🔍 Static Analysis Report - January 31, 2026

[github-actions[bot]]

Analysis Summary

Comprehensive security and code quality scan of 147 agentic workflows using three static analysis tools: zizmor (security), poutine (supply chain), and actionlint (linting with shellcheck).

• Total Findings: 471 issues identified
• Workflows Scanned: 147
• Workflows Affected: 69 workflows have at least one issue
• Critical/High Severity: 0 (no critical security vulnerabilities)
• Medium Severity (Warnings): 14 (security best practice violations)
• Low/Info Severity: 457 (code quality and style improvements)

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info/Style
zizmor (security)	145	0	0	14	126	5
poutine (supply chain)	0	-	-	-	-	-
actionlint (linting)	326	0	0	0	0	326
TOTAL	471	0	0	14	126	331

---

Top Priority Issues

1. Default Permissions on Risky Events ⚠️ HIGH PRIORITY

• Tool: zizmor
• Count: 14 workflows
• Severity: Warning (Medium-High)
• Impact: Security - Excessive permissions on user-triggerable workflows
• Reference: (docs.zizmor.sh/redacted)

Affected Workflows: ai-moderator, archie, brave, cloclo, grumpy-reviewer, mergefest, pdf-summary, plan, pr-nitpick-reviewer, q, scout, security-review, tidy, unbloat-docs

Why This Matters: These workflows trigger on risky events like issue_comment (which external contributors can trigger) but don't explicitly restrict permissions. They default to write access for repository contents, issues, and pull requests. This violates the principle of least privilege.

Risk Scenario: An attacker could:

1. Comment on an issue/PR to trigger the workflow
2. Exploit any input processing vulnerability
3. Use write permissions to modify code, exfiltrate secrets, or create malicious commits

Recommended Fix: Add explicit minimal permissions to each workflow:

permissions:
  contents: read          # Read repository only
  issues: write          # Post comments
  pull-requests: write   # Post PR comments

2. Obfuscated GitHub Actions Usage

• Tool: zizmor
• Count: 126 occurrences across 63 workflows
• Severity: Low
• Impact: Auditability - Makes workflows harder to review
• Reference: (docs.zizmor.sh/redacted)

Pattern Detected: Static values wrapped in unnecessary expression syntax:

• GH_AW_CACHE_DESCRIPTION: ${{ '' }} (empty string)
• GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }} (static path)

Why This Matters: While not a direct security vulnerability, obfuscation:

• Makes security audits more difficult
• Can hide the true nature of values
• Reduces workflow transparency
• May mask malicious intent in PRs

Recommended Fix: Remove unnecessary expression wrappers:

# Before
GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }}

# After
GH_AW_CACHE_DIR: /tmp/gh-aw/cache-memory/

3. ShellCheck Style Issues

• Tool: actionlint (shellcheck)
• Count: 324 issues
• Severity: Info/Style
• Impact: Code quality only

Most Common:

• SC2129 (155 occurrences): Multiple redirects to same file
• SC1003 (166 occurrences): Single quote escaping suggestions
• SC2086 (3 occurrences): Missing quotes in variable expansion

Priority: LOW - These are style improvements with no security impact.

---

Detailed Findings by Tool

Zizmor Security Findings

Issue Type	Severity	Count	Workflows
default_permissions_on_risky_events	Warning	14	14
obfuscation	Low	126	63
unpinnable_action	Info	3	3
unverified_script_exec	Info	2	1

View Obfuscation-Affected Workflows (63 total)

