Static Analysis Report - 2026-04-08

[github-actions[bot]]

Analysis Summary

⚠️ Compilation Failed: Today's scan could not complete. The compile step failed with ✗ unknown flag: --runner-guard because this run executes on branch copilot/add-runner-guard-arg-to-compile, which adds the --runner-guard flag to the compile command — but the flag is not yet implemented in the tool. No static analysis results were produced for this run.

The report below is based on the last successful scan: 2026-04-04 (§23986109480).

• Tools Used: zizmor, poutine, actionlint, runner-guard
• Scan Status: ❌ Failed (unknown flag: --runner-guard)
• Last Successful Scan: 2026-04-04
• Total Findings (last scan): 9,956
• Workflows Scanned (last scan): 181
• Workflows Affected: 181 (all)

Findings by Tool (2026-04-04)

Tool	Total	Critical	High	Medium	Low	Informational
zizmor (security)	4,924	0	1,117	3,703	22	82
poutine (supply chain)	65	0	0	16	0	49
actionlint (linting)	4,967	—	—	—	—	—
runner-guard (taint analysis)	N/A	—	—	—	—	—

Compilation Failure Root Cause

The static analysis workflow passed --runner-guard to the compile command, but this flag does not yet exist in the tool. The open PR on branch copilot/add-runner-guard-arg-to-compile is implementing this flag. Until the PR is merged and the tool is updated, any workflow run that uses --runner-guard will fail immediately.

Impact: No zizmor, poutine, actionlint, or runner-guard results were collected for 2026-04-08.

Resolution: Merge the copilot/add-runner-guard-arg-to-compile PR to add the --runner-guard flag to the compile command.

Clustered Findings by Tool and Type (from 2026-04-04)

Zizmor Security Findings

Issue Type	Severity	Count	Affected Workflows
secrets-outside-env	Medium	7,398*	All 181
unpinned-uses	High	2,182*	All 181 (via gh-aw-actions/setup@v0.65.6)
template-injection	High	214*	~20+ workflows
obfuscation	Low	44*	~20 workflows
artipacked	Medium	6*	~1 workflow
secrets-inherit	Medium	2*	~1 workflow
github-env	High	2*	dev-hawk

*Note: counts reflect raw zizmor findings which may differ from deduplicated totals.

Poutine Supply Chain Findings

Issue Type	Severity	Count	Affected Workflows
untrusted_checkout_exec	Error	34	smoke-workflow-call, smoke-workflow-call-with-inputs
default_permissions_on_risky_events	Warning	14	~15 workflows
github_action_from_unverified_creator_used	Note	9	~6 workflows
unverified_script_exec	Note	4	copilot-setup-steps, daily-copilot-token-report
unpinnable_action	Note	2	daily-perf-improver, daily-test-improver
pr_runs_on_self_hosted	Warning	2	dev, smoke-copilot-arm

Actionlint Linting Issues

Issue Type	Count	Affected Workflows
SC2086 (unquoted variables)	4,680	All 181
SC2129 (grouped redirects)	176	Many
permissions (unknown copilot-requests scope)	85	Many
expression (undefined output properties)	13	Some
runner-label (unknown aw-gpu-runner-T4)	12	Some

Runner-Guard Taint Analysis Findings

Runner-Guard Score: N/A — scan could not run due to compilation failure.

Issues created: none (no findings available)

Top Priority Issues

1. Unpinned Actions (unpinned-uses) — High Severity

• Tool: zizmor
• Count: 2,182 findings across all 181 workflows
• Severity: High
• Affected: All workflows (via github/gh-aw-actions/setup@v0.65.6 tag reference)
• Description: Action references pinned to a tag rather than a commit SHA. Tags can be moved, allowing a compromised tag to inject malicious code.
• Impact: Supply chain attack vector — a compromised gh-aw-actions/setup tag could execute arbitrary code across every workflow in this repo.
• Reference: (docs.zizmor.sh/redacted)

2. Template Injection — High Severity

• Tool: zizmor
• Count: 214 findings (~20+ workflows)
• Severity: High
• Affected: audit-workflows, auto-triage-issues, contribution-check, copilot-pr-nlp-analysis, copilot-session-insights, and others
• Description: GitHub Actions expression syntax (${{ ... }}) used directly in run: steps where untrusted data (issue titles, PR bodies, user inputs) flows into shell execution.
• Impact: Remote code execution if an attacker controls the expression input (e.g., a crafted issue title).
• Reference: (docs.zizmor.sh/redacted)

3. Untrusted Checkout Execution — Error

• Tool: poutine
• Count: 34 findings
• Severity: Error
• Affected: smoke-workflow-call, smoke-workflow-call-with-inputs
• Description: Workflows execute code from untrusted pull request checkouts.
• Reference: (docs.poutine.sh/redacted)

Fix Suggestion for Template Injection

Issue: Template injection via ${{ github.event.* }} in run: steps
Severity: High
Affected Workflows: ~20+ workflows

Prompt to Copilot Agent:

You are fixing a security vulnerability identified by zizmor: template injection.

**Vulnerability**: Template Injection
**Rule**: template-injection — (docs.zizmor.sh/redacted)
**Severity**: High

**Current Issue**:
GitHub Actions expression syntax (`${{ }}`) is used directly inside `run:` shell steps
where user-controlled data flows into the shell. An attacker can craft issue/PR content
with shell metacharacters (e.g., `$(malicious-command)`) that execute during the workflow run.

