[static-analysis] Report - 2026-06-14

[github-actions]

🔍 Static Analysis Report - 2026-06-14

Analysis Summary

• Tools Used: zizmor, poutine, actionlint, runner-guard
• Total Findings: 1,638
• Workflows Scanned: 246
• Workflows Affected (runner-guard): 18
• Run: §27490365128

Headline: zizmor findings dropped sharply 538 → 229 (−309, −57%) — the template-injection (Informational) class fell from 503 to 194, almost certainly a direct effect of commit #39157 ("Reduce ambient-context payload in daily/PR workflows and shared prompt imports"), which trimmed ${{ }} template expansions in the auto-generated CLI-execution steps. All other categories are essentially flat.

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info
zizmor (security)	229	0	1	2	31	195
poutine (supply chain)	24	0	0	0	1	23
actionlint (linting)	1054	-	-	-	-	-
runner-guard (taint analysis)	331	0	317	14	0	-

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type	Severity	Count	Affected Workflows
template-injection	Informational	194	~all .lock.yml (Execute Copilot/Claude CLI step)
obfuscation	Low	28	many .lock.yml (${{ '' }} placeholders)
template-injection	Low	3	a few .lock.yml
excessive-permissions	Medium	1	dependabot-repair.lock.yml:395
artipacked	Medium	1	daily-geo-optimizer.lock.yml:1573
superfluous-actions	Informational	1	1 .lock.yml
github-env	High	1	dev-hawk.lock.yml:1771 (has zizmor:ignore — GITHUB_SERVER_URL is Actions-set, not user input)

Poutine Supply Chain Findings

Issue Type	Severity	Count	Affected Workflows
untrusted_checkout_exec	error	12	various (suppressed via poutine:ignore)
github_action_from_unverified_creator_used	note	8	e.g. super-linter.lock.yml (super-linter@pinned)
unverified_script_exec	note	3	daily-byok-ollama-test (ollama install), copilot-setup-steps.yml
pr_runs_on_self_hosted	warning	1	1 workflow

Actionlint Linting Issues

Issue Type	Count	Notes
shellcheck	508	mostly SC2086 (quote to prevent globbing) in generated run: blocks
syntax-check	407	dominated by queue: max concurrency key — a gh-aw extension actionlint doesn't recognise (false positive)
permissions	117	copilot-requests unknown-scope — false positive, valid gh-aw scope
expression	22	expression-context warnings in generated lock files

The overwhelming majority of actionlint findings are noise from auto-generated .lock.yml files using gh-aw extensions (queue: max, copilot-requests:) that actionlint's schema doesn't know about. Real signal here is low.

Runner-Guard Taint Analysis Findings

Score/grade: not emitted by this scanner build.

Rule ID	Name	Severity	Count	Affected Files
RGS-004	Comment-Triggered Workflow Without Author Authorization Check	high	301	q(122), dev-hawk(91), ai-moderator(88)
RGS-012	Secret Exfiltration via Outbound HTTP Request	high	10	daily-model-inventory(4), daily-byok-ollama-test(2), visual-regression-checker(2), daily-multi-device-docs-tester(1), docs-noob-tester(1)
RGS-018	Suspicious Payload Execution Pattern	high	6	copilot-setup-steps.yml, daily-byok-ollama-test, daily-cli-performance, daily-sentrux-report, smoke-claude, smoke-codex
RGS-005	(medium taint pattern)	medium	8	ai-moderator(4), q(3), commands.yml(1)
RGS-007	(medium taint pattern)	medium	4	publish-safe-outputs-node.yml(3 — NEW), aoai-endpoint-smoke-test.yml(1)
RGS-019	(medium taint pattern)	medium	2	error-message-lint.yml, windows-cli-integration.yml

Issues created this run: none. Every High (RGS-004/012/018) rule+file combination maps to an already-closed static-analysis issue, re-verified via GitHub search:

• RGS-004 q/dev-hawk/ai-moderator → closed [static-analysis] RGS-004: Comment-Triggered Workflow Without Author Authorization Check in 16 workflows #29694, [static-analysis] RGS-004: Comment-Triggered Workflow Without Author Authorization Check (16 workflows) #30284, [static-analysis] RGS-004: Comment-Triggered Workflow Without Author Authorization Check in 16 workflows #28156
• RGS-012 (5 files) → closed [static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-byok-ollama-test.lock.yml #35652, [static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-multi-device-docs-tester.lock.yml #33477, [static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-model-inventory #30079, [static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-model-inventory.lock.yml #30776, [static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in visual-regression-checker.lock.yml #30947
• RGS-018 (6 files) → closed [static-analysis] RGS-018: Suspicious Payload Execution Pattern in daily-byok-ollama-test.lock.yml #35653, [static-analysis] RGS-018: Suspicious Payload Execution Pattern in copilot-setup-steps.yml #33476, [static-analysis] RGS-018: Suspicious Payload Execution Pattern (34 workflows) #30532, [static-analysis] RGS-018: Suspicious Payload Execution Pattern in 36 workflows #29461, [static-analysis] RGS-018: Suspicious Payload Execution Pattern in multiple workflows #30777

Per the dedup policy (closed rule+file ⇒ skip; the recurring-recreation problem was tracked and resolved in #31043), no new issues or comments were created. The only delta this run — RGS-007 on publish-safe-outputs-node.yml — is medium severity, below the Critical/High issue-creation threshold.