• agent-persona-explorer.lock.yml
• audit-workflows.lock.yml
• ci-coach.lock.yml
• ci-doctor.lock.yml
• claude-code-user-docs-review.lock.yml
• cli-version-checker.lock.yml
• cloclo.lock.yml
• code-scanning-fixer.lock.yml
• copilot-agent-analysis.lock.yml
• copilot-pr-nlp-analysis.lock.yml
• copilot-pr-prompt-analysis.lock.yml
• copilot-session-insights.lock.yml
• daily-code-metrics.lock.yml
• daily-compiler-quality.lock.yml
• daily-copilot-token-report.lock.yml
• daily-doc-updater.lock.yml
• daily-firewall-report.lock.yml
• daily-issues-report.lock.yml
• daily-news.lock.yml
• daily-performance-summary.lock.yml
• daily-repo-chronicle.lock.yml
• daily-safe-output-optimizer.lock.yml
• deep-report.lock.yml
• dependabot-bundler.lock.yml
• developer-docs-consolidator.lock.yml
• glossary-maintainer.lock.yml
• go-logger.lock.yml
• hourly-ci-cleaner.lock.yml
• issue-monster.lock.yml
• mcp-inspector.lock.yml
• org-health-report.lock.yml
• portfolio-analyst.lock.yml
• prompt-clustering-analysis.lock.yml
• python-data-charts.lock.yml
• repo-audit-analyzer.lock.yml
• safe-output-health.lock.yml
• secret-scanning-triage.lock.yml
• security-alert-burndown.lock.yml
• security-compliance.lock.yml
• sergo.lock.yml
• slide-deck-maintainer.lock.yml
• smoke-claude.lock.yml
• smoke-codex.lock.yml
• smoke-copilot.lock.yml
• smoke-opencode.lock.yml
• stale-repo-identifier.lock.yml
• technical-doc-writer.lock.yml
• weekly-issue-summary.lock.yml
• workflow-generator.lock.yml
• workflow-health-manager.lock.yml
• workflow-normalizer.lock.yml
• workflow-skill-extractor.lock.yml
• (and 12 more)

Poutine Supply Chain Findings

No issues detected ✅

The scan found no supply chain security issues in the workflows.

Actionlint Linting Issues

Issue Type	Count	Description
SC2129 (shellcheck)	155	Multiple redirects to same file (style)
SC1003 (shellcheck)	166	Single quote escaping suggestions
SC2086 (shellcheck)	3	Variable quoting recommendations
expression	2	Expression syntax issues

---

Fix Recommendations & Implementation Guide

Priority 1: Fix Default Permissions (HIGH)

Timeline: Immediate (Week 1)

Action Required: Add explicit permissions to 14 workflows that trigger on risky events.

Fix Template:

# Add this to each affected workflow (.md source file, not .lock.yml)
permissions:
  contents: read
  issues: write
  pull-requests: write

Workflows to Fix:

1. .github/workflows/ai-moderator.md
2. .github/workflows/archie.md
3. .github/workflows/brave.md
4. .github/workflows/cloclo.md
5. .github/workflows/grumpy-reviewer.md
6. .github/workflows/mergefest.md
7. .github/workflows/pdf-summary.md
8. .github/workflows/plan.md
9. .github/workflows/pr-nitpick-reviewer.md
10. .github/workflows/q.md
11. .github/workflows/scout.md
12. .github/workflows/security-review.md
13. .github/workflows/tidy.md
14. .github/workflows/unbloat-docs.md

Testing: After applying the fix:

• Trigger workflow via issue comment
• Verify it can post comments
• Verify it cannot write to repository contents (unless needed)

Priority 2: Fix Obfuscation (MEDIUM)

Timeline: Short-term (Week 2-3)

Action Required: Update the workflow compiler to avoid wrapping static values in expression syntax.

Where to Fix: In the compiler code that generates env: blocks in .lock.yml files.

Logic:

1. Detect if a value is a static string literal
2. If static, emit it directly without ${{ }} wrapper
3. If dynamic (contains variables/expressions), keep the wrapper

Example Compiler Change:

# Before (generates obfuscation)
cache_dir = "${{ '/tmp/gh-aw/cache-memory/' }}"

# After (cleaner)
cache_dir = "/tmp/gh-aw/cache-memory/"

Priority 3: ShellCheck Issues (LOW)

Timeline: Long-term (Optional)

Action Required: Address in compiler if making other changes.

Most common issue (SC2129) is purely stylistic. Consider fixing if:

• Already modifying the compiler
• Want to improve shellcheck compliance score
• Have time for quality improvements

Not recommended to prioritize over security fixes or feature work.

---

Historical Trends

First Scan: This is the baseline scan for the repository.

