Ensure run commands are not vulnerable to shell injection

Protect your code from potentially risky references to third-party variables. If you use these as input to an API call, you should avoid it.

github.event.issue.title
github.event.issue.body
github.event.pull_request.title
github.event.pull_request.body
github.event.comment.body
github.event.review.body
github.event.review_comment.body
github.event.pages.*.page_name
github.event.commits.*.message
github.event.head_commit.message
github.event.head_commit.author.email
github.event.head_commit.author.name
github.event.commits.*.author.email
github.event.commits.*.author.name
github.event.pull_request.head.ref
github.event.pull_request.head.label
github.event.pull_request.head.repo.default_branch
github.head_ref

Risk Level: medium
Platform: Github
Spectral Rule ID: GHAC013

REMEDIATION

Remove the suspicious command

Read more:

https://securitylab.github.com/research/github-actions-untrusted-input/

Updated over 1 year ago