Hi Team, one comment, possible run-shell-injection severity high at .github/workflows/build.yml line 187. Using variable interpolation with GitHub context data in a run: step could allow an attacker to inject their own code into the runner. GitHub context data can have user input and should be treated as untrusted. Alternatively, you can use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Also, be sure to use double-quotes with the environment variable, like: "$ENVVAR".
Originally posted by @dv4harr10 in cisagov/client-cert-update#53 (comment)
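A minimal check for the pattern flagged above, as an added example that is not part of the original comment or the repository's own code: it scans workflow text line by line (an assumption; it is not a full YAML parser) and reports `${{ github.* }}` expressions expanded directly inside `run:` scripts. The sample workflow, its step names and `PR_TITLE` are constructed for illustration.

```python
import re

# ${{ github.<...> }} expressions; per the comment above, treat all as untrusted.
GITHUB_EXPR = re.compile(r"\$\{\{\s*(github\.[^}]*?)\s*\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")

def find_run_interpolation(workflow_text):
    """Return (line_number, expression) pairs for GitHub context
    expressions expanded directly inside run: scripts."""
    findings = []
    run_col = None  # column of the run: key while inside its block scalar
    for number, line in enumerate(workflow_text.splitlines(), 1):
        if run_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= run_col:
                run_col = None  # dedent: the script block has ended
            else:
                findings += [(number, e) for e in GITHUB_EXPR.findall(line)]
                continue
        match = RUN_KEY.match(line)
        if not match:
            continue
        rest = match.group(1)
        if rest[:1] in ("|", ">"):
            run_col = line.index("run:")  # multi-line script follows
        else:
            findings += [(number, e) for e in GITHUB_EXPR.findall(rest)]
    return findings

# Constructed sample: the first step interpolates context data into the
# script; the second passes it through env: and quotes the variable.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Unsafe
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
      - name: Safe
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Title: $PR_TITLE"
"""

if __name__ == "__main__":
    for number, expr in find_run_interpolation(SAMPLE):
        print(f"line {number}: {expr} is interpolated into a run: script")
```

Only the first step is reported: the `env:` mapping in the second step is not shell text, so the expression there is assigned as data and the script reads it as `"$PR_TITLE"`.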