Static Analysis Report - 2026-03-17

[github-actions[bot]]

Analysis Summary

Daily static analysis scan of 172 workflows using zizmor, poutine, and actionlint. Today's scan identifies a new High severity finding (unpinned-uses in issue-monster) and notes that the critical untrusted_checkout_exec poutine finding remains unresolved for a third consecutive day.

• Tools Used: zizmor v?, poutine v?, actionlint 1.7.11
• Total Raw Findings: 3,816 (3,756 zizmor + 18 poutine + 42 actionlint)
• Workflows Scanned: 172
• Workflows Affected: 172 (zizmor), 5 (poutine), 3 (actionlint)
• New Issues: 1 (unpinned-uses High - issue-monster)
• Persisting Critical: poutine untrusted_checkout_exec day 3 unresolved

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info/Note
zizmor (security)	3,756	0	1	3,732	20	3
poutine (supply chain)	18	0	0	0 (6 error)	1 (warning)	11 (note)
actionlint (linting)	42	—	—	—	—	42 (error)
compiler	41	—	—	—	—	41 (warning)

---

🔴 New Issue Today

unpinned-uses (High) — issue-monster workflow

First detected: 2026-03-17
Location: issue-monster.lock.yml:1414
Code: uses: actions/github-script@v8
Reference: (docs.zizmor.sh/redacted)

The issue-monster workflow references actions/github-script using the mutable @v8 tag instead of a pinned SHA. If the tag is ever moved to a malicious commit, the workflow will silently execute attacker-controlled code with full access to the workflow's secrets and permissions.

---

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type	Severity	Count	Affected Workflows
secrets-outside-env	Medium	~3,730	All 172 workflows
artipacked	Medium	1	daily-copilot-token-report
secrets-inherit	Medium	1	smoke-call-workflow
unpinned-uses	High ⚠️ NEW	1	issue-monster
obfuscation	Low	20	20 workflows
template-injection	Informational	3	contribution-check

Poutine Supply Chain Findings

Issue Type	Severity	Count	Affected Workflows
untrusted_checkout_exec	Error 🔴 (day 3)	6	smoke-workflow-call, smoke-workflow-call-with-inputs
pr_runs_on_self_hosted	Warning	1	smoke-copilot-arm
github_action_from_unverified_creator_used	Note	7	link-check, mcp-inspector, super-linter, vet, copilot-setup-steps, daily-copilot-token-report
unverified_script_exec	Note	2	copilot-setup-steps, daily-copilot-token-report
unpinnable_action	Note	2	daily-perf-improver/build-steps, daily-test-improver/coverage-steps

Actionlint Linting Issues

Issue Type	Count	Severity	Affected Workflows	Notes
permissions	40	error	40 workflows	Known false positive: copilot-requests is a valid GitHub Copilot permission
expression	1	error	ace-editor	needs.activation.outputs.activated property type mismatch
shellcheck	1	error	release	SC2129: use { cmd1; cmd2; } >> file instead of individual redirects

---

Top Priority Issues

1. 🆕 unpinned-uses (High) — issue-monster

• Tool: zizmor
• Count: 1 (new today)
• Location: issue-monster.lock.yml:1414 — actions/github-script@v8
• Impact: Supply chain attack vector; mutable tag can be silently redirected to malicious code
• Reference: (docs.zizmor.sh/redacted)

2. 🔴 untrusted_checkout_exec (Error) — day 3 unresolved

• Tool: poutine
• Count: 6 findings in 2 workflows
• Affected: smoke-workflow-call, smoke-workflow-call-with-inputs
• Impact: Arbitrary code execution risk from untrusted PR branches running bash scripts
• Status: Introduced 2026-03-15, still unresolved after 3 days

3. secrets-outside-env (Medium) — systemic

• Tool: zizmor
• Count: ~3,730 across all 172 workflows
• Impact: Secrets exposed in workflow logs rather than protected environment variables
• Reference: (docs.zizmor.sh/redacted)

---

Fix Suggestion: unpinned-uses in issue-monster

Issue: actions/github-script@v8 used without SHA pin
Severity: High
Affected Workflows: 1 (issue-monster)

Prompt to Copilot Agent:

You are fixing a security vulnerability identified by zizmor in a GitHub Actions workflow.

**Vulnerability**: unpinned-uses — Unpinned action reference
**Rule**: (docs.zizmor.sh/redacted)
**Severity**: High
**Location**: `.github/workflows/issue-monster.md` (compiled line 1414)

**Current Issue**:
The workflow uses `actions/github-script@v8` — a mutable tag reference. If the `v8` tag is
reassigned (intentionally or via compromise), the workflow silently executes attacker-controlled
code with access to repository secrets and permissions.

