🔍 Static Analysis Report - February 13, 2026

[github-actions[bot]]

Analysis Summary

Scanned: 150 agentic workflows
Tools Used: actionlint (with shellcheck), poutine, zizmor
Total Findings: 329 (↑1 from previous scan)

Overall Status: ✅ STABLE

The security posture remains strong with strict mode compilation. Most findings (98.2%) are code style and linting suggestions from shellcheck, not security vulnerabilities.

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info/Style
actionlint (shellcheck)	323	0	0	0	0	323
poutine (supply chain)	6	0	0	1	0	5
zizmor (security)	0	0	0	0	0	0

🎉 Key Improvement: Zizmor Security Issue Resolved

The artipacked vulnerability (credential persistence through artifacts) detected yesterday in daily-copilot-token-report.lock.yml has been RESOLVED. This brings zizmor findings down to zero for the first time.

Detailed Findings

1. Actionlint / Shellcheck Issues (323 total)

SC2129: Redirect Style Suggestion (165 occurrences)

• Severity: Style (not a security issue)
• Description: Suggests using command grouping { cmd1; cmd2; } >> file instead of multiple individual redirects
• Impact: Code readability and minor performance optimization
• Status: Informational only

View Affected Workflows (Sample)

• agent-performance-analyzer.lock.yml
• agent-persona-explorer.lock.yml
• ai-moderator.lock.yml
• archie.lock.yml
• artifacts-summary.lock.yml
• audit-workflows.lock.yml
• auto-triage-issues.lock.yml
• blog-auditor.lock.yml
• bot-detection.lock.yml
• brave.lock.yml
• breaking-change-checker.lock.yml
• changeset.lock.yml
• ...and 153 more workflows

SC1003: Single Quote Escaping Info (158 occurrences)

• Severity: Info (not a security issue)
• Description: Informational message about proper single quote escaping syntax in shell strings
• Impact: None - this is an informational message, not an error
• Status: Informational only

View Affected Workflows (Sample)

• copilot-agent-analysis.lock.yml
• copilot-cli-deep-research.lock.yml
• daily-compiler-quality.lock.yml
• daily-doc-updater.lock.yml
• daily-file-diet.lock.yml
• daily-mcp-concurrency-analysis.lock.yml
• daily-syntax-error-quality.lock.yml
• daily-testify-uber-super-expert.lock.yml
• ...and 12 more workflows

2. Poutine Supply Chain Findings (6 total)

⚠️ Unverified Script Execution (4 occurrences) - MEDIUM PRIORITY

Severity: Medium
Security Impact: Scripts downloaded from internet and executed without verification

Affected Files:

1. .github/workflows/copilot-setup-steps.yml:42 - curl -LsSf (astral.sh/redacted) | sh
2. .github/workflows/copilot-setup-steps.yml:17 - curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash
3. .github/workflows/daily-copilot-token-report.lock.yml:145 - UV installer
4. .github/workflows/daily-copilot-token-report.lock.yml:133 - gh-aw installer

Risk: If upstream sources are compromised, malicious code could execute in CI/CD pipeline.

Recommended Fixes:

1. Use official GitHub Actions instead of curl piping (e.g., astral-sh/setup-uv@v4)
2. Download, verify checksum, then execute
3. Pin to specific commit SHAs instead of refs/heads/main
4. Vendor scripts in repository under .github/scripts/

Unpinnable Action (2 occurrences) - INFO ONLY

Severity: Info
Impact: None - this is expected behavior for composite actions

Affected Files:

• .github/actions/daily-perf-improver/build-steps/action.yml
• .github/actions/daily-test-improver/coverage-steps/action.yml

Note: Composite actions cannot be pinned to SHA, only to tags/branches. This is by design and not a security concern.

3. Zizmor Security Findings (0 total)

🎉 No security vulnerabilities detected by zizmor!

The artipacked issue from yesterday's scan has been successfully resolved.

4. Compiler Warnings (27 total)

View Compiler Warning Details

Experimental Features in Use

• safe-inputs: 9 workflows

  • copilot-cli-deep-research.md
  • daily-choice-test.md
  • daily-observability-report.md
  • daily-performance-summary.md
  • go-fan.md
  • slide-deck-maintainer.md
  • smoke-claude.md
  • smoke-codex.md
  • smoke-copilot.md

• rate-limit: 4 workflows

  • agent-persona-explorer.md
  • audit-workflows.md
  • duplicate-code-detector.md
  • weekly-issue-summary.md

• custom-steps: 2 workflows

Action Resolution Warnings (14 occurrences)

Actions that could not be resolved dynamically and fell back to hardcoded pins:

• actions/ai-inference@v2 (2x)
• docker/* actions (5x)
• actions/* actions (7x)

Other Warnings

• Engine compatibility: 2 workflows (copilot engine doesn't support web-search tool)
• Permissions: 1 workflow (example-permissions-warning.md - intentional example)
• Schedule optimization: 4 workflows (fixed schedules should use fuzzy timing)

