Overview
This tracking issue coordinates the resolution of security and code quality findings from the comprehensive static analysis scan completed on December 8, 2025.
Source: Discussion #5845
Scan Summary
- Workflows Scanned: 103
- Workflows with Findings: 11 (10.7%)
- Total Findings: 35
- Tools Used: zizmor (security), poutine (supply chain), actionlint (linting)
Key Findings by Priority
| Severity | Count | Primary Issues |
|---|---|---|
| High | 2 | cache-poisoning, excessive-permissions |
| Medium | 1 | artipacked (credential persistence) |
| Error | 16 | shellcheck issues, expression errors |
| Warning | 4 | missing-permissions |
| Informational | 11 | template-injection warnings |
Planned Sub-Issues
This work is broken down into focused sub-issues addressing the most critical findings:
- #aw_5a9c3b8f2e14 - Fix cache poisoning vulnerability in release workflow (HIGH)
- #aw_7d2e1c4b9a6f - Fix excessive permissions in speckit-dispatcher workflow (HIGH)
- #aw_9b4f8e2d1c7a - Fix expression errors in issue-monster workflow (ERROR)
- #aw_3c8a6e1f4b2d - Fix shellcheck issues in test workflows (ERROR)
- #aw_1e7b3d9c5f8a - Add missing permissions to test workflows (WARNING)
Success Criteria
Notes
- Informational template-injection warnings (11 occurrences) are tracked but deprioritized
- Poutine found no supply chain security issues (good baseline)
- Future work: Integrate static analysis into CI/CD pipeline
AI generated by Plan Command for discussion #5845