**Example Vulnerable Pattern**:
```yaml
- name: Process issue
  run: |
    echo "Issue title: ${{ github.event.issue.title }}"
    gh issue comment ${{ github.event.issue.number }} --body "Processing..."

Required Fix:

1. Move the expression into an environment variable at the step level.
2. Reference the environment variable using $ENV_VAR in the shell (not ${{ }}).
3. Never interpolate user-controlled expressions directly into run: shell scripts.

Fixed Pattern:

- name: Process issue
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
    ISSUE_NUMBER: ${{ github.event.issue.number }}
  run: |
    echo "Issue title: $ISSUE_TITLE"
    gh issue comment "$ISSUE_NUMBER" --body "Processing..."

Please apply this fix to all affected workflows that use ${{ github.event.* }},
${{ github.head_ref }}, ${{ github.actor }}, ${{ inputs.* }}, or similar
user-controlled expressions directly in run: steps.

Key workflows to fix (from zizmor findings):

• audit-workflows.lock.yml
• auto-triage-issues.lock.yml
• contribution-check.lock.yml
• copilot-pr-nlp-analysis.lock.yml
• copilot-session-insights.lock.yml
• copilot-token-audit.lock.yml
• daily-code-metrics.lock.yml
• daily-firewall-report.lock.yml
• daily-integrity-analysis.lock.yml
• deep-report.lock.yml

<details>
<summary>Historical Trends (all scans)</summary>

| Date | Total | Zizmor | Poutine | Actionlint | Workflows | Status |
|------|-------|--------|---------|------------|-----------|--------|
| 2026-03-29 | 7,383 | 3,455 | 6 | 3,928 | 178 | ✅ |
| 2026-03-30 | 8,520 | 3,953 | 6 | 4,561 | 178 | ✅ |
| 2026-03-31 | 8,562 | 3,977 | 19 | 4,566 | 178 | ✅ |
| 2026-04-01 | 8,601 | 3,992 | 19 | 4,590 | 179 | ✅ |
| 2026-04-02 | 8,600 | 3,762 | 19 | 4,819 | 179 | ✅ |
| 2026-04-03 | 9,757 | 4,789 | 39 | 4,929 | 183 | ✅ |
| 2026-04-04 | 9,956 | 4,924 | 65 | 4,967 | 181 | ✅ |
| 2026-04-08 | N/A | N/A | N/A | N/A | 0 | ❌ (compile failed) |

**Trend observations**:
- Total findings grew from 7,383 → 9,956 (+35%) over 7 scans as new workflows were added
- Poutine findings spiked from 6 to 65 between 2026-03-29 and 2026-04-04 — new supply chain rules being enforced
- Actionlint SC2086 (unquoted variables) is the dominant issue at ~4,680 findings and grows with every new workflow added
- Template injection findings (High severity) remain stable but unresolved at ~24 high-severity cases

</details>

### Recommendations

1. **Immediate**: Merge `copilot/add-runner-guard-arg-to-compile` PR to restore daily static analysis scans
2. **Short-term**: Fix template injection in the ~20 affected workflows (highest severity, exploitable)
3. **Short-term**: Pin `github/gh-aw-actions/setup` to a SHA instead of a tag (`@v0.65.6` → `@<SHA>`)
4. **Medium-term**: Address poutine `untrusted_checkout_exec` in smoke workflow tests
5. **Long-term**: Add workflow linting pre-commit hook to catch SC2086 before merge (4,680 existing instances growing with repo)
6. **Prevention**: Update workflow templates to use `env:` blocks for all user-controlled expression values

### Next Steps

- [ ] Merge `copilot/add-runner-guard-arg-to-compile` to fix the `--runner-guard` flag
- [ ] Verify next daily scan completes successfully with runner-guard enabled
- [ ] Apply template injection fixes to top 20 affected workflows
- [ ] Pin `gh-aw-actions/setup` to commit SHA in the shared setup action
- [ ] Review `default_permissions_on_risky_events` for the 14 affected poutine workflows

**References:**
- [§23986109480](https://github.com/github/gh-aw/actions/runs/23986109480) — last successful scan (2026-04-04)
- [§24138856641](https://github.com/github/gh-aw/actions/runs/24138856641) — current failed run (2026-04-08)




> Generated by [Static Analysis Report](https://github.com/github/gh-aw/actions/runs/24138856641/agentic_workflow) · ● 139.3K · [◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw+%22gh-aw-workflow-call-id%3A+github%2Fgh-aw%2Fstatic-analysis-report%22&type=discussions)
> - [x] expires <!-- gh-aw-expires: 2026-04-09T13:54:42.136Z --> on Apr 9, 2026, 1:54 PM UTC

<!-- gh-aw-agentic-workflow: Static Analysis Report, engine: claude, model: auto, id: 24138856641, workflow_id: static-analysis-report, run: https://github.com/github/gh-aw/actions/runs/24138856641 -->

<!-- gh-aw-workflow-id: static-analysis-report -->
<!-- gh-aw-workflow-call-id: github/gh-aw/static-analysis-report -->