Static Analysis Report - 2026-03-16

[github-actions[bot]]

Analysis Summary

Daily static analysis scan of 172 agentic workflows using three tools: zizmor (security), poutine (supply chain), and actionlint (linting). All 172 workflows compiled successfully with 0 errors. The most notable finding is the poutine untrusted_checkout_exec ERROR persisting for a second consecutive day in smoke test workflows — this requires attention.

• Tools Used: zizmor v0.9+, poutine, actionlint v1.7.11
• Workflows Scanned: 172 (−1 from yesterday)
• Total Raw Findings: 3,784 (zizmor: 3,724 · poutine: 18 · actionlint: 42)
• Compilation Warnings: 38 (−2 from yesterday)
• Run: §23131351651

Findings by Tool

Tool	Total	Critical	High	Error	Warning	Medium	Low	Info/Note
zizmor (security)	3,724	—	—	—	—	3,701	20	3
poutine (supply chain)	18	—	—	6 ⚠️	1	—	—	11
actionlint (linting)	42	—	—	42	—	—	—	—

Delta vs Yesterday (2026-03-15)

Metric	Yesterday	Today	Change
Workflows	173	172	−1
Actionlint	43	42	✅ −1 (workflow-call error resolved)
Zizmor raw	3,744	3,724	−20 (proportional)
Poutine	18	18	⚠️ 0 (untrusted_checkout_exec unresolved, day 2)
Compiler warnings	40	38	−2

---

Clustered Findings by Tool and Type

Zizmor Security Findings (3,724 raw, 4 unique types)

Issue Type	Severity	Count	Affected
secrets-outside-env	Medium	~3,700	172 workflows (all)
artipacked	Medium	1	daily-copilot-token-report
obfuscation	Low	20	20 workflows
template-injection	Informational	3	contribution-check

Poutine Supply Chain Findings (18 raw, 5 rule types)

Rule	Severity	Count	Affected Workflows
untrusted_checkout_exec	ERROR	6	smoke-workflow-call, smoke-workflow-call-with-inputs
pr_runs_on_self_hosted	Warning	1	smoke-copilot-arm
github_action_from_unverified_creator_used	Note	7	copilot-setup-steps, daily-copilot-token-report, mcp-inspector, link-check (×2), super-linter, vet
unverified_script_exec	Note	2	copilot-setup-steps, daily-copilot-token-report
unpinnable_action	Note	2	daily-perf-improver/build-steps, daily-test-improver/coverage-steps

Actionlint Linting Issues (42 errors)

Rule	Count	Affected Workflows	Notes
permissions	40	~40 Copilot workflows	⚠️ Known false positive: copilot-requests is a valid GitHub Copilot permission scope
expression	1	ace-editor (line 527)	needs.activation.outputs.activated property undefined
shellcheck (SC2129)	1	release (line 1277)	Style: use { cmd1; cmd2; } >> file instead of individual redirects

---

Top Priority Issues

1. 🔴 Poutine: untrusted_checkout_exec (ERROR) — Day 2 Unresolved

• Tool: poutine
• Count: 6 findings across 2 workflows
• Severity: ERROR (highest poutine severity)
• Affected: smoke-workflow-call.lock.yml (lines 173, 274, 278), smoke-workflow-call-with-inputs.lock.yml (lines 170, 274, 278)
• Description: These workflows checkout potentially untrusted code and then execute bash scripts. Poutine detects this as arbitrary code execution risk — a malicious PR author could inject code into the checked-out branch that executes during the workflow run.
• Impact: A threat actor submitting a PR to this repository could execute arbitrary code on the Actions runner if these workflows trigger on PR events.
• Reference: (docs.poutine.sh/redacted)

2. 🟡 Zizmor: secrets-outside-env (Medium) — Systemic, All Workflows

• Tool: zizmor
• Count: ~3,700 raw across 172 workflows
• Severity: Medium
• Description: GitHub Actions secrets are referenced directly in run: steps rather than being passed via a dedicated env: block. This pattern can expose secrets in logs, error messages, or to downstream steps that shouldn't access them.
• Reference: (docs.zizmor.sh/redacted)
• Note: This is a systemic pattern in gh-aw workflows by design (secrets passed via platform environment variables). The count is high but largely a systematic pattern, not individual workflow bugs.

