Skip to content

[static-analysis] Report - 2026-07-06 #43713

Description

@github-actions

🔍 Static Analysis Report - 2026-07-06

Analysis Summary

  • Tools Used: zizmor, poutine, actionlint, runner-guard
  • Total Findings: 940 (zizmor 548 · poutine 22 · actionlint 37 · runner-guard 333)
  • Workflows Scanned: 258 — compiled 0 error(s), 185 warning(s)
  • Workflows Affected: ~197 (dominated by informational/low zizmor advisories)

Findings by Tool

Tool Total Critical High Medium Low Info
zizmor (security) 548 0 0 0 289 259
poutine (supply chain) 22 0 0 1 10 (error) 11 (note)
actionlint (linting) 37 - - - - 37 (shellcheck)
runner-guard (taint) 333 0 322 11 - -

No new issues today. All Critical/High runner-guard findings map to rule+file combinations already filed and closed in prior runs; per policy issue #31043, refiling closed RGS-* classes is the duplicate anti-pattern.

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type Severity Count Notes
template-injection Informational (258) / Low (4) 262 ${{ }} expansion in run: blocks of generated lock files
adhoc-packages Low 255 ad-hoc npm/pip/go install in setup steps
obfuscation Low 30 # poutine:ignore comment lines flagged as obfuscated usage
superfluous-actions Informational 1 redundant action reference

Poutine Supply Chain Findings

Issue Type Severity Count Affected Workflows
untrusted_checkout_exec error 10 smoke-workflow-call, smoke-workflow-call-with-inputs (all carry # poutine:ignore)
github_action_from_unverified_creator_used note 8 copilot-setup-steps, smoke-codex, mcp-inspector, link-check, dataflow-pr-discussion-dataset, hippo-embed, super-linter
unverified_script_exec note 3 daily-byok-ollama-test (ollama), copilot-setup-steps (gh-aw), smoke-codex (trufflehog)
pr_runs_on_self_hosted warning 1 smoke-copilot-arm (ubuntu-24.04-arm)

Actionlint Linting Issues (37, all shellcheck)

Code Count Meaning
SC2016 21 single quotes prevent $ expansion (usually intentional)
SC2038 6 find -print piped to xargs — use -print0
SC2086 5 unquoted variable — word splitting/globbing
SC2034 2 variable assigned but unused
SC2188 / SC2129 / SC2005 1 each redirect without command / repeated redirects / useless echo

29 lock files affected (agent-performance-analyzer, audit-workflows, ci-coach, daily-*, portfolio-analyst, pr-triage-agent, etc.).

Runner-Guard Taint Analysis Findings

Rule Name Severity Count Affected
RGS-004 Comment-Triggered Workflow Without Author Authorization Check High 305 q, dev-hawk, ai-moderator
RGS-012 Secret Exfiltration via Outbound HTTP Request High 11 daily-model-inventory, daily-byok-ollama-test, visual-regression-checker, docs-noob-tester, daily-multi-device-docs-tester
RGS-018 Suspicious Payload Execution Pattern High 6 smoke-codex, smoke-claude, daily-sentrux-report, daily-cli-performance, daily-byok-ollama-test, copilot-setup-steps
RGS-005 Excessive Permissions on Untrusted Trigger Medium 8 ai-moderator, q, agentic_commands
RGS-019 Step Output Interpolated in run Block Medium 2 windows-cli-integration, error-message-lint
RGS-007 Unpinned Third-Party Action Medium 1 publish-safe-outputs-node

Issues created: none (dedup — see Runner-Guard Analysis below).

Runner-Guard Analysis

All Critical/High runner-guard findings are stable, recurring, and already tracked:

Per #31043, refiling these closed rule+file combinations daily is the exact duplicate anti-pattern to avoid. Every current high-severity finding has a matching closed issue for its rule class + file → skipped. No open duplicates existed to comment on. 0 new issues created (limit 3).

