To prevent command injection in GitHub Actions workflows, avoid directly interpolating untrusted data into shell commands. Instead, use environment variables to safely pass untrusted data without risk of code execution.
The recommended approach is to assign untrusted data to environment variables using the env key, then reference these variables using standard shell variable syntax ($VARIABLE_NAME or ${VARIABLE_NAME}) rather than GitHub's expression syntax (${{ … }}).
Noncompliant code example
The following GitHub Action is vulnerable to command injections as it uses untrusted input directly in a run command:
name: Example
on:
  pull_request:
    branches: [ main ]
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - name: Example Step
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}" # Noncompliant
Compliant solution
name: Example
on:
  pull_request:
    branches: [ main ]
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - name: Example Step
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
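The noncompliant and compliant workflows above differ only in whether the expression is expanded inside the run script or first bound to an environment variable. The following added example (not part of the rule page or of any GitHub tooling) is a small standard-library Python scanner that detects the noncompliant shape: it locates every run: value in a workflow file and reports any ${{ … }} expression there that reads an attacker-influenced context. The two embedded workflows are constructed copies of the page's examples (the compliant one gains one extra step using github.sha to show a non-flagged expression); the list of prefixes treated as untrusted (github.event., github.head_ref, inputs.) is an assumption of this example, not something the page states.

```python
"""Added example: flag GitHub expression syntax (``${{ ... }}``) expanded
directly inside ``run:`` scripts, the command-injection pattern the rule
describes. Standard library only; not the rule's own implementation."""
import re
from typing import List, Tuple

# Constructed workflows mirroring the page's noncompliant and compliant examples.
NONCOMPLIANT = """\
name: Example
on:
  pull_request:
    branches: [ main ]
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - name: Example Step
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
"""

COMPLIANT = """\
name: Example
on:
  pull_request:
    branches: [ main ]
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - name: Example Step
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
      - run: echo "commit ${{ github.sha }}"
"""

RUN_KEY_RE = re.compile(r"^(?P<indent>\s*)(?P<dash>-\s+)?run:\s*(?P<value>.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*(?P<expr>.*?)\s*\}\}")

# Assumption (not stated on the page): contexts filled from the triggering
# event payload or from workflow inputs are attacker-influenced; expressions
# starting with these prefixes are treated as untrusted.
UNTRUSTED_PREFIXES = ("github.event.", "github.head_ref", "inputs.")


def is_untrusted(expr: str) -> bool:
    """True if the expression reads a context treated as untrusted above."""
    return expr.startswith(UNTRUSTED_PREFIXES)


def extract_run_lines(workflow: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, text) for every line that belongs to a
    ``run:`` value.

    A line-oriented reader is used instead of a YAML library so the example
    runs offline. It handles the two shapes seen in workflows: an inline
    ``run: cmd`` and a block scalar ``run: |`` whose body is every following
    non-blank line indented deeper than the ``run`` key itself.
    """
    lines = workflow.splitlines()
    found: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        value = m.group("value").strip()
        # Column of the ``run`` key; for ``- run:`` the dash is part of the prefix.
        key_col = len(m.group("indent")) + len(m.group("dash") or "")
        if value.startswith(("|", ">")):
            j = i + 1
            while j < len(lines):
                line = lines[j]
                indent = len(line) - len(line.lstrip())
                if line.strip() and indent <= key_col:
                    break  # back at the key's level: the block scalar has ended
                found.append((j + 1, line))
                j += 1
            i = j
        else:
            found.append((i + 1, value))
            i += 1
    return found


def find_injections(workflow: str) -> List[Tuple[int, str]]:
    """Report (line number, expression) for each untrusted ``${{ }}`` context
    expanded directly inside a ``run:`` script."""
    return [
        (lineno, m.group("expr"))
        for lineno, text in extract_run_lines(workflow)
        for m in EXPR_RE.finditer(text)
        if is_untrusted(m.group("expr"))
    ]


if __name__ == "__main__":
    for label, wf in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(label, find_injections(wf))
```

Running the module reports the echo line of the noncompliant workflow and nothing for the compliant one: the env-bound expression sits under env:, not under run:, and the shell then receives the title as the literal value of $PR_TITLE rather than as part of the command text. The scanner is deliberately narrow (it does not parse arbitrary YAML), so in a real pipeline it belongs beside, not instead of, a proper workflow linter.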