## Analysis Summary

Comprehensive static analysis completed on 145 agentic workflows using three security and code quality tools (zizmor, poutine, actionlint).

## Priority Issues

### 🔴 Critical: Poutine Error (1 workflow)

- **Issue:** `if_always_true` - Conditional expression always evaluates to true
- **Severity:** Error
- **Affected:** `.github/workflows/dev-hawk.lock.yml`
- **Impact:** Workflow logic error that may cause incorrect execution flow; a step guarded by an always-true `if:` runs in every case the guard was meant to exclude
- **Action Required:** Fix the conditional logic in the workflow
### 🟡 Medium: Zizmor Security Finding (1 workflow)

- **Issue:** `artipacked` - Credential persistence through GitHub Actions artifacts
- **Severity:** Medium
- **Affected:** `.github/workflows/hourly-ci-cleaner.lock.yml`
- **Reference:** (docs.zizmor.sh/redacted)
- **Impact:** Potential credential leakage through workflow artifacts. `actions/checkout` stores the job's `GITHUB_TOKEN` in `.git/config` unless `persist-credentials: false` is set; if the checked-out tree is later uploaded with `actions/upload-artifact`, anyone who can download the artifact can read the token for as long as it is valid.
### 🟡 High Priority: Default Permissions on Risky Events (14 workflows)

- **Issue:** `default_permissions_on_risky_events` (Poutine warning)
- **Severity:** Warning
- **Affected Workflows:** 14
- **Impact:** Workflows triggered by risky events (`issue_comment`, `pull_request_target`) declare no `permissions:` block, so their `GITHUB_TOKEN` inherits the repository default, which is read-write for most scopes unless the repository has been switched to read-only tokens. These events fire on input that outside contributors control (issue comments, fork pull requests) while running with the base repository's token and secrets, so an over-privileged token turns any injection into the workflow into write access to the repository.

**Affected workflows:**

- `.github/workflows/ai-moderator.lock.yml`
- `.github/workflows/archie.lock.yml`
- `.github/workflows/brave.lock.yml`
- `.github/workflows/cloclo.lock.yml`
- `.github/workflows/grumpy-reviewer.lock.yml`
- `.github/workflows/mergefest.lock.yml`
- `.github/workflows/pdf-summary.lock.yml`
- `.github/workflows/plan.lock.yml`
- `.github/workflows/pr-nitpick-reviewer.lock.yml`
- `.github/workflows/q.lock.yml`
- `.github/workflows/scout.lock.yml`
- `.github/workflows/security-review.lock.yml`
- `.github/workflows/tidy.lock.yml`
- `.github/workflows/unbloat-docs.lock.yml`

## Clustered Findings

### Zizmor Security Findings

**Obfuscation Details:** Low severity warnings about obfuscated GitHub Actions features usage. Most findings relate to environment variable patterns that look unusual but are part of the standard workflow generation process.

### Poutine Supply Chain Findings
| Issue Type | Severity | Count | Workflows Affected |
|---|---|---|---|
| `default_permissions_on_risky_events` | Warning | 14 | 14 |
| `if_always_true` | Error | 1 | 1 |
| `unverified_script_exec` | Note | 4 | 2 |
| `github_action_from_unverified_creator_used` | Note | 4 | 1 |
| `unpinnable_action` | Note | 3 | 3 |
### Actionlint Linting Issues

| Issue Type | Severity | Count | Workflows Affected |
|---|---|---|---|
| SC2129 | Style | 144 | 144 |
| SC1003 | Info | 140 | 21 |
| SC2086 | Info | 3 | 1 |
| Missing permissions | Warning | 2 | 2 |
**SC2129 Analysis:** Shellcheck suggests using `{ cmd1; cmd2; } >> file` instead of a separate `>> file` redirect on every command. This is a style suggestion affecting 144 workflows (all workflows that create prompts).

**SC1003 Analysis:** Shellcheck info about single quote escaping in complex environment variable setup scripts. Affects 21 workflows with advanced shell configurations.

**SC2086 Analysis:** Shellcheck info about an unquoted variable expansion, which is subject to word splitting and globbing; the fix is to double-quote the expansion. Affects 1 workflow.
## Historical Trends

- **Previous Scan:** 2026-01-29
- **Total Findings Then:** 304 issues
- **Total Findings Now:** 579 issues
- **Change:** +275 issues (+90.5%)
### Analysis of Change

The significant increase in findings is primarily due to:

- **New workflows added:** 145 workflows scanned today vs 143 yesterday (+2 workflows)
- **More comprehensive scanning:** today's scan includes full actionlint output with detailed shellcheck findings
- **Expanded poutine findings:** more detailed supply chain analysis captured more informational notes

The core security issues remain stable:

- **Default permissions warnings:** 14 workflows (unchanged from yesterday)
- **Critical/High severity issues:** still minimal; the growth is concentrated in style and informational categories
## Fix Suggestions

### 1. Fix Default Permissions on Risky Events (Priority: High)

- **Issue:** 14 workflows using default permissions on risky events
- **Severity:** Warning
- **Tool:** Poutine

**Automated Fix Prompt for Copilot Agent:**
````markdown
## Security Fix Required: Default Permissions on Risky Events

You are fixing a **supply chain security vulnerability** identified by poutine.

### Problem

14 workflows are triggered by risky events (like `issue_comment`, `pull_request_target`) but declare no `permissions:` block, so their `GITHUB_TOKEN` inherits the repository default, which grants read-write access to most scopes. This violates the principle of least privilege.

### Required Action

For each workflow below, add explicit minimal permissions to the frontmatter. A workflow-level `permissions:` block applies to every job; a job-level block overrides it for that job only.

**Affected Source Workflows** (edit the `.md` files, NOT the generated `.lock.yml`):

- `.github/workflows/ai-moderator.md`
- `.github/workflows/archie.md`
- `.github/workflows/brave.md`
- `.github/workflows/cloclo.md`
- `.github/workflows/grumpy-reviewer.md`
- `.github/workflows/mergefest.md`
- `.github/workflows/pdf-summary.md`
- `.github/workflows/plan.md`
- `.github/workflows/pr-nitpick-reviewer.md`
- `.github/workflows/q.md`
- `.github/workflows/scout.md`
- `.github/workflows/security-review.md`
- `.github/workflows/tidy.md`
- `.github/workflows/unbloat-docs.md`

### Fix Template

**Before**:

```yaml
---
name: Example Workflow
on:
  issue_comment:
    types: [created]
---
```

**After**:

```yaml
---
name: Example Workflow
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
  issues: write
  pull-requests: write
---
```

### Common Permission Patterns

- For workflows that read data and create reports: `contents: read, issues: write, pull-requests: read`
- For workflows that respond to comments: `contents: read, issues: write, pull-requests: write`
- For workflows that modify code: `contents: write, issues: write, pull-requests: write`

Grant only the scopes the workflow's steps actually use; anything not listed in the block is denied.

### Validation

After fixing, re-run the workflow compilation so the `.lock.yml` files are regenerated, then re-run poutine to verify the warning is resolved.

### References

- [GitHub Actions Security Hardening](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
- [Poutine Security Scanner](https://github.com/boostsecurityio/poutine)
````
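To make the two rules behind the Medium and High priority findings concrete, the following Python is an added example written for this summary; it is not poutine's or zizmor's implementation. It re-creates the decision logic of `default_permissions_on_risky_events` and `artipacked` over the mapping that `yaml.safe_load()` returns for a compiled `.lock.yml`. The risky-event set is limited to the two events the report names, the set of artifact paths treated as covering the checkout is an assumption, and the two sample workflows are constructed for the example rather than taken from the scanned repository.

```python
from __future__ import annotations

from typing import Any

# Risky triggers named in the report (assumption: poutine's full list is longer).
RISKY_EVENTS = {"issue_comment", "pull_request_target"}

# Artifact paths that would sweep up .git/config (assumption: representative set).
REPO_ROOT_PATHS = {".", "./", "**", "${{ github.workspace }}", ".git"}


def trigger_events(wf: dict[str, Any]) -> set[str]:
    """Normalise `on:`, which YAML may give as a string, a list or a mapping.
    PyYAML parses an unquoted `on` key as boolean True, so accept both."""
    on = wf.get("on", wf.get(True))
    if on is None:
        return set()
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on)  # mapping: keys are the event names


def default_permissions_on_risky_events(wf: dict[str, Any]) -> list[str]:
    """A job inherits the repository-default GITHUB_TOKEN when neither the
    workflow nor the job itself declares `permissions:`."""
    risky = sorted(trigger_events(wf) & RISKY_EVENTS)
    if not risky or "permissions" in wf:
        return []  # not a risky trigger, or a workflow-level block covers every job
    return [
        f"job {name!r} inherits default GITHUB_TOKEN permissions on {risky}"
        for name, job in (wf.get("jobs") or {}).items()
        if "permissions" not in job
    ]


def _uses(step: dict[str, Any], action: str) -> bool:
    """True when the step's `uses:` is `action` at any ref (@v4, @<sha>, ...)."""
    return str(step.get("uses", "")).split("@")[0] == action


def artipacked(wf: dict[str, Any]) -> list[str]:
    """actions/checkout keeps the token in .git/config unless persist-credentials
    is false; a later upload-artifact of that checkout ships the token."""
    findings: list[str] = []
    for name, job in (wf.get("jobs") or {}).items():
        credentialed_checkout = False
        for step in job.get("steps") or []:
            if _uses(step, "actions/checkout"):
                with_ = step.get("with") or {}
                # the default is true; YAML may give bool False or the string "false"
                if str(with_.get("persist-credentials", True)).lower() != "false":
                    credentialed_checkout = True
            elif credentialed_checkout and _uses(step, "actions/upload-artifact"):
                paths = str((step.get("with") or {}).get("path", "")).split()
                if any(p in REPO_ROOT_PATHS for p in paths):
                    findings.append(
                        f"job {name!r} uploads a checkout whose .git/config holds GITHUB_TOKEN"
                    )
    return findings


def audit_workflow(wf: dict[str, Any]) -> dict[str, list[str]]:
    return {
        "default_permissions_on_risky_events": default_permissions_on_risky_events(wf),
        "artipacked": artipacked(wf),
    }


# Constructed samples (not from the scanned repository).
_STEPS = [
    {"uses": "actions/checkout@v4"},
    {"run": "./scripts/respond.sh"},
    {"uses": "actions/upload-artifact@v4", "with": {"name": "workspace", "path": "."}},
]
VULNERABLE: dict[str, Any] = {
    "name": "comment-bot",
    "on": {"issue_comment": {"types": ["created"]}},
    "jobs": {"respond": {"runs-on": "ubuntu-latest", "steps": _STEPS}},
}
FIXED: dict[str, Any] = {
    "name": "comment-bot",
    "on": {"issue_comment": {"types": ["created"]}},
    "permissions": {"contents": "read", "issues": "write", "pull-requests": "write"},
    "jobs": {"respond": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"persist-credentials": False}},
        *_STEPS[1:],
    ]}},
}

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, audit_workflow(wf))
```

`FIXED` is the prompt's "After" frontmatter plus `persist-credentials: false` on the checkout, and produces no findings. A job-level `permissions:` block also silences the first rule for that job, since it scopes that job's token; to run the checker against real compiled workflows, feed it `yaml.safe_load(open(path))` for each `.lock.yml`.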
## Recommendations

### Immediate Actions (Critical/High Priority)

1. **Fix the `if_always_true` error in `dev-hawk.lock.yml`** - logic error that needs immediate attention (fix the `.md` source and recompile)
2. **Investigate the `artipacked` medium severity finding in `hourly-ci-cleaner.lock.yml`** - potential credential leakage
3. **Add explicit permissions to the 14 workflows** with risky event triggers

### Short-term Actions (Medium Priority)

1. Review and validate the 63 workflows flagged for "obfuscation" by zizmor
2. Address the `template-injection` low severity finding in `mcp-inspector.lock.yml`
3. Fix the 2 workflows with missing permissions warnings

### Long-term Actions (Low Priority/Informational)

1. **SC2129 (144 workflows):** consider refactoring prompt creation scripts to use grouped redirects
2. **Establish automated scanning:** integrate all three tools into the CI/CD pre-commit workflow
## Next Steps

1. Fix the critical `if_always_true` error in the dev-hawk workflow
2. Investigate and fix the `artipacked` issue in the hourly-ci-cleaner workflow
3. Apply permission fixes to the 14 workflows using the automated fix prompt above
4. Review obfuscation findings to understand whether they are false positives or real concerns
5. Update workflow creation guidelines to include explicit permissions
6. Consider adding zizmor, poutine, and actionlint to pre-commit hooks
## Summary Statistics

- **Total Workflows:** 145
- **Clean Workflows:** 1 (0.7%)
- **Workflows with Issues:** 144 (99.3%)
- **Average Issues per Workflow:** 4.0
- **Most Affected Workflow:** `typist.lock.yml` (21 issues)
- **Security Issues:** 155 (zizmor + poutine)
- **Code Quality Issues:** 436 (actionlint)
**Top 15 Most Affected Workflows**

| Workflow | Issues | Primary Types |
|---|---|---|
| `typist.lock.yml` | 21 | SC2129, SC1003 |
| `semantic-function-refactor.lock.yml` | 13 | SC2129, SC1003 |
| `go-logger.lock.yml` | 11 | SC2129, SC1003 |
| `step-name-alignment.lock.yml` | 9 | SC2129, SC1003 |
| `layout-spec-maintainer.lock.yml` | 9 | SC2129, SC1003 |
| `glossary-maintainer.lock.yml` | 9 | SC2129, SC1003 |
| `delight.lock.yml` | 9 | SC2129, SC1003 |
| `daily-file-diet.lock.yml` | 9 | SC2129, SC1003 |
| `daily-doc-updater.lock.yml` | 9 | SC2129, SC1003 |
| `daily-compiler-quality.lock.yml` | 9 | SC2129, SC1003 |
| `sergo.lock.yml` | 7 | SC2129, SC1003 |
| `go-fan.lock.yml` | 7 | SC2129, SC1003 |
| `daily-testify-uber-super-expert.lock.yml` | 7 | SC2129, SC1003 |
| `workflow-skill-extractor.lock.yml` | 5 | SC2129 |
| `instructions-janitor.lock.yml` | 5 | SC2129 |
## Analysis Notes

**Tool Coverage:**

- ✅ zizmor: Security-focused scanner for GitHub Actions
- ✅ poutine: Supply chain security analyzer
- ✅ actionlint: Comprehensive workflow linting with shellcheck integration

**False Positive Rate:** The "obfuscation" warnings (126 occurrences) appear to be primarily related to standard workflow compilation patterns and may have a high false positive rate. These should be reviewed but are likely acceptable.

**Real Security Concerns:** The 14 workflows with default permissions on risky events represent genuine security risks that should be addressed promptly using the least-privilege principle.
**References:**

- `/tmp/gh-aw/compile-output.txt`
- `/tmp/gh-aw/cache-memory/security-scans/2026-01-30.json`
- `/tmp/gh-aw/cache-memory/fix-templates/`