🔍 Static Analysis Report - January 24, 2026

[github-actions[bot]]

Analysis Summary

Static analysis scan completed successfully using three security and code quality tools across all agentic workflows.

• Tools Used: actionlint (with shellcheck & pyflakes), zizmor, poutine
• Total Findings: 272 issues
• Workflows Scanned: 141
• Workflows with Issues: 141 (98%)
• Compilation Status: 141 successful

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info/Style
actionlint	264	0	0	0	0	264
shellcheck (SC2129)	139	-	-	-	-	139 (style)
shellcheck (SC1003)	82	-	-	-	-	82 (info)
shellcheck (SC2166)	15	-	-	-	-	15 (warning)
shellcheck (SC2086)	3	-	-	-	-	3 (info)
expression errors	27	-	-	-	-	27 (error)
permissions warnings	5	-	-	-	-	5 (warning)
zizmor	1	0	0	0	1	0
poutine	7	0	0	0	0	7

Key Insight: All findings are informational, style-related, or low severity. No critical security vulnerabilities detected.

Top Priority Issues

1. SC2129 - Multiple File Redirects (Actionlint/Shellcheck)

• Count: 139 workflows affected (all workflows)
• Severity: Style
• Type: Code quality / best practices
• Impact: Minor performance, readability

Description: Shell scripts perform multiple redirect operations to the same file instead of grouping them together.

Example:

# Current (less efficient)
echo "Line 1" >> file.txt
echo "Line 2" >> file.txt

# Recommended
{ echo "Line 1"; echo "Line 2"; } >> file.txt

Reference: (redacted)

2. SC1003 - Single Quote Escaping (Actionlint/Shellcheck)

• Count: 82 occurrences across 11 workflows
• Severity: Info
• Type: Code quality / syntax
• Impact: None (functional code)

Affected Workflows: copilot-agent-analysis, daily-doc-updater, developer-docs-consolidator, go-fan, go-logger, instructions-janitor, semantic-function-refactor, sergo, step-name-alignment, typist

3. Expression Errors - Missing Job Reference (Actionlint)

• Count: 27 occurrences across 27 workflows
• Severity: Error
• Type: Workflow configuration
• Impact: Potential runtime issues

Description: Property create_pull_request is not defined in the needs object type, suggesting missing job dependencies or incorrect job references.

Affected Workflows (sample): ci-coach, cloclo, code-scanning-fixer, code-simplifier, daily-doc-updater, daily-workflow-updater, dependabot-bundler, developer-docs-consolidator, dictation-prompt, github-mcp-tools-report

Security Findings

Zizmor Security Scanner

Low Severity:

1. template-injection (1 occurrence)
   • File: .github/workflows/mcp-inspector.lock.yml:453:9
   • Description: Code injection via template expansion
   • Severity: Low
   • Reference: (redacted)

Poutine Supply Chain Scanner

Informational:

1. unverified_script_exec (4 occurrences)

   • Files:
     • .github/workflows/copilot-setup-steps.yml (curl | sh patterns)
     • .github/workflows/ubuntu-image-analyzer.lock.yml (Docker & Node.js install)
   • Description: Unverified script execution via curl | sh patterns
   • Risk: Supply chain attack vector

2. unpinnable_action (3 occurrences)

   • Files:
     • .github/actions/daily-perf-improver/build-steps/action.yml
     • .github/actions/daily-test-improver/coverage-steps/action.yml
     • actions/setup/js/node_modules/@actions/github-script/.github/actions/install-dependencies/action.yml
   • Description: Unpinnable CI component used
   • Risk: Limited ability to pin versions for reproducibility

Actionlint Findings by Type

Shellcheck Issues

Code	Severity	Count	Description	Workflows Affected
SC2129	style	139	Multiple redirects to same file	139 (all)
SC1003	info	82	Single quote escape suggestion	11
SC2166	warning	15	Prefer [ p ] && [ q ] over [ p -a q ]	15
SC2086	info	3	Missing quotes for variable expansion	1 (ci-coach)

Expression Errors

Issue Type	Count	Description
Missing create_pull_request job reference	25	Job dependency not found in needs context
Missing validate-secret step reference	2	Step reference not found in job context

Permission Warnings

5 workflows missing required GitHub token permissions:

• daily-semgrep-scan.md
• dev.md
• example-permissions-warning.md
• pr-triage-agent.md
• test-create-pr-error-handling.md

Fix Recommendation: SC2129 (Highest Impact)

The SC2129 issue affects all 139 workflows and represents a consistent pattern that can be systematically fixed.

