🔍 Static Analysis Security Report - 2026-01-14

[github-actions[bot]]

🔍 Static Analysis Report - 2026-01-14

Analysis Summary

This report presents findings from a comprehensive static analysis scan of all agentic workflow files in the githubnext/gh-aw repository using multiple security and code quality tools.

• Tools Used: zizmor (security), actionlint (linting + shellcheck)
• Total Findings: 688 issues detected
• Workflows Scanned: 124
• Workflows Affected: 122 (98.4%)
• Compilation Success Rate: 100% (124/124 workflows compiled successfully)

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Informational
zizmor (security)	123	0	1	2	1	119
actionlint (linting)	319	-	-	-	-	197 errors, 122 info
compiler (warnings)	246	-	-	-	-	246 warnings
TOTAL	688	0	1	2	1	240

---

Clustered Findings by Tool and Type

🔐 Zizmor Security Findings

Zizmor is a static analysis tool specifically designed to find security vulnerabilities in GitHub Actions workflows.

Issue Type	Severity	Count	% of Workflows	Documentation
template-injection	Informational	119	95.2% (118/124)	docs.zizmor.sh
artipacked	Medium	2	0.8% (1/124)	docs.zizmor.sh
unpinned-uses	High	1	0.8% (1/124)	docs.zizmor.sh
template-injection	Low	1	0.8% (1/124)	docs.zizmor.sh

Key Observations:

• Template injection (Informational) is pervasive across 95% of workflows
• The "Informational" severity indicates reduced risk due to safe-inputs feature
• Only 1 High severity issue found (unpinned-uses in release.md)
• 2 Medium severity issues (artipacked in release.md)

🔍 Actionlint + Shellcheck Findings

Actionlint validates workflow syntax and integrates shellcheck for bash script analysis.

Issue Type	Severity	Count	% of Workflows	Documentation
shellcheck-issues	Error	197	95.2% (118/124)	actionlint docs
unverified-script-exec	Info	122	96.8% (120/124)	actionlint docs

Key Observations:

• Shellcheck findings: 197 issues across 118 workflows
  • Most common: SC2155 (declare and assign separately)
  • Shell scripting quality issues that could lead to subtle bugs
• Unverified script execution: 120 workflows download and execute remote scripts
  • Primarily the gh-aw-firewall installation script
  • Flagged for security awareness but may be acceptable with proper validation

⚠️ Compiler Warnings

Warning Type	Count	Description
unable-to-resolve-actions	179	Cannot dynamically resolve action versions (using hardcoded pins)
missing-permissions	4	Missing required GitHub permissions for toolsets
web-search-unsupported	2	Engine doesn't support web-search tool
experimental-features	4	Using experimental features (safe-inputs)

Breakdown of Unable-to-Resolve Actions:

• actions/github-script@v8: 126 occurrences
• actions/upload-artifact@v6: 38 occurrences
• actions/setup-node@v6: 7 occurrences
• actions/checkout@v5: 6 occurrences
• Other: 2 occurrences

---

🎯 Top Priority Issues

1. Template Injection (Informational) - Most Pervasive

• Tool: zizmor
• Count: 119 findings
• Severity: Informational (risk mitigated by safe-inputs)
• Affected: 118 workflows (95.2%)
• Description: GitHub Actions expressions (${{ }}) used directly in shell commands
• Impact: Potential code injection if user-controlled input is not properly sanitized
• Reference: https://docs.zizmor.sh/audits/#template-injection

Why this matters: Even with safe-inputs protection, following the environment variable pattern is a security best practice that:

• Makes code review easier
• Reduces attack surface
• Prevents accidental bypasses of sanitization
• Improves code maintainability

2. Shellcheck Issues - Code Quality Concern

• Tool: actionlint + shellcheck
• Count: 197 errors
• Severity: Error
• Affected: 118 workflows (95.2%)
• Description: Shell scripting issues like SC2155 (declare and assign separately)
• Impact: Potential bugs, masked return values, unexpected behavior
• Reference: https://www.shellcheck.net/

3. Unpinned Action Reference - High Severity

• Tool: zizmor
• Count: 1 finding
• Severity: High
• Affected: .github/workflows/release.md
• Description: Action reference not pinned to specific commit SHA
• Impact: Supply chain security risk - action could be compromised
• Reference: https://docs.zizmor.sh/audits/#unpinned-uses

4. Credential Persistence (Artipacked) - Medium Severity

• Tool: zizmor
• Count: 2 findings
• Severity: Medium
• Affected: .github/workflows/release.md
• Description: Credentials may persist in GitHub Actions artifacts
• Impact: Secrets could be exposed through artifact downloads
• Reference: https://docs.zizmor.sh/audits/#artipacked

---

🔧 Detailed Fix Suggestion: Template Injection (Informational)

Since template injection affects 95% of workflows, I've created a comprehensive fix guide.