Fix Suggestion for RGS-018 (Suspicious Payload Execution — curl | sh installers)

Issue: Piping a remotely fetched script directly into a shell (curl -fsSL ... | sh) gives an upstream host, or anyone who can MITM the download, arbitrary code execution on the runner with access to job secrets.
Severity: High · Affected: 6 workflows (all pre-existing/tracked)

Prompt to Copilot Agent:

You are fixing a security finding (runner-guard RGS-018: Suspicious Payload Execution Pattern).

Vulnerability: A workflow `run:` step pipes a network-fetched script straight into a
shell interpreter (curl ... | sh / | bash). This is unpinned remote code execution on a
runner that holds secrets.

Required Fix (apply the strongest option that works for each tool):
1. Pin to an integrity-verified artifact: download to a file, verify a known SHA-256
   checksum (or minisign/cosign signature), then execute only on match.
2. Prefer a version-pinned GitHub Action from a verified publisher over the installer script.
3. If a vendor installer must be used, pin it to an immutable tag/commit and download +
   inspect + checksum before running — never pipe the raw stream into a shell.

Example — Before:
    - name: Install Ollama
      run: curl -fsSL (ollama.com/redacted) | sh

Example — After:
    - name: Install Ollama
      run: |
        curl -fsSL (ollama.com/redacted) -o /tmp/ollama-install.sh
        echo "<known-sha256>  /tmp/ollama-install.sh" | sha256sum -c -
        sh /tmp/ollama-install.sh

Apply to: daily-byok-ollama-test, smoke-codex (trufflehog), copilot-setup-steps (gh-aw
installer), and review daily-cli-performance / daily-sentrux-report / smoke-claude.
Note: several of these are source .md workflows whose .lock.yml is generated — fix the
source and recompile, do not edit lock files directly.

Historical Trends

Date zizmor poutine actionlint runner-guard
2026-07-03 553 22 40 333
2026-07-04 553 22 40 333
2026-07-05 552 22 40 333
2026-07-06 548 22 37 333
  • zizmor: 552 → 548 (−4) — minor drop in template-injection/adhoc-packages advisories.
  • actionlint: 40 → 37 (−3) — the 3 expression errors present yesterday are resolved; only shellcheck remains.
  • poutine / runner-guard: unchanged.
  • New issue types: none. Resolved: actionlint expression (undefined-property) errors.
Detailed high-severity locations
  • ai-moderator.lock.yml — RGS-004 at lines 1553/1560/1569/1586 (+more); RGS-005 at line 1 (write perms on comment trigger).
  • dev-hawk.lock.yml — RGS-004 at lines 120/128 (+more).
  • smoke-codex.lock.yml — RGS-018 at line 2416 (trufflehog installer); poutine unverified_script_exec at 2418.
  • daily-byok-ollama-test.lock.yml — RGS-018 at 450 + RGS-012; poutine unverified_script_exec at 451 (ollama installer).
  • copilot-setup-steps.yml — RGS-018 at 16 (gh-aw installer); poutine unverified creator (astral-sh/setup-uv) at 43.
  • poutine untrusted_checkout_exec (×10) all in smoke-workflow-call{,-with-inputs}.lock.yml and already carry # poutine:ignore annotations.

Recommendations

  1. Immediate: No unaddressed Critical/High. Every high-severity runner-guard finding is a tracked false-positive or accepted-risk with a closed issue.
  2. Short-term: If RGS-018/RGS-012 noise is unwanted, add scoped # runner-guard:ignore annotations (as already done for poutine untrusted_checkout_exec) at the known installer/telemetry sites so they stop surfacing.
  3. Structural: Consider teaching runner-guard about gh-aw's centralized activation auth gate to eliminate the 305 RGS-004 false positives, or suppress RGS-004 for gh-aw-generated lock files.
  4. Long-term: Keep static analysis in CI (already active); address the low-value shellcheck SC2038/SC2086 items opportunistically in source .md templates.

Next Steps

References:

Generated by 📊 Static Analysis Report · 193.6 AIC · ⌖ 11 AIC · ⊞ 10K ·

  • expires on Jul 12, 2026, 10:21 PM UTC-08:00

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions