| Field | Value |
|---|---|
| Category | CICD-SEC-4 |
| Severity | MEDIUM |
| Confidence | MEDIUM |
| Persona | pedantic |
| OWASP | CICD-SEC-4: Poisoned Pipeline Execution |
| Auto-fix | ✗ |
What the check does
Flags two obfuscation patterns that hide what a workflow actually does from a reviewer (and from pattern-based scanners):- Index-notation context access —
github['event']['issue']['title']instead of the dottedgithub.event.issue.title. - Decode-and-execute — piping
base64 -d/certutil -decodeoutput straight into a shell.
Why it matters
Obfuscation is a common way to smuggle an injection sink or untrusted code past review. Index notation defeats a reviewer grepping forgithub.event, and
decode-and-execute hides the real payload entirely:
Safe alternative
Use dotted context access so sinks are visible, and run decoded content from a committed, reviewable file rather than decoding-and-executing inline. Route untrusted input through anenv: var, never straight into the shell (see
CICD-SEC-4 shell injection).