Skip to content

[static-analysis] Report - 2026-07-08 #44210

Description

@github-actions

🔍 Static Analysis Report - 2026-07-08

Analysis Summary

Posture is stable vs. yesterday (07-07). No new security regressions; zizmor High = 0 for the 20th+ consecutive day. Net movement is noise (zizmor +4 Low/Info, poutine −3, runner-guard −3).

Findings by Tool

Tool Total Critical High Medium Low/Info
zizmor (security) 552 0 0 0 552
poutine (supply chain) 19 0 10 (error) 1 (warn) 8 (note)
actionlint (linting) 39 - - - 39
runner-guard (taint) 330 0 319 11 0

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type Severity Count Affected Workflows
template-injection Informational (260) / Low (4) 264 ~197 generated .lock.yml files
adhoc-packages Low 257 broad (apt/pip/npm installs in setup steps)
obfuscation Low 30 agent-performance-analyzer, agentic-token-audit/optimizer, audit-workflows, copilot-* ...
superfluous-actions Informational 1 1 file

All zizmor findings are Low/Informational. No High or Medium — a clean, stable security surface for the generated workflows.

Poutine Supply Chain Findings

Issue Type Severity Count Affected Workflows
untrusted_checkout_exec error (High) 10 smoke-workflow-call, smoke-workflow-call-with-inputs (all # poutine:ignore annotated — trusted internal ${RUNNER_TEMP}/gh-aw/actions/*.sh scripts)
github_action_from_unverified_creator_used note 8 hippo-embed, super-linter, copilot-setup-steps, mcp-inspector, smoke-codex, dataflow-pr-discussion-dataset, link-check (all SHA-pinned)
pr_runs_on_self_hosted warning 1 smoke-copilot-arm (ubuntu-24.04-arm)

Actionlint Linting Issues

Issue Type Count Notes
SC2016 (expr won't expand in single quotes) 21 intentional literal ${{...}} / awk $n in single quotes — false positives
SC2086 (missing quotes) 7 real word-splitting/globbing risk — actionable
SC2038 (find/xargs) 6 prefer -print0 | xargs -0
SC2034 (unused var) 2 dead assignment (daily-byok-ollama-test)
SC2188 / SC2129 / SC2005 1 each redirect / grouped redirect / useless echo

All 39 are shellcheck category; 0 syntax / expression / permissions errors.

(a name="runner-guard-analysis")(/a)

Runner-Guard Taint Analysis Findings

Runner-Guard score/grade: not emitted in this run's output.

Rule ID Name Severity Count Affected Workflows
RGS-004 Comment-Triggered Workflow Without Author Authorization Check high 305 q, dev-hawk, ai-moderator (.lock.yml)
RGS-012 Secret Exfiltration via Outbound HTTP Request high 10 daily-byok-ollama-test, daily-model-inventory, daily-multi-device-docs-tester, docs-noob-tester, visual-regression-checker
RGS-018 Suspicious Payload Execution Pattern high 4 daily-byok-ollama-test, daily-cli-performance, daily-sentrux-report, smoke-claude
RGS-005 Excessive Permissions on Untrusted Trigger medium 8 ai-moderator, q
RGS-019 Step Output Interpolated in run Block medium 2 error-message-lint.yml, windows-cli-integration.yml
RGS-007 Unpinned Third-Party Action Using Mutable Tag medium 1 publish-safe-outputs-node.yml

Issues created: none. Every Critical/High rule+file combination was previously filed and closed after review:

Per closed-policy issue #31043, when a closed issue already exists for the same rule ID + affected file, the finding is skipped rather than recreated. All of today's High findings meet that condition, so 0 new issues and 0 comments were emitted.

Top Priority Issues

1. RGS-004 — Comment-Triggered Workflow Without Author Authorization Check

2. actionlint SC2086 — Double quote to prevent globbing and word splitting

  • Tool: actionlint · Count: 7 · Severity: warning (real)
  • Affected: daily-geo-optimizer, impeccable-skills-reviewer, mattpocock-skills-reviewer, pr-code-quality-reviewer (.lock.yml)
  • Impact: Genuinely actionable — an unquoted expansion can word-split or glob on unexpected input. This is the best candidate for an automated fix (see below).

Fix Suggestion for actionlint SC2086 (unquoted variable expansion)

Issue: Unquoted shell variable/command-substitution used in run: blocks, risking word-splitting and glob expansion.
Severity: Warning (real code-quality/correctness risk)
Affected Workflows: 4 workflows

Note: the findings are in generated .lock.yml files. The fix must be applied to the source .md workflow run: steps (or the gh-aw shared script templates), then recompiled with gh aw compile.

Prompt to Copilot Agent:

You are fixing a shell-quoting issue (shellcheck SC2086) flagged by actionlint in
GitHub Actions workflows generated by gh-aw.

