Skip to content

[static-analysis] Report - 2026-06-24Β #41170

Description

@github-actions

πŸ” Static Analysis Report β€” 2026-06-24

Analysis Summary

  • Tools Used: zizmor, poutine, actionlint, runner-guard
  • Workflows Scanned: 251
  • Total Findings: 1,371 (zizmor 550 Β· poutine 20 Β· actionlint 469 Β· runner-guard 332)
  • New GitHub issues created: 0 (all high-severity runner-guard rule+file combos already tracked by closed issues β€” see Runner-Guard section)

Findings by Tool

Tool Total Critical High Medium Low Info
zizmor (security) 550 0 0 1 279 270
poutine (supply chain) 20 0 8 err 1 warn β€” 11 note
actionlint (linting) 469 β€” β€” β€” β€” β€”
runner-guard (taint) 332 0 318 14 0 0

No Critical findings from any tool. zizmor High has been 0 for 7 consecutive days. Runner-guard "high" volume is dominated by RGS-004 (302) concentrated in 3 comment-triggered workflows.

Clustered Findings by Tool and Type

Zizmor Security Findings

Issue Type Severity Count Notes
template-injection Informational 269 gh-aw step-name ${{ }} expansion β€” by design
adhoc-packages Low 246 CLI/agent installs (npm i -g, binaries) β€” by design
obfuscation Low 29 ${{ '' }} empty-string placeholders in generated env
template-injection Low 4 β€”
excessive-permissions Medium 1 only remaining Medium
superfluous-actions Informational 1 β€”

Poutine Supply Chain Findings

Issue Type Level Count Affected
untrusted_checkout_exec error 8 smoke-workflow-call.lock.yml, smoke-workflow-call-with-inputs.lock.yml β€” all carry poutine:ignore (known FPs)
github_action_from_unverified_creator_used note 8 astral-sh/setup-uv, safedep/pmg, super-linter, actions-ecosystem, gaurav-nelson
unverified_script_exec note 3 trufflehog, ollama, gh-aw installer (curl | sh)
pr_runs_on_self_hosted warning 1 smoke-copilot-arm.lock.yml (ubuntu-24.04-arm)

Actionlint Linting Issues

Issue Type Count Notes
syntax-check 415 False positive β€” bundled actionlint rejects gh-aw queue: concurrency extension; affects all 251 lock files
shellcheck 34 mostly SC2016 (expressions in single quotes)
expression 19 gh-aw generated output-prop refs (activation, pre_activation, activated, ...)
permissions 1 vulnerability-alerts unknown scope

Runner-Guard Taint Analysis Findings

Rule Name Severity Count Affected Workflows
RGS-004 Comment-Triggered Workflow Without Author Authorization Check high 302 q.lock.yml (121), dev-hawk.lock.yml (92), ai-moderator.lock.yml (89)
RGS-012 Secret Exfiltration via Outbound HTTP Request high 10 daily-model-inventory (4), daily-byok-ollama-test (2), visual-regression-checker (2), docs-noob-tester (1), daily-multi-device-docs-tester (1)
RGS-018 Suspicious Payload Execution Pattern high 6 smoke-codex, smoke-claude, daily-sentrux-report, daily-cli-performance, daily-byok-ollama-test
RGS-005 Excessive Permissions on Untrusted Trigger medium 8 ai-moderator (4), q (3), agentic_commands.yml (1)
RGS-007 Unpinned Third-Party Action Using Mutable Tag medium 4 publish-safe-outputs-node.yml (3), aoai-endpoint-smoke-test.yml (1)
RGS-019 Step Output Interpolated in run Block medium 2 error-message-lint.yml, windows-cli-integration.yml

Issues created: none.

Dedup result: All high-severity runner-guard rule+file combinations (RGS-004, RGS-012, RGS-018) already map to closed GitHub issues β€” verified this run via gh api search/issues:

Per the dedup policy (a closed issue for the same rule + file β‡’ skip; do not recreate), 0 new issues are created and 0 comments are added. The only open [static-analysis] issue is #40977 (yesterday's daily report). RGS-005/007/019 are Medium severity and below the issue-creation threshold (Critical/High only).

Top Priority Issue

RGS-004 β€” Comment-Triggered Workflow Without Author Authorization Check

  • Tool: runner-guard Β· Severity: high Β· Count: 302 (94% of runner-guard high volume)
  • Affected: q.lock.yml, dev-hawk.lock.yml, ai-moderator.lock.yml
  • Description: Workflows triggered by issue_comment / pull_request_review_comment / workflow_run that access secrets or have write permissions without verifying github.event.comment.author_association.
  • Impact: Any external user could trigger privileged operations by commenting β€” if the guard were missing.
  • Status: These three workflows do include author_association gating in their pre_activation jobs (see closed fix fix(rgs-004): add author_association guard to pre_activation jobs for comment-triggered workflowsΒ #29481); runner-guard flags every run: block in the lock file rather than recognising the centralized upstream guard. Tracked + reviewed + closed repeatedly. Treated as a known low-actionability pattern.

Fix Suggestion β€” RGS-007 (genuinely actionable, hand-authored files)

Selected because it is a real fix on source .yml files (not generated lock files) and has no existing issue.

Issue: Third-party actions pinned to mutable tags. Severity: Medium. Affected: 2 workflows, 4 references.

Prompt to Copilot Agent:

You are fixing a supply-chain finding (RGS-007) from runner-guard.

Vulnerability: Third-party GitHub Actions are referenced by mutable tags. Mutable tags
(`@v2`, `@v4`.1.0, ...) can be force-pushed to a malicious commit at any time, so the workflow
may execute attacker code without review. Only full 40-char commit SHAs are immutable.

Pin each third-party action to its commit SHA, keeping the version as a trailing comment:
- .github/workflows/publish-safe-outputs-node.yml
    docker/login-action@v4.2.0        -> docker/login-action@<sha> # v4.2.0
    docker/setup-buildx-action@v4.1.0 -> docker/setup-buildx-action@<sha> # v4.1.0
- .github/workflows/aoai-endpoint-smoke-test.yml
    azure/login@v2                    -> azure/login@<sha> # v2

Resolve each SHA from the action's release tag
(`gh api repos/<owner>/<repo>/git/refs/tags/<tag>`), update the `uses:` lines,
change no behaviour, and re-run `gh aw compile` if any lock files are regenerated.

Example:
Before:  uses: docker/login-action@v4.2.0
After:   uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v4.2.0

Historical Trends

Tool 2026-06-23 2026-06-24 Ξ”
zizmor 570 550 βˆ’20
poutine 20 20 0
actionlint 467 469 +2
runner-guard 332 332 0
  • zizmor βˆ’20: adhoc-packages 262β†’246 (βˆ’16), template-injection (Info) 273β†’269 (βˆ’4). High remains 0 (7th straight day).
  • poutine flat: identical rule mix; untrusted_checkout_exec all poutine:ignore-annotated.
  • actionlint +2: syntax-check 413β†’415 (still the queue extension false positive on all lock files).
  • runner-guard flat: identical rule+file mix, zero new combos β†’ no new issues.

New issue types: none. Resolved issue types: none.

Recommendations

  1. Immediate: None outstanding β€” no Critical findings; all High runner-guard combos already triaged + closed.
  2. Short-term (genuinely actionable): Pin the 4 RGS-007 mutable-tag actions to SHAs (fix prompt above). Optional: review RGS-019 step-output interpolation in error-message-lint.yml and windows-cli-integration.yml.
  3. Tooling hygiene: Suppress the bundled-actionlint queue false positive (415 findings) β€” e.g. configure actionlint to recognise the gh-aw queue: concurrency extension β€” so real linting regressions are not buried.
  4. Long-term: Keep static analysis in CI; teach runner-guard about the centralized author_association guard to cut RGS-004 noise (302 findings) at source.

Next Steps

  • Apply RGS-007 SHA-pinning fix (2 workflows, 4 refs)
  • Configure actionlint to accept the gh-aw queue: concurrency key (clears 415 FPs)
  • Review RGS-019 step-output interpolation (2 source workflows)
  • No action required for RGS-004/012/018 β€” tracked + closed
Methodology & data provenance

Parsed from /tmp/gh-aw/agent/compile-output.txt (compile of 251 workflows with zizmor/poutine/actionlint/runner-guard). Counts extracted by rule + severity + affected file. Dedup performed live via gh api search/issues. Scan data persisted to cache-memory/security-scans/2026-06-24.json and index.json (33 scans tracked).

References:

Generated by πŸ“Š Static Analysis Report Β· 217.7 AIC Β· βŒ– 36 AIC Β· ⊞ 6.5K Β· β—·

  • expires on Jun 30, 2026, 10:10 PM UTC-08:00

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions