> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-4 — Obfuscated expression or run script

> Index-notation context access and decode-and-execute chains hide untrusted-input flow from review.

| Field      | Value                                                                                                                                        |
| ---------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| Category   | `CICD-SEC-4`                                                                                                                                 |
| Severity   | **MEDIUM**                                                                                                                                   |
| Confidence | MEDIUM                                                                                                                                       |
| Persona    | pedantic                                                                                                                                     |
| OWASP      | [CICD-SEC-4: Poisoned Pipeline Execution](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution) |
| Auto-fix   | ✗                                                                                                                                            |

## What the check does

Flags two obfuscation patterns that hide what a workflow actually does from a
reviewer (and from pattern-based scanners):

* **Index-notation context access** — `github['event']['issue']['title']`
  instead of the dotted `github.event.issue.title`.
* **Decode-and-execute** — piping `base64 -d` / `certutil -decode` output
  straight into a shell.

## Why it matters

Obfuscation is a common way to smuggle an injection sink or untrusted code past
review. Index notation defeats a reviewer grepping for `github.event`, and
decode-and-execute hides the real payload entirely:

```yaml theme={null}
steps:
  - run: echo "${{ github['event']['issue']['title'] }}"   # ← hidden injection sink
  - run: echo aGVsbG8= | base64 -d | bash                  # ← hidden payload
```

## Safe alternative

Use dotted context access so sinks are visible, and run decoded content from a
committed, reviewable file rather than decoding-and-executing inline. Route
untrusted input through an `env:` var, never straight into the shell (see
[CICD-SEC-4 shell injection](/rules/cicd-sec-4)).
