
Ensure run commands are not vulnerable to shell injection

Description

This policy checks whether GitHub Actions run commands are vulnerable to shell injection attacks. Shell injection occurs when an attacker is able to inject malicious commands into a system, potentially allowing them to execute arbitrary code. This is particularly dangerous in CI/CD pipelines like GitHub Actions, where access to sensitive resources and credentials may be available. By ensuring run commands are not vulnerable to shell injection, the risk of a security breach can be significantly reduced.

Code Example

```yaml
jobs:
  build:  # job name is illustrative; the policy inspects the steps below
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run script
        run: |
          # Use parameterized commands or avoid user-controlled input
          echo 'Hello World'
```

Remediation

Ensure run commands do not include user-controlled input, or use parameterized commands, to prevent shell injection.
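As an added illustration of the remediation above (example code written for this page, not part of the policy or of Checkov's implementation): a small line-based scanner that flags run scripts embedding expressions from contexts an outside party can influence, run over a constructed vulnerable step and its hardened counterpart, which moves the value into an environment variable and quotes it. The untrusted-context list is a heuristic assumption, not Checkov's exact rule.

```python
import re

# Constructed sample: a run step that interpolates untrusted event data straight into the shell.
VULNERABLE = """\
steps:
  - name: Echo issue title
    run: echo "Issue: ${{ github.event.issue.title }}"
"""

# Constructed sample: the same step hardened by passing the value through an
# environment variable and quoting it, so the shell never parses the title as code.
HARDENED = """\
steps:
  - name: Echo issue title
    env:
      TITLE: ${{ github.event.issue.title }}
    run: |
      echo "Issue: $TITLE"
"""

RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
EXPRESSION = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
# Heuristic set of contexts an outside party can influence (an assumption, not Checkov's list).
UNTRUSTED = re.compile(r"^(github\.event\.|github\.head_ref$|inputs\.)")


def find_injection_risks(workflow_text):
    """Return [(line_no, expression)] for run: scripts that embed an untrusted expression."""
    findings = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2)
        script = []  # (line_no, text) pairs the runner will hand to the shell
        if value.startswith(("|", ">")):
            # Block scalar: lines indented deeper than the run key belong to the script.
            i += 1
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
                script.append((i + 1, lines[i]))
                i += 1
        else:
            script.append((i + 1, value))
            i += 1
        for line_no, text in script:
            findings += [(line_no, e) for e in EXPRESSION.findall(text) if UNTRUSTED.match(e)]
    return findings
```

Scanning the vulnerable sample reports the expression on its run line; the hardened sample reports nothing, because the only shell-visible reference is the quoted `$TITLE` variable.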

Rule Details

Field        Value
ID           IAC-1025
Severity     HIGH
IaC Type     github_actions
Frameworks   jobs, jobs.*.steps[]
Checkov ID   CKV_GHA_2

References