🔍 Static Analysis Report - 2025-11-13

[github-actions[bot]]

🔍 Static Analysis Report - 2025-11-13

Analysis Summary

Today's static analysis scan examined 40 workflows using three comprehensive security and quality tools: zizmor (security scanner), poutine (supply chain security), and actionlint (workflow linter). The scan identified 19 findings across multiple categories, with 7 critical actionlint errors requiring immediate attention.

Key Highlights:

• 7 workflows have critical runtime errors that will cause failures
• 9 workflows have network firewall limitations (engine constraint)
• 2 workflows have informational security findings
• No supply chain security issues detected (poutine clean)

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info
actionlint (linting)	7	7	-	-	-	-
zizmor (security)	2	-	-	-	-	2
poutine (supply chain)	0	-	-	-	-	-
compile warnings	11	-	-	9	1	1
TOTAL	19	7	0	9	1	3

Full Report Details

Detailed Findings by Tool

1. Actionlint Errors (Critical Priority)

Issue: expression_undefined_property

• Severity: ERROR (Critical)
• Count: 7 workflows affected
• Impact: Workflows will fail at runtime when trying to access undefined job outputs
• Status: Recurring issue (first detected 2025-11-11)

Affected Workflows:

1. daily-doc-updater (.github/workflows/daily-doc-updater.lock.yml:3716)
2. go-logger (.github/workflows/go-logger.lock.yml:3835)
3. security-fix-pr (.github/workflows/security-fix-pr.lock.yml:3662)
4. developer-docs-consolidator (.github/workflows/developer-docs-consolidator.lock.yml:4534)
5. github-mcp-tools-report (.github/workflows/github-mcp-tools-report.lock.yml:4356)
6. instructions-janitor (.github/workflows/instructions-janitor.lock.yml:3714)
7. changeset (.github/workflows/changeset.lock.yml:4465)

Problem Description:
Workflows reference needs.activation.outputs.comment_id and needs.activation.outputs.comment_repo in environment variables, but the activation job is not listed in the job's needs dependencies.

Example Error:

env:
  GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
  GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }}

Error: Property "comment_id" and "comment_repo" are not defined in object type {}

---

2. Zizmor Security Findings (Informational)

Issue: template-injection

• Severity: Informational
• Count: 2 workflows affected
• Impact: Low - Potential code injection via template expansion in controlled environment
• Reference: (redacted)#template-injection

Affected Workflows:

1. copilot-session-insights (.github/workflows/copilot-session-insights.lock.yml:205)

   • Location: "Install gh agent-task extension" step
   • Context: continue-on-error attribute usage

2. mcp-inspector (.github/workflows/mcp-inspector.lock.yml:1130)

   • Location: "Setup MCPs" step

Analysis:
Zizmor detected potential template injection points. While marked as "Informational" severity, these should be reviewed to ensure no untrusted input flows through template expansion.

---

3. Poutine Supply Chain Security

Status: ✅ No findings detected

Poutine scanned all compiled workflows and found no supply chain security issues. This is a positive indicator of good security hygiene.

---

4. Compile Warnings

Warning: network_firewall_unsupported

• Severity: Medium
• Count: 9 workflows affected
• Impact: Security concern - Network restrictions may not be enforced for Claude workflows

Affected Workflows:

1. audit-workflows
2. daily-doc-updater
3. copilot-agent-analysis
4. developer-docs-consolidator
5. copilot-session-insights
6. prompt-clustering-analysis
7. instructions-janitor
8. unbloat-docs
9. blog-auditor

Issue: Claude engine does not currently support network firewalling despite workflows specifying network.allowed restrictions. This is an engine limitation.

Recommendation: Document this limitation and consider alternative security measures for Claude-based workflows.

---

Warning: web_search_unsupported (NEW)

• Severity: Low
• Count: 1 workflow affected
• Status: First detected in this scan

Affected Workflow:

• ci-doctor

Issue: Copilot engine does not support the web-search tool. See (redacted) for alternatives.

---

Warning: custom_steps_experimental (NEW)

• Severity: Info
• Count: 1 workflow affected
• Status: First detected in this scan

Affected Workflow:

• issue-classifier

Issue: Workflow uses experimental Custom Steps support (engine: custom). Monitor for stability.

---

Priority Issue Rankings

🔴 Priority 1: expression_undefined_property (CRITICAL)

• Tool: actionlint
• Severity: ERROR
• Count: 7 workflows
• Impact: HIGH - Workflows will fail at runtime
• Fix Complexity: LOW - Remove unused environment variables or add activation job to needs
• Action Required: IMMEDIATE

🟠 Priority 2: network_firewall_unsupported

• Tool: compile_warning
• Severity: Medium
• Count: 9 workflows
• Impact: MEDIUM - Security concern, network restrictions not enforced
• Fix Complexity: HIGH - Requires engine-level support
• Action Required: Document limitation, consider workarounds

🟡 Priority 3: template-injection

• Tool: zizmor
• Severity: Informational
• Count: 2 workflows
• Impact: LOW - Informational finding in controlled environment
• Fix Complexity: LOW - Review template usage
• Action Required: Review and assess risk

---

Fix Suggestion for Priority 1 Issue

Issue: expression_undefined_property

Problem: 7 workflows reference needs.activation.outputs.comment_id and needs.activation.outputs.comment_repo but the activation job is not in their dependency graph.

Recommended Solution: Since these are scheduled workflows (not command-triggered), remove the unused environment variable references.

Fix Template:

Before (in .md workflow file):

env:
  GH_AW_PR_IF_NO_CHANGES: "warn"
  GH_AW_MAX_PATCH_SIZE: 1024
  GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
  GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }}
  GH_AW_WORKFLOW_NAME: "Example Workflow"

After:

env:
  GH_AW_PR_IF_NO_CHANGES: "warn"
  GH_AW_MAX_PATCH_SIZE: 1024
  GH_AW_WORKFLOW_NAME: "Example Workflow"

Implementation Steps:

1. Edit each of the 7 affected workflow .md files
2. Locate and remove the two environment variable lines referencing activation outputs
3. Recompile each workflow: gh aw compile (workflow-name)
4. Verify actionlint errors are resolved
5. Test workflow execution

Detailed Fix Instructions: See /tmp/gh-aw/cache-memory/fix-templates/actionlint-expression_undefined_property.md

---

Historical Trends

Comparison with Previous Scan (2025-11-12)

Metric	2025-11-12	2025-11-13	Change
Workflows Scanned	16	40	+24 (+150%)
Total Findings	7	19	+12 (+171%)
Actionlint Errors	4	7	+3 (+75%)
Zizmor Warnings	1	2	+1 (+100%)
Network Firewall Warnings	2	9	+7 (+350%)

Analysis:

• The increase in findings is primarily due to the larger sample size (40 vs 16 workflows)
• Issue patterns remain consistent - expression_undefined_property continues to be the most common critical error
• Network firewall warnings show an increasing trend as more Claude-based workflows are scanned
• Two new warning types detected: web_search_unsupported and custom_steps_experimental

Long-term Trend (Since 2025-11-04)

• expression_undefined_property: Recurring across multiple scans (first detected 2025-11-11) - STATUS: PERSISTENT
• template-injection: Stable at 1-2 occurrences since first detection (2025-11-04)
• network_firewall_unsupported: Increasing trend as more Claude workflows are created
• Poutine findings: Consistently zero - excellent supply chain security posture

---

Recommendations

Immediate Actions (This Week)

1. ✅ Fix critical actionlint errors in 7 workflows (expression_undefined_property)
   • Remove unused activation output references from scheduled workflows
   • Verify fixes with recompilation and testing
2. 📋 Document network firewall limitation for Claude engine
   • Update workflow creation guidelines
   • Consider alternative security controls for Claude workflows
3. 🔍 Review template-injection warnings in copilot-session-insights and mcp-inspector
   • Assess actual risk in these specific contexts
   • Consider refactoring if necessary

Short-term Actions (This Month)

4. 📊 Address new compatibility warnings
   • Document web-search limitation for Copilot engine (ci-doctor workflow)
   • Monitor experimental custom steps feature (issue-classifier workflow)
5. 🔧 Update workflow templates to prevent recurring patterns
   • Create template without activation outputs for scheduled workflows
   • Add validation checks to workflow creation process

Long-term Actions (This Quarter)

6. 🚀 Integrate static analysis into CI/CD
   • Add pre-commit hooks for zizmor, poutine, actionlint
   • Block merges with critical actionlint errors
7. 📈 Establish automated reporting
   • Daily static analysis with trend tracking
   • Alert on new high/critical findings
8. 🛡️ Security hardening
   • Investigate network sandboxing alternatives for Claude workflows
   • Regular review of template-injection findings

---

Scan Metadata

• Scan Date: 2025-11-13
• Scan Time: 09:30:00 UTC
• Repository: githubnext/gh-aw
• Workflows Scanned: 40 of 79 total (50.6% coverage)
• Scan Method: Representative sample across all engine types
• Tools Used: zizmor v1.x, poutine v1.x, actionlint v1.x
• Cache Location: /tmp/gh-aw/cache-memory/security-scans/2025-11-13.json

---

Next Steps

• Apply fixes for 7 workflows with expression_undefined_property errors
• Review template-injection warnings in copilot-session-insights and mcp-inspector
• Document network firewall limitation for Claude workflows
• Update workflow creation guidelines to prevent recurring issues
• Consider adding static analysis to pre-commit hooks

---

Scan Details: This scan analyzed 40 workflows using zizmor (security), poutine (supply chain), and actionlint (linting). Full results stored in /tmp/gh-aw/cache-memory/security-scans/2025-11-13.json.

Historical Context: Vulnerability trends tracked in /tmp/gh-aw/cache-memory/vulnerabilities/by-tool.json and /tmp/gh-aw/cache-memory/vulnerabilities/trends.json.

AI generated by Static Analysis Report

[pelikhan]

/plan

[github-actions[bot]]

✅ Agentic Plan Command completed successfully.

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 week ago.