Detailed Fix Template: /tmp/gh-aw/cache-memory/fix-templates/actionlint-SC2129.md

**Fix Prompt for Automated Correction**:

Issue: Multiple redirects to the same file should be grouped together
Rule: SC2129
Reference: (redacted)

Current Pattern:
```bash
echo "Line 1" >> file.txt
echo "Line 2" >> file.txt
echo "Line 3" >> file.txt
```

Fixed Pattern:
```bash
{
  echo "Line 1"
  echo "Line 2"  
  echo "Line 3"
} >> file.txt
```

Apply this fix to all .github/workflows/*.lock.yml files showing SC2129 warnings.

View All Workflow Findings by Category

Workflows with SC2166 (Deprecated test syntax)

• ai-moderator
• archie
• brave
• cloclo
• craft
• grumpy-reviewer
• mergefest
• pdf-summary
• plan
• poem-bot
• pr-nitpick-reviewer
• q
• scout
• security-review
• tidy

Workflows with Expression Errors (create_pull_request)

• ci-coach
• cloclo
• code-scanning-fixer
• code-simplifier
• daily-doc-updater
• daily-workflow-updater
• dependabot-bundler
• developer-docs-consolidator
• dictation-prompt
• github-mcp-tools-report
• go-fan
• go-logger
• go-pattern-detector
• grumpy-reviewer
• instructions-janitor
• issue-arborist
• jsweep
• mergefest
• semantic-function-refactor
• sergo
• step-name-alignment
• tidy
• typist
• workflow-health-manager
• workflow-normalizer

Analysis Insights

Code Quality Trends:

• Style issues dominate: 221 of 272 issues (81%) are style/info level
• Consistent patterns: SC2129 appears in virtually all workflows, indicating a compiler-level pattern
• Low security risk: Only 1 low-severity security issue found across 141 workflows
• Supply chain awareness: 4 unverified script executions flagged for review

Architectural Observations:

1. The SC2129 and SC1003 issues suggest these are generated by the workflow compiler rather than hand-written issues
2. The expression errors about create_pull_request indicate a potential compiler bug or missing job definition
3. Permission warnings are isolated to specific workflows that may need toolset adjustments

Recommendations

Immediate Actions

1. Investigate expression errors: The 27 workflows with create_pull_request errors may have runtime issues
2. Review template injection: Examine mcp-inspector workflow for potential security improvements
3. Fix permission warnings: Add required permissions to 5 affected workflows

Short-term Improvements

1. Fix SC2129 systematically: Update compiler to generate grouped redirects or apply bulk fix to .lock.yml files
2. Address SC2166 warnings: Replace deprecated -a test syntax with && in 15 workflows
3. Review unverified scripts: Evaluate curl | sh patterns for supply chain risk mitigation

Long-term Strategy

1. Compiler improvements: Many issues stem from code generation patterns that could be improved
2. Pre-commit hooks: Add actionlint to catch issues before workflow deployment
3. Automated fixes: Consider auto-fixing style issues as part of compilation process
4. Security baseline: Establish monthly scanning cadence to track trends

Data Storage

Analysis data has been stored in cache memory for trend tracking:

• Scan summary: /tmp/gh-aw/cache-memory/security-scans/2026-01-24.json
• Vulnerability clusters: /tmp/gh-aw/cache-memory/vulnerabilities/by-tool.json
• Fix templates: /tmp/gh-aw/cache-memory/fix-templates/actionlint-SC2129.md
• Scan index: /tmp/gh-aw/cache-memory/security-scans/index.json

Next Steps

• Fix expression errors in 27 workflows (create_pull_request reference)
• Apply SC2129 fix template to compiler or bulk-fix workflows
• Add missing permissions to 5 workflows
• Review and document security exceptions for unverified script execution
• Consider integrating actionlint into CI/CD pipeline
• Schedule next scan for trend analysis

References:

• §21316585915

AI generated by Static Analysis Report

• expires on Jan 31, 2026, 2:37 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-01-31T14:37:18.479Z.