Static Analysis Report - February 8, 2026

[github-actions[bot]]

Analysis Summary

Scan Date: February 8, 2026
Repository: github/gh-aw
Workflow Run: §21805666052

• Tools Used: zizmor, actionlint (with shellcheck)
• Total Findings: 337
• Workflows Scanned: 149
• Workflows Affected: 148 (99.3%)
• Critical/High Severity: 0 ✅

Key Findings

Tool	Total	Critical	High	Medium	Low	Warnings	Info/Style
Zizmor (security)	23	0	0	0	0	14	9
Actionlint/Shellcheck	322	-	-	-	-	-	322

Security Status: ✅ No critical or high severity security vulnerabilities detected

Findings by Tool and Type

Zizmor Security Findings

Issue Type	Severity	Count	Affected Workflows
default_permissions_on_risky_events	Warning	14	ai-moderator, archie, brave, cloclo, grumpy-reviewer, mergefest, pdf-summary, plan, pr-nitpick-reviewer, q, scout, security-review, tidy, unbloat-docs
unverified_script_exec	Info	7	copilot-setup-steps, daily-copilot-token-report
unpinnable_action	Info	2	daily-perf-improver/build-steps, daily-test-improver/coverage-steps

Actionlint/Shellcheck Linting Issues

Issue Code	Severity	Count	Description
SC2129	Style	164	Consider using { cmd1; cmd2; } >> file instead of individual redirects
SC1003	Info	158	Single quote escaping suggestion

Top Priority Issue: default_permissions_on_risky_events

Severity: Warning
Affected: 14 workflows
Tool: Zizmor

Description

Workflows triggered by risky events (issue_comment, issues, pull_request_target, workflow_run) are flagged for using default permissions. These events can be triggered by external contributors and run in the base repository context.

Security Impact

• Risky events can be triggered by users with read access
• Default permissions may grant unnecessary write access
• Potential for privilege escalation if exploited
• Could allow unauthorized modification of repository contents

Investigation Note

Initial inspection shows that affected workflows already have permissions: {} set at the top level, which suggests this may be a false positive or a nuance in how the scanner interprets the permissions configuration. The compiled .lock.yml files show proper permission restrictions.

Recommended Action

1. Review each affected workflow to confirm proper permissions
2. Ensure permissions: {} at workflow level
3. Verify job-level permissions are minimal and explicit
4. Consider if the warning indicates a scanner configuration issue

Fix Template for default_permissions_on_risky_events

View Detailed Fix Instructions

Step-by-Step Fix

1. Add Explicit Top-Level Permissions

Always set explicit permissions at the workflow level to {} (no permissions):

name: "Workflow Name"
on:
  issue_comment:
    types: [created]

permissions: {}  # Explicitly deny all permissions at workflow level

jobs:
  # ... jobs follow

2. Grant Minimal Permissions at Job Level

Only grant the specific permissions each job needs:

jobs:
  process-issue:
    permissions:
      issues: write        # Only if needed
      contents: read       # Only if needed
      pull-requests: write # Only if needed
    steps:
      # ... job steps

3. Common Permission Patterns

For issue/comment workflows:

permissions:
  issues: write
  pull-requests: write

For read-only analysis:

permissions:
  contents: read
  issues: read

Verification

Run after making changes:

gh aw compile --zizmor

Example Fix

Before:

name: "AI Moderator"
on:
  issue_comment:
    types: [created]

# No explicit top-level permissions

jobs:
  moderate:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Processing..."

After:

name: "AI Moderator"
on:
  issue_comment:
    types: [created]

permissions: {}  # Explicit restriction

jobs:
  moderate:
    permissions:
      issues: write
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - run: echo "Processing..."

All Findings by Workflow

View Complete Findings List (148 workflows)

Workflows with Security Warnings

default_permissions_on_risky_events (14 workflows):

1. .github/workflows/ai-moderator.lock.yml
2. .github/workflows/archie.lock.yml
3. .github/workflows/brave.lock.yml
4. .github/workflows/cloclo.lock.yml
5. .github/workflows/grumpy-reviewer.lock.yml
6. .github/workflows/mergefest.lock.yml
7. .github/workflows/pdf-summary.lock.yml
8. .github/workflows/plan.lock.yml
9. .github/workflows/pr-nitpick-reviewer.lock.yml
10. .github/workflows/q.lock.yml
11. .github/workflows/scout.lock.yml
12. .github/workflows/security-review.lock.yml
13. .github/workflows/tidy.lock.yml
14. .github/workflows/unbloat-docs.lock.yml

unverified_script_exec (7 occurrences in 2 files):

• .github/workflows/copilot-setup-steps.yml (2 instances: uv installer, gh-aw installer)
• .github/workflows/daily-copilot-token-report.lock.yml (curl piped to shell)

unpinnable_action (2 files):

• .github/actions/daily-perf-improver/build-steps/action.yml
• .github/actions/daily-test-improver/coverage-steps/action.yml

Shellcheck Issues (148 workflows)

SC2129 - 164 instances across multiple workflows
SC1003 - 158 instances across multiple workflows

Most workflows have 1-2 shellcheck style suggestions. These are non-critical code quality improvements.

Historical Trend Analysis

Comparing with previous scan (2026-02-07):

Metric	2026-02-07	2026-02-08	Change
Total Findings	344	337	-7 (-2.0%)
Critical/High	0	0	No change ✅
Medium Severity	2	0	-2 (improved) ✅
Low Severity	1	0	-1 (improved) ✅
Warnings	14	14	No change
Info/Style	327	331	+4
Workflows Scanned	147	149	+2

Trend Notes

• Improved: Medium and low severity issues eliminated
• Stable: No critical or high severity issues in either scan
• Changed: Different tool configuration (zizmor findings increased from 3 to 23, likely due to broader scanning scope)
• Consistent: Shellcheck style issues remain similar (~322)
• Overall: Security posture remains strong with no critical vulnerabilities

Recommendations

Immediate (Priority 1)

✅ No immediate action required - No critical or high severity issues

Short-term (Priority 2)

1. ⚠️ Investigate default_permissions warnings: Review 14 flagged workflows to determine if warnings are false positives
2. 🔍 Review unverified script execution: Consider verifying checksums for curl | sh installations
3. 📝 Document pinning strategy: Address unpinnable action warnings with documented exceptions

Long-term (Priority 3)

1. 🔧 Address shellcheck style issues: Consider bulk fix for SC2129 (redirect style) and SC1003 (quote escaping)
2. 📊 Automate scanning: Integrate static analysis into pre-commit hooks or PR checks
3. 📚 Update templates: Ensure new workflows follow security best practices
4. 🎯 Tune scanners: Adjust zizmor/poutine configuration to reduce false positives

Next Steps

• Review default_permissions_on_risky_events findings to confirm false positive status
• Consider fix template for shellcheck SC2129 (164 instances)
• Document security scanning process and findings interpretation
• Set up automated security scanning in CI/CD pipeline
• Update workflow creation guidelines with security best practices

Cache Memory Updated

Scan results saved to persistent cache:

• /tmp/gh-aw/cache-memory/security-scans/2026-02-08.json
• /tmp/gh-aw/cache-memory/vulnerabilities/trends.json
• /tmp/gh-aw/cache-memory/fix-templates/zizmor-default_permissions_on_risky_events.md

---

Conclusion: The repository maintains a strong security posture with zero critical or high severity vulnerabilities. The majority of findings (95.5%) are style/linting suggestions from shellcheck. The 14 permission-related warnings warrant investigation but appear to be potential false positives given that workflows already implement proper permission restrictions.

AI generated by Static Analysis Report

• expires on Feb 15, 2026, 9:35 PM UTC

[github-actions[bot]]

🎭 The smoke test agent gracefully passes through...

Just validating that all systems are operational! Everything checks out beautifully. ✨

Timestamp: 2026-02-09T01:13:11Z

AI generated by Smoke Copilot

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-15T21:35:03.123Z.

Closed by Workflow