Ensure run commands are not vulnerable to shell injection

Error: Run commands are vulnerable to shell injection
Bridgecrew Policy ID: BC_REPO_GITHUB_ACTION_2
Checkov Check ID: CKV_GHA_2
Severity: MEDIUM

Run commands are vulnerable to shell injection

GitHub Actions expands ${{ ... }} expressions by plain text substitution into the run script before the shell parses it, so any part of an expression that a third party controls (an issue title, a pull request body, a branch name) becomes shell syntax rather than data. Block references to these contexts inside run commands, and avoid passing them unescaped into API calls or other commands as input. (Source: GitHub Docs, "Security hardening for GitHub Actions".)

Potentially risky contexts (values a third party can set by opening an issue or pull request, commenting, or naming a branch or commit) include:

  • github.event.issue.title
  • github.event.issue.body
  • github.event.pull_request.title
  • github.event.pull_request.body
  • github.event.comment.body
  • github.event.review.body
  • github.event.review_comment.body
  • github.event.pages.*.page_name
  • github.event.commits.*.message
  • github.event.head_commit.message
  • github.event.head_commit.author.email
  • github.event.head_commit.author.name
  • github.event.commits.*.author.email
  • github.event.commits.*.author.name
  • github.event.pull_request.head.ref
  • github.event.pull_request.head.label
  • github.event.pull_request.head.repo.default_branch
  • github.head_ref

Example Fix

Remove the direct interpolation from the run script. If the value is needed, pass it through the step's env: mapping and read it from the script as a double-quoted shell variable; the substitution then happens into an environment value, not into the script text. The snippet below shows the line to remove:

-          title="${{ github.event.issue.title }}"
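The following is an added example, not code from this page, from Checkov or from GitHub. It reproduces the failure mode locally: the runner's expression expansion is modelled as a printf into the script source, the result is handed to sh, and a constructed issue title is shown to run a command in the vulnerable form and to stay inert in the env-based form. The function names (vulnerable_step, safe_step, has_risky_expression), the PAYLOAD value and the RISKY_CONTEXTS regex are all assumptions made for the demonstration; the regex approximates what the check looks for and is not the Checkov implementation.

```shell
#!/bin/sh
# Added example for CKV_GHA_2 (not code from the Bridgecrew/Checkov page or
# from GitHub). It emulates the two halves of the problem locally:
#   1. the runner expands ${{ ... }} expressions by plain text substitution
#      into the run: script *before* the shell parses it, so attacker-controlled
#      text such as an issue title becomes shell syntax;
#   2. passing the same value through env: keeps the script text fixed and the
#      value arrives as data in a variable.
# The issue title below is constructed attacker input; no GitHub API is called.
set -u

# Constructed malicious issue title: closes the double-quoted string, runs a
# command, and comments out the rest of the line.
PAYLOAD='Fix typo"; echo pwned; #'

# Emulates:   run: |
#               title="${{ github.event.issue.title }}"
#               echo "$title"
# The runner's expansion is modelled with printf: the raw title is pasted into
# the script source, then the resulting text is handed to a shell.
vulnerable_step() {
  rendered=$(printf 'title="%s"\necho "$title"\n' "$1")
  sh -c "$rendered"
}

# Emulates:   env:
#               TITLE: ${{ github.event.issue.title }}
#             run: echo "$TITLE"
# The script text never changes; the title is only ever read as the value of
# an environment variable, so quotes and semicolons in it are inert.
safe_step() {
  TITLE="$1" sh -c 'echo "$TITLE"'
}

# Approximation of what the check looks for (hypothetical helper, not the
# Checkov implementation): a ${{ }} expression inside a run: script that
# references one of the third-party-controlled contexts listed on this page.
RISKY_CONTEXTS='github\.(event\.(issue\.(title|body)|pull_request\.(title|body)|comment\.body|review\.body|review_comment\.body|pages\.[^}]*\.page_name|commits\.[^}]*\.(message|author\.(email|name))|head_commit\.(message|author\.(email|name))|pull_request\.head\.(ref|label|repo\.default_branch))|head_ref)'

# Exit status 0 (risky) if the given run script text interpolates a risky
# context; 1 otherwise. Reads the script line by line, as grep does.
has_risky_expression() {
  printf '%s\n' "$1" | grep -Eq '[$][{][{][^}]*'"$RISKY_CONTEXTS"
}

# Stand-alone demonstration.
echo "--- vulnerable run: step (title pasted into script text) ---"
vulnerable_step "$PAYLOAD"
echo "--- hardened step (title passed through env:) ---"
safe_step "$PAYLOAD"
```

Running the block prints "pwned" from the vulnerable step, because the title's closing quote and semicolon were parsed as shell syntax, and prints the title verbatim from the hardened step. In the workflow this is the difference between title="${{ github.event.issue.title }}" inside run: and an env: entry TITLE: ${{ github.event.issue.title }} read as "$TITLE"; the double quotes around $TITLE still matter, since an unquoted expansion would be subject to word splitting and globbing. Passing the value to an action's with: input is safe for the same reason: it arrives as data, not as script source. Note that the approximate check only inspects run: text, so the expression in env: correctly does not trigger it.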
