Static Analysis Report - February 2, 2026

[github-actions[bot]]

Analysis Summary

Static analysis scan completed on 150 workflow files using three tools: actionlint (with shellcheck integration), zizmor (GitHub Actions security scanner), and poutine (supply chain security).

• Tools Used: actionlint (v1.7.10), zizmor, poutine
• Total Findings: 286 issues identified
• Workflows Scanned: 150
• Workflows Affected: 149 (99.3%)
• Clean Workflows: 1

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Style
actionlint (shellcheck)	160	0	0	0	0	160
zizmor (security)	126	0	0	0	126	0
poutine (supply chain)	0	0	0	0	0	0

Additional Warnings

• Permission Warnings: 5 workflows (test files with missing permissions)
• Experimental Features: 11 workflows using experimental features
• Unresolved Actions: 3 workflows with action resolution warnings

---

Key Findings

1. ShellCheck SC2129 - Style Issue (actionlint)

Impact: 157 occurrences across 149 workflows
Severity: Style (not a security issue)
Issue: Individual redirects should be grouped

The most common finding is ShellCheck rule SC2129, which suggests using grouped commands with a single redirect instead of multiple individual redirects to the same file.

Example Pattern:

# Current (flagged)
echo "Line 1" >> "$FILE"
echo "Line 2" >> "$FILE"

# Recommended
{
  echo "Line 1"
  echo "Line 2"
} >> "$FILE"

Root Cause: This appears in compiled .lock.yml files, likely generated by the workflow compiler. The issue is in how prompt scripts construct output.

Affected Workflows: Essentially all 149 workflows are affected by this pattern.

2. Zizmor Obfuscation - Low Severity Warning

Impact: 126 occurrences across 63 workflows
Severity: Low (code quality issue)
Issue: Unnecessary use of expression syntax for literal values

Zizmor flags the use of ${{ '' }} and ${{ 'literal-string' }} as potential obfuscation. While marked as a security concern, this appears to be unintentional - likely a compiler template issue.

Example Pattern:

# Current (flagged)
env:
  GH_AW_CACHE_DESCRIPTION: ${{ '' }}
  GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }}

# Recommended
env:
  GH_AW_CACHE_DESCRIPTION: ''
  GH_AW_CACHE_DIR: /tmp/gh-aw/cache-memory/

Root Cause: The compiler wraps literal values in expression syntax when they should be plain strings.

View Affected Workflows (63 total)

agent-persona-explorer, audit-workflows, ci-coach, ci-doctor, claude-code-user-docs-review, cli-version-checker, cloclo, code-scanning-fixer, copilot-agent-analysis, copilot-pr-nlp-analysis, copilot-pr-prompt-analysis, copilot-session-insights, daily-code-metrics, daily-compiler-quality, daily-copilot-token-report, daily-doc-updater, daily-firewall-report, daily-issues-report, daily-news, daily-performance-summary, daily-repo-chronicle, daily-safe-output-optimizer, deep-report, dependabot-bundler, developer-docs-consolidator, firewall-escape, github-mcp-structural-analysis, github-mcp-tools-report, glossary-maintainer, go-fan, go-logger, grumpy-reviewer, instructions-janitor, jsweep, lockfile-stats, mcp-inspector, org-health-report, pdf-summary, poem-bot, portfolio-analyst, pr-nitpick-reviewer, prompt-clustering-analysis, python-data-charts, q, safe-output-health, schema-consistency-checker, scout, secret-scanning-triage, security-fix-pr, security-review, sergo, slide-deck-maintainer, smoke-claude, smoke-codex, smoke-copilot, stale-repo-identifier, static-analysis-report, step-name-alignment, super-linter, technical-doc-writer, test-create-pr-error-handling, unbloat-docs, weekly-issue-summary

3. ShellCheck SC2086 - Info Level

Impact: 3 occurrences in 1 workflow (ci-coach)
Severity: Info
Issue: Missing quotes around variable expansion

# Issue: Variables should be quoted to prevent word splitting
$GITHUB_STEP_SUMMARY  # Should be "$GITHUB_STEP_SUMMARY"

4. Permission Warnings

Impact: 5 workflows (test files)
Severity: Configuration warning
Issue: Missing required permissions for GitHub toolsets

Affected test workflows:

• example-permissions-warning.md
• test-dispatcher.md
• test-project-url-default.md
• test-workflow.md
• test-yaml-import.md

These are intentional for testing purposes.

---

Clustered Findings by Tool and Type

Actionlint (ShellCheck Integration)

Issue Type	Severity	Count	Workflows Affected
SC2129	style	157	149
SC2086	info	3	1

Total actionlint findings: 160

Zizmor (Security Scanner)

Issue Type	Severity	Count	Workflows Affected
obfuscation	Low	126	63

Total zizmor findings: 126

Poutine (Supply Chain Security)

No findings detected. All workflows passed supply chain security checks.

---

Fix Suggestions for SC2129 (Top Issue by Volume)

The SC2129 shellcheck warning affects virtually all workflows. Since these are compiled .lock.yml files, the fix should be applied at the compiler level rather than editing individual workflow files.

