🔍 Static Analysis Report - November 14, 2025

[github-actions[bot]]

🔍 Static Analysis Report - November 14, 2025

Executive Summary

Comprehensive static analysis scan completed on 70 agentic workflows using three security tools: zizmor (security), poutine (supply chain), and actionlint (linting). The scan identified 1 HIGH severity security issue, 2 MEDIUM severity issues, and 2 LOW severity issues requiring attention.

Key Finding: The ci-doctor.md workflow uses the workflow_run trigger, which is fundamentally insecure and poses a HIGH risk for privilege escalation and secret exposure.

Full Static Analysis Report

Analysis Overview

• Date: November 14, 2025
• Tools Used: zizmor (security), poutine (supply chain security), actionlint (linting)
• Workflows Scanned: 70 successfully compiled
• Compilation Failures: 1 workflow (typist.md)
• Total Security Findings: 5 issues from zizmor
• Severity Breakdown: 1 High, 2 Medium, 2 Low

Findings by Tool

Tool	Total Findings	Critical	High	Medium	Low
zizmor (security)	5	0	1	2	2
poutine (supply chain)	0	0	0	0	0
actionlint (linting)	0	0	0	0	0

---

🔴 Critical Findings

1. Dangerous Workflow Trigger (HIGH SEVERITY)

Issue: dangerous-triggers - Use of fundamentally insecure workflow trigger
Severity: 🔴 High
Tool: zizmor
Reference: (redacted)#dangerous-triggers

Affected Workflow:

• ci-doctor.md (line 47)

Description:
The CI Doctor workflow uses the workflow_run trigger, which is fundamentally insecure because:

• Privilege Escalation Risk: Triggered workflows inherit permissions/secrets from the triggering workflow
• Branch Protection Bypass: Can execute on protected branches via unprotected branches
• Secret Exposure: Secrets available even when triggered by untrusted code
• No Review Gate: Executes automatically without code review

Security Impact:
An attacker could potentially:

• Execute arbitrary code with elevated permissions
• Access repository secrets
• Modify protected branches
• Bypass security controls and code review

Recommended Fix:
Replace workflow_run trigger with a scheduled trigger that uses the GitHub API to check for failed workflow runs. This approach is safer because it doesn't execute in response to potentially malicious triggers.

# Current (Insecure)
on:
  workflow_run:
    branches: [main]
    types: [completed]
    workflows:
      - Daily Perf Improver
      - Daily Test Coverage Improver

# Recommended (Secure)
on:
  schedule:
    - cron: '*/30 * * * *'  # Check every 30 minutes
  workflow_dispatch:

permissions:
  actions: read
  contents: read
  issues: write

jobs:
  check-failures:
    runs-on: ubuntu-latest
    steps:
      - name: Check recent workflow runs
        uses: actions/github-script@v7
        with:
          script: |
            const workflows = ['Daily Perf Improver', 'Daily Test Coverage Improver'];
            for (const workflow of workflows) {
              const runs = await github.rest.actions.listWorkflowRuns({
                owner: context.repo.owner,
                repo: context.repo.repo,
                workflow_id: workflow,
                per_page: 5,
                status: 'completed',
                branch: 'main'
              });
              // Process failed runs
            }

---

🟡 High Priority Findings

2. Excessive Permissions (MEDIUM SEVERITY)

Issue: excessive-permissions - Overly broad permissions granted
Severity: 🟡 Medium
Tool: zizmor
Reference: (redacted)#excessive-permissions

Affected Workflow:

• ci-doctor.md (2 locations: lines 57, 570)

Locations:

1. Line 57: Workflow-level permissions set to permissions: read-all
2. Line 570: Job-level excessive permissions for agent job

Description:
The workflow grants broader permissions than necessary, violating the principle of least privilege. This increases the attack surface if the workflow is compromised.

Recommended Fix:
Specify only the exact permissions needed:

# Current (Too Broad)
permissions: read-all

# Recommended (Specific)
permissions:
  actions: read
  contents: read
  issues: write
  pull-requests: read

---

🟢 Medium Priority Findings

3. Template Injection Risk (LOW SEVERITY)

Issue: template-injection - Code injection via template expansion
Severity: 🟢 Low
Tool: zizmor
Reference: (redacted)#template-injection

Affected Workflows (2):

1. mcp-inspector.md (line 1130) - "Setup MCPs" step name
2. copilot-session-insights.md (line 205) - continue-on-error directive

Description:
Potential for code injection if untrusted data flows into template expressions. While marked as Low severity, this could escalate if combined with other vulnerabilities.

