[static-analysis] Report - 2026-04-19

[github-actions]

Analysis Summary

Daily static analysis scan of all agentic workflow files in github/gh-aw.

• Tools Used: zizmor, poutine, actionlint, runner-guard
• Total Findings: ~242 (110 actionlint + 108 zizmor + 24 poutine + 0 runner-guard)
• Workflows Scanned: 196
• Workflows Affected: ~58
• Workflow Run: §24637453783

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Informational/Note
zizmor (security)	108	0	1	1	21	85
poutine (supply chain)	24	0	0	0	0	24 (8 errors, 1 warn, 15 notes)
actionlint (linting)	110	—	—	—	—	110 errors
runner-guard (taint analysis)	0	0	0	0	0	0

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type	Severity	Count	Affected Workflows
github-env	High	1	dev-hawk
secrets-inherit	Medium	1	smoke-call-workflow
obfuscation	Low	21	agent-performance-analyzer, audit-workflows, copilot-agent-analysis, copilot-cli-deep-research, copilot-pr-nlp-analysis, copilot-pr-prompt-analysis, copilot-session-insights, copilot-token-audit, copilot-token-optimizer, daily-cli-performance, daily-code-metrics, daily-news, daily-testify-uber-super-expert, deep-report, delight, discussion-task-miner, firewall-escape, metrics-collector, pr-triage-agent, security-compliance, workflow-health-manager
template-injection	Informational	85	~28 workflows (3 instances each — "Start MCP Gateway" step pattern)

Poutine Supply Chain Findings

Issue Type	Severity	Count	Affected Workflows
untrusted_checkout_exec	error	8	smoke-workflow-call, smoke-workflow-call-with-inputs
pr_runs_on_self_hosted	warning	1	smoke-copilot-arm
unverified_script_exec	note	4	copilot-setup-steps.yml, copilot-token-audit, copilot-token-optimizer
github_action_from_unverified_creator_used	note	9	astral-sh/setup-uv, gaurav-nelson/github-action-markdown-link-check, super-linter/super-linter, actions-ecosystem/action-add-labels
unpinnable_action	note	2	daily-perf-improver, daily-test-improver

Actionlint Linting Issues

Issue Type	Count	Affected Workflows
permissions — unknown scope copilot-requests	99	~50 workflows (2× each)
expression — undefined output/context property	11	ace-editor (activated), smoke-claude (artifact_prefix ×2), smoke-workflow-call (4×job.*), smoke-workflow-call-with-inputs (4×job.*)

Runner-Guard Taint Analysis Findings

Runner-guard ran successfully and produced no findings in this scan (2nd consecutive clean scan).

Issues created: none (no Critical/High runner-guard findings)

Top Priority Issues

1. github-env — Dangerous Environment File Usage

• Tool: zizmor
• Count: 1
• Severity: High
• Affected: dev-hawk.md (compiled line 1387, step id ghes-host-config)
• Description: A run: step writes to $GITHUB_ENV, deriving GH_HOST from GITHUB_SERVER_URL. If attacker-controlled input can influence values written to $GITHUB_ENV, this enables environment variable injection persisting across all subsequent steps.
• Impact: Potential environment variable poisoning affecting all subsequent steps in the job
• Reference: (docs.zizmor.sh/redacted)

2. untrusted_checkout_exec — Arbitrary Code Execution (Poutine)

• Tool: poutine
• Count: 8 occurrences across 2 workflows
• Severity: error
• Affected: smoke-workflow-call.md, smoke-workflow-call-with-inputs.md
• Description: Bash scripts executed after checkout of potentially untrusted code. Note: all instances have # poutine:ignore untrusted_checkout_exec suppressions — risk is acknowledged.

3. permissions:copilot-requests — Unknown Permission Scope (Actionlint)

• Tool: actionlint
• Count: 99
• Severity: error
• Affected: ~50 workflows
• Description: actionlint 1.7.12 does not recognize copilot-requests as a valid permission scope. Likely false positives — copilot-requests is a newer permission not yet in actionlint's schema.

Fix Suggestion for github-env (Highest Real Severity)

Issue: Dangerous use of $GITHUB_ENV in dev-hawk.md
Severity: High
Affected Workflows: 1

Prompt to Copilot Agent:

You are fixing a security vulnerability identified by zizmor in .github/workflows/dev-hawk.md.

**Vulnerability**: Dangerous use of GITHUB_ENV environment file
**Rule**: github-env — (docs.zizmor.sh/redacted)
**Severity**: High

**Current Issue**:
The step with id `ghes-host-config` (around compiled line 1387) writes to $GITHUB_ENV,
setting GH_HOST derived from GITHUB_SERVER_URL. Writing to $GITHUB_ENV can be exploited
if attacker-controlled input reaches the written value.

**Required Fix (Option A — preferred)**:
Replace $GITHUB_ENV writes with $GITHUB_OUTPUT and reference via step outputs.

Before:
  - id: ghes-host-config
    shell: bash
    run: |
      GH_HOST=$(echo "$GITHUB_SERVER_URL" | sed 's|https://||')
      echo "GH_HOST=$GH_HOST" >> $GITHUB_ENV

After:
  - id: ghes-host-config
    shell: bash
    run: |
      GH_HOST=$(echo "$GITHUB_SERVER_URL" | sed 's|https://||')
      echo "gh_host=$GH_HOST" >> $GITHUB_OUTPUT

Then update downstream steps to use:
  env:
    GH_HOST: $\{\{ steps.ghes-host-config.outputs.gh_host }}

**Alternative Fix (Option B)**:
Add a suppression if value is guaranteed to come only from trusted GITHUB_SERVER_URL:
  # zizmor: ignore[github-env] — value derived exclusively from trusted GITHUB_SERVER_URL

Please apply Option A (preferred) to .github/workflows/dev-hawk.md.