3. 🟡 Actionlint: expression in ace-editor (Error)

• Tool: actionlint
• Location: ace-editor.lock.yml:527:9
• Description: needs.activation.outputs.activated — property activated not defined in the output type of the activation job.
• Impact: This may cause the post_ace_link job to never run, or run unconditionally.

---

Fix Suggestion for untrusted_checkout_exec (Top Priority)

Issue: Arbitrary code execution from untrusted PR code in smoke workflows
Severity: ERROR
Affected Workflows: 2 workflows (6 poutine findings)

Prompt to Copilot Agent:

You are fixing a security vulnerability identified by poutine in GitHub Actions workflows.

**Vulnerability**: untrusted_checkout_exec
**Rule**: (docs.poutine.sh/redacted)

**Affected workflows**:
- .github/workflows/smoke-workflow-call.md
- .github/workflows/smoke-workflow-call-with-inputs.md

**Current Issue**:
These workflows check out code (potentially from untrusted PRs) and then immediately execute
bash scripts from the checked-out repository. If a malicious PR modifies scripts under
/opt/gh-aw/actions/, those scripts would execute with full runner permissions.

Poutine is flagging the `bash` invocations at:
- smoke-workflow-call: lines 173, 274, 278 in the compiled lock file
- smoke-workflow-call-with-inputs: lines 170, 274, 278 in the compiled lock file

**Required Fix Options** (choose one based on workflow intent):

Option A - If the workflow should only run on trusted code (not on PRs from forks):
Add a permission check or trigger guard to prevent execution on untrusted PRs:
```yaml
on:
  push:
    branches: [main]
  workflow_call:  # only allow trusted callers
# Remove pull_request triggers or add:
  pull_request:
    types: [opened, synchronize]
# Add job condition:
    if: github.event.pull_request.head.repo.full_name == github.repository

Option B - Separate trusted and untrusted code execution:
Run the checkout and bash scripts in separate jobs where the bash job does NOT
have access to the checked-out untrusted code.

Option C - Use actions/checkout with persist-credentials: false and avoid
running scripts from the checkout directory on untrusted code.

Example pattern (Option A):

Before:

jobs:
  activation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@...
      - run: bash /opt/gh-aw/actions/create_prompt_first.sh

After (with trust gate):

jobs:
  activation:
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@...
      - run: bash /opt/gh-aw/actions/create_prompt_first.sh

Please review these two workflow files and apply the appropriate fix based on their
actual triggers and intended use case.

---

### All Findings Details

<details>
<summary><b>Poutine Findings — Full Detail</b></summary>

#### `smoke-workflow-call` — untrusted_checkout_exec (×3)
- Line 173: `run: | bash /opt/gh-aw/actions/create_prompt_first.sh`
- Line 274: `run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh`
- Line 278: `run: bash /opt/gh-aw/actions/print_prompt_summary.sh`

#### `smoke-workflow-call-with-inputs` — untrusted_checkout_exec (×3)
- Line 170: `run: | bash /opt/gh-aw/actions/create_prompt_first.sh`
- Line 274: `run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh`
- Line 278: `run: bash /opt/gh-aw/actions/print_prompt_summary.sh`

#### `smoke-copilot-arm` — pr_runs_on_self_hosted (×1)
- Line 318: `runs-on: ubuntu-24.04-arm` in PR-triggered job

#### `github_action_from_unverified_creator_used` (×7)
| Location | Action |
|----------|--------|
| `copilot-setup-steps.yml:42` | `astral-sh/setup-uv@eac588ad...` |
| `daily-copilot-token-report.lock.yml:336` | `astral-sh/setup-uv@eac588ad...` |
| `mcp-inspector.lock.yml:394` | `astral-sh/setup-uv@e06108dd...` |
| `link-check.yml:35` | `gaurav-nelson/github-action-markdown-link-check@5c5dfc0a...` |
| `link-check.yml:43` | `gaurav-nelson/github-action-markdown-link-check@5c5dfc0a...` |
| `super-linter.lock.yml:1208` | `super-linter/super-linter@61abc07d...` |
| `vet.yml:25` | `safedep/vet-action@v1` ⚠️ (not SHA-pinned) |

#### `unverified_script_exec` (×2)
- `copilot-setup-steps.yml:17`: `curl -fsSL https://raw.githubusercontent.com/.../install-gh-aw.sh | bash`
- `daily-copilot-token-report.lock.yml:324`: same install script

</details>

<details>
<summary><b>Actionlint Findings — Full Detail</b></summary>

#### `ace-editor.lock.yml:527:9` — expression error
```yaml
# needs.activation.outputs.activated is not defined in output type
if: needs.activation.outputs.activated == 'true'

