Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS is not set to true in environment variables
GitHub Actions (GHA) workflows can run the deprecated set-env and add-path commands when the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is used to enable them. Using these commands is not recommended because they are vulnerable to credential theft and code injection.
Risk Level: medium
Platform: GitHub
Spectral Rule ID: GHAC002
REMEDIATION
In the job, change env.ACTIONS_ALLOW_UNSECURE_COMMANDS to 'false'.
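A line-based check for this setting, as an added example (it is not Spectral's implementation of GHAC002): it flags the variable when set to true at any env level and any remaining ::set-env / ::add-path commands in run steps. The function name, finding labels and sample workflow are constructed for illustration; treating any value other than a literal true or false as "review" is an assumption.

```python
import re

# Matches an env entry such as `ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'`
# at workflow, job or step level; a trailing YAML comment is tolerated.
ENV_RE = re.compile(
    r"""^\s*["']?ACTIONS_ALLOW_UNSECURE_COMMANDS["']?\s*:\s*(?P<val>.*?)\s*(?:\s#.*)?$"""
)
# Deprecated workflow commands that the variable re-enables.
CMD_RE = re.compile(r"::(set-env|add-path)\b")

def scan_workflow(text):
    """Return (line_number, finding) tuples for one workflow file's text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line YAML comment
        match = ENV_RE.match(line)
        if match:
            value = match.group("val").strip("\"'").lower()
            if value == "true":
                findings.append((number, "unsecure-commands-enabled"))
            elif value != "false":  # e.g. an expression; undecidable statically
                findings.append((number, "unsecure-commands-review"))
        for cmd in CMD_RE.findall(line):
            findings.append((number, "deprecated-command:" + cmd))
    return findings

# Constructed sample workflow, not taken from a real repository.
SAMPLE = """\
on: push
jobs:
  legacy:
    runs-on: ubuntu-latest
    env:
      ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'
    steps:
      - run: echo "::set-env name=VERSION::1.2.3"
      - run: echo "::add-path::$HOME/bin"
  fixed:
    runs-on: ubuntu-latest
    env:
      ACTIONS_ALLOW_UNSECURE_COMMANDS: 'false'  # remediated
    steps:
      - run: echo "VERSION=1.2.3" >> "$GITHUB_ENV"
"""

if __name__ == "__main__":
    for number, finding in scan_workflow(SAMPLE):
        print(f"line {number}: {finding}")
```

The fixed job writes to the GITHUB_ENV environment file, which is GitHub's supported replacement for set-env.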