# GitHub Actions - Unsecure Commands
Avoid insecure commands in GitHub Actions workflows to reduce the risk of injection attacks or accidental execution of attacker-supplied scripts. Quote, validate, and handle all inputs securely in workflow files.
## Examples
### Insecure Example

Using unquoted or improperly validated inputs can lead to injection attacks:

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Run unsecure script
        run: echo $INPUT_PARAMETER
```

If `INPUT_PARAMETER` contains malicious code (e.g., `$(rm -rf /)`), it could execute unintended commands.
### Secure Example

Validate inputs, pass them to the shell through an environment variable, and quote the expansion so the value is handled as data rather than as part of the script:

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Run secure script
        env:
          PARAMETER: ${{ github.event.inputs.parameter }}
        run: echo "$PARAMETER"
```

The runner expands `${{ }}` expressions textually before the shell ever parses the `run:` script, so writing the expression directly inside `run:` (even between quotes) lets an input containing shell metacharacters change the command. Routing the value through `env:` ensures only the expected value is passed to the command, and the shell never interprets it as code.
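The following check is an added example, not code from the original page or from GitHub: a small dependency-free scanner that walks a workflow file, collects every line handed to the shell by a `run:` step (inline values and `|`/`>` block scalars), and flags `${{ }}` expressions that read contexts an outside contributor can influence. The list of untrusted contexts follows GitHub's security-hardening guidance and is a starting point rather than an exhaustive catalogue. A second helper mimics the runner's textual substitution to show why quoting around an expression does not protect the script. The sample workflow and the payload string are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Expression contexts whose values an outside contributor can influence
# (issue/PR titles and bodies, comments, branch names, commit messages,
# workflow_dispatch inputs). Drawn from GitHub's security-hardening guidance.
UNTRUSTED_CONTEXTS = (
    r"github\.event\.issue\.(title|body)",
    r"github\.event\.pull_request\.(title|body)",
    r"github\.event\.comment\.body",
    r"github\.event\.review\.body",
    r"github\.event\.review_comment\.body",
    r"github\.event\.pages\.[^.]+\.page_name",
    r"github\.event\.commits\.[^.]+\.message",
    r"github\.event\.commits\.[^.]+\.author\.(email|name)",
    r"github\.event\.head_commit\.message",
    r"github\.event\.head_commit\.author\.(email|name)",
    r"github\.event\.pull_request\.head\.(ref|label)",
    r"github\.event\.pull_request\.head\.repo\.default_branch",
    r"github\.head_ref",
    r"github\.event\.inputs\.\w+",
    r"inputs\.\w+",
)
UNTRUSTED_RE = re.compile(r"^(?:" + "|".join(UNTRUSTED_CONTEXTS) + r")$")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def collect_run_lines(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, text) for every line of script a `run:` step
    hands to the shell. Inline values and `|` / `>` block scalars are
    recognised by indentation, so no YAML library is needed."""
    lines = workflow_text.splitlines()
    out: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3).strip()
        if value in ("|", "|-", "|+", ">", ">-", ">+"):
            i += 1
            # Block scalar: every following line indented deeper than `run`
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip()) > key_col
            ):
                if lines[i].strip():
                    out.append((i + 1, lines[i].strip()))
                i += 1
            continue
        out.append((i + 1, value))
        i += 1
    return out


def find_expression_injections(workflow_text: str) -> List[Tuple[int, str]]:
    """Flag `${{ ... }}` expressions inside run: scripts that read an
    attacker-influenced context. Returns (line_number, expression)."""
    findings: List[Tuple[int, str]] = []
    for line_no, text in collect_run_lines(workflow_text):
        for expr in EXPR_RE.findall(text):
            if UNTRUSTED_RE.match(expr):
                findings.append((line_no, expr))
    return findings


def render_as_runner_would(script: str, values: Dict[str, str]) -> str:
    """Mimic the runner: `${{ }}` is replaced textually *before* the shell
    parses the script, so quotes around the expression offer no protection."""
    return EXPR_RE.sub(lambda m: values.get(m.group(1), ""), script)


# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on:
  workflow_dispatch:
    inputs:
      parameter:
        required: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Unsafe, expression pasted into the script
        run: echo "${{ github.event.inputs.parameter }}"
      - name: Unsafe block scalar
        run: |
          echo "title: ${{ github.event.issue.title }}"
          echo "actor: ${{ github.actor }}"
      - name: Safe, value reaches the shell as data
        env:
          PARAMETER: ${{ github.event.inputs.parameter }}
        run: echo "$PARAMETER"
"""

if __name__ == "__main__":
    for line_no, expr in find_expression_injections(SAMPLE_WORKFLOW):
        print(f"line {line_no}: untrusted expression in run: ${{{{ {expr} }}}}")
    # Constructed payload: closes the quote, runs a harmless echo, reopens it.
    payload = '"; echo injected; echo "'
    print(render_as_runner_would('echo "${{ github.event.inputs.parameter }}"',
                                 {"github.event.inputs.parameter": payload}))
```

Run against the sample, the scanner reports lines 12 and 15 and stays silent on the `env:`-based step, which is the shape the secure example above recommends; `github.actor` is left alone because it is not in the untrusted list. The rendered script shows the quoted expression collapsing into three separate commands, which is the behaviour a reviewer should expect whenever an expression sits directly inside `run:`.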