The activation job does not declare activated as an output. The output may be named differently in the lock file.

release.lock.yml:1277:9 — shellcheck SC2129

# Current (multiple individual redirects):
echo "## Manual Sync Actions Required" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"

# Suggested fix:
{
  echo "## Manual Sync Actions Required"
  echo ""
} >> "$GITHUB_STEP_SUMMARY"

permissions errors (×40) — Known false positive

All Copilot-engine workflows include copilot-requests: write permission. actionlint v1.7.11 does not recognize this as a valid permission scope, but it is a valid GitHub Copilot API permission. No action required.

Zizmor: obfuscation findings (Low, ×20)

Pattern: GH_AW_WIKI_NOTE: $\{\{ '' }} at column 32 — using $\{\{ '' }} as an empty string expression rather than a plain empty string. Affects 20 workflows:

agent-performance-analyzer, audit-workflows, copilot-agent-analysis, copilot-cli-deep-research, copilot-pr-nlp-analysis, copilot-pr-prompt-analysis, copilot-session-insights, daily-cli-performance, daily-code-metrics, daily-copilot-token-report, daily-news, daily-testify-uber-super-expert, deep-report, delight, discussion-task-miner, firewall-escape, metrics-collector, pr-triage-agent, security-compliance, workflow-health-manager

Fix: Replace $\{\{ '' }} with an empty string "" or omit the env var if unused.

---

Historical Trends

Date	Workflows	Actionlint	Zizmor (raw)	Poutine	Compiler Warnings
2026-03-08	166	41	4	9	25
2026-03-09	166	41	3,545 ⚠️	9	25
2026-03-10	166	41	3,565	9	25
2026-03-11	166	41	3,565	12	25
2026-03-14	174	43	3,746	12	40
2026-03-15	173	43	3,744	18 🔴	40
2026-03-16	172	42 ✅	3,724	18 ⚠️	38

Key Events:

• 2026-03-09: Major zizmor increase — secrets-outside-env audit added (~3,541 new raw findings)
• 2026-03-14: +8 workflows; 2 new actionlint rule types; +15 compiler warnings
• 2026-03-15: NEW CRITICAL — poutine untrusted_checkout_exec (ERROR) appeared in smoke workflows
• 2026-03-16: untrusted_checkout_exec still unresolved (day 2); workflow-call actionlint error resolved

---

Recommendations

1. Immediate (P0): Investigate and fix untrusted_checkout_exec in smoke-workflow-call.md and smoke-workflow-call-with-inputs.md — these are ERROR-severity poutine findings now entering their second day unresolved.
2. Short-term (P1): Fix expression error in ace-editor.lock.yml:527 — the activated output property may be missing from the job definition.
3. Short-term (P1): Fix shellcheck SC2129 in release.lock.yml:1277 — consolidate multiple >> redirects.
4. Medium-term (P2): Consider pinning safedep/vet-action@v1 to a SHA for supply chain safety (currently the only non-SHA-pinned action among poutine findings).
5. Long-term (P3): The 3,700+ secrets-outside-env findings are systemic to the gh-aw workflow pattern. Evaluate whether adding environment: blocks to agent jobs would reduce exposure.
6. Hygiene: Replace $\{\{ '' }} obfuscation patterns with plain empty strings across the 20 affected workflows.

Next Steps

• Fix untrusted_checkout_exec in smoke-workflow-call workflows (use fix suggestion prompt above with Copilot)
• Fix ace-editor expression error for activated output
• Fix release SC2129 shellcheck style issue
• Pin safedep/vet-action to SHA
• Assess whether to suppress copilot-requests permission false positives in actionlint config

References:

• §23131351651 — today's workflow run
• §23105049532 — yesterday's run (poutine untrusted_checkout_exec first appeared)
• (docs.poutine.sh/redacted)

AI generated by Static Analysis Report · history

• expires on Mar 17, 2026, 6:52 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Static Analysis Report.

A newer discussion is available at Discussion #21350.