Ensure GitHub run commands are not vulnerable to shell injection

Error: GitHub Actions Run commands are vulnerable to shell injection
Bridgecrew Policy ID: BC_REPO_GITHUB_ACTION_2
Checkov Check ID: CKV_GHA_2
Severity: MEDIUM

GitHub Actions Run commands are vulnerable to shell injection

Block potentially risky references to variables whose values are controlled by third parties. Avoid any API calls or run commands that process these values as input.

Potentially risky variables include:

  • github.event.issue.title
  • github.event.issue.body
  • github.event.pull_request.title
  • github.event.pull_request.body
  • github.event.comment.body
  • github.event.review.body
  • github.event.review_comment.body
  • github.event.pages.*.page_name
  • github.event.commits.*.message
  • github.event.head_commit.message
  • github.event.head_commit.author.email
  • github.event.head_commit.author.name
  • github.event.commits.*.author.email
  • github.event.commits.*.author.name
  • github.event.pull_request.head.ref
  • github.event.pull_request.head.label
  • github.event.pull_request.head.repo.default_branch
  • github.head_ref
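An added example, not taken from the original policy page: the vulnerable pattern this check flags in a `run:` step, beside the hardened form that binds the untrusted value to an environment variable so the shell reads it as data rather than as script text. The workflow, job and step names are constructed for illustration.

```yaml
name: issue-triage            # constructed example workflow
on:
  issues:
    types: [opened]

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      # FLAGGED by CKV_GHA_2: GitHub expands the ${{ }} expression into the
      # script text *before* the shell runs, so any quotes, semicolons or
      # backticks in the issue title become part of the command line the
      # runner executes.
      - name: Echo issue title (unsafe)
        run: |
          title="${{ github.event.issue.title }}"
          echo "New issue: $title"

  hardened:
    runs-on: ubuntu-latest
    steps:
      # Hardened form: the expression is evaluated into the step's process
      # environment instead of the script. The shell then reads "$TITLE" as
      # an ordinary string value, so metacharacters are never parsed.
      # Keep the variable double-quoted to avoid word splitting and globbing.
      - name: Echo issue title (safe)
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
```

The same env-binding pattern applies to every expression in the list above; the check looks for any of those references inside a `run:` string, regardless of which command consumes it.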

Fix - Buildtime

GitHub Actions yaml

-          title="${{ github.event.issue.title }}"
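Review bot: this hunk contains only the removed line `title="${{ github.event.issue.title }}"` and no `+` lines, so the corrected step is never shown. Include the added lines that move the expression into an `env:` entry on the step and reference it from `run:` as a quoted shell variable; without them the fix section tells the reader what to delete but not what to write instead.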