Future Comparisons: Subsequent scans will track:

• New issues introduced
• Issues resolved
• Trend over time (improving or regressing)
• Workflow security posture changes

---

Long-term Recommendations

1. Integrate Static Analysis into CI/CD

Add these tools to the workflow compilation pipeline:

• Run zizmor on all compiled workflows
• Run actionlint for syntax validation
• Fail compilation if security warnings are found
• Block PRs that introduce new security issues

2. Establish Security Guidelines

Create workflow security guidelines:

• Always use explicit permissions on risky events
• Avoid obfuscation patterns
• Pin action versions to commit SHAs
• Validate and sanitize user inputs
• Review 3rd party actions before use

3. Periodic Security Reviews

Schedule regular security scans:

• Daily: Automated scans via this workflow
• Weekly: Review new issues
• Monthly: Audit high-risk workflows
• Quarterly: Comprehensive security review

4. Improve Compiler Security

Enhance the workflow compiler:

• Generate explicit permissions by default
• Emit clean expressions without obfuscation
• Add security annotations in generated workflows
• Validate workflow security before compilation

---

Scan Metadata

Scan Date: 2026-01-31
Repository: githubnext/gh-aw
Branch: main
Workflow Run: §21545944809

Tools Used:

• zizmor: GitHub Actions security scanner
• poutine: Supply chain security analyzer
• actionlint: Workflow linter with shellcheck integration

Scan Coverage:

• Workflows scanned: 147
• Total lines analyzed: ~10.5 MB of workflow YAML
• Compilation successful: 147/147 workflows

---

Next Steps

• Week 1: Fix default permissions on 14 workflows (HIGH PRIORITY)
• Week 2: Update compiler to eliminate obfuscation patterns
• Week 3: Review and address any new issues from updated workflows
• Week 4: Establish automated security scanning in CI/CD
• Ongoing: Monitor scan results and track security metrics

---

Resources

Fix Templates (stored in cache memory):

• /tmp/gh-aw/cache-memory/fix-templates/zizmor-default-permissions.md - Detailed guide for fixing permission issues
• /tmp/gh-aw/cache-memory/fix-templates/zizmor-obfuscation.md - Guide for removing obfuscation
• /tmp/gh-aw/cache-memory/fix-templates/shellcheck-SC2129.md - Shellcheck style improvements

Scan Data:

• Full scan results: /tmp/gh-aw/cache-memory/security-scans/2026-01-31.json
• Vulnerability index: /tmp/gh-aw/cache-memory/vulnerabilities/by-tool.json
• Scan history: /tmp/gh-aw/cache-memory/security-scans/index.json

Documentation:

• [Zizmor Documentation]((docs.zizmor.sh/redacted)
• GitHub Actions Security
• ShellCheck Wiki

AI generated by Static Analysis Report

• expires on Feb 7, 2026, 2:39 PM UTC

[pelikhan]

/plan only item 2, cache dir

[github-actions[bot]]

🎉 Yo ho ho! Plan Command found the treasure and completed successfully! ⚓💰

[github-actions[bot]]

Plan Created ✅

I've broken down Item 2 (Cache Dir Obfuscation) from the static analysis report into 4 actionable sub-issues:

Implementation Plan

1. Update compiler logic - Modify the workflow compiler to detect static string literals and avoid wrapping them in ${{ }} expression syntax

2. Add comprehensive tests - Create unit tests to validate static vs dynamic value detection (plain strings, GitHub context, secrets, expressions, edge cases)

3. Recompile all workflows - Run make recompile to regenerate all 147 workflow .lock.yml files with the cleaned-up environment variables

4. Verify with zizmor - Re-run the security scanner to confirm obfuscation count reduced from 126 to near-zero

Expected Impact

• 126 obfuscation warnings eliminated
• 63 workflows cleaned up
• Improved workflow auditability and transparency
• Cleaner generated YAML (e.g., GH_AW_CACHE_DIR: /tmp/gh-aw/cache-memory/ instead of ${{ '/tmp/gh-aw/cache-memory/' }})

All sub-issues have been created and are ready for assignment to Copilot agents. They will be automatically grouped under a parent tracking issue.