🔍 Static Analysis Report - January 6, 2026

[github-actions[bot]]

Analysis Summary

Today's comprehensive static analysis scan of all agentic workflows identified 45 total issues across three analysis tools: actionlint, zizmor, and poutine.

• Tools Used: actionlint (linting), zizmor (security), poutine (supply chain)
• Total Findings: 45 issues
• Workflows Scanned: 126
• Workflows Checked by Actionlint: 124
• Compilation Status: ✅ All workflows compiled successfully (0 errors, 29 warnings)

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info
actionlint	27	-	-	-	-	27 errors
zizmor	18	0	0	2	1	15
poutine	0	0	0	0	0	0
Other Notes	144	-	-	-	-	144

Clustered Findings by Tool and Type

1. Actionlint Linting Issues (27 errors)

Actionlint identified 27 errors across workflow files, broken down into two categories:

1.1 Expression Errors (20 errors) 🔴 HIGH PRIORITY

Issue: Undefined property references in GitHub Actions expressions

Count: 20 errors across 18 workflows

Affected Workflows:

• archie.lock.yml
• beads-worker.lock.yml (3 errors)
• brave.lock.yml
• cloclo.lock.yml
• craft.lock.yml
• daily-assign-issue-to-user.lock.yml
• daily-secrets-analysis.lock.yml
• grumpy-reviewer.lock.yml
• mergefest.lock.yml
• pdf-summary.lock.yml
• plan.lock.yml
• poem-bot.lock.yml
• pr-nitpick-reviewer.lock.yml
• q.lock.yml
• scout.lock.yml
• speckit-dispatcher.lock.yml
• tidy.lock.yml
• unbloat-docs.lock.yml

Common Patterns:

1. Missing check_command_position step (11 workflows): References steps.check_command_position.outputs.matched_command when step doesn't exist in current job
2. Missing bead job dependency (beads-worker.lock.yml): References needs.bead.outputs.id without proper job dependency
3. Undefined inputs (beads-worker.lock.yml): References inputs.reason and inputs.state when inputs aren't defined

Example:

.github/workflows/archie.lock.yml:71:26: error: [expression] 
property "check_command_position" is not defined in object type

Impact: These errors will cause workflow runs to fail at runtime when the expressions are evaluated.

1.2 Shellcheck Errors (7 errors)

Issue: Shell script style and safety issues

Count: 7 errors across 3 workflows

Affected Workflows:

• beads-worker.lock.yml (3 errors)
• smoke-copilot-no-firewall.lock.yml (3 errors)
• daily-choice-test.lock.yml (1 error)

Common Issue: SC2129 - Consider using { cmd1; cmd2; } >> file instead of individual redirects

Example:

# Bad (inefficient)
echo "line 1" >> file
echo "line 2" >> file
echo "line 3" >> file

# Good (efficient)
{
  echo "line 1"
  echo "line 2"
  echo "line 3"
} >> file

Impact: Performance and style issues, but not breaking errors.

---

2. Zizmor Security Findings (18 warnings)

Zizmor identified 18 security warnings across 12 workflows.

2.1 Template Injection (16 warnings) 🟡 MEDIUM PRIORITY

Issue: Code injection via template expansion
Severity: Informational (can escalate to Critical)
Reference: (redacted)

Count: 16 warnings across 11 workflows

Affected Workflows:

1. changeset.lock.yml
2. copilot-pr-merged-report.lock.yml (2 warnings)
3. daily-performance-summary.lock.yml (2 warnings)
4. github-mcp-tools-report.lock.yml
5. mcp-inspector.lock.yml
6. metrics-collector.lock.yml
7. schema-consistency-checker.lock.yml
8. smoke-copilot-no-firewall.lock.yml (2 warnings)
9. smoke-copilot-playwright.lock.yml (2 warnings)
10. smoke-copilot-safe-inputs.lock.yml (2 warnings)
11. spec-kit-execute.lock.yml

Security Risk:
When untrusted user input (like PR titles, issue bodies, or comments) is directly interpolated into shell commands via GitHub Actions expressions, attackers can inject arbitrary commands.

