Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS not set to true on environment variables

GHA workflows can run deprecated commands set-env and add-path using GitHub Actions' ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable. It is not recommended to use these commands due to their vulnerability to credential theft and code injection.

Suggest Edits

Risk Level: medium
Platform: Github
Spectral Rule ID: GHAC002

REMEDIATION

In job change env.ACTIONS_ALLOW_UNSECURE_COMMANDS to 'false'

Read more:

Updated 7 months ago