**Required Fix**:
1. Look up the current commit SHA for `actions/github-script` tag `v8`:
   `gh api repos/actions/github-script/git/ref/tags/v8 --jq .object.sha`
2. In `.github/workflows/issue-monster.md`, find the step using `actions/github-script@v8`
3. Replace with the full SHA and add a version comment

**Example**:
Before:
```yaml
uses: actions/github-script@v8
```

After:
```yaml
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v8
```

Note: The `.lock.yml` is auto-generated from the `.md` source. Always edit the `.md` file.
After fixing, the workflow will be recompiled automatically on next run.

Please apply this fix to `.github/workflows/issue-monster.md`.

---

All Findings Details

issue-monster.lock.yml

• Line 1414: unpinned-uses (High) — actions/github-script@v8 not pinned to SHA
• Multiple lines: secrets-outside-env (Medium)

smoke-workflow-call.lock.yml

• Line 173: untrusted_checkout_exec (Error) — bash execution with untrusted checkout
• Line 275: untrusted_checkout_exec (Error)
• Line 279: untrusted_checkout_exec (Error)
• Line 846: secrets-inherit (Medium)

smoke-workflow-call-with-inputs.lock.yml

• Line 170: untrusted_checkout_exec (Error)
• Line 275: untrusted_checkout_exec (Error)
• Line 279: untrusted_checkout_exec (Error)

smoke-copilot-arm.lock.yml

• Line 319: pr_runs_on_self_hosted (Warning) — runs-on: ubuntu-24.04-arm

daily-copilot-token-report.lock.yml

• Line 308: artipacked (Medium) — credential persistence via artifact
• Line 325: unverified_script_exec (Note) — curl | bash from raw.githubusercontent.com
• Line 337: github_action_from_unverified_creator_used (Note) — astral-sh/setup-uv

contribution-check.lock.yml

• Lines 322, 330: template-injection (Informational) ×3

ace-editor.lock.yml

• Line 548: actionlint expression error — activated property not in output type

release.lock.yml

• Line 1277: actionlint shellcheck SC2129 — use grouped redirects

link-check.yml

• Lines 35, 43: github_action_from_unverified_creator_used (Note) — gaurav-nelson/github-action-markdown-link-check ×2

copilot-setup-steps.yml

• Line 17: unverified_script_exec (Note) — curl | bash
• Line 42: github_action_from_unverified_creator_used (Note) — astral-sh/setup-uv

super-linter.lock.yml

• Line 1087: github_action_from_unverified_creator_used (Note) — super-linter/super-linter

mcp-inspector.lock.yml

• Line 395: github_action_from_unverified_creator_used (Note) — astral-sh/setup-uv

vet.yml

• Line 25: github_action_from_unverified_creator_used (Note) — safedep/vet-action@v1

All other 161+ workflows

• secrets-outside-env (Medium) — secrets referenced without dedicated environment

---

Historical Trends

Date	Workflows	Actionlint	Zizmor Raw	Poutine Raw	Compiler ⚠️
2026-03-12	166	41	3,565	12	25
2026-03-14	174	43	3,746	12	40
2026-03-15	173	43	3,744	18 🔴	40
2026-03-16	172	42	3,724	18	38
2026-03-17	172	42	3,756 ⚠️	18 🔴	41

Notable changes since 2026-03-09 (when zizmor secrets-outside-env audit was introduced):

• Zizmor grew from 4 → 3,756 unique findings (secrets-outside-env across all 172 workflows)
• Poutine critical untrusted_checkout_exec appeared 2026-03-15 and remains unresolved (day 3)
• Today's new finding: unpinned-uses High in issue-monster (+1)

New Issues This Scan

• unpinned-uses (High) in issue-monster — actions/github-script@v8 (first seen today)

Still Unresolved Critical Issues

• poutine untrusted_checkout_exec (6 errors, day 3) — smoke-workflow-call, smoke-workflow-call-with-inputs

---

Recommendations

1. Immediate — Fix unpinned-uses (High) in issue-monster.md: pin actions/github-script@v8 to SHA
2. Immediate — Investigate and fix poutine untrusted_checkout_exec in smoke-workflow-call* (day 3 unresolved)
3. Short-term — Fix actionlint expression error in ace-editor (activated property type mismatch)
4. Short-term — Fix actionlint shellcheck SC2129 in release.lock.yml (grouped redirects)
5. Long-term — Address secrets-outside-env systematically across all 172 workflows (use dedicated env: blocks for secrets)
6. Ongoing — Review artipacked finding in daily-copilot-token-report (persist-credentials: false)

Next Steps

• Pin actions/github-script@v8 to SHA in issue-monster.md (see fix prompt above)
• Investigate smoke-workflow-call* untrusted_checkout_exec — consider adding pull-request trigger guards
• Review ace-editor.md for activated output type definition
• Audit PR-triggering workflows that run on self-hosted runners (smoke-copilot-arm)

References:

• §23181676878
• §23131351651 (previous scan, 2026-03-16)
• §23105049532 (2026-03-15, poutine critical introduced)

AI generated by Static Analysis Report · history

• expires on Mar 18, 2026, 6:42 AM UTC