Static Analysis Report - 2026-02-21

[github-actions[bot]]

Analysis Summary

Daily static analysis scan of 156 agentic workflows completed using actionlint, zizmor, and poutine. This is the first scan — no historical baseline exists yet.

• Tools Used: actionlint 1.7.11, zizmor, poutine
• Workflows Scanned: 156
• Compiler Result: 0 errors, 25 warnings
• Total Tool Findings: 755 (actionlint: 719, zizmor: 11, compiler warnings: 25)

Findings by Tool

Tool	Total	Critical	High	Medium	Warning	Info/Style
zizmor (security)	11	0	0	0	1	10
poutine (supply chain)	0	0	0	0	0	0
actionlint (linting)	719	—	—	—	—	719
compiler	25	—	—	—	25	—

---

Clustered Findings

Zizmor Security Findings

Issue Type	Severity	Count	Affected Workflows
pr_runs_on_self_hosted	⚠️ Warning	1	smoke-copilot-arm
unverified_script_exec	ℹ️ Info	4	copilot-setup-steps, daily-copilot-token-report
github_action_from_unverified_creator_used	ℹ️ Info	4	(4 separate action references)
unpinnable_action	ℹ️ Info	2	daily-perf-improver/build-steps, daily-test-improver/coverage-steps

Poutine Supply Chain Findings

No findings reported by poutine on this scan.

Actionlint Linting Issues

Expression errors (267 total):

Issue Type	Count	Unique Workflows
pre_activation undefined in needs	208	104
matched_command undefined in pre_activation outputs	37	37
precompute undefined	12	1
check_ci_status undefined	6	1
release undefined	3	1
output property undefined	1	1

ShellCheck warnings (452 total):

SC Code	Severity	Count	Unique Workflows	Description
SC2129	Style	162	156	Use { cmd1; cmd2; } >> file instead of individual redirects
SC1003	Info	158	23	Single quote escape syntax
SC2086	Info	132	66	Double-quote variables to prevent word splitting/globbing

Compiler Warnings (25 total)

Warning Type	Count
Fixed cron schedule (should use fuzzy)	8
Experimental safe-inputs feature	6
Unresolved action version (hardcoded pin used)	7
Experimental rate-limit feature	3
Unsupported tool (copilot + web-search)	1

---

Top Priority Issues

1. PR Runs on Self-Hosted Runner (zizmor)

• Tool: zizmor
• Severity: ⚠️ Warning
• Affected: smoke-copilot-arm.lock.yml (line 349, runs-on: ubuntu-24.04-arm)
• Impact: PRs running on self-hosted runners can be exploited by malicious PR authors to gain access to secrets or the runner environment. Self-hosted ARM runners are not GitHub-managed and carry elevated risk.
• Reference: (woodruffw.github.io/redacted)

2. Unverified Script Execution (zizmor)

• Tool: zizmor
• Severity: ℹ️ Info
• Count: 4 occurrences across 2 files
• Affected: copilot-setup-steps.yml (lines 17, 42), daily-copilot-token-report.lock.yml (lines 366, 378)
• Impact: curl | bash and curl | sh patterns execute remote scripts without integrity checks. A compromised CDN or MITM attack could inject malicious code.
• Reference: (woodruffw.github.io/redacted)

3. Expression: pre_activation Undefined (actionlint)

• Tool: actionlint
• Severity: Error (linting)
• Count: 208 occurrences, 104 workflows affected
• Description: Compiled .lock.yml files reference needs.pre_activation.outputs.activated and needs.pre_activation.outputs.matched_command, but actionlint cannot verify these output properties exist in the pre_activation job's type definition.
• Impact: Type-safety risk — if the pre_activation job changes its output schema, dependent jobs silently break at runtime.

4. SC2086 – Unquoted Variable Expansion (shellcheck)

• Tool: actionlint/shellcheck
• Severity: Info
• Count: 132 occurrences, 66 workflows affected
• Description: Shell variables referenced without double quotes, risking word splitting and glob expansion.
• Example: echo "has_content=true" >> $GITHUB_OUTPUT → echo "has_content=true" >> "$GITHUB_OUTPUT"

---

Fix Suggestion: Expression - pre_activation Undefined

Issue: actionlint expression type error — job output properties undefined
Severity: Error (linting)
Affected Workflows: 104 workflows, 208 occurrences

Prompt to Copilot Agent:

You are fixing an actionlint type-checking issue in GitHub Actions workflow files.

**Vulnerability**: Actionlint cannot verify job output properties referenced via `needs.pre_activation.outputs`
**Rule**: `[expression]` — property not defined in object type
**Documentation**: https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-syntax-expression

**Current Issue**:
Many compiled `.lock.yml` workflow files reference outputs from a `pre_activation` job
(specifically `outputs.activated` and `outputs.matched_command`), but actionlint reports
these as undefined because the job's `outputs:` block doesn't explicitly declare them.

Error messages seen:
- `property "pre_activation" is not defined in object type {}`
- `property "matched_command" is not defined in object type {activated: string}`

**Required Fix**:
Ensure the `pre_activation` job has an explicit `outputs:` block that maps each output
to the step output that produces it.