Vulnerable Pattern:

# VULNERABLE
- run: echo "Title: ${{ github.event.pull_request.title }}"

Secure Pattern:

# SECURE
- env:
    PR_TITLE: ${{ github.event.pull_request.title }}
  run: echo "Title: $PR_TITLE"

2.2 Excessive Permissions (1 warning) 🟠 MEDIUM PRIORITY

Issue: Overly broad permissions
Severity: Medium
Reference: (redacted)

Affected Workflow: layout-spec-maintainer.lock.yml (line 69)

Issue: The workflow has broader permissions than necessary, increasing the attack surface.

Recommendation: Apply principle of least privilege - only grant the minimum permissions needed.

2.3 Artipacked (1 warning) 🟠 MEDIUM PRIORITY

Issue: Credential persistence through GitHub Actions artifacts
Severity: Medium
Reference: (redacted)

Affected Workflow: release.lock.yml (line 1087)

Security Risk: Credentials or secrets may be inadvertently included in uploaded artifacts, potentially leaking sensitive data.

Recommendation:

• Review artifact upload steps
• Ensure secrets are not included in artifacts
• Use .gitignore-style filters for artifact uploads

---

3. Poutine Supply Chain Analysis (0 findings)

✅ No issues detected - Poutine ran successfully and found no supply chain security concerns.

---

4. Other Notable Findings (144 notes)

4.1 Unverified Script Execution (129 occurrences)

Severity: Info
Count: 129 instances across 123 workflows

Pattern:

curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.1 bash

Note: This is the standard installation method for the gh-aw-firewall tool. While flagged as unverified script execution, this is an expected pattern for this repository. Consider:

• Pinning to a specific commit SHA instead of version tag
• Verifying checksums after download
• Using a package manager if available

4.2 Schedule Distribution Warnings (15 occurrences)

Issue: Fixed schedule times that should use fuzzy schedules

Example Warnings:

• "Schedule uses fixed daily time (18:0 UTC). Consider using fuzzy schedule 'daily' instead"
• "Schedule uses fixed weekly time (Monday 9:0 UTC). Consider using fuzzy schedule 'weekly on monday'"

Recommendation: Use fuzzy schedules to distribute workflow execution times and reduce load spikes on GitHub Actions infrastructure.

Top Priority Issues

🔴 Priority 1: Actionlint Expression Errors (20 errors)

Immediate Action Required

These errors will cause workflow failures. The most common issue is referencing steps.check_command_position in 11 workflows where the step either doesn't exist or is in a different job.

Recommended Fix: For slash command workflows (archie, brave, cloclo, craft, grumpy-reviewer, mergefest), either:

1. Move the check_command_position step to the job that references it, OR
2. Remove the output reference if the step isn't actually needed

See detailed fix template in the "Fix Suggestions" section below.

🟡 Priority 2: Template Injection Vulnerabilities (16 warnings)

Security Review Needed

While marked "Informational," these can escalate to CRITICAL if:

• Workflows have write permissions
• Workflows process pull requests from forks
• User-controlled input can reach sensitive operations

Recommended Fix: Move all user-controlled input to environment variables instead of direct expression interpolation.

🟠 Priority 3: Medium Severity Security Issues (2 warnings)

1. Excessive Permissions (layout-spec-maintainer.lock.yml) - Reduce to minimum required
2. Artipacked (release.lock.yml) - Ensure no credentials in artifacts

---

Fix Suggestions

Fix Template for Actionlint Expression Errors

The most common issue affects 11 workflows that reference steps.check_command_position.outputs.matched_command in job outputs, but the step doesn't exist in that job.

Affected Workflows: archie, brave, cloclo, craft, grumpy-reviewer, mergefest (and 5 others)

Problem: Job outputs reference a step that exists in a different job or doesn't exist at all.

