🔍 Static Analysis Report - February 12, 2026

[github-actions[bot]]

Analysis Summary

Daily static analysis scan completed for all agentic workflows using three security and code quality tools.

• Tools Used: zizmor (security), poutine (supply chain), actionlint (linting + shellcheck)
• Total Findings: 328 (↓6 from Feb 11)
• Workflows Scanned: 150
• Workflows Affected: 150
• Overall Trend: 📈 IMPROVING

Findings by Tool

Tool	Total	Critical	High	Medium	Low	Info/Style
zizmor (security)	1	0	0	1	0	0
poutine (supply chain)	7	0	0	0	1	6
actionlint (linting)	320	0	0	0	0	320
TOTAL	328	0	0	1	1	326

Key Improvements Since Last Scan

✅ template-injection issue RESOLVED - Previously flagged Low severity issue in mcp-inspector.lock.yml is now fixed
✅ Poutine findings reduced - Down from 10 to 7 findings (30% reduction)
✅ Shellcheck issues reduced - Down from 322 to 320 findings
✅ Overall findings down 1.8% - From 334 to 328 total findings

Security Findings

🟡 Medium Severity (1 finding)

artipacked - Credential Persistence Risk

• Tool: zizmor
• Severity: Medium
• Workflow: daily-copilot-token-report.lock.yml (line 115)
• Issue: Potential credential persistence through GitHub Actions artifacts
• Impact: Artifacts may contain sensitive data accessible to users with read permissions
• Reference: (docs.zizmor.sh/redacted)
• Status: ⚠️ UNCHANGED (persists from previous scans)

Recommendation: Review artifact uploads to ensure only necessary report files are included, excluding .git, .env, and credential files.

🟠 Poutine Supply Chain Findings (7 findings)

1. Default Permissions on Risky Events (Warning)

• Count: 1 occurrence
• Workflow: ai-moderator.lock.yml
• Issue: Uses default permissions on risky event triggers
• Impact: Broader permissions than necessary, increasing attack surface

2. Unverified Script Execution (Info)

• Count: 4 occurrences
• Pattern: curl | sh for installing dependencies
• Files:
  • copilot-setup-steps.yml (2 instances)
  • daily-copilot-token-report.lock.yml (2 instances)
• Commands:
  • curl -LsSf (astral.sh/redacted) | sh (UV installer)
  • curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash (gh-aw installer)
• Impact: Low - These are trusted sources but the pattern is flagged as risky

3. Unpinnable Actions (Info)

• Count: 2 occurrences
• Files:
  • .github/actions/daily-test-improver/coverage-steps/action.yml
  • .github/actions/daily-perf-improver/build-steps/action.yml
• Issue: Composite actions cannot be pinned to specific SHAs

Code Quality Findings

Actionlint + ShellCheck (320 findings)

All findings are style recommendations, not security issues:

SC2129: Inefficient File Redirects

• Count: 147 occurrences (46% of all findings)
• Severity: Style
• Issue: Multiple individual redirects instead of grouped commands
• Impact: Minor performance - each redirect opens/closes file separately
• Example:

  # Current (flagged)
  echo "line1" >> file
  echo "line2" >> file
  
  # Suggested
  {
    echo "line1"
    echo "line2"
  } >> file

Note: These warnings appear in compiled .lock.yml files (auto-generated). Fixing would require changes to the compiler, not individual workflows.

Recommendation: Consider suppressing SC2129 in compiler-generated code or updating the compiler to use grouped commands.

View All Affected Workflows (147 workflows)

Each of the following workflows has 1-21 SC2129 shellcheck style warnings:

• agent-performance-analyzer.lock.yml (1)
• agent-persona-explorer.lock.yml (1)
• ai-moderator.lock.yml (2)
• archie.lock.yml (2)
• artifacts-summary.lock.yml (1)
• audit-workflows.lock.yml (1)
• auto-triage-issues.lock.yml (1)
• blog-auditor.lock.yml (1)
• brave.lock.yml (2)
• breaking-change-checker.lock.yml (1)
• changeset.lock.yml (1)
• chroma-issue-indexer.lock.yml (1)
• ci-coach.lock.yml (1)
• ci-doctor.lock.yml (1)
• claude-code-user-docs-review.lock.yml (1)
• cli-consistency-checker.lock.yml (1)
• cli-version-checker.lock.yml (1)
• cloclo.lock.yml (2)
• code-scanning-fixer.lock.yml (1)
• code-simplifier.lock.yml (1)
• codex-github-remote-mcp-test.lock.yml (1)
• commit-changes-analyzer.lock.yml (1)
• copilot-agent-analysis.lock.yml (3)
• copilot-cli-deep-research.lock.yml (5)
• copilot-pr-merged-report.lock.yml (1)
• copilot-pr-nlp-analysis.lock.yml (1)
• copilot-pr-prompt-analysis.lock.yml (1)
• copilot-session-insights.lock.yml (1)
• craft.lock.yml (2)
• daily-assign-issue-to-user.lock.yml (1)
• daily-choice-test.lock.yml (1)
• daily-cli-performance.lock.yml (1)
• daily-cli-tools-tester.lock.yml (1)
• daily-code-metrics.lock.yml (1)
• daily-compiler-quality.lock.yml (9)
• daily-copilot-token-report.lock.yml (1)
• daily-doc-updater.lock.yml (9)
• daily-fact.lock.yml (1)
• daily-file-diet.lock.yml (9)
• daily-firewall-report.lock.yml (1)
• daily-issues-report.lock.yml (1)
• daily-malicious-code-scan.lock.yml (1)
• daily-mcp-concurrency-analysis.lock.yml (13)
• daily-multi-device-docs-tester.lock.yml (1)
• daily-news.lock.yml (1)
• daily-observability-report.lock.yml (1)
• daily-performance-summary.lock.yml (1)
• daily-regulatory.lock.yml (1)
• daily-repo-chronicle.lock.yml (1)
• daily-safe-output-optimizer.lock.yml (1)
• daily-secrets-analysis.lock.yml (1)
• daily-semgrep-scan.lock.yml (1)
• daily-syntax-error-quality.lock.yml (7)
• daily-team-evolution-insights.lock.yml (1)
• daily-team-status.lock.yml (1)
• daily-testify-uber-super-expert.lock.yml (7)
• daily-workflow-updater.lock.yml (1)
• deep-report.lock.yml (1)
• delight.lock.yml (9)
• dependabot-burner.lock.yml (1)
• dependabot-go-checker.lock.yml (1)
• dev-hawk.lock.yml (1)
• dev.lock.yml (1)
• developer-docs-consolidator.lock.yml (5)
• dictation-prompt.lock.yml (1)
• discussion-task-miner.lock.yml (3)
• docs-noob-tester.lock.yml (1)
• draft-pr-cleanup.lock.yml (1)
• duplicate-code-detector.lock.yml (1)
• example-custom-error-patterns.lock.yml (1)
• example-permissions-warning.lock.yml (1)
• example-workflow-analyzer.lock.yml (1)
• firewall-escape.lock.yml (1)
• firewall.lock.yml (1)
• functional-pragmatist.lock.yml (1)
• github-mcp-structural-analysis.lock.yml (1)
• github-mcp-tools-report.lock.yml (1)
• github-remote-mcp-auth-test.lock.yml (1)
• glossary-maintainer.lock.yml (9)
• go-fan.lock.yml (7)
• go-logger.lock.yml (11)
• go-pattern-detector.lock.yml (1)
• gpclean.lock.yml (1)
• grumpy-reviewer.lock.yml (2)
• hourly-ci-cleaner.lock.yml (1)
• instructions-janitor.lock.yml (5)
• issue-arborist.lock.yml (1)
• issue-classifier.lock.yml (1)
• issue-monster.lock.yml (1)
• issue-triage-agent.lock.yml (1)
• jsweep.lock.yml (1)
• layout-spec-maintainer.lock.yml (9)
• lockfile-stats.lock.yml (1)
• mcp-inspector.lock.yml (1)
• mergefest.lock.yml (2)
• metrics-collector.lock.yml (1)
• notion-issue-summary.lock.yml (1)
• org-health-report.lock.yml (1)
• pdf-summary.lock.yml (2)
• plan.lock.yml (2)
• poem-bot.lock.yml (2)
• portfolio-analyst.lock.yml (1)
• pr-nitpick-reviewer.lock.yml (2)
• pr-triage-agent.lock.yml (1)
• prompt-clustering-analysis.lock.yml (1)
• python-data-charts.lock.yml (1)
• q.lock.yml (2)
• release.lock.yml (1)
• repo-audit-analyzer.lock.yml (1)
• repo-tree-map.lock.yml (1)
• repository-quality-improver.lock.yml (1)
• research.lock.yml (1)
• safe-output-health.lock.yml (1)
• schema-consistency-checker.lock.yml (1)
• scout.lock.yml (2)
• security-compliance.lock.yml (1)
• security-review.lock.yml (2)
• semantic-function-refactor.lock.yml (13)
• sergo.lock.yml (7)
• slide-deck-maintainer.lock.yml (1)
• smoke-claude.lock.yml (1)
• smoke-codex.lock.yml (1)
• smoke-copilot.lock.yml (1)
• smoke-opencode.lock.yml (1)
• smoke-project.lock.yml (1)
• smoke-test-tools.lock.yml (1)
• stale-repo-identifier.lock.yml (1)
• static-analysis-report.lock.yml (1)
• step-name-alignment.lock.yml (9)
• sub-issue-closer.lock.yml (1)
• super-linter.lock.yml (1)
• technical-doc-writer.lock.yml (1)
• terminal-stylist.lock.yml (1)
• test-create-pr-error-handling.lock.yml (1)
• test-dispatcher.lock.yml (1)
• test-project-url-default.lock.yml (1)
• test-workflow.lock.yml (1)
• tidy.lock.yml (2)
• typist.lock.yml (21)
• ubuntu-image-analyzer.lock.yml (3)
• unbloat-docs.lock.yml (3)
• video-analyzer.lock.yml (1)
• weekly-issue-summary.lock.yml (1)
• workflow-generator.lock.yml (1)
• workflow-health-manager.lock.yml (1)
• workflow-normalizer.lock.yml (1)
• workflow-skill-extractor.lock.yml (5)

