🔍 Static Analysis Report - January 1, 2026

[github-actions[bot]]

Analysis Summary

Successfully scanned 84 agentic workflow files using three static analysis tools to identify security vulnerabilities and code quality issues.

• Tools Used: zizmor (security), poutine (supply chain), actionlint (linting)
• Total Findings: 99 issues identified
• Workflows Scanned: 84 workflows
• Workflows Affected: 84 workflows (100%)

Findings by Tool

Tool	Total	Critical	High	Medium	Low/Info
zizmor (security)	11	0	0	3	8
poutine (supply chain)	88	0	0	6	82
actionlint (linting)	0	-	-	-	-
TOTAL	99	0	0	9	90

Clustered Findings by Tool and Type

🔴 Poutine Supply Chain Security Findings

1. Unverified Script Execution (82 workflows)

Severity: Info (Note)
Count: 82 occurrences
Impact: High - affects 98% of workflows

Issue: All workflows are downloading and executing an installation script without verification:

curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash

Security Risk:

• Downloads code from remote source without integrity check
• Executes with sudo privileges
• Vulnerable to supply chain attacks or MitM
• Uses main branch (mutable reference)

Affected Workflows (sample):

• agent-performance-analyzer
• ai-moderator
• archie
• artifacts-summary
• audit-workflows
• blog-auditor
• brave
• breaking-change-checker
• campaign-generator
• campaign-manager
• changeset
• ci-coach
• ci-doctor
• cli-consistency-checker
• cli-version-checker
• And 67 more...

2. Default Permissions on Risky Events (6 workflows)

Severity: Warning
Count: 6 occurrences
Impact: Medium - potential security risk

Issue: Workflows use default permissions on risky events (issue_comment, pull_request, etc.) which may grant excessive permissions.

Affected Workflows:

1. ai-moderator
2. archie
3. brave
4. cloclo
5. grumpy-reviewer
6. (1 more)

---

🟡 Zizmor Security Scanner Findings

1. Excessive Permissions (3 workflows)

Severity: Medium
Count: 3 occurrences
Impact: Medium - unnecessary permission grants
Reference: (redacted)

Issue: Workflow jobs have overly broad permissions granted, violating principle of least privilege.

Affected Workflows:

1. ai-moderator (line 94)
2. example-custom-error-patterns
3. (1 more)

Example:

agent:
  needs: activation
  runs-on: ubuntu-latest
  # Missing explicit permissions - defaults to broad access

2. Template Injection (8 workflows)

Severity: Informational
Count: 8 occurrences
Impact: Medium - potential code injection vector
Reference: (redacted)

Issue: Code injection risk via template expansion in workflow steps.

Affected Workflows:

1. campaign-manager (line 512)
2. changeset (line 1415)
3. copilot-pr-merged-report (line 379) - 2 instances
4. daily-performance-summary (line 803) - 2 instances
5. github-mcp-tools-report
6. (2 more)

Example:

- name: Setup MCPs
  env:
    GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}

---

✅ Actionlint Linting Results

Status: No issues found
Workflows Checked: 84

All workflows passed actionlint validation (includes shellcheck & pyflakes integration).

---

Top Priority Issues

1. ⚠️ Unverified Script Execution (HIGHEST PRIORITY)

• Tool: Poutine
• Severity: Info (High Impact)
• Count: 82 workflows
• Affected: 98% of all workflows
• Risk: Supply chain security vulnerability

Why This Matters:
This pattern appears in nearly every workflow and executes with elevated (sudo) privileges. While marked as "info" severity, the impact is high because:

• All workflows depend on this installation method
• Compromise of the source repository could affect all workflow executions
• Sudo execution provides full system access

Recommended Action: Implement checksum verification or convert to GitHub Action (see fix suggestions below)

2. ⚠️ Template Injection

• Tool: Zizmor
• Severity: Informational
• Count: 8 workflows
• Impact: Medium

Why This Matters:
Template expressions can potentially execute attacker-controlled code if user input reaches these expressions.

Recommended Action: Review and sanitize all template expressions that use external data

3. ⚠️ Default Permissions on Risky Events

• Tool: Poutine
• Severity: Warning
• Count: 6 workflows
• Impact: Medium

Why This Matters:
Workflows triggered by external events (issue_comment, etc.) should have explicitly minimal permissions.

Recommended Action: Add explicit permissions blocks to affected workflows

4. ⚠️ Excessive Permissions

• Tool: Zizmor
• Severity: Medium
• Count: 3 workflows
• Impact: Medium

Why This Matters:
Overly broad permissions violate least privilege principle and increase attack surface.

Recommended Action: Scope down permissions to minimum required

---

Detailed Fix Suggestion

Priority 1: Fix Unverified Script Execution (82 workflows)

A comprehensive fix template has been created at /tmp/gh-aw/cache-memory/fix-templates/poutine-unverified-script-exec.md

Recommended Approach (Short-term):

Pin the installation script to a specific commit SHA instead of using the mutable main branch:

# Current (vulnerable):
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.7.0 bash

# Fixed (pinned to commit):
INSTALL_SCRIPT_SHA="abc123def456"  # Pin to specific commit
curl -sSL "https://raw.githubusercontent.com/githubnext/gh-aw-firewall/${INSTALL_SCRIPT_SHA}/install.sh" | sudo AWF_VERSION=v0.7.0 bash

Recommended Approach (Long-term):

Create a GitHub Action for awf installation:

- name: Install awf binary
  uses: githubnext/[email protected]  # Pin to specific version
  with:
    version: 'v0.7.0'

Implementation Steps:

1. Determine the current stable commit SHA for install.sh
2. Update the gh-aw compiler to use the pinned SHA
3. Recompile all workflows
4. Verify no more unverified script execution patterns remain

