Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

GitHub Actions static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your GITHUB ACTIONS code

ACTIONS_ALLOW_UNSECURE_COMMANDS should not be used

responsibility - trustworthy

security

Vulnerability

Why is this an issue?

How can I fix it?

More Info

GitHub Actions workflows support special workflow commands that allow workflows to interact with the runner. These commands can be invoked by printing specially crafted messages to the standard output. For example, ::set-mask can be used to mask sensitive values in the workflow logs and ::error to terminate execution with a useful error message.

Two of such commands, ::set-env and ::add-path, allow setting arbitrary environment variables and modifying the system PATH for the subsequent workflow steps. In 2020, these commands were deprecated and disabled by default due to security concerns. However, ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable can still be used to re-enable them.

If this environment variable is set, the runner will process ::set-env and ::add-path commands printed to the standard output. If an adversary can influence the content printed to the standard output (e.g., by injecting something into the build logs), they could use these commands to manipulate the runtime environment.

What is the potential impact?

When user-supplied values are used to manipulate environment variables, an attacker can supply carefully chosen values that cause the system to behave unexpectedly. This can be used to execute arbitrary commands as well as affect the behavior of other tools and scripts executed after the injection point. In most cases, this leads to arbitrary code execution on the system.

It is important to note, that these commands are triggered by printing to standard output. Therefore, this issue can be exploited if an attacker can influence the output of any command executed during the workflow.

The consequences of a successful attack can be severe and far