enable static analysis scanning, the following actions are needed:

1. Docker Image Setup

The workflow needs to ensure Docker images for the static analysis tools are available:

- name: Pull static analysis tool images
  run: |
    docker pull ghcr.io/woodruffw/zizmor:latest
    docker pull ghcr.io/boostsecurityio/poutine:latest
    # actionlint runs natively, no Docker needed

2. Alternative: Use Native Binaries

Instead of Docker, install the tools directly in the GitHub Actions runner:

- name: Install static analysis tools
  run: |
    # Install zizmor
    cargo install zizmor
    
    # Install poutine
    go install github.com/boostsecurityio/poutine@latest
    
    # Install actionlint
    bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)

3. Update gh-aw Configuration

Verify that the gh-aw extension is configured to use the correct Docker images or has fallback to native binaries when Docker is unavailable.

4. Workflow Modification

Update the static-analysis-report.md workflow to include setup steps:

setup:
  run: |
    # Ensure Docker is available
    docker --version
    
    # Pre-pull required images
    docker pull ghcr.io/woodruffw/zizmor:latest
    docker pull ghcr.io/boostsecurityio/poutine:latest

Impact

Without static analysis tools running, the repository is missing automated detection of:

• Security vulnerabilities (zizmor): Workflow injection attacks, secret leakage, permissions issues
• Supply chain risks (poutine): Malicious dependencies, compromised actions, attestation gaps
• Code quality issues (actionlint): Syntax errors, deprecated features, best practice violations

Next Steps

1. ✅ Investigate Docker image availability in GitHub Actions runners
2. ✅ Add Docker image pre-pull step to workflow
3. ✅ Consider native binary installation as fallback
4. ✅ Test static analysis tools locally before next scheduled run
5. ✅ Update workflow documentation with setup requirements

Historical Context

This is the initial attempt to run the static-analysis-report workflow. No previous scan data is available in cache memory for comparison.

---

Note: This report documents the infrastructure limitation preventing static analysis. Once Docker images are available, the workflow should be re-run to generate a complete security and code quality analysis.

AI generated by Static Analysis Report