iac/actions/gha-script-injection
Shell step interpolates GitHub event data
Severity: high · Category: GitHub Actions · Rule group: iac-actions
What it detects
`run:` steps that embed `${{ github.event.* }}` values (issue titles, PR bodies, commit messages) have the expression substituted into the script text before the shell ever parses it, so whatever an attacker can put in that field is parsed as shell code.
Remediation
Pass the value through `env:` and reference it inside the script as `"$FIELD"`; the shell then sees only a quoted variable value, subject to normal shell quoting, never code.
How it runs
Run against `.github/workflows/*.yml` files. Targets the published patterns behind real-world breaches (GhostAction, s1ngularity, tj-actions/changed-files).
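As an added example (not the rule's own implementation), a small Python scanner that applies the check described above and under Remediation to a constructed workflow: it flags `${{ github.event.* }}` expansions found inside `run:` scripts, inline or block scalar, and ignores the same value when it is passed through `env:`. The `triage` job, the step names and the `TITLE` variable are constructed for the sample.

```python
import re

# Constructed sample workflow (not from any real repository). Step 1 expands an attacker-
# controlled issue title straight into the shell; step 2 passes it via env: and quotes "$TITLE".
SAMPLE_WORKFLOW = """\
name: triage
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: echo "New issue: ${{ github.event.issue.title }}"
      - name: safe
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
"""

# A GitHub expression reading anything under github.event.*
EVENT_EXPR = re.compile(r"\$\{\{\s*github\.event\.[^}]*\}\}")
# A `run:` key, optionally as the first key of a list item ("- run:")
RUN_KEY = re.compile(r"^(?P<pre>\s*(?:-\s+)?)run:\s*(?P<val>.*)$")

def find_injections(workflow_text):
    """Return [(line_no, expression)] for every github.event.* expansion inside a run:
    script (inline or block scalar). env: values are not scanned: they arrive as data."""
    hits = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group("pre"))          # column of the `run` key itself
        body = [(i + 1, m.group("val"))]
        if m.group("val").lstrip()[:1] in ("|", ">"):   # block scalar: take indented lines
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or len(lines[j]) - len(lines[j].lstrip()) > key_col):
                body.append((j + 1, lines[j]))
                j += 1
            i = j
        else:
            i += 1
        for line_no, text in body:
            hits.extend((line_no, e) for e in EVENT_EXPR.findall(text))
    return hits
```

Running `find_injections(SAMPLE_WORKFLOW)` reports only the inline `run:` on line 8; the `env:`-backed step produces no finding.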
Found a false positive or want this rule tuned? File an issue. You can also suppress it per-repo via a `.repoguardignore` line.