Overview
This tracking issue coordinates the resolution of security and code quality findings from the comprehensive static analysis scan completed on December 8, 2025.
Source: Discussion #5845
Scan Summary
- Workflows Scanned: 103
- Workflows with Findings: 11 (10.7%)
- Total Findings: 35
- Tools Used: zizmor (security), poutine (supply chain), actionlint (linting)
Key Findings by Priority
| Severity | Count | Primary Issues |
|---|---|---|
| High | 2 | cache-poisoning, excessive-permissions |
| Medium | 1 | artipacked (credential persistence) |
| Error | 16 | shellcheck issues, expression errors |
| Warning | 4 | missing-permissions |
| Informational | 11 | template-injection warnings |
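The four security finding classes in the table, shown side by side in one constructed GitHub Actions job (an added example, not one of the project's workflows; the workflow names, cache path and the event field used in the injection case are illustrative):

```yaml
# Constructed example, not one of the project's workflows.
# "Before": the weak settings behind the finding classes in the table.
name: release-before
on:
  release:
    types: [published]
permissions: write-all                 # excessive-permissions: every job gets every scope
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # artipacked: persist-credentials defaults to true,
                                       # so the token stays in .git/config for later steps
      - uses: actions/cache@v4         # cache-poisoning: a runtime cache restored inside a
        with:                          # workflow that publishes release artifacts
          path: ~/.npm
          key: npm-${{ hashFiles('package-lock.json') }}
      - run: echo "Building ${{ github.event.release.name }}"
                                       # template-injection: event data is expanded into the
                                       # script source before the shell ever runs it
---
# "After": the hardened form of the same job.
name: release-after
on:
  release:
    types: [published]
permissions:
  contents: read                       # least privilege at the workflow level
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write                  # only the job that uploads the artifact needs write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # fixes artipacked: no token left in the checkout
      # No actions/cache step: the release build does a clean dependency install, so a
      # cache entry written by an earlier run cannot reach the published artifact.
      - run: echo "Building $RELEASE_NAME"
        env:                           # the value is passed through the environment and
          RELEASE_NAME: ${{ github.event.release.name }}   # never spliced into the script
```

Re-running zizmor after the change is the check that each class is actually gone rather than merely moved.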
Planned Sub-Issues
This work is broken down into focused sub-issues addressing the most critical findings:
- #aw_5a9c3b8f2e14 - Fix cache poisoning vulnerability in release workflow (HIGH)
- #aw_7d2e1c4b9a6f - Fix excessive permissions in speckit-dispatcher workflow (HIGH)
- #aw_9b4f8e2d1c7a - Fix expression errors in issue-monster workflow (ERROR)
- #aw_3c8a6e1f4b2d - Fix shellcheck issues in test workflows (ERROR)
- #aw_1e7b3d9c5f8a - Add missing permissions to test workflows (WARNING)
Success Criteria
- All high-severity security issues resolved
- All workflow runtime errors fixed
- Missing permissions added to failing workflows
- Static analysis re-run shows improvements
- No new security issues introduced
Notes
- Informational template-injection warnings (11 occurrences) are tracked but deprioritized
- Poutine found no supply chain security issues (good baseline)
- Future work: Integrate static analysis into CI/CD pipeline
AI generated by Plan Command for discussion #5845