Fix Option 1 - Job Dependencies:

jobs:
  job1:
    outputs:
      matched_command: ${{ steps.check_command_position.outputs.matched_command }}
    steps:
      - id: check_command_position
        # ... step logic

  job2:
    needs: job1
    steps:
      - run: echo "Command was: ${{ needs.job1.outputs.matched_command }}"

Fix Option 2 - Move Step to Correct Job:

jobs:
  job1:
    outputs:
      slash_command: ${{ steps.check_command_position.outputs.matched_command }}
    steps:
      - id: check_command_position  # Add or move this step here
        run: |
          # Logic to detect slash command
          echo "matched_command=value" >> $GITHUB_OUTPUT

Fix Option 3 - Remove Unused Output:
If the output isn't actually used downstream:

outputs:
  # Remove this line if not needed
  # slash_command: ${{ steps.check_command_position.outputs.matched_command }}

Detailed Fix Guide: Full fix instructions are available in cache memory at:
/tmp/gh-aw/cache-memory/fix-templates/actionlint-expression-errors.md

Fix Template for Template Injection

Affected: 11 workflows with user input in expressions

Quick Fix - Use Environment Variables:

# BEFORE (vulnerable)
- name: Process comment
  run: echo "Comment: ${{ github.event.comment.body }}"

# AFTER (secure)
- name: Process comment
  env:
    COMMENT_BODY: ${{ github.event.comment.body }}
  run: echo "Comment: $COMMENT_BODY"

For Complex Logic - Use github-script:

- uses: actions/github-script@v7
  with:
    script: |
      const title = context.payload.pull_request.title;
      // Safe JavaScript handling
      console.log(`Processing: ${title}`);

Detailed Fix Guide: Full fix instructions are available in cache memory at:
/tmp/gh-aw/cache-memory/fix-templates/zizmor-template-injection.md

---

All Findings Details

Complete Actionlint Error List (27 errors)

Expression Errors (20)

1. .github/workflows/archie.lock.yml:71:26 - property "check_command_position" is not defined
2. .github/workflows/beads-worker.lock.yml:1096:24 - property "bead" is not defined
3. .github/workflows/beads-worker.lock.yml:1097:23 - property "reason" is not defined
4. .github/workflows/beads-worker.lock.yml:1098:22 - property "state" is not defined
5. .github/workflows/brave.lock.yml:62:26 - property "check_command_position" is not defined
6. .github/workflows/cloclo.lock.yml:98:26 - property "check_command_position" is not defined
7. .github/workflows/craft.lock.yml:58:26 - property "check_command_position" is not defined
8. .github/workflows/daily-assign-issue-to-user.lock.yml:986:36 - property "assign_to_user" is not defined
9. .github/workflows/daily-secrets-analysis.lock.yml:490:4242 - unexpected character in expression
10. .github/workflows/grumpy-reviewer.lock.yml:62:26 - property "check_command_position" is not defined
11. .github/workflows/mergefest.lock.yml:58:26 - property "check_command_position" is not defined
12. Additional expression errors in: pdf-summary, plan, poem-bot, pr-nitpick-reviewer, q, scout, speckit-dispatcher, tidy, unbloat-docs

Shellcheck Errors (7)

1-3. .github/workflows/beads-worker.lock.yml:956:9 - SC2129: Consider using { cmd1; cmd2; } >> file (3 instances)
4-6. .github/workflows/smoke-copilot-no-firewall.lock.yml - SC2129 issues (3 instances)
7. .github/workflows/daily-choice-test.lock.yml:981:9 - SC2129 issue

Complete Zizmor Findings (18 warnings)

Template Injection (16 warnings)

Workflow	Line	Severity	Count
changeset.lock.yml	1316	Informational	1
copilot-pr-merged-report.lock.yml	383	Informational	2
daily-performance-summary.lock.yml	811	Informational	2
github-mcp-tools-report.lock.yml	385	Informational	1
mcp-inspector.lock.yml	405	Low	1
metrics-collector.lock.yml	184	Informational	1
schema-consistency-checker.lock.yml	321	Informational	1
smoke-copilot-no-firewall.lock.yml	448	Informational	2
smoke-copilot-playwright.lock.yml	541	Informational	2
smoke-copilot-safe-inputs.lock.yml	429	Informational	2
spec-kit-execute.lock.yml	336	Informational	1

Security Issues

1. excessive-permissions (Medium): layout-spec-maintainer.lock.yml:69
2. artipacked (Medium): release.lock.yml:1087

---

Historical Trends

First Scan: This is the inaugural static analysis report for this repository using the comprehensive three-tool approach (actionlint + zizmor + poutine).

Baseline Established:

• Actionlint: 27 errors
• Zizmor: 18 warnings (2 Medium, 1 Low, 15 Informational)
• Poutine: 0 issues

Future scans will track progress against this baseline.

---

Recommendations

Immediate Actions (This Week)

1. ✅ Fix Actionlint Expression Errors - These will cause runtime failures

   • Start with the 11 workflows that have missing check_command_position references
   • Fix beads-worker.lock.yml job dependency issues

2. 🔒 Security Review Template Injection Warnings

   • Review all 11 workflows flagged for template injection
   • Prioritize workflows that handle public PRs/issues
   • Apply environment variable fixes

3. 🔧 Address Medium Severity Security Issues

   • Reduce permissions in layout-spec-maintainer.lock.yml
   • Review artifact uploads in release.lock.yml

Short-term Actions (This Month)

4. Address Shellcheck Issues

   • Apply SC2129 fixes (redirect consolidation)
   • Improves performance and code quality

5. Optimize Schedules

   • Convert 15 fixed schedules to fuzzy schedules
   • Reduces load spikes on GitHub Actions

6. Fix Campaign Validation Errors

   • Resolve 7 workflow reference issues in campaign files

Long-term Actions (This Quarter)

7. Establish Automated Scanning

   • Add gh aw compile --actionlint --zizmor --poutine to CI/CD
   • Run daily static analysis scans
   • Track trends over time

8. Update Workflow Templates

   • Create secure templates that avoid common patterns
   • Add security guidelines for workflow authors
   • Document secure coding practices

9. Security Hardening

   • Review all workflows with write permissions
   • Implement principle of least privilege
   • Add input validation where needed

10. Tool Integration

    • Consider pre-commit hooks with actionlint
    • Add zizmor to PR review process
    • Explore additional security scanning tools

---

Next Steps

• Priority 1: Fix actionlint expression errors in 18 workflows
• Priority 2: Security review of 11 workflows with template injection warnings
• Priority 3: Fix 2 medium severity security issues (excessive-permissions, artipacked)
• Address shellcheck style issues (7 errors)
• Optimize workflow schedules (15 warnings)
• Set up automated daily scans
• Create secure workflow authoring guidelines

---

Scan Metadata

• Scan Date: 2026-01-06
• Tools: actionlint 1.7.10, zizmor (latest), poutine (latest)
• Workflows Scanned: 126 markdown workflows
• Lock Files Analyzed: 124 compiled YAML workflows
• Compilation Status: ✅ Success (0 errors, 29 warnings)
• Total Analysis Time: ~60 seconds
• Findings Stored: /tmp/gh-aw/cache-memory/security-scans/2026-01-06.json

---

Resources

• Fix Templates:

  • Actionlint errors: /tmp/gh-aw/cache-memory/fix-templates/actionlint-expression-errors.md
  • Template injection: /tmp/gh-aw/cache-memory/fix-templates/zizmor-template-injection.md

• Documentation:

  • Actionlint Documentation
  • [Zizmor Security Audits]((redacted)
  • GitHub Actions Security Hardening

• Raw Data: /tmp/gh-aw/compile-output.txt

AI generated by Static Analysis Report

[pelikhan]

/plan

[github-actions[bot]]

🎉 Yo ho ho! Plan Command found the treasure and completed successfully! ⚓💰