[static-analysis] Report - 2026-06-06

[github-actions]

🔍 Static Analysis Report — 2026-06-06

Analysis Summary

All agentic workflows were compiled with four static analysis tools. Posture is stable vs the previous scan. This run compiled 235 workflows (down from 240 — fewer .md sources this run), which accounts for small decreases in raw counts. No new vulnerability classes; the long-standing High items (dev-hawk github-env; runner-guard RGS-004/012/018 on generated .lock.yml) persist and already map to closed/accepted issues.

• Tools: zizmor, poutine, actionlint, runner-guard v2.6.0
• Total Findings: 1,847 (zizmor 70 · poutine 24 · actionlint 1,445 · runner-guard 308)
• Workflows Scanned: 235 · Runner-Guard issues created: 0

Tool	Total	High	Medium	Low	Info
zizmor	70	2	2	26	40
poutine	24	12 error	—	1 warn	11 note
actionlint	1,445	—	—	—	—
runner-guard	308	298	10	—	—

Clustered Findings

Zizmor

Type	Sev	Count	Affected
template-injection	Info	39	ai-moderator, smoke-service-ports, ...
obfuscation	Low	22	agentic-token-audit, audit-workflows, smoke-ci, ...
template-injection	Low	4	(generated steps)
github-env	High	2	dev-hawk.lock.yml L766, L1672
excessive-permissions	Med	1	dependabot-repair.lock.yml L381
artipacked	Med	1	daily-geo-optimizer.lock.yml L1475
superfluous-actions	Info	1	smoke-codex.lock.yml

Poutine

Type	Sev	Count	Affected
untrusted_checkout_exec	error	12	smoke-workflow-call(-with-inputs), dependabot-worker (all # poutine:ignore)
github_action_from_unverified_creator_used	note	8	hippo-embed, super-linter, smoke-codex, dataflow-pr-discussion-dataset, mcp-inspector (SHA-pinned)
unverified_script_exec	note	3	copilot-setup-steps, daily-byok-ollama-test, smoke-codex
pr_runs_on_self_hosted	warning	1	smoke-copilot-arm

Actionlint

shellcheck 927 · syntax-check 387 · permissions 109 · expression 22. All in generated run:/YAML; no behavioral errors.

Runner-Guard Taint Analysis (308; High 298 · Medium 10; no numeric score emitted)

Rule	Name	Sev	Count	Affected
RGS-004	Comment-Triggered Workflow w/o Author Auth Check	High	282	q (116), dev-hawk (85), ai-moderator (81)
RGS-012	Secret Exfiltration via Outbound HTTP	High	10	daily-model-inventory, visual-regression-checker, daily-byok-ollama-test, docs-noob-tester, daily-multi-device-docs-tester
RGS-018	Suspicious Payload Execution Pattern	High	6	smoke-codex, smoke-claude, daily-sentrux-report, daily-cli-performance, daily-byok-ollama-test, copilot-setup-steps
RGS-005	Excessive Permissions on Untrusted Trigger	Med	8	agentic_commands, ai-moderator, q
RGS-007	Unpinned Third-Party Action	Med	1	aoai-endpoint-smoke-test
RGS-019	Step Output Interpolated in run	Med	1	error-message-lint

Issues created: none. Per dedup policy + antipattern issue #31043 ("RGS-* issues recreated daily after closure"), each High rule+file was checked against open and closed issues:

• RGS-004 q/dev-hawk/ai-moderator → all listed in closed [static-analysis] RGS-004: Comment-Triggered Workflow Without Author Authorization Check (16 workflows) #30284 (also [static-analysis] RGS-004: Comment-Triggered Workflow Without Author Authorization Check in 16 workflows #29694) → skip.
• RGS-012 files → closed [static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-model-inventory.lock.yml #30776, [static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in visual-regression-checker.lock.yml #30947, [static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-byok-ollama-test.lock.yml #35652, [static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-multi-device-docs-tester.lock.yml #33477, [static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in docs/visual workflows #29885 → skip.
• RGS-018 files → closed [static-analysis] RGS-018: Suspicious Payload Execution Pattern in copilot-setup-steps.yml #33476, [static-analysis] RGS-018: Suspicious Payload Execution Pattern in daily-byok-ollama-test.lock.yml #35653, [static-analysis] RGS-018: Suspicious Payload Execution Pattern (34 workflows) #30532/[static-analysis] RGS-018: Suspicious Payload Execution Pattern in multiple workflows #30777/[static-analysis] RGS-018: Suspicious Payload Execution Pattern in 36 workflows #29461 (aggregate) → skip.

