Skip to content

[static-analysis] Report - 2026-04-24 #28329

Open
Open
[static-analysis] Report - 2026-04-24#28329
Labels
automationsecurity
@github-actions

Description

@github-actions
github-actions
bot
opened on Apr 24, 2026

Analysis Summary

Static analysis scan completed on 2026-04-24 using four tools against all 201 agentic workflow files in this repository. All 201 workflows compiled successfully (0 errors, 8 warnings).

  • Tools Used: zizmor, poutine, actionlint, runner-guard
  • Total Findings: ~1,817 (+32 vs yesterday)
  • Workflows Scanned: 201 (+1 new workflow)
  • Workflows with Findings: ~90

Findings by Tool

Tool Total Critical High Medium Low/Info
runner-guard (taint analysis) 1,569 0 ~1,523 46 0
actionlint (linting) 116 116
zizmor (security) 110 0 1 1 108
poutine (supply chain) 24 0 8 1 15

Runner-Guard Taint Analysis

Rule ID Name Severity Count Δ vs Yesterday
RGS-004 Comment-Triggered Workflow Without Author Authorization Check High 1,394 +6
RGS-008 Secret Directly Interpolated in run Block High 86 +24
RGS-018 Suspicious Payload Execution Pattern High 40 0
RGS-005 Excessive Permissions on Untrusted Trigger Medium 46 0
RGS-006 Curl-Pipe-Bash Remote Code Execution High 2 0
RGS-012 Secret Exfiltration via Outbound HTTP Request High 1 NEW

Issues created for Critical/High findings (avoiding duplicates from #28154, #28155, #28156):

Clustered Findings by Tool

Actionlint Linting Issues

Issue Type Count Change
copilot-requests unknown permission scope 103 +1
Undefined expression properties 11 0
shellcheck style issues 2 +1

The copilot-requests: write permission scope continues to not be recognized by actionlint — this is a GitHub-internal or preview permission. The new shellcheck finding is SC2034 (unused variable i) in daily-fact.lock.yml.

Zizmor Security Findings

Issue Type Severity Count
template-injection Informational 85
obfuscation ($\{\{ '' }}) Low 23
github-env (dangerous env file) High 1
secrets-inherit Medium 1

New this scan: dev-hawk.lock.yml:1397 flagged as [High] github-env: dangerous use of environment file. This occurs in a step that derives GH_HOST from GITHUB_SERVER_URL and writes it to $GITHUB_ENV. If GITHUB_SERVER_URL can be influenced by an attacker, this could allow environment variable injection.

Poutine Supply Chain Findings

Issue Type Severity Count
untrusted_checkout_exec Error 8
github_action_from_unverified_creator_used Note 9
unverified_script_exec (curl|bash) Note 6
pr_runs_on_self_hosted Warning 1

Unchanged from previous scan. The smoke-workflow-call and smoke-workflow-call-with-inputs workflows continue to have untrusted_checkout_exec errors (marked with # poutine:ignore comments but still flagged).

Top Priority Issues

1. RGS-004: Comment-Triggered Workflow Without Author Authorization Check (tracked: #28156)

  • Count: 1,394 instances (16 workflows)
  • Severity: High
  • Key affected: unbloat-docs, ace-editor, ai-moderator, tidy, plan, q, scout
  • Impact: Any GitHub user can trigger privileged operations by posting a comment

2. RGS-008: Secret Directly Interpolated in run Block (tracked: #28155)

  • Count: 86 instances (+24 vs yesterday, likely from new workflow)
  • Severity: High
  • Key affected: ci.yml, smoke-codex, smoke-agent-all-merged, daily-testify-uber-super-expert, sergo, daily-safe-output-optimizer
  • Impact: Secrets embedded directly in shell script text

3. RGS-012: Secret Exfiltration via Outbound HTTP Request (NEW — tracked: #28328)

  • Count: 1 instance (daily-fact.lock.yml:489)
  • Severity: High
  • Impact: HTTP infrastructure in a secrets-accessible context creates exfiltration risk

Fix Suggestion for RGS-012 (New Finding)

Issue: Secret Exfiltration via Outbound HTTP Request
Severity: High
Affected Workflows: daily-fact (1 instance)

Prompt to Copilot Agent:

You are fixing a security finding identified by runner-guard (RGS-012).

**Vulnerability**: Secret Exfiltration via Outbound HTTP Request
**Rule**: RGS-012

**Current Issue**:
The `daily-fact` workflow makes outbound HTTP requests (curl to localhost MCP server)
in a job context that also has access to `ANTHROPIC_API_KEY` and other secrets.
Runner-guard flags this pattern because it creates an exfiltration risk — if the
curl target URL is influenced by attacker-controlled data, secrets could be sent
to an external endpoint.

**Required Fix**:
1. Confirm that the MCP server URL (`(127.0.0.1/redacted) is hardcoded and 
   cannot be influenced by environment variables or workflow inputs
2. Ensure no user-controlled data can reach the `curl` command's URL or headers
3. If the workflow firewall is available, add a rule to only allow outbound HTTP 
   to localhost (127.0.0.1) during setup steps
4. Review whether the MemPalace MCP server startup step needs to run in the same
   job as secret-accessing steps; consider splitting into separate jobs with
   minimized permissions for the setup phase

File to review: .github/workflows/daily-fact.md (line ~490 in compiled lock file)
View All Findings Details

Zizmor — github-env (High)

  • dev-hawk.lock.yml:1397: A step derives GH_HOST from GITHUB_SERVER_URL and writes it to GITHUB_ENV. The GITHUB_SERVER_URL is controlled by GitHub but in theory could be manipulated in certain GHES contexts. The step has a comment indicating it's intentional for GHES support.