Alternative: Implement checksum verification:

# Download, verify checksum, then execute
curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/v0.7.0/install.sh -o /tmp/awf-install.sh
echo "EXPECTED_SHA256  /tmp/awf-install.sh" | sha256sum -c -
sudo AWF_VERSION=v0.7.0 bash /tmp/awf-install.sh
rm /tmp/awf-install.sh

---

Full Workflow Breakdown

All Workflows with Findings

Workflows with unverified_script_exec (82 total)

1. agent-performance-analyzer.md
2. ai-moderator.md
3. archie.md
4. artifacts-summary.md
5. audit-workflows.md
6. blog-auditor.md
7. brave.md
8. breaking-change-checker.md
9. campaign-generator.md
10. campaign-manager.md
11. changeset.md
12. ci-coach.md
13. ci-doctor.md
14. cli-consistency-checker.md
15. cli-version-checker.md
16. cloclo.md
17. commit-changes-analyzer.md
18. copilot-agent-analysis.md
19. copilot-pr-merged-report.md
20. copilot-pr-nlp-analysis.md
21. copilot-pr-prompt-analysis.md
22. copilot-session-insights.md
23. craft.md
24. daily-assign-issue-to-user.md
25. daily-choice-test.md
26. daily-cli-performance.md
27. daily-code-metrics.md
28. daily-copilot-token-report.md
29. daily-doc-updater.md
30. daily-fact.md
31. daily-file-diet.md
32. daily-firewall-report.md
33. daily-issues-report.md
34. daily-malicious-code-scan.md
35. daily-multi-device-docs-tester.md
36. daily-news.md
37. daily-performance-summary.md
38. daily-repo-chronicle.md
39. daily-team-status.md
40. daily-workflow-updater.md
41. deep-report.md
42. dependabot-go-checker.md
43. dev-hawk.md
44. dev.md
45. developer-docs-consolidator.md
46. dictation-prompt.md
47. And 36 more workflows...

Workflows with excessive-permissions (3 total)

1. ai-moderator.md (line 94)
2. example-custom-error-patterns.md
3. (1 more)

Workflows with template-injection (8 total)

1. campaign-manager.md (line 512)
2. changeset.md (line 1415)
3. copilot-pr-merged-report.md (line 379, duplicate warning)
4. daily-performance-summary.md (line 803, duplicate warning)
5. github-mcp-tools-report.md
6. (3 more)

Workflows with default_permissions_on_risky_events (6 total)

1. ai-moderator.md
2. archie.md
3. brave.md
4. cloclo.md
5. grumpy-reviewer.md
6. (1 more)

---

Recommendations

Immediate Actions (This Week)

1. Address Unverified Script Execution (Priority 1)

   • Pin install script to specific commit SHA
   • Update gh-aw compiler to generate pinned references
   • Recompile all workflows
   • Target: Eliminate 82 findings

2. Fix Excessive Permissions (Priority 2)

   • Review and scope down permissions in 3 affected workflows
   • Add explicit minimal permissions blocks

3. Address Risky Event Permissions (Priority 3)

   • Add explicit permissions to 6 workflows triggered by external events
   • Follow principle of least privilege

Short-term Actions (This Month)

1. Review Template Injections

   • Audit 8 workflows for template injection risks
   • Sanitize external inputs before template expansion
   • Add safeguards where needed

2. Establish Security Baseline

   • Document acceptable patterns
   • Add static analysis to CI/CD
   • Set up automated scanning on PR creation

Long-term Actions (This Quarter)

1. Create setup-awf GitHub Action

   • Eliminates curl|bash pattern entirely
   • Provides version pinning and verification
   • Follows GitHub Actions security best practices

2. Implement Pre-commit Hooks

   • Run zizmor, poutine, actionlint before commit
   • Catch issues before they reach main branch
   • Automate fixes where possible

3. Security Training

   • Share findings with team
   • Establish secure workflow development guidelines
   • Review and update workflow templates

---

Historical Context

This is the first comprehensive static analysis scan using all three tools together:

• zizmor: Security-focused scanner for GitHub Actions
• poutine: Supply chain security scanner
• actionlint: Linting and best practices checker

Scan Metadata

• Scan Date: 2026-01-01
• Tools Versions: Latest (zizmor, poutine 1.x, actionlint 1.7.10)
• Workflows Analyzed: 84
• Analysis Duration: ~15 minutes
• Findings Stored: /tmp/gh-aw/cache-memory/security-scans/2026-01-01.json
• Fix Templates: /tmp/gh-aw/cache-memory/fix-templates/

---

Next Steps

1. Review this report with the team
2. Prioritize fixes based on impact and effort
3. Create tracking issues for each finding type
4. Begin implementation of fixes
5. Schedule follow-up scan after fixes
6. Establish regular scanning cadence (weekly/monthly)

---

Additional Resources

• Zizmor Documentation: (redacted)
• Poutine Documentation: https://github.com/boostsecurityio/poutine
• Actionlint Documentation: https://github.com/rhysd/actionlint
• Fix Templates: /tmp/gh-aw/cache-memory/fix-templates/
• Scan Results: /tmp/gh-aw/cache-memory/security-scans/2026-01-01.json

---

Summary

This static analysis scan identified 99 findings across 84 workflows, with the most critical issue being unverified script execution affecting 98% of workflows. While most findings are categorized as informational or low severity, their widespread impact and the privileged execution context make them important to address.

Key Takeaway: The most impactful improvement would be addressing the unverified script execution pattern by either pinning to commit SHAs (quick win) or creating a dedicated GitHub Action (sustainable solution).

The analysis results have been stored in cache memory for historical tracking and trend analysis in future scans.

AI generated by Static Analysis Report