Recommended Fix:
Review template expressions to ensure no untrusted user input is interpolated. Use environment variables or intermediate steps to sanitize inputs before template expansion.

---

📊 Additional Findings (Non-Security)

Outdated Action SHAs (3 workflows)

• ci-doctor.md: actions/github-script@v8 (60a0d83 → ed59741)
• dictation-prompt.md: actions/upload-artifact@v5 (ea165f8 → 330a01c)
• test-secret-masking.md: actions/github-script@v8 (60a0d83 → ed59741)

Recommendation: Update action references to use the latest commit SHAs for improved security.

Missing Permissions (2 workflows)

• daily-multi-device-docs-tester.md: Missing pull-requests: read
• example-permissions-warning.md: Missing multiple write permissions

Recommendation: Add required permissions to workflow frontmatter or reduce toolsets that require them.

Network Firewalling Warnings (10 workflows)

Multiple Claude-based workflows specify network restrictions, but the Claude engine doesn't support network firewalling. Affected workflows:

• static-analysis-report.md
• audit-workflows.md
• example-workflow-analyzer.md
• unbloat-docs.md
• blog-auditor.md
• daily-multi-device-docs-tester.md
• developer-docs-consolidator.md
• instructions-janitor.md
• prompt-clustering-analysis.md
• copilot-session-insights.md

Note: Network may not be properly sandboxed for these workflows.

---

🔧 Fix Recommendation: dangerous-triggers

Priority: IMMEDIATE

Workflow: ci-doctor.md
Vulnerability: dangerous-triggers (High Severity)

Detailed Fix Instructions

The CI Doctor workflow monitors completed workflow runs for failures. The current implementation uses the insecure workflow_run trigger. Here's a secure alternative:

Step 1: Change Trigger to Schedule

on:
  schedule:
    - cron: '*/30 * * * *'  # Run every 30 minutes
  workflow_dispatch:  # Allow manual triggers

Step 2: Use GitHub API to Query Workflow Runs

jobs:
  check-failures:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      issues: write
    steps:
      - name: Check recent workflow runs via API
        uses: actions/github-script@v7
        with:
          script: |
            const targetWorkflows = [
              'Daily Perf Improver',
              'Daily Test Coverage Improver'
            ];
            
            const thirtyMinutesAgo = new Date(Date.now() - 30 * 60 * 1000);
            
            for (const workflowName of targetWorkflows) {
              // Get workflow ID from name
              const workflows = await github.rest.actions.listRepoWorkflows({
                owner: context.repo.owner,
                repo: context.repo.repo
              });
              
              const workflow = workflows.data.workflows.find(
                w => w.name === workflowName
              );
              
              if (!workflow) continue;
              
              // Get recent runs
              const runs = await github.rest.actions.listWorkflowRuns({
                owner: context.repo.owner,
                repo: context.repo.repo,
                workflow_id: workflow.id,
                branch: 'main',
                per_page: 10
              });
              
              // Check for failures in last 30 minutes
              const recentFailures = runs.data.workflow_runs.filter(run => {
                const runDate = new Date(run.created_at);
                return run.conclusion === 'failure' && runDate >= thirtyMinutesAgo;
              });
              
              // Process failures (existing CI Doctor logic)
              for (const run of recentFailures) {
                console.log(`Found failure: ${run.html_url}`);
                // Your existing CI Doctor analysis here
              }
            }

Benefits of This Approach:

• ✅ No exposure to untrusted code execution
• ✅ Maintains all existing functionality
• ✅ More predictable execution schedule
• ✅ Can still trigger manually for debugging
• ✅ Follows security best practices
• ✅ Uses minimal required permissions

Implementation Notes:

1. The scheduled run frequency can be adjusted based on needs (currently 30 minutes)
2. The 30-minute lookback window prevents duplicate processing
3. Manual trigger via workflow_dispatch allows on-demand execution
4. All existing CI Doctor logic can be preserved in the processing steps

---

📈 Compilation Status

Successfully Compiled: 70 workflows ✅

All compiled workflows and their lock files are available in .github/workflows/*.lock.yml

Failed Compilation: 1 workflow ❌

• typist.md - zizmor security scan failed with exit code 1

Recommendation: Investigate typist.md compilation failure separately.