Zizmor — template-injection (Informational, 85 instances)

Affecting 29+ workflows including: ai-moderator, auto-triage-issues, contribution-check, daily-doc-updater, daily-issues-report, discussion-task-miner, grumpy-reviewer, issue-arborist, issue-monster, issue-triage-agent, org-health-report, plan, pr-triage-agent, q, refiner, scout, smoke-agent-*, smoke-copilot, stale-repo-identifier, weekly-blog-post-writer, weekly-issue-summary, workflow-generator

Zizmor — obfuscation (Low, 23 instances)

All 23 relate to the GH_AW_WIKI_NOTE: $\{\{ '' }} pattern — an intentional empty string placeholder used across workflows for wiki note configuration. Not a real security concern.

Actionlint — Unknown Permission Scopes

copilot-requests: write is flagged in 51+ workflows. Also vulnerability-alerts: read in dependabot-go-checker. These are GitHub-internal or preview permission scopes not yet in actionlint's schema.

Actionlint — Undefined Expression Properties

  • ace-editor: needs.activation.outputs.activated — output property not defined in the activation job schema
  • smoke-claude: needs.activation.outputs.artifact_prefix (x2) — same issue
  • smoke-workflow-call and smoke-workflow-call-with-inputs: job.workflow_repository, job.workflow_sha, job.workflow_ref, job.workflow_file_path — GitHub-internal job context properties not yet in actionlint's schema

Poutine — Unverified Actions

  • astral-sh/setup-uv@08807647... / @eac588ad... in mcp-inspector, copilot-token-audit, agentic-optimization-kit, copilot-setup-steps
  • gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2... in link-check.yml
  • super-linter/super-linter@9e863354e3ff... in super-linter
  • actions-ecosystem/action-add-labels@c96b68fec7... in smoke-codex

Poutine — Unverified Script Execution

curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash in copilot-setup-steps.yml, copilot-token-optimizer, copilot-token-audit, agentic-optimization-kit — downloading and executing unverified scripts from the main branch.

Runner-Guard — RGS-004 (High, 1,394 instances)

Primary affected workflow: unbloat-docs.lock.yml (the vast majority of instances). This workflow is triggered by issue_comment / pull_request_review_comment without verifying author_association. Tracked in #28156.

Runner-Guard — RGS-008 (High, 86 instances)

Affected workflows: ci.yml, smoke-agent-all-merged, smoke-codex, copilot-token-audit, daily-testify-uber-super-expert, sergo, daily-safe-output-optimizer, daily-doc-healer, daily-issues-report, daily-secrets-analysis. Tracked in #28155.

Runner-Guard — RGS-018 (High, 40 instances)

Affected: smoke-crush, smoke-codex, copilot-token-audit, daily-safe-output-optimizer, daily-issues-report, agentic-optimization-kit. Tracked in #28154.

Runner-Guard — RGS-005 (Medium, 46 instances)

Primarily unbloat-docs.lock.yml and tidy.lock.yml — write permissions on comment-triggered workflows.

Runner-Guard — RGS-006 (High, 2 instances)

copilot-token-audit.lock.yml:471curl -fsSL ... | bash pattern. Known recurring finding; no dedicated issue yet (mentioned in #28157 daily report).

Historical Trends

Metric 2026-04-23 2026-04-24 Δ
Workflows Scanned 200 201 +1
Total Findings 1,785 ~1,817 +32
Runner-guard High 1,492 ~1,523 +31
Actionlint Issues 114 116 +2
Zizmor High 0 1 +1
New Rule IDs RGS-012

Trend: Findings are increasing (+32) primarily due to the new workflow added and RGS-008 growth (+24 instances). The new RGS-012 finding in daily-fact is the most novel security signal today.

Recommendations

  1. Immediate: Investigate RGS-012 in daily-fact — confirm outbound HTTP cannot reach external endpoints (see [static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-fact #28328)
  2. Ongoing: Continue addressing existing tracked issues ([static-analysis] RGS-018: Suspicious Payload Execution Pattern in go-logger and 36 other workflows #28154 RGS-018, [static-analysis] RGS-008: Secret Directly Interpolated in run Block across 61 workflows #28155 RGS-008, [static-analysis] RGS-004: Comment-Triggered Workflow Without Author Authorization Check in 16 workflows #28156 RGS-004)
  3. New: Investigate dev-hawk github-env High finding — review the GH_HOST derivation step
  4. Short-term: Fix RGS-006 in copilot-token-audit — replace curl|bash with pinned script
  5. Long-term: Update actionlint schema to recognize copilot-requests and vulnerability-alerts permission scopes

Next Steps

References:

Generated by Static Analysis Report · ● 396.5K ·

  • expires on May 1, 2026, 7:49 PM UTC

Metadata

Metadata

Assignees

No one assigned

    Labels

    automationsecurity

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions