🔍 Static Analysis Report - January 28, 2026

[github-actions[bot]]

Analysis Summary

Comprehensive static analysis completed on 141 workflows using three security and quality tools: actionlint, zizmor, and poutine.

• Total Findings: 755
• Tools Used: actionlint (linting), zizmor (security), poutine (supply chain)
• Workflows Scanned: 141
• Workflows Affected: 141 (100%)

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Workflows Affected
actionlint	487	-	27 (expression errors)	-	460	141
zizmor	126	-	-	-	126 (Low)	63
poutine	142	-	-	14 (warning)	128	70

Priority Classification

🔴 High Priority (27 findings)

Actionlint Expression Errors - Will cause workflow failures

• Missing create_pull_request job in dependency chain
• Affects 27 workflows
• Impact: Runtime failures, blocked automation

🟡 Medium Priority (14 findings)

Default Permissions on Risky Events - Security concern

• Using default write permissions on risky triggers
• Affects 14 workflows: cloclo, q, plan, brave, mergefest, pdf-summary, grumpy-reviewer, pr-nitpick-reviewer, archie, security-review, scout, ai-moderator, tidy, unbloat-docs
• Impact: Potential privilege escalation, violates least-privilege principle

🟢 Low Priority (714 findings)

• Shellcheck SC2129 (319): Style issue - redirect optimization
• Obfuscation warnings (126): Expected for agentic workflows
• Other linting issues (269): Code quality improvements

---

Top Issues by Type

1. Shellcheck SC2129 (319 occurrences)

Issue: Using multiple individual redirects instead of grouped redirects

Example:

# Current (triggers warning)
echo "line1" >> file
echo "line2" >> file
echo "line3" >> file

# Recommended
{
  echo "line1"
  echo "line2"
  echo "line3"
} >> file

Severity: Low (style issue, no functional impact)

Status: Acceptable - minor code quality improvement

---

2. Expression Errors (27 occurrences) 🔴

Issue: Property "create_pull_request" not defined in needs dependency chain

Example workflow locations:

• ci-coach.lock.yml:1604:40
• cloclo.lock.yml:1384:40
• code-scanning-fixer.lock.yml:1120:40
• code-simplifier.lock.yml:1259:40
• daily-doc-updater.lock.yml:1101:40

Severity: High - causes workflow failures

Impact: These workflows will fail when they attempt to reference needs.create_pull_request.outputs or needs.create_pull_request.result

View Detailed Fix Instructions

Fix Template: Actionlint Expression Errors

Problem: Workflows reference needs.create_pull_request but this job isn't in the needs: array.

Solution Options:

Option A: Add the missing dependency

jobs:
  update_cache_memory:
    needs: [activation, detection, agent, safe_outputs, create_pull_request]
    if: needs.create_pull_request.result == 'success'

Option B: Remove the invalid reference

jobs:
  update_cache_memory:
    needs: [activation, detection, agent, safe_outputs]
    # Remove condition that references create_pull_request

Option C: Use a different job's output

jobs:
  update_cache_memory:
    needs: [activation, detection, agent, safe_outputs]
    if: needs.agent.outputs.has_patch == 'true'

All 27 affected workflows:

1. ci-coach
2. cloclo
3. code-scanning-fixer
4. code-simplifier
5. daily-doc-updater
6. daily-workflow-updater
7. dependabot-bundler
8. developer-docs-consolidator
9. dictation-prompt
10. github-mcp-tools-report
11. issue-copilot-usage-analyzer
12. labeler
13. label-issues-guide
14. malicious-code-scanner
15. manager
16. merge-train-conductor
17. mirror-manager
18. new-repo-setup
19. package-updater
20. pr-context-analyzer
21. pr-polish
22. refactoring-coach
23. secret-prevention-educator
24. self-review
25. test-improver
26. unbloat-docs
27. unittest-runner

---

3. Default Permissions on Risky Events (14 occurrences) 🟡

Issue: Workflows use default (write) permissions with risky trigger events

Affected workflows:

1. cloclo
2. q
3. plan
4. brave
5. mergefest
6. pdf-summary
7. grumpy-reviewer
8. pr-nitpick-reviewer
9. archie
10. security-review
11. scout
12. ai-moderator
13. tidy
14. unbloat-docs

Severity: Medium - security concern

Risk: These workflows run on workflow_dispatch or issue_comment triggers with default write permissions, violating least-privilege principle.

View Security Fix Instructions

Fix Template: Default Permissions

Problem: Risky trigger events with default write permissions

Solution: Add explicit permissions in workflow frontmatter

For read-only agents (analysis, reports):

---
title: My Analyzer
permissions:
  contents: read
on:
  workflow_dispatch:
---

For comment-only agents (reviewers, moderators):

---
title: My Reviewer
permissions:
  contents: read
  issues: write
  pull-requests: write
on:
  workflow_dispatch:
  issue_comment:
---

For code-modifying agents (auto-fixers, updaters):

---
title: My Auto-fixer
permissions:
  contents: write
  pull-requests: write
on:
  workflow_dispatch:
---

Reference: GitHub Security Hardening Guide

---

4. Obfuscation Warnings (126 occurrences) 🟢

Issue: Dynamic command execution detected by zizmor

Affected: 63 workflows (all agentic workflows with dynamic agent output)

Severity: Low

Status: Expected and Acceptable ✅

Rationale:

• This is a core feature of gh-aw's agentic workflow pattern
• Agents generate dynamic commands at runtime
• Required for AI-driven automation flexibility

Mitigation: Runtime safety checks already in place via:

• Sandboxed execution environment
• Limited permissions scope
• Audit logging of agent commands
• Secret verification before execution

View Technical Context

Why Obfuscation is Expected in gh-aw

Agentic workflows intentionally use dynamic execution:

- name: Execute agent commands
  run: |
    ${{ needs.agent.outputs.bash_commands }}

This pattern enables:

• AI agents to generate contextual commands
• Flexible automation without hardcoded scripts
• Adaptive workflow behavior

Trade-offs:

• ✅ Enables agent flexibility
• ✅ Core feature of agentic workflows
• ⚠️ Reduces static auditability (accepted)
• ✅ Mitigated by runtime monitoring

Current safety measures:

1. Agent execution in sandboxed environment
2. Limited permissions (read-only for most agents)
3. Secret verification before sensitive operations
4. Audit logging of all agent commands
5. Firewall checks on agent output

---

Historical Trends

Comparison: 2026-01-26 vs 2026-01-28

Metric	Previous (Jan 26)	Current (Jan 28)	Change
Actionlint Total	0	487	+487
Zizmor Total	0	126	+126
Poutine Total	0	142	+142

Analysis:

• Previous scan (Jan 26) appears to have been incomplete or used different tooling
• Today's scan represents the first comprehensive multi-tool analysis
• Baseline established for future trend tracking

New Issue Types Identified:

• ✅ Expression errors (actionlint) - High priority
• ✅ Default permissions (poutine) - Medium priority
• ✅ Obfuscation warnings (zizmor) - Low priority, expected
• ✅ Shellcheck style issues - Low priority

---

Recommendations

Immediate Actions (This Week)

1. Fix Expression Errors (27 workflows) 🔴

   • These will cause runtime failures
   • Add create_pull_request to needs dependencies OR remove invalid references
   • Priority: Critical
   • Fix template: /tmp/gh-aw/cache-memory/fix-templates/actionlint-expression-errors.md

2. Add Explicit Permissions (14 workflows) 🟡

   • Security improvement per least-privilege principle
   • Add permissions: blocks to workflow frontmatter
   • Priority: High
   • Fix template: /tmp/gh-aw/cache-memory/fix-templates/poutine-default-permissions.md

Short-term Actions (Next 2 Weeks)

3. Review Shellcheck SC2129 Warnings

   • Optimize redirect patterns for code quality
   • Priority: Low
   • Impact: Code cleanliness, minor performance improvement

4. Document Obfuscation Trade-offs

   • Add documentation explaining why dynamic execution is intentional
   • Document safety measures in place
   • Priority: Low
   • Fix template: /tmp/gh-aw/cache-memory/fix-templates/zizmor-obfuscation.md

Long-term Actions

5. Integrate Static Analysis in CI

   • Add actionlint to pre-commit checks
   • Run zizmor and poutine on PR reviews
   • Fail CI on High severity issues

6. Enhance Compiler Validation

   • Add validation for needs dependency references
   • Warn on missing permissions for risky events
   • Auto-suggest permission blocks

---

Detailed Findings by Workflow

View Complete Workflow Findings

Note: Full detailed findings available in scan data file:
/tmp/gh-aw/cache-memory/security-scans/2026-01-28.json

Summary by severity:

• 🔴 High: 27 workflows with expression errors
• 🟡 Medium: 14 workflows with permission issues
• 🟢 Low: 141 workflows with style warnings

Most affected workflows (by total findings):

1. All 141 workflows have shellcheck SC2129 warnings
2. 63 workflows have obfuscation warnings (agentic workflows)
3. 27 workflows have expression errors
4. 14 workflows have permission warnings

---

Fix Templates and Resources

All fix templates saved to persistent cache:

1. Expression Errors: /tmp/gh-aw/cache-memory/fix-templates/actionlint-expression-errors.md
2. Default Permissions: /tmp/gh-aw/cache-memory/fix-templates/poutine-default-permissions.md
3. Obfuscation (Context): /tmp/gh-aw/cache-memory/fix-templates/zizmor-obfuscation.md

Scan Data: /tmp/gh-aw/cache-memory/security-scans/2026-01-28.json

---

Next Steps

• Critical: Fix 27 expression errors (runtime failures)
• High: Add explicit permissions to 14 workflows
• Medium: Review and optimize shellcheck warnings
• Low: Document obfuscation as intentional pattern
• Future: Integrate static analysis into CI/CD pipeline

---

Tool Information

Actionlint v1.7.10

• Validates GitHub Actions workflow syntax
• Integrates shellcheck and pyflakes
• Catches runtime errors before execution

Zizmor

• Security scanner for GitHub Actions
• Detects obfuscation and security anti-patterns
• Focus: Workflow auditability

Poutine

• Supply chain security auditing
• Detects permission issues
• Focus: Least-privilege and secure defaults

---

Scan completed: 2026-01-28
Next scheduled scan: Daily (automated)
Historical data: 80+ previous scans available in cache

AI generated by Static Analysis Report

• expires on Feb 4, 2026, 2:41 PM UTC

[pelikhan]

/plan

[github-actions[bot]]

🎉 Yo ho ho! Plan Command found the treasure and completed successfully! ⚓💰

[github-actions[bot]]

Planning Complete ✅

I've analyzed the static analysis report and created 5 actionable sub-issues to address the findings:

Created Issues

1. 🔴 High Priority (3 issues) - Fix 27 expression errors across all affected workflows

   • Issue 1: Fix ci-coach, cloclo, code-scanning-fixer, code-simplifier, daily-doc-updater (5 workflows)
   • Issue 2: Fix daily-workflow-updater, dependabot-bundler, developer-docs-consolidator, dictation-prompt, github-mcp-tools-report (5 workflows)
   • Issue 3: Fix remaining 17 workflows (labeler through unittest-runner)

2. 🟡 Medium Priority (1 issue) - Security improvements

   • Issue 4: Add explicit permissions to 14 workflows with risky trigger events

3. 🟢 Low Priority (1 issue) - Documentation

   • Issue 5: Document obfuscation warnings as expected pattern in agentic workflows

Priority Rationale

The expression errors are split into 3 issues for manageability (5, 5, and 17 workflows each). These are critical because they cause runtime failures.

The permissions issue addresses all 14 affected workflows in a single issue since the fix pattern is consistent.

The documentation issue provides context for future static analysis runs to prevent false positives.

Next Steps

• All issues are now ready for assignment to GitHub Copilot agents
• They will be automatically grouped under a parent tracking issue
• Issues should be worked in priority order: 🔴 → 🟡 → 🟢

The planning is complete and actionable work items are ready for execution.