Not Compiled: 6 workflows ⚠️

The following workflows were not included in this scan (marked as "No" or "N/A" in status):

• daily-firewall-report.md
• dev-hawk.md
• github-mcp-tools-report.md
• repository-quality-improver.md
• smoke-copilot.md
• video-analyzer.md
• test-timestamp-js.md

Recommendation: Attempt to compile these workflows to ensure complete coverage.

---

🎯 Prioritized Action Plan

Immediate Actions (This Week)

1. ✅ Fix dangerous-triggers in ci-doctor.md (HIGH severity)

   • Replace workflow_run trigger with scheduled API-based checks
   • Test thoroughly to ensure functionality is preserved
   • Estimated effort: 2-4 hours

2. ✅ Reduce excessive-permissions in ci-doctor.md (MEDIUM severity)

   • Replace permissions: read-all with specific permissions
   • Review and minimize job-level permissions
   • Estimated effort: 1 hour

Short-term Actions (Next 2 Weeks)

3. 🔍 Review template-injection findings (LOW severity)

   • Audit mcp-inspector.md line 1130
   • Audit copilot-session-insights.md line 205
   • Ensure no untrusted input in template expressions
   • Estimated effort: 2 hours

4. 🔄 Update outdated action SHAs

   • Update 3 workflows with newer action versions
   • Test workflows after updates
   • Estimated effort: 1 hour

5. 🔧 Investigate typist.md compilation failure

   • Debug why zizmor scan failed
   • Fix issues and re-scan
   • Estimated effort: 2 hours

Long-term Actions (Next Month)

6. 📋 Add missing permissions to workflows

   • Fix daily-multi-device-docs-tester.md
   • Fix example-permissions-warning.md
   • Estimated effort: 1 hour

7. 🔐 Review network firewalling warnings

   • Assess 10 Claude-based workflows
   • Determine if network restrictions are necessary
   • Consider alternative solutions if firewalling is required
   • Estimated effort: 4 hours

8. ✅ Compile remaining 6 workflows

   • Investigate why 6 workflows weren't compiled
   • Fix any issues preventing compilation
   • Run full security scan on them
   • Estimated effort: 3 hours

9. 🔁 Establish regular security scanning

   • Set up daily automated static analysis
   • Create alerts for new security findings
   • Track trends over time
   • Estimated effort: 4 hours

---

📚 Resources

• Zizmor Documentation: (redacted)
• GitHub Actions Security Hardening: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
• Poutine Documentation: (supply chain security tool)
• Actionlint Documentation: https://github.com/rhysd/actionlint

---

💾 Scan Data

All scan data has been stored in the cache memory for future reference:

• Raw Findings: /tmp/gh-aw/cache-memory/security-scans/2025-11-14-raw-findings.md
• Scan Index: /tmp/gh-aw/cache-memory/security-scans/index.json
• Vulnerabilities by Tool: /tmp/gh-aw/cache-memory/vulnerabilities/by-tool.json
• Fix Templates: /tmp/gh-aw/cache-memory/fix-templates/

---

🔍 Summary

This static analysis scan provides a comprehensive security review of 70 agentic workflows. The most critical finding is the use of the insecure workflow_run trigger in ci-doctor.md, which poses a HIGH risk for privilege escalation and should be fixed immediately.

Overall, the repository has a relatively strong security posture with only 5 total findings, none of which are CRITICAL severity. The recommended fixes are straightforward and can be implemented with minimal disruption to existing workflows.

Next Steps:

1. Review this report with the team
2. Prioritize fixes based on severity
3. Implement the recommended fix for ci-doctor.md
4. Schedule follow-up scans to track progress
5. Consider integrating static analysis into CI/CD pipeline

---

Quick Stats

Metric	Value
Workflows Scanned	70
High Severity Issues	1
Medium Severity Issues	2
Low Severity Issues	2
Workflows Needing Fixes	3
Estimated Fix Time	6-8 hours

Top Priority

🔴 CRITICAL: Fix dangerous-triggers in ci-doctor.md - Replace insecure workflow_run trigger with secure scheduled API-based workflow monitoring.

Detailed fix instructions are available in the full report above.

---

Scan Date: 2025-11-14
Tools: zizmor v1.x, poutine, actionlint
Generated by: Static Analysis Report Agent

AI generated by Static Analysis Report

[pelikhan]

/plan

[github-actions[bot]]

✅ Agentic Plan Command completed successfully.

[github-actions[bot]]

This discussion was automatically closed because it was created by an agentic workflow more than 1 week ago.