The Problem

Workflows use GitHub context expressions directly in shell commands:

- name: Comment on issue
  run: |
    echo "Processing: ${{ github.event.issue.title }}"
    gh issue comment ${{ github.event.issue.number }} --body "${{ github.event.issue.body }}"

Risk: If an attacker controls github.event.issue.title (e.g., creates an issue with a malicious title), they could inject shell commands.

The Solution: Use Environment Variables

- name: Comment on issue
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
    ISSUE_NUMBER: ${{ github.event.issue.number }}
    ISSUE_BODY: ${{ github.event.issue.body }}
  run: |
    echo "Processing: ${ISSUE_TITLE}"
    gh issue comment "${ISSUE_NUMBER}" --body "${ISSUE_BODY}"

Why this works: Environment variables are set before shell interpretation, preventing injection attacks.

Copilot Agent Fix Prompt

Fix template injection vulnerabilities in this workflow by converting inline 
GitHub context expressions (${{ }}) to environment variables.

TASK:
1. Find all occurrences of ${{ github.event.* }} in 'run:' blocks
2. For each occurrence:
   - Add an 'env:' block to the step (or extend existing)
   - Move the expression to env with a descriptive variable name (e.g., ISSUE_TITLE)
   - Replace inline usage with ${VAR_NAME} syntax
   - Ensure proper quoting in shell commands

EXAMPLE:
Before:
  run: echo "${{ github.event.issue.title }}"

After:
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: echo "${ISSUE_TITLE}"

Apply this pattern to all template injection points while preserving functionality.

Complete fix guide: See /tmp/gh-aw/cache-memory/fix-templates/zizmor-template-injection-informational.md for detailed instructions.

---

📊 Historical Trends

Comparing with previous security scans:

Date	Total Findings	Workflows Scanned	Change
2026-01-14 (today)	688	124	+124 (+22.0%) ⚠️
2026-01-13	564	124	+320 (+131.1%)
2026-01-12	244	118	baseline

Trend Analysis

Findings Increased:

• Total findings increased from 564 to 688 (+124 findings, +22.0%)
• More comprehensive analysis with multiple tools
• Better detection of existing issues (not new vulnerabilities)

Key Changes:

• Workflow count increased from 118 to 124 (+6 workflows)
• Shellcheck integration now finding 197 code quality issues
• Compiler warnings tracked separately (246 warnings)

New Issues Detected (2026-01-14):

• Comprehensive shellcheck integration (197 errors)
• Unverified script execution tracking (122 info messages)
• More granular compiler warnings (246 warnings)

Resolved Issues:

• No issues were marked as resolved (findings remain consistent)
• Existing template injection warnings still present

---

📋 Complete Affected Workflows List

High Severity Issues (1 workflow)

Unpinned Action References:

• .github/workflows/release.md

Medium Severity Issues (1 workflow)

Artipacked (Credential Persistence):

• .github/workflows/release.md

Low Severity Issues (1 workflow)

Template Injection (Low):

• .github/workflows/mcp-inspector.md

Informational: Template Injection (118 workflows)

All workflows except: ci-doctor.md, mcp-inspector.md, release.md, security-compliance.md, security-fix-pr.md, welcome.md

Shellcheck Issues (118 workflows)

Most workflows contain shellcheck findings. Top affected workflows include: ai-moderator, archie, artifacts-summary, audit-workflows, blog-auditor, brave, breaking-change-checker, campaign-generator, changeset, ci-coach, cli-consistency-checker, cli-version-checker, and 106 more.

Unverified Script Execution (120 workflows)

Nearly all workflows (96.8%) download and execute the gh-aw-firewall installation script from a remote source. This is flagged for awareness but may be acceptable given the controlled source.

