GitHub Actions - Unsecure Commands¶

Avoid using unsecure commands in GitHub Actions workflows to minimize the risk of injection attacks or accidental execution of malicious scripts. Use proper quoting, validation, and secure handling of inputs in workflow files.

Examples¶

Insecure Example

Using unquoted or improperly validated inputs can lead to injection attacks:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Run unsecure script
        run: echo $INPUT_PARAMETER

If INPUT_PARAMETER contains malicious code (e.g., $(rm -rf /)), it could execute unintended commands.

Secure Example

Validate and securely quote all inputs to prevent injections:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Run secure script
        run: echo "${{ github.event.inputs.parameter }}"

This ensures only expected values are passed and executed.

More information¶

GitHub Actions Security Best Practices