Before (missing outputs declaration):
```yaml
jobs:
  pre_activation:
    runs-on: ubuntu-latest
    steps:
      - id: check
        run: |
          echo "activated=true" >> $GITHUB_OUTPUT
          echo "matched_command=..." >> $GITHUB_OUTPUT
```

After (with explicit outputs):
```yaml
jobs:
  pre_activation:
    runs-on: ubuntu-latest
    outputs:
      activated: $\{\{ steps.check.outputs.activated }}
      matched_command: $\{\{ steps.check.outputs.matched_command }}
    steps:
      - id: check
        run: |
          echo "activated=true" >> $GITHUB_OUTPUT
          echo "matched_command=..." >> $GITHUB_OUTPUT
```

**Note**: Since this affects `.lock.yml` files (generated output), the fix likely needs
to be applied in the workflow compiler/generator template rather than individual workflow
files. Check the compiler source to ensure `pre_activation` job declarations always
include the `outputs:` mapping.

---

View All Zizmor Findings

smoke-copilot-arm.lock.yml — pr_runs_on_self_hosted

• Severity: Warning
• Location: Line 349
• Finding: runs-on: ubuntu-24.04-arm — pull request workflow runs on self-hosted runner
• Reference: (woodruffw.github.io/redacted)

copilot-setup-steps.yml — unverified_script_exec (×2)

• Location: Line 17 — curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash
• Location: Line 42 — curl -LsSf (astral.sh/redacted) | sh
• Severity: Info
• Reference: (woodruffw.github.io/redacted)

daily-copilot-token-report.lock.yml — unverified_script_exec (×2)

• Location: Line 366 — curl -fsSL ... install-gh-aw.sh | bash
• Location: Line 378 — curl -LsSf (astral.sh/redacted) | sh
• Severity: Info

Unpinnable Actions

• .github/actions/daily-perf-improver/build-steps/action.yml — unpinnable_action (info)
• .github/actions/daily-test-improver/coverage-steps/action.yml — unpinnable_action (info)

Unverified Creator Actions (×4)

• 4 actions from unverified creators (info-level), no specific names reported in output

View Top Affected Workflows (expression errors)

pre_activation undefined (104 workflows, first 20):
artifacts-summary, audit-workflows, blog-auditor, bot-detection, chroma-issue-indexer, ci-coach, claude-code-user-docs-review, cli-consistency-checker, cli-version-checker, codex-github-remote-mcp-test, commit-changes-analyzer, contribution-check, copilot-agent-analysis, copilot-cli-deep-research, copilot-pr-merged-report, copilot-pr-nlp-analysis, copilot-pr-prompt-analysis, copilot-session-insights, daily-assign-issue-to-user, daily-choice-test … and 84 more.

matched_command undefined (37 workflows):
agent-performance-analyzer, agent-persona-explorer, ai-moderator, auto-triage-issues, breaking-change-checker, changeset, ci-doctor, code-scanning-fixer, code-simplifier, daily-file-diet, daily-issues-report, daily-observability-report, daily-safe-output-optimizer, daily-team-status, daily-testify-uber-super-expert, dependabot-burner, dev-hawk, example-custom-error-patterns, firewall-escape, issue-monster … and 17 more.

View Compiler Warnings Detail

Fixed schedule warnings — 8 workflows with fixed cron times should use fuzzy schedules:

• Hourly */6h → every 6h
• Hourly */4h → every 4h
• Daily 9:00 UTC → daily
• Daily 7:00 UTC → daily
• Weekly Sunday 6:00 UTC → weekly on sunday
• Weekly Monday 7:00 UTC → weekly on monday
• Weekly Monday 15:00 UTC → weekly on monday
• (One duplicate hourly entry)

Action version warnings — hardcoded pins used for:

• actions/github-script@v7 → pinned to v7.1.0
• actions/setup-node@v6 → pinned to v6.2.0
• actions/setup-go@v6 → pinned to v6.2.0
• actions/setup-go@v5 → pinned to v5.6.0
• actions/checkout@v6 → pinned to v6.0.2
• docker/setup-buildx-action@v3 → pinned to v3.12.0
• docker/build-push-action@v6 → pinned to v6.19.2

Permission warning — example-permissions-warning.md missing required permissions for contents: write, issues: write, pull-requests: write.

---

Historical Trends

This is the first scan — no prior data available for comparison. Results have been stored in cache memory at /tmp/gh-aw/cache-memory/security-scans/2026-02-21.json to establish a baseline for future trend analysis.

---

Recommendations

1. Immediate: Review smoke-copilot-arm — the sole zizmor warning (pr_runs_on_self_hosted) is the highest-severity finding. Evaluate whether PR triggers on self-hosted ARM runner are necessary.
2. Short-term: Address unverified_script_exec in copilot-setup-steps.yml — either pin the install scripts to SHA-verified versions or use checksums.
3. Medium-term: Investigate and resolve the 208 actionlint pre_activation expression errors in the compiler output — these likely indicate missing outputs: declarations in generated YAML.
4. Ongoing: Fix SC2086 (66 workflows) by quoting $GITHUB_OUTPUT and other variable expansions in shell scripts.
5. Process: Consider adopting fuzzy cron schedules for the 8 workflows using fixed times to reduce load spikes.

Next Steps

• Fix pr_runs_on_self_hosted in smoke-copilot-arm workflow
• Add script integrity checks for curl | bash patterns in copilot-setup-steps.yml
• Investigate compiler output for missing pre_activation job outputs: declarations
• Apply SC2086 variable quoting fixes across 66 workflows
• Adopt fuzzy cron schedules for 8 workflows

References:

• §22251902773

AI generated by Static Analysis Report

• expires on Feb 28, 2026, 6:31 AM UTC

[pelikhan]

/plan