Fix Approach

**Issue**: ShellCheck SC2129 - Individual redirects should be grouped
**Severity**: Style
**Affected Workflows**: 149 workflows

**Fix Strategy**: Update the workflow compiler to generate grouped redirects

**Current Generated Pattern:**
```bash
bash /opt/gh-aw/actions/create_prompt_first.sh
cat << 'PROMPT_EOF' > "$GH_AW_PROMPT"
[content]
PROMPT_EOF

echo "metadata" >> "$METADATA_FILE"
echo "more data" >> "$METADATA_FILE"
```

**Recommended Generated Pattern:**
```bash
bash /opt/gh-aw/actions/create_prompt_first.sh
cat << 'PROMPT_EOF' > "$GH_AW_PROMPT"
[content]
PROMPT_EOF

{
  echo "metadata"
  echo "more data"
} >> "$METADATA_FILE"
```

**Implementation Steps:**
1. Locate the compiler code that generates shell script steps
2. Identify where multiple `>>` redirects are emitted to the same file
3. Update the code generation to group consecutive redirects using `{ }` syntax
4. Regenerate all `.lock.yml` files
5. Verify actionlint passes without SC2129 warnings

Alternative: Suppress the Warning

If the individual redirects are intentional for error handling or clarity:

# shellcheck disable=SC2129
echo "Line 1" >> "$FILE"
echo "Line 2" >> "$FILE"

---

Fix Suggestions for Obfuscation (Zizmor)

The zizmor obfuscation warning affects 63 workflows and should also be fixed at the compiler level.

Fix Approach

**Issue**: Zizmor obfuscation - Literal values wrapped in expression syntax
**Severity**: Low
**Affected Workflows**: 63 workflows

**Fix Strategy**: Update the workflow compiler to avoid expression syntax for literals

**Current Generated Pattern:**
```yaml
env:
  GH_AW_CACHE_DESCRIPTION: ${{ '' }}
  GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }}
```

**Recommended Generated Pattern:**
```yaml
env:
  GH_AW_CACHE_DESCRIPTION: ''
  GH_AW_CACHE_DIR: /tmp/gh-aw/cache-memory/
```

**Implementation Steps:**
1. Update the compiler's template engine
2. Detect when `${{ }}` expressions contain only literal strings
3. Emit plain strings instead of wrapped expressions
4. For empty strings, consider omitting the variable entirely if optional
5. Regenerate all `.lock.yml` files
6. Verify zizmor passes without obfuscation warnings

---

Historical Context

This is the baseline static analysis report for the gh-aw repository. Future scans will compare against this baseline to track:

• New issues introduced
• Resolved issues fixed
• Trends over time
• Regression patterns

Scan results have been stored in the persistent cache at /tmp/gh-aw/cache-memory/security-scans/2026-02-02.json for future reference.

---

Recommendations

Priority 1: Code Quality (Low Urgency)

1. Fix SC2129 at compiler level: Update shell script generation to group redirects
2. Fix obfuscation at compiler level: Remove expression syntax from literal values
3. Fix SC2086 in ci-coach: Add quotes around variable expansions

Priority 2: Documentation

4. Document why test workflows have permission warnings: Add comments explaining intentional configuration
5. Document experimental features usage: Track which workflows use experimental features and why

Priority 3: Process Improvements

6. Integrate static analysis into CI: Add pre-commit hooks or CI checks for actionlint and zizmor
7. Automated fix validation: Create tests to verify fixes don't break workflow functionality
8. Compiler improvements: Consider adding a linting phase to the compiler itself

---

Impact Assessment

Overall Risk: Low

• ✅ No critical or high severity security issues found
• ✅ No supply chain vulnerabilities detected (poutine clean)
• ⚠️ 160 style/quality issues (shellcheck)
• ⚠️ 126 low-severity code clarity issues (zizmor)

Functional Impact: None

All identified issues are code quality or style improvements. The workflows function correctly as-is.

Security Impact: Minimal

The zizmor obfuscation warnings are flagged as potential security concerns, but in this context they are clearly unintentional artifacts of template generation, not malicious obfuscation.

---

Next Steps

• Review compiler code generation for shell scripts (SC2129)
• Review compiler template engine for expression handling (obfuscation)
• Fix SC2086 in ci-coach workflow
• Regenerate all .lock.yml files after compiler fixes
• Re-run static analysis to verify fixes
• Consider adding static analysis to CI/CD pipeline

---

Scan Metadata

• Scan Date: 2026-02-02
• Repository: githubnext/gh-aw
• Workflow Run: §21594169777
• Tools: actionlint v1.7.10, zizmor, poutine
• Total Files Scanned: 150 workflow files
• Cache Location: /tmp/gh-aw/cache-memory/security-scans/2026-02-02.json
• Fix Templates: /tmp/gh-aw/cache-memory/fix-templates/

AI generated by Static Analysis Report

• expires on Feb 9, 2026, 2:42 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-09T14:42:25.795Z.

Closed by Workflow