Vulnerability: SC2086 — "Double quote to prevent globbing and word splitting"
Reference: https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-shellcheck-integration
ShellCheck: (www.shellcheck.net/redacted)

Current Issue:
A `run:` block expands a shell variable or command substitution WITHOUT double
quotes. If the value contains spaces, tabs, newlines, or glob characters (* ? [ ]),
the shell will split it into multiple words or expand globs, producing incorrect
behavior or subtle bugs.

Required Fix:
1. Locate the flagged expansion in the SOURCE `.md` workflow (not the compiled
   `.lock.yml`). The compiled line/column maps back to a `run:` step in the markdown.
2. Wrap every parameter expansion and command substitution in double quotes:
   `$VAR` -> `"$VAR"`, `${VAR}` -> `"${VAR}"`, `$(cmd)` -> `"$(cmd)"`.
3. Do NOT quote where word-splitting is intentional (e.g. building an argument
   list); in those cases use a bash array instead and expand with `"${arr[@]}"`.
4. Recompile with `gh aw compile` and confirm actionlint reports 0 SC2086 for the file.

Example:
Before:
  run: |
    echo Processing $FILE_PATH
    rm -rf $BUILD_DIR/output

After:
  run: |
    echo "Processing $FILE_PATH"
    rm -rf "$BUILD_DIR/output"

Apply this fix to the source workflows for these compiled files:
- daily-geo-optimizer.lock.yml:1628
- impeccable-skills-reviewer.lock.yml:560
- mattpocock-skills-reviewer.lock.yml:707
- pr-code-quality-reviewer.lock.yml:594

All Findings Details

Detailed findings by tool

Zizmor (552, all Low/Informational)

  • template-injection ×264 — ${{ ... }} interpolation in run:/with: of generated jobs. Informational; gh-aw sanitizes untrusted inputs via env-var extraction before shell use.
  • adhoc-packages ×257 — ad-hoc apt-get install / pip install / npm install in setup steps. Low.
  • obfuscation ×30 — obfuscated GitHub Actions usage (e.g. ${{ ... }} in indices). Low.
  • superfluous-actions ×1 — Informational.

Poutine (19)

  • untrusted_checkout_exec ×10 (error) — smoke-workflow-call{,-with-inputs}; all lines carry # poutine:ignore untrusted_checkout_exec — running trusted internal ${RUNNER_TEMP}/gh-aw/actions/*.sh scripts.
  • github_action_from_unverified_creator_used ×8 (note) — safedep/pmg, super-linter, astral-sh/setup-uv, actions-ecosystem/action-add-labels, gaurav-nelson/github-action-markdown-link-check — all SHA-pinned.
  • pr_runs_on_self_hosted ×1 (warning) — smoke-copilot-arm on ubuntu-24.04-arm.

Actionlint (39, all shellcheck)

  • SC2016 ×21 (info) — literal ${{...}}/awk $n in single quotes; false positives.
  • SC2086 ×7 (info) — real quoting fix (see Fix Suggestion): daily-geo-optimizer, impeccable-skills-reviewer, mattpocock-skills-reviewer, pr-code-quality-reviewer.
  • SC2038 ×6 (info) — find|xargs; prefer -print0 | xargs -0: repository-quality-improver, spec-extractor, unbloat-docs.
  • SC2034 ×2 (warning) — unused i var in daily-byok-ollama-test.
  • SC2188 / SC2129 / SC2005 ×1 each.

Runner-Guard (330) — see Runner-Guard Analysis above.

Historical Trends

Metric 2026-07-07 2026-07-08 Δ
zizmor 548 552 +4
poutine 22 19 −3
actionlint 39 39 0
runner-guard 333 330 −3
Total 942 940 −2
  • New issue types: none.
  • Resolved / dropped: poutine unverified_script_exec (was 3) → 0 today; runner-guard RGS-012 6→5 files, RGS-018 6→4 findings.
  • Long-run stability: zizmor High = 0 for 20+ consecutive days; actionlint has stayed at ~37–40 (down from 1200+ in May after the bundled-actionlint upgrade to 1.7.12).

Recommendations

  1. Immediate: None required — 0 Critical, and all High runner-guard/poutine findings are triaged false positives or poutine:ignore-annotated trusted internal scripts.
  2. Short-term: Apply the SC2086 quoting fix (4 source workflows) — the only genuinely actionable code-quality item.
  3. Long-term: Consider teaching runner-guard about the gh-aw activation-job authorization model to suppress the recurring RGS-004 class at the source, ending the daily false-positive churn ([deep-report] Static-analysis RGS-* security issues recreated daily after closure (no dedup-by-rule) #31043).
  4. Prevention: Keep new command-triggered workflows on centralized routing (on.slash_command.strategy: centralized) — the compiler warned 1 of 52 slash-command entries is not yet centralized.

Next Steps

References:

Generated by 📊 Static Analysis Report · 244.7 AIC · ⌖ 28.5 AIC · ⊞ 9.9K ·

  • expires on Jul 14, 2026, 9:51 PM UTC-08:00

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions