Ensure GitHub ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables
Error: GitHub Actions ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set to true
Bridgecrew Policy ID: BC_REPO_GITHUB_ACTION_1
Checkov Check ID: CKV_GHA_1
Severity: MEDIUM
Description
GitHub Actions has an environment variable flag called ACTIONS_ALLOW_UNSECURE_COMMANDS that allows GHA workflows to run the deprecated set-env and add-path workflow commands. These commands are vulnerable and should not be used: the runner parses them out of anything a step writes to its log, so a step that prints untrusted input (for example an issue title or a pull request body) can have its environment or PATH rewritten for later steps, which exposes accounts to potential credential theft or code injection.
Fix - Buildtime
GitHub Actions
Remove the ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true' entry from the workflow's env block, as shown by the line marked with - below. Workflows that still rely on set-env or add-path should write to the GITHUB_ENV and GITHUB_PATH environment files instead, which is GitHub's supported replacement for these commands.
...
env:
- ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'
...