Ensure GitHub run commands are not vulnerable to shell injection
Error: GitHub Actions Run commands are vulnerable to shell injection
Bridgecrew Policy ID: BC_REPO_GITHUB_ACTION_2
Checkov Check ID: CKV_GHA_2
Severity: MEDIUM
GitHub Actions Run commands are vulnerable to shell injection
An expression such as `${{ github.event.issue.title }}` placed inside a `run:` script is substituted as plain text by the runner before the shell parses the script. Anyone who controls that value (the author of an issue, comment, pull request or commit) can therefore close a quote and append commands that execute with the job's permissions and its `GITHUB_TOKEN`. Block references to contexts that are controlled by third parties inside `run:` commands, and avoid passing them unsanitised to other commands or API calls. Source: GitHub's security hardening guide for GitHub Actions.
Potentially risky contexts (values a third party can set) include:
- github.event.issue.title
- github.event.issue.body
- github.event.pull_request.title
- github.event.pull_request.body
- github.event.comment.body
- github.event.review.body
- github.event.review_comment.body
- github.event.pages.*.page_name
- github.event.commits.*.message
- github.event.head_commit.message
- github.event.head_commit.author.email
- github.event.head_commit.author.name
- github.event.commits.*.author.email
- github.event.commits.*.author.name
- github.event.pull_request.head.ref
- github.event.pull_request.head.label
- github.event.pull_request.head.repo.default_branch
- github.head_ref
Fix - Buildtime
GitHub Actions yaml
Pass the untrusted value to the script through an environment variable instead of interpolating the expression into the `run:` body. The shell then sees the literal text `"$TITLE"` and expands the variable as data, so quotes and separators in the value cannot alter the command structure:
```yaml
- env:
    TITLE: ${{ github.event.issue.title }}
  run: title="$TITLE"
```
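As an added worked example (not code from this page, from Bridgecrew or from Checkov's implementation of CKV_GHA_2), the script below does two things: it simulates the runner's text substitution to show how a crafted issue title turns one assignment into three commands, and it scans workflow YAML for the contexts listed above inside `run:` values, while leaving the same expression in `env:` unflagged. The function names `render_run`, `command_count` and `find_injections`, the event payload and the three workflows are all constructed for this example; the scanner is a deliberately dependency-free line-based parse of `run:` values (inline or `|`/`>` block scalars), not a full YAML parser.

```python
"""Added example (not from the page, Bridgecrew or Checkov): simulate the runner's
expression substitution to show the injection, then scan workflow YAML for the
risky contexts listed above inside `run:` scripts. All samples are constructed."""
import re
import shlex

# Attacker-controlled contexts from the list above. `*` stands for any element,
# written in real expressions as an index such as `commits[0]`.
RISKY_CONTEXTS = [
    "github.event.issue.title", "github.event.issue.body", "github.event.comment.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.review.body", "github.event.review_comment.body",
    "github.event.pages.*.page_name", "github.event.commits.*.message",
    "github.event.head_commit.message", "github.event.head_commit.author.email",
    "github.event.head_commit.author.name", "github.event.commits.*.author.email",
    "github.event.commits.*.author.name", "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label", "github.head_ref",
    "github.event.pull_request.head.repo.default_branch",
]
_WILDCARD = r"(?:\.[^\s.}\[\]]+|\[[^\]]*\])"        # `.*` -> `.name` or `[index]`
RISKY_RE = re.compile(r"\$\{\{\s*(" + "|".join(
    re.escape(c).replace(r"\.\*", _WILDCARD) for c in RISKY_CONTEXTS) + r")\s*\}\}")
ANY_EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
RUN_KEY_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def render_run(script, event):
    """What the runner does: substitute expressions as plain text *before* the
    shell parses the script, so a value can close a quote and add commands."""
    return ANY_EXPR_RE.sub(lambda m: event.get(m.group(1), ""), script)


def command_count(script):
    """Count the shell commands in a script, splitting on `;`, `&&`, `||`, `|`
    and `&` per line the way the shell's parser would."""
    count = 0
    for line in script.splitlines():
        if line.strip():
            tokens = shlex.shlex(line, posix=True, punctuation_chars=True)
            count += 1 + sum(t in (";", "&&", "||", "|", "&") for t in tokens)
    return count


def find_injections(workflow_text):
    """Return (line_number, expression) for each risky context referenced inside a
    `run:` value. Expressions under `env:` are not reported: there the value
    reaches the shell as an environment variable, not as script text."""
    lines = workflow_text.splitlines()
    findings, i = [], 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3)
        if value.startswith(("|", ">")):      # block scalar: script is on the lines below
            i += 1
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
                findings += [(i + 1, e.group(1)) for e in RISKY_RE.finditer(lines[i])]
                i += 1
        else:                                  # inline scalar on the same line
            findings += [(i + 1, e.group(1)) for e in RISKY_RE.finditer(value)]
            i += 1
    return findings


# Constructed event: an issue title crafted to break out of a double-quoted string.
EVENT = {"github.event.issue.title": '"; echo pwned; echo "'}
VULNERABLE_RUN = 'title="${{ github.event.issue.title }}"\necho "Triaging: $title"'
SAFE_RUN = 'title="$TITLE"\necho "Triaging: $title"'   # TITLE is set under env:

VULNERABLE_WORKFLOW = """\
name: issue-triage
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: |
          title="${{ github.event.issue.title }}"
          echo "Triaging: $title"
"""
FIXED_WORKFLOW = """\
name: issue-triage
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          title="$TITLE"
          echo "Triaging: $title"
"""
PUSH_WORKFLOW = """\
on: push
jobs:
  log:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Last commit: ${{ github.event.head_commit.message }}"
      - run: echo "First commit: ${{ github.event.commits[0].message }}"
"""

if __name__ == "__main__":
    for name, script in (("vulnerable", VULNERABLE_RUN), ("fixed", SAFE_RUN)):
        rendered = render_run(script, EVENT)
        print(f"{name}: {command_count(rendered)} command(s)\n{rendered}\n")
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW), ("push", PUSH_WORKFLOW)):
        print(name, "->", find_injections(wf) or "clean")
```

Running the script shows the vulnerable step rendering to `title=""; echo pwned; echo ""`, three commands where the author wrote one, while the fixed step renders to exactly the text the author wrote. The scanner reports the vulnerable workflow at line 8 and the push workflow at lines 6 and 7 (the `commits[0]` index is matched through the wildcard), and reports nothing for the fixed workflow because the only expression there sits under `env:`. The scanner only covers `run:`; expressions passed through `with:` to an action that builds a shell command itself need the same treatment on the action's side.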