GitHub Action Unsecure Commands
Ensure that GitHub Actions workflows do not enable the deprecated unsecure workflow commands via ACTIONS_ALLOW_UNSECURE_COMMANDS. When this setting is enabled, the runner still honours the deprecated set-env and add-path commands that appear as ::set-env and ::add-path lines in a step's output; if a step logs untrusted input (for example an issue title), that input can set environment variables or change PATH for later steps and so compromise the execution of the workflow.
Examples
Insecure Example

steps:
  - env:
      ACTIONS_ALLOW_UNSECURE_COMMANDS: true
      ISSUE_TITLE: ${{ github.event.issue.title }}
    run: |
      echo "$ISSUE_TITLE"
Secure Example
Remove all usage of ACTIONS_ALLOW_UNSECURE_COMMANDS.
steps:
  - env:
      ISSUE_TITLE: ${{ github.event.issue.title }}
    run: |
      echo "$ISSUE_TITLE"
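The following script is an added example, not part of the original rule page or of any scanner's own implementation. It lints raw workflow YAML text for an env entry that enables ACTIONS_ALLOW_UNSECURE_COMMANDS, raises the severity when the same workflow also interpolates event-supplied text (the list of github.event.* contexts it treats as untrusted is an assumption, not exhaustive), and separately classifies a log line as one of the deprecated set-env / add-path commands so a defender can search step output for them. The two embedded workflows are constructed copies of the examples above.

```python
"""Lint GitHub Actions workflows for ACTIONS_ALLOW_UNSECURE_COMMANDS (added example)."""
import re
from typing import List, Optional

# Constructed sample: the insecure example from the page, wrapped in a full workflow.
INSECURE_WORKFLOW = """\
on: issues
jobs:
  echo:
    runs-on: ubuntu-latest
    steps:
      - env:
          ACTIONS_ALLOW_UNSECURE_COMMANDS: true
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          echo "$ISSUE_TITLE"
"""

# Constructed sample: the secure example from the page (setting removed).
SECURE_WORKFLOW = """\
on: issues
jobs:
  echo:
    runs-on: ubuntu-latest
    steps:
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          echo "$ISSUE_TITLE"
"""

# An env entry enabling the deprecated commands. Indentation is ignored so
# workflow-, job- and step-level `env:` blocks are all caught. Only the value
# `true` (the value the runner compares against) is flagged here.
_ENABLE_RE = re.compile(
    r'^\s*ACTIONS_ALLOW_UNSECURE_COMMANDS\s*:\s*["\']?true["\']?\s*(#.*)?$',
    re.IGNORECASE,
)

# Expression contexts carrying text a third party controls (assumed list).
_UNTRUSTED_RE = re.compile(
    r'\$\{\{[^}]*github\.event\.'
    r'(issue|pull_request|comment|review|discussion|head_commit|commits)\b[^}]*\}\}'
)

# A deprecated workflow command as it would appear in step output:
#   ::set-env name=VAR::value      ::add-path::/some/dir
_COMMAND_RE = re.compile(r'^::(set-env|add-path)(?:\s+[^:]*)?::(.*)$')


def find_unsecure_commands(workflow_text: str) -> List[int]:
    """1-based line numbers that enable the deprecated workflow commands."""
    return [n for n, line in enumerate(workflow_text.splitlines(), 1)
            if _ENABLE_RE.match(line)]


def find_untrusted_inputs(workflow_text: str) -> List[int]:
    """1-based line numbers that interpolate event-supplied (untrusted) text."""
    return [n for n, line in enumerate(workflow_text.splitlines(), 1)
            if _UNTRUSTED_RE.search(line)]


def lint(workflow_text: str) -> List[str]:
    """One finding per enabling line; severity rises when untrusted input is also used."""
    untrusted = find_untrusted_inputs(workflow_text)
    severity = "high" if untrusted else "medium"
    return [
        f"line {n}: ACTIONS_ALLOW_UNSECURE_COMMANDS enabled "
        f"(severity {severity}; untrusted inputs on lines {untrusted or 'none'})"
        for n in find_unsecure_commands(workflow_text)
    ]


def deprecated_command(log_line: str) -> Optional[str]:
    """Return 'set-env' or 'add-path' if the log line is one of those commands, else None."""
    match = _COMMAND_RE.match(log_line.strip())
    return match.group(1) if match else None


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_WORKFLOW), ("secure", SECURE_WORKFLOW)):
        print(name, lint(text) or "no findings")
```

Run the file directly to lint both embedded samples; in a repository, feed each file under .github/workflows to lint() and treat any finding as a failure, and run deprecated_command() over archived step logs to spot places where the commands were already being emitted.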