| Field | Value |
|---|---|
| Category | CICD-SEC-1 |
| Severity | MEDIUM |
| Confidence | MEDIUM |
| Persona | pedantic |
| OWASP | CICD-SEC-1: Insufficient Flow Control |
| Auto-fix | ✗ |
What the check does
Flagscontains('…literal…', <context>) where the first argument is a literal
string haystack and the second is an attacker-influenceable context — a branch
ref, PR label, title, and so on.
Why it matters
contains(haystack, needle) performs a substring test when the haystack is
a string. If the needle is attacker-controlled, a crafted value that happens to
be a substring of the haystack satisfies the check: