Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn’t true on environment variables
Description
This policy checks whether the 'ACTIONS_ALLOW_UNSECURE_COMMANDS' environment variable is set to 'true' in GitHub Actions jobs. Enabling this variable allows the use of unsecure workflow commands, which poses a security risk. Make sure the variable is not enabled: set it to 'false' or remove it entirely to prevent the use of unsecure commands and reduce the risk of a security breach.
Code Example
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        env:
          # Remove or set ACTIONS_ALLOW_UNSECURE_COMMANDS to false
          ACTIONS_ALLOW_UNSECURE_COMMANDS: 'false'
```
Remediation
Remove or set 'ACTIONS_ALLOW_UNSECURE_COMMANDS' to 'false' in the job's environment variables.
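To show the detection side of this rule, the following is an added example and not the rule's own implementation: a Python function that walks a parsed workflow (the constructed dict stands in for the output of a YAML loader) and reports every `env` block that enables the variable. Because the value reaches the runner as an environment-variable string, both the YAML boolean `true` and the quoted strings 'true' / 'True' count as enabled; the function also checks the workflow-level `env`, which the rule's listed scopes (jobs and steps) do not cover.

```python
"""Added example, not the rule's own implementation: flag every `env` block in a
parsed GitHub Actions workflow that enables ACTIONS_ALLOW_UNSECURE_COMMANDS."""

VAR = "ACTIONS_ALLOW_UNSECURE_COMMANDS"


def is_enabled(value) -> bool:
    """The variable reaches the runner as a string, so the YAML boolean `true` and
    the quoted strings 'true' / 'True' all enable the unsecure commands."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_unsecure_commands(workflow: dict) -> list:
    """Return dotted paths of the env blocks that enable the variable. Besides the
    job and step scopes the rule covers, the workflow-level `env` is checked too,
    since every job inherits it."""
    findings = []
    scopes = [("env", workflow.get("env"))]
    for job_name, job in (workflow.get("jobs") or {}).items():
        if not isinstance(job, dict):
            continue
        scopes.append((f"jobs.{job_name}.env", job.get("env")))
        for idx, step in enumerate(job.get("steps") or []):
            if isinstance(step, dict):
                scopes.append((f"jobs.{job_name}.steps[{idx}].env", step.get("env")))
    for path, env in scopes:
        if isinstance(env, dict) and is_enabled(env.get(VAR)):
            findings.append(path)
    return findings


# Constructed sample: the parsed form of a workflow that enables the variable at
# job level (YAML boolean) and in one step (quoted string), and disables it in another.
SAMPLE_WORKFLOW = {
    "jobs": {
        "build": {"runs-on": "ubuntu-latest", "env": {VAR: True},
                  "steps": [{"uses": "actions/checkout@v3"}]},
        "test": {"runs-on": "ubuntu-latest",
                 "steps": [{"run": "make test", "env": {VAR: "True"}},
                           {"run": "make lint", "env": {VAR: "false"}}]},
    }
}

if __name__ == "__main__":
    for path in find_unsecure_commands(SAMPLE_WORKFLOW):
        print(f"{VAR} is enabled at {path}")
```

Running the block on the constructed sample reports `jobs.build.env` and `jobs.test.steps[0].env`; the step that sets the variable to 'false' is not flagged.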
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1024 |
| Severity | MEDIUM |
| IaC Type | github_actions |
| Frameworks | jobs, jobs.*.steps[] |
| Checkov ID | CKV_GHA_1 |