Historical Trend Analysis

Comparison with Previous Scan (2026-02-12)

Metric	Yesterday	Today	Change	Status
Total Findings	328	329	+1	➡️ Stable
Zizmor	1	0	-1	✅ IMPROVED
Poutine	7	6	-1	✅ IMPROVED
Actionlint/Shellcheck	320	323	+3	⚠️ Slight increase

Recent Trends (7-day view)

Date       | Total | Zizmor | Poutine | Actionlint
-----------|-------|--------|---------|------------
2026-02-07 | 336   | 2      | 10      | 324
2026-02-08 | 334   | 2      | 10      | 322
2026-02-09 | 334   | 2      | 10      | 322
2026-02-10 | 334   | 2      | 10      | 322
2026-02-11 | 334   | 2      | 10      | 322
2026-02-12 | 328   | 1      | 7       | 320
2026-02-13 | 329   | 0      | 6       | 323
-----------|-------|--------|---------|------------
Change:    | -7    | -2     | -4      | -1

Overall Trend: ✅ IMPROVING - 7 fewer findings over the past week, with security issues decreasing significantly.

🎯 Top Priority Issue: Unverified Script Execution

The most significant security finding is the unverified script execution pattern in 4 locations.

Fix Recommendation for Unverified Script Execution

Current Vulnerable Pattern

# ⚠️ INSECURE - No verification before execution
curl -LsSf (astral.sh/redacted) | sh
curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash

Recommended Solution 1: Use Official Actions (Best)

# ✅ SECURE - Use official GitHub Action
- name: Install UV (Python package manager)
  uses: astral-sh/setup-uv@v4
  with:
    version: "0.5.0"

Recommended Solution 2: Download, Verify, Execute

# ✅ SECURE - Verify before execution
- name: Install UV with verification
  run: |
    curl -LsSf (astral.sh/redacted) -o /tmp/uv-install.sh
    echo "EXPECTED_SHA256  /tmp/uv-install.sh" | sha256sum -c -
    bash /tmp/uv-install.sh

Recommended Solution 3: Pin to Specific Commit

# ✅ MORE SECURE - Pin to specific commit instead of branch
- name: Install gh-aw
  run: |
    curl -fsSL https://raw.githubusercontent.com/github/gh-aw/COMMIT_SHA/install-gh-aw.sh | bash

Recommended Solution 4: Vendor the Script

# ✅ SECURE - Vendor script in repository
- name: Install from vendored script
  run: bash .github/scripts/install-gh-aw.sh

Implementation Priority

🔴 High Priority (Should Fix)

1. Unverified script execution (4 occurrences)
   • Replace UV installer with official astral-sh/setup-uv action
   • Vendor or pin gh-aw installer script

🟡 Medium Priority (Consider Fixing)

2. Schedule optimization (4 workflows)
   • Use fuzzy scheduling to distribute load

🟢 Low Priority (Optional)

3. Shellcheck style suggestions (323 occurrences)
   • These are code style suggestions, not security issues
   • Can be addressed gradually or ignored

Recommendations

Immediate Actions

1. ✅ Celebrate: The artipacked security issue has been resolved!
2. 🔧 Fix unverified script execution in 4 locations using recommended solutions above
3. 📊 Monitor trend: Continue daily scans to track improvements

Short-term (This Week)

1. Review and update schedule timings to use fuzzy intervals
2. Consider creating a codemod to automatically fix shellcheck style issues
3. Document the decision to accept or address shellcheck suggestions

Long-term (This Month)

1. Establish automated static analysis in pre-commit hooks
2. Create workflow templates that follow security best practices by default
3. Add supply chain security documentation to developer guides

Security Posture Assessment

✅ Strengths

• Zero critical or high severity issues
• Strict mode compilation enforces security best practices
• Improving trend: 7 fewer findings over past week
• Zizmor clean: No security vulnerabilities detected
• Action pinning: All GitHub Actions properly pinned to SHAs

⚠️ Areas for Improvement

• Script verification: 4 instances of unverified script execution
• Code style: 323 shellcheck style suggestions (non-security)

📈 Overall Rating: STRONG (8.5/10)

The repository maintains excellent security practices with strict mode compilation, action pinning, and firewall restrictions. The main area for improvement is eliminating unverified script execution patterns.

References

• Workflow Run: §22003446152
• Compilation Output: /tmp/gh-aw/compile-output.txt
• Historical Data: /tmp/gh-aw/cache-memory/security-scans/

---

Next Scan

Next scheduled scan: 2026-02-14 (daily at 6:00 UTC)

Note: This report is generated automatically by the Static Analysis Report workflow. Data is persisted in cache memory for historical trend analysis.

AI generated by Static Analysis Report

• expires on Feb 20, 2026, 9:34 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-20T21:34:48.023Z.

Closed by Workflow