No open per-finding RGS issues exist, so nothing to comment on. Matches 2026-06-05 precedent (0 created).

Top Priority

zizmor github-env (High) — dev-hawk.lock.yml L766 & L1672. echo ... >> "$GITHUB_ENV" of compiler-generated constants (GH_AW_MCP_CLI_SERVERS, GH_HOST). The audit can't prove the value is constant; if attacker data ever reached the write it could inject env vars (NODE_OPTIONS, LD_PRELOAD) into later steps. Real risk low; worth hardening in the generator. Persists ~15 days. Ref: (docs.zizmor.sh/redacted)

Fix Suggestion — zizmor github-env

Prompt to Copilot Agent:

Fix a High zizmor github-env finding in gh-aw's generator ((docs.zizmor.sh/redacted)
dev-hawk.lock.yml writes compiler constants to "$GITHUB_ENV" from run: blocks:
  echo GH_AW_MCP_CLI_SERVERS='["agenticworkflows","safeoutputs"]' >> "$GITHUB_ENV"
  echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
Writing to $GITHUB_ENV from a run block is a known privilege-escalation vector. Fix the
generator template (not the .lock.yml):
1. Move single-consumer constants to a static env: block on the consuming step.
2. For cross-step values use $GITHUB_OUTPUT with a step id and ${{ steps.<id>.outputs.<key> }}.
3. If a runtime write is unavoidable, add "# zizmor: ignore[github-env]" with justification.
Before:  run: |
           echo GH_AW_MCP_CLI_SERVERS='[...]' >> "$GITHUB_ENV"
After:   env:
           GH_AW_MCP_CLI_SERVERS: '["agenticworkflows","safeoutputs"]'
Recompile all workflows and confirm zizmor reports 0 github-env findings.

Historical Trends

Date	zizmor	poutine	actionlint	runner-guard	workflows
2026-06-03	73	24	~	307	240
2026-06-04	73	24	1,472	307	240
2026-06-05	73	24	1,478	307	240
2026-06-06	70	24	1,445	308	235

Δ vs 06-05: zizmor −3 (obfuscation 25→22) · poutine 0 · actionlint −33 (shellcheck 947→927, syntax 398→387) · runner-guard +1. Decreases track the 5 fewer workflows compiled; per-workflow rates unchanged. No new issue types; none resolved structurally — deltas are compile-set variance.

Recommendations

1. Immediate: Harden the persistent dev-hawk github-env High in the generator (static env:/$GITHUB_OUTPUT). Only actionable High outside the accepted RGS set.
2. Short-term: Confirm RGS-005 permissions on q/ai-moderator/agentic_commands are intentional; else tighten to least-privilege.
3. Long-term: RGS-004/012/018 on generated .lock.yml are accepted (gh-aw injects authz gating; docs testers make legit outbound calls). Add a runner-guard baseline/allowlist so they stop reappearing (goal of [deep-report] Static-analysis RGS-* security issues recreated daily after closure (no dedup-by-rule) #31043).
4. Prevention: Keep # poutine:ignore + SHA-pinning; add the github-env fix to templates.

Next Steps

• Fix zizmor github-env High in dev-hawk generator, recompile
• Review RGS-005 Medium permissions (q/ai-moderator/agentic_commands)
• Establish runner-guard baseline/allowlist ([deep-report] Static-analysis RGS-* security issues recreated daily after closure (no dedup-by-rule) #31043)
• Keep SHA-pinning + poutine:ignore conventions

References: §27054358659 · dedup policy #31043 · RGS-004 closed aggregate #30284

Generated by 📊 Static Analysis Report · 287.2 AIC · ⌖ 33.4 AIC · ◷

• expires on Jun 13, 2026, 6:12 AM UTC