Historical Trend Analysis

7-Day Comparison

Date	Total	Zizmor	Poutine	Actionlint	Change
Feb 10	323	2	10	320	baseline
Feb 11	334	2	10	322	+11 (+3.4%)
Feb 12	328	1	7	320	-6 (-1.8%)

Key Trends

• Overall: Improving trend, 6 fewer findings than yesterday
• Security (zizmor): 50% reduction (2 → 1), template-injection resolved
• Supply Chain (poutine): 30% reduction (10 → 7), significant improvement
• Code Quality (actionlint): Slight improvement (322 → 320)

Week-over-Week Summary

• Resolved Issues: 1 (template-injection in mcp-inspector)
• New Issues: 0
• Persistent Issues: 1 (artipacked - Medium severity)
• Overall Direction: 📈 Improving

Recommendations

🔴 Immediate Priority (Security)

1. Fix artipacked issue in daily-copilot-token-report.md

   • Review artifact upload configuration
   • Ensure only report files are included in artifacts
   • Exclude sensitive paths (.git, .env, credentials)
   • Fix template: /tmp/gh-aw/cache-memory/fix-templates/zizmor-artipacked.md

2. Review default permissions in ai-moderator.md

   • Explicitly set minimal required permissions
   • Avoid using default permissions on risky event triggers

🟡 Medium Priority (Supply Chain)

3. Consider alternatives to curl | sh pattern

   • Currently used for UV and gh-aw installation
   • Options:
     • Use pre-installed versions if available
     • Download, verify checksum, then execute
     • Use official GitHub Actions where available
   • Note: Current usage is from trusted sources, risk is low

4. Document unpinnable actions

   • Composite actions in .github/actions/ cannot be SHA-pinned
   • This is expected behavior, not a vulnerability
   • Ensure these actions are maintained securely

🟢 Low Priority (Code Quality)