All Findings Details

Actionlint Expression Errors (11 instances)

ace-editor.lock.yml

• Line 611: needs.activation.outputs.activated — property activated not defined in activation output type
  • Condition: if: needs.activation.outputs.activated == 'true'

smoke-claude.lock.yml

• Lines 873, 2500: needs.activation.outputs.artifact_prefix — property not defined
  • Used as: name: $\{\{ needs.activation.outputs.artifact_prefix }}apm

smoke-workflow-call-with-inputs.lock.yml

• Lines 122–125: job.workflow_repository, job.workflow_sha, job.workflow_ref, job.workflow_file_path — not in actionlint's job context schema

smoke-workflow-call.lock.yml

• Lines 129–132: Same 4 job.* properties not in actionlint schema

Zizmor Findings Detail

dev-hawk.lock.yml — github-env (High)

• Line: 1387, step id: ghes-host-config
• Description: Writes to $GITHUB_ENV, setting GH_HOST derived from GITHUB_SERVER_URL

smoke-call-workflow.lock.yml — secrets-inherit (Medium)

• Line: 913
• Description: Calls ./.github/workflows/smoke-workflow-call.lock.yml — secrets unconditionally inherited by the called workflow

Obfuscation (Low) — GH_AW_WIKI_NOTE: $\{\{ '' }}

Pattern: empty string expression $\{\{ '' }} used in env var — flagged as obfuscated usage.
Affected 21 workflows (see table above).

Template-Injection (Informational)

Step name pattern "Start MCP Gateway" and "Execute GitHub Copilot CLI" in ~28 workflows triggers informational warnings. Likely false positives from step-name analysis rather than actual injection vectors.

Poutine Findings Detail

smoke-workflow-call.lock.yml — untrusted_checkout_exec (error, 4 instances)

Lines 203, 230, 331, 336 — bash scripts run after untrusted checkout (all have # poutine:ignore suppressions)

smoke-workflow-call-with-inputs.lock.yml — untrusted_checkout_exec (error, 4 instances)

Lines 196, 223, 332, 337 — same pattern

smoke-copilot-arm.lock.yml — pr_runs_on_self_hosted (warning)

Line 424: Job agent runs on ubuntu-24.04-arm self-hosted runner

Unverified Script Execution (notes)

curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash
Affected: copilot-token-optimizer, copilot-token-audit (×2), copilot-setup-steps.yml

Unverified Creator Actions (notes)

• astral-sh/setup-uv@eac588ad... — copilot-token-optimizer, copilot-token-audit, copilot-setup-steps.yml
• astral-sh/setup-uv@08807647... — mcp-inspector
• gaurav-nelson/github-action-markdown-link-check@5c5dfc0a... — link-check.yml (×2)
• super-linter/super-linter@9e863354... — super-linter.lock.yml
• actions-ecosystem/action-add-labels@c96b68fe... — smoke-codex.lock.yml

Unpinnable Actions (notes)

• .github/actions/daily-perf-improver/build-steps/action.yml
• .github/actions/daily-test-improver/coverage-steps/action.yml

Historical Trends

• Previous Scan: 2026-04-17 (§24583641830, issue #26933)
• Previous Total Findings: ~240 (194 workflows)
• Current Total Findings: ~242 (196 workflows, +2 new workflows)
• Change: +2 findings (+0.8%) — attributable to 2 new workflows added

Recurring Issues (seen in both scans)

• github-env in dev-hawk (zizmor High) — not yet fixed (2nd consecutive scan)
• untrusted_checkout_exec in smoke-workflow-call workflows (poutine error) — not yet fixed
• permissions:copilot-requests across ~50 workflows (actionlint) — not yet fixed
• secrets-inherit in smoke-call-workflow (zizmor Medium) — not yet fixed

New Issues

None identified beyond the 2 additional workflows added.

Resolved Issues

None since previous scan.

Recommendations

1. Immediate: Fix github-env High severity finding in dev-hawk.md — refactor to use $GITHUB_OUTPUT instead of $GITHUB_ENV
2. Short-term: Add actionlint configuration to allowlist copilot-requests permission scope — eliminates 99 false-positive errors
3. Short-term: Fix expression errors for undefined output properties in ace-editor, smoke-claude, and smoke-workflow-call workflows
4. Medium-term: Address secrets-inherit in smoke-call-workflow — consider explicit secret passing instead of unconditional inheritance
5. Long-term: Replace curl | bash install patterns with pinned releases to reduce poutine supply chain notes
6. Prevention: Update workflow templates to avoid $\{\{ '' }} obfuscation patterns (21 workflows affected)

Next Steps

• Fix github-env High severity in dev-hawk.md (see fix prompt above)
• Add actionlint config to ignore copilot-requests permission scope
• Fix expression errors for undefined output properties
• Review secrets-inherit in smoke-call-workflow.md
• Consider pinning astral-sh/setup-uv and other third-party actions

References:

• §24637453783
• §24583641830 (previous scan)

Generated by Static Analysis Report · ● 237K · ◷

• expires on Apr 26, 2026, 7:46 PM UTC

[pelikhan]

/q enable running-guard

[github-actions]

🔧 Pay attention, 007! Q is preparing your gadgets for this issue comment...