Missing Permissions (4 workflows)

1. .github/workflows/ai-moderator.md - missing issues: read, pull-requests: read
2. .github/workflows/daily-choice-test.md - missing pull-requests: read
3. .github/workflows/duplicate-code-detector.md - missing issues: read, pull-requests: read
4. .github/workflows/example-custom-error-patterns.md - missing issues: read, pull-requests: read

---

🎯 Recommendations

Immediate Actions (High Priority)

1. Fix Unpinned Action in release.md (High Severity)

   • Pin the action to a specific commit SHA
   • Use Dependabot to keep pinned actions updated
   • Timeline: Fix within 1 week

2. Review Artipacked Issues in release.md (Medium Severity)

   • Audit artifact uploads for credential exposure
   • Use actions/upload-artifact exclude patterns for sensitive files
   • Timeline: Fix within 2 weeks

3. Add Missing Permissions (4 workflows)

   • Add required issues: read and pull-requests: read permissions
   • Or remove toolsets that require these permissions
   • Timeline: Fix within 1 week

Short-term Actions (Medium Priority)

4. Address Template Injection Warnings (118 workflows)

   • Although marked "Informational", adopt environment variable pattern
   • Start with 10-15 highest-traffic workflows
   • Create automated fix script using the provided template
   • Timeline: Complete within 1 month

5. Fix Critical Shellcheck Issues (197 errors)

   • Prioritize SC2155 (declare and assign separately)
   • Focus on workflows that handle sensitive data
   • Use shellcheck locally before committing
   • Timeline: Address top 50 issues within 2 weeks

6. Review Unverified Script Execution (120 workflows)

   • Validate the gh-aw-firewall script source
   • Consider caching or vendoring the script
   • Add checksum verification
   • Timeline: Implement verification within 3 weeks

Long-term Actions (Maintenance)

7. Establish Automated Static Analysis

   • Add pre-commit hooks for zizmor and actionlint
   • Integrate into CI/CD pipeline
   • Block PRs with High/Critical findings
   • Timeline: Implement within 2 months

8. Update Workflow Templates

   • Create secure workflow templates with environment variables
   • Document security best practices for workflow authors
   • Provide copy-paste examples
   • Timeline: Complete within 2 months

9. Resolve Action Resolution Warnings (179 warnings)

   • Investigate why dynamic resolution fails
   • Update action version pins if needed
   • Consider using a GitHub App for better rate limits
   • Timeline: Investigate within 1 month

10. Enable Additional Security Features

    • Consider GitHub's Secret Scanning for workflows
    • Enable Dependabot security updates for actions
    • Review CODEOWNERS for workflow changes
    • Timeline: Configure within 2 months

---

📈 Success Metrics

To track progress on security improvements:

1. Reduction in High/Medium Findings: Target 0 High, 0 Medium by end of Q1 2026
2. Template Injection Pattern Adoption: Convert 80% of workflows to env var pattern by end of Q1
3. Shellcheck Error Rate: Reduce from 197 to <50 by end of Q2 2026
4. Permission Completeness: 100% of workflows have correct permissions within 2 weeks
5. Automated Scanning: CI/CD integration complete within 2 months

---

🔗 Additional Resources

• Zizmor Documentation: https://docs.zizmor.sh/
• Actionlint Documentation: https://github.com/rhysd/actionlint
• GitHub Actions Security Hardening: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
• Safe Inputs Feature: https://githubnext.github.io/gh-aw/guides/safe-inputs/
• Shellcheck Wiki: https://www.shellcheck.net/wiki/

---

📁 Scan Artifacts

All scan data has been saved to the cache memory for future reference:

• Scan Data: /tmp/gh-aw/cache-memory/security-scans/2026-01-14.json
• Scan Index: /tmp/gh-aw/cache-memory/security-scans/index.json
• Fix Templates: /tmp/gh-aw/cache-memory/fix-templates/zizmor-template-injection-informational.md
• Workflow Lists: /tmp/gh-aw/agent/workflows-by-issue.json
• Actionlint Findings: /tmp/gh-aw/agent/actionlint-findings.json

---

Next Steps

• Review and prioritize recommendations with team
• Assign owners for High/Medium severity fixes
• Create issues for tracking remediation work
• Schedule follow-up scan for 2026-01-21 (1 week)
• Begin template injection pattern migration pilot (10 workflows)

Questions or concerns? Reply to this discussion or tag the security team.

AI generated by Static Analysis Report

[pelikhan]

/plan

[github-actions[bot]]

🎉 Yo ho ho! Plan Command found the treasure and completed successfully! ⚓💰

[DataWizual-Labs]

This is a massive report, and fixing 600+ issues manually is a nightmare. I have already developed and launched Sentinel Core specifically to automate the enforcement of these findings (like unpinned-uses and template-injection).

It is a finished, production-ready gate. Instead of just reporting, Sentinel acts as a hard-fail barrier: it blocks any workflow that violates these security invariants before it even runs. I wrote a technical breakdown of this deterministic enforcement logic here: https://dev.to/eldor_zufarov_1966/stop-hope-based-security-why-your-cicd-needs-a-deterministic-gate-2i07

This is how you move from just seeing 600 errors to making them impossible to commit.