5. Address SC2129 shellcheck warnings
   • These are style issues in compiler-generated code
   • Options:
     • Update compiler to generate grouped commands
     • Add # shellcheck disable=SC2129 directive in compiler
     • Accept as minor technical debt (recommended for now)
   • Fix template: /tmp/gh-aw/cache-memory/fix-templates/actionlint-sc2129.md

🔵 Long-term (Process Improvement)

6. Maintain automated scanning

   • Current daily scans are working well
   • Consider adding pre-commit hooks for new workflows
   • Track trends over time to ensure continuous improvement

7. Celebrate improvements

   • Team resolved template-injection issue
   • Poutine findings reduced by 30%
   • Overall trend is positive

Fix Templates Available

Detailed fix instructions have been saved to cache memory:

1. /tmp/gh-aw/cache-memory/fix-templates/zizmor-artipacked.md

   • Comprehensive guide to fixing the artipacked security issue
   • Multiple solution options with examples
   • Verification steps and prevention tips

2. /tmp/gh-aw/cache-memory/fix-templates/actionlint-sc2129.md

   • Analysis of SC2129 shellcheck warnings
   • Decision framework for fixing vs. suppressing
   • Implementation guidance for compiler changes

Scan Metadata

• Scan Date: 2026-02-12
• Scan Duration: ~2 minutes
• Workflows Compiled: 150
• Compilation Successful: 150 (100%)
• Static Analysis Tools:
  • zizmor 1.7.0+ (security scanner)
  • poutine (supply chain security)
  • actionlint 1.7.10 (with shellcheck & pyflakes)
• Results Cached: /tmp/gh-aw/cache-memory/security-scans/2026-02-12.json
• Workflow Run: §21964916802

Security Posture Assessment

Overall Rating: 🟢 GOOD

• ✅ Zero Critical or High severity findings
• ✅ Only 1 Medium severity security issue (tracked)
• ✅ Strict mode compilation enforced across all workflows
• ✅ Improving trend over the past week
• ✅ 97.6% of findings are style/linting issues
• ⚠️ 1 persistent Medium severity issue requires attention

Conclusion: The repository maintains a strong security posture with comprehensive static analysis coverage. The single Medium severity finding should be addressed, but overall the workflows follow security best practices. The improving trend over the past week demonstrates effective issue resolution.

AI generated by Static Analysis Report

• expires on Feb 19, 2026, 9:35 PM UTC

[github-actions[bot]]

🤖 The smoke test agent stopped by for a quick visit! All systems operational and ready to automate. Keep building amazing workflows! 🚀✨

AI generated by Smoke Copilot

[github-actions[bot]]

💥 WHOOSH! The Smoke Test Agent just ZOOMED through here! 🦸♂️

KAPOW! Testing complete! BAM! All systems operational! 🚀

---

🤖 This message brought to you by the Claude Smoke Test Squad ⚡

AI generated by Smoke Claude

[github-actions[bot]]

🎭 Smoke Test Agent Detected! 🎭

Just passing through on my automated rounds, making sure all systems are functioning as expected. The bots are running, the tests are passing, and the virtual coffee machine is still brewing! ☕🤖

*tips digital hat and disappears into the cloud*

AI generated by Smoke Copilot

[github-actions[bot]]

🤖 Beep boop! The smoke test agent just rolled through here like a caffeinated robot on roller skates!

Everything's looking smooth - all systems nominal, all tests passing, and I even managed to build the project without setting anything on fire. 🔥✅

Stay awesome, humans! 🚀

- Your friendly neighborhood smoke test agent

AI generated by Smoke Copilot

[github-actions[bot]]

💥 WHOOSH! 💫 The smoke test agent just zipped through here! 🚀

KA-POW! All systems operational! The Claude engine is firing on all cylinders! 🔥

BIFF! BAM! BOOM! Testing complete! 🎯

Your friendly neighborhood smoke test agent, keeping the workflows running smooth! 🦸♂️

AI generated by Smoke Claude

[github-actions[bot]]

🎭 The smoke test agent was here! 🚀 Just finished a comprehensive validation run and everything looks great! ✨

Discussion #15241, you're looking fabulous today with all those security improvements! 📈 Keep up the great work on that static analysis! 💪

AI generated by Smoke Copilot