Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables

Error: ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set to true
Bridgecrew Policy ID: BC_REPO_GITHUB_ACTION_1
Checkov Check ID: CKV_GHA_1
Severity: MEDIUM


Description

GitHub Actions recognises an environment variable, ACTIONS_ALLOW_UNSECURE_COMMANDS, which re-enables the deprecated set-env and add-path workflow commands. These commands let any step that writes to the job log set environment variables or extend PATH for the steps that follow, so untrusted output processed by the workflow can be turned into credential theft or code injection. Setting the flag to true at workflow, job or step level removes that protection and should not be done.

Fix

Remove ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true' from every env block in the workflow. Workflows that still need to set variables or extend PATH should write to the $GITHUB_ENV and $GITHUB_PATH environment files instead.

...
         env:
-          ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'
...
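The following is an added example, not Checkov's implementation of CKV_GHA_1: it walks the env blocks of a parsed workflow at workflow, job and step level, reports where the flag is enabled, and strips it. It assumes the workflow has already been loaded into a dict (as yaml.safe_load would return), so it runs without PyYAML; the sample workflow is constructed for the demonstration.

```python
# Detect and strip ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true' in a parsed GitHub
# Actions workflow. Input is the dict yaml.safe_load() returns for a workflow
# file, so the example itself needs no PyYAML.
FLAG = "ACTIONS_ALLOW_UNSECURE_COMMANDS"

def _is_true(value) -> bool:
    # YAML may parse the value to a bool or keep it a quoted string.
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"

def _env_blocks(workflow: dict):
    """Yield (path, env) for every env: block at workflow, job and step level."""
    if isinstance(workflow.get("env"), dict):
        yield "env", workflow["env"]
    for job_id, job in (workflow.get("jobs") or {}).items():
        if isinstance(job.get("env"), dict):
            yield f"jobs.{job_id}.env", job["env"]
        for idx, step in enumerate(job.get("steps") or []):
            if isinstance(step.get("env"), dict):
                yield f"jobs.{job_id}.steps[{idx}].env", step["env"]

def find_unsecure_commands(workflow: dict) -> list:
    """Paths of env blocks that enable the deprecated set-env/add-path commands."""
    return [path for path, env in _env_blocks(workflow) if _is_true(env.get(FLAG))]

def remove_unsecure_commands(workflow: dict) -> int:
    """Delete the flag wherever it appears; return how many entries were removed."""
    removed = 0
    for _, env in _env_blocks(workflow):
        if FLAG in env:
            del env[FLAG]
            removed += 1
    return removed

# Constructed sample (hypothetical workflow, shaped like yaml.safe_load output).
SAMPLE_WORKFLOW = {
    "name": "build",
    "on": "push",
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "env": {FLAG: "true"},                       # quoted string form
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"run": "make", "env": {FLAG: True}},    # unquoted bool form
                {"run": "make test", "env": {"CI": "1"}},
            ],
        }
    },
}
```

Running find_unsecure_commands(SAMPLE_WORKFLOW) reports both the job-level and the step-level occurrence; remove_unsecure_commands(SAMPLE_WORKFLOW) then deletes them and a second scan comes back empty.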