Top Priority Issues

1. RGS-004 — Comment-Triggered Workflow Without Author Authorization Check (runner-guard, High, ×301)

• Affected: q.lock.yml, dev-hawk.lock.yml, ai-moderator.lock.yml
• Why it matters: workflows triggered by issue/PR comments that act on comment content without verifying the commenter's association can be driven by untrusted users. gh-aw mitigates this with its built-in detection_guard/membership checks; the high count is per-trigger lock-file expansion of the same underlying pattern.
• Status: reviewed & closed previously ([static-analysis] RGS-004: Comment-Triggered Workflow Without Author Authorization Check in 16 workflows #29694/[static-analysis] RGS-004: Comment-Triggered Workflow Without Author Authorization Check (16 workflows) #30284/[static-analysis] RGS-004: Comment-Triggered Workflow Without Author Authorization Check in 16 workflows #28156). No new action.

2. github-env (zizmor, High, ×1) — dev-hawk.lock.yml:1771

• Already carries a zizmor:ignore annotation: the value is GITHUB_SERVER_URL, set by the Actions runner, not user-controlled. Benign.

Fix Suggestion: zizmor template-injection (largest cluster, 194)

Issue: code injection via template expansion — ${{ ... }} expressions interpolated directly into run: shell blocks.
Severity: Informational (in gh-aw's case, on auto-generated lock files)
Affected Workflows: ~all 246 .lock.yml files (the "Execute Copilot/Claude CLI" step)

Prompt to Copilot Agent:

You are reducing zizmor template-injection (Informational) findings in gh-aw generated lock files.

Vulnerability: template-injection — (docs.zizmor.sh/redacted)
Rule: GitHub Actions ${{ }} expressions expanded directly into shell `run:` blocks can
permit code injection when the expression resolves to attacker-controlled text.

Current Issue:
The gh-aw compiler emits the "Execute Copilot/Claude CLI" step (and similar) with
context expressions inlined into the run script. zizmor flags every such expansion.
Commit #39157 already cut these from 503 to 194 by reducing ambient-context payload.

Required Fix (apply in the gh-aw COMPILER / shared templates, not hand-edits to .lock.yml):
1. Identify remaining `${{ <expr> }}` uses inside `run:` blocks in the emitted step templates.
2. Move each into an `env:` mapping and reference the env var with proper quoting in shell.
3. Prefer `"$GH_AW_VALUE"` over inline expansion so the value is never parsed as shell.

Example:
Before:
  run: |
    echo "Processing ${{ github.event.issue.title }}"
After:
  env:
    GH_AW_ISSUE_TITLE: ${{ github.event.issue.title }}
  run: |
    echo "Processing $GH_AW_ISSUE_TITLE"

Apply by editing the compiler's step emitters so all generated lock files inherit the fix.

Historical Trends

Date	zizmor	poutine	actionlint	runner-guard
2026-06-11	537	24	1049	316
2026-06-12	539	24	1052	316
2026-06-13	538	24	1053	328
2026-06-14	229	24	1054	331
Δ vs prior	−309 ⬇️	0	+1	+3

• zizmor −309: template-injection 503 → 194. Attributed to commit Reduce ambient-context payload in daily/PR workflows and shared prompt imports #39157 (ambient-context payload reduction). Major, real improvement.
• runner-guard +3: new RGS-007 hits on publish-safe-outputs-node.yml (medium). No new High combos.
• poutine / actionlint: effectively flat.

New Issues

• RGS-007 on publish-safe-outputs-node.yml (medium) — newly surfaced; monitor, no issue per policy.

Resolved / Reduced Issues

• ~309 zizmor template-injection findings eliminated by reduced template payload.

Recommendations

1. Immediate: None blocking — the single High zizmor finding is annotated/benign; all High runner-guard findings are reviewed-and-closed recurring lock-file patterns.
2. Short-term: Keep pushing the compiler-side template-injection fix (env-var indirection) to drive the remaining 194 toward zero; investigate the new RGS-007 pattern in publish-safe-outputs-node.yml.
3. Long-term: Teach the scan harness to suppress known actionlint false positives (queue: max, copilot-requests:) so real linting signal isn't buried under ~600 schema-mismatch warnings.
4. Prevention: Continue the ambient-context reduction work from Reduce ambient-context payload in daily/PR workflows and shared prompt imports #39157 across remaining templates.

Next Steps

• Apply env-var indirection fix to remaining zizmor template-injection sites (compiler)
• Investigate new RGS-007 finding in publish-safe-outputs-node.yml
• Filter known actionlint false positives (queue, copilot-requests) from the scan
• Confirm commit Reduce ambient-context payload in daily/PR workflows and shared prompt imports #39157 is the cause of the zizmor drop and document expected steady-state

Methodology & notes

• Counts derived from /tmp/gh-aw/agent/compile-output.txt by counting finding-header lines per tool section (zizmor 5851–7454, poutine 7455–7623, actionlint 580–5850, runner-guard 7624–end).
• Per-type zizmor counts match the 2026-06-13 cache method exactly for every category except template-injection Informational (503→194), confirming the drop is a genuine reduction, not a counting change.
• Runner-guard dedup verified live against GitHub closed issues this run.

References: §27490365128

Generated by 📊 Static Analysis Report · 166.5 AIC · ⌖ 33.4 AIC · ⊞ 9.4K · ◷

• expires on Jun 20, 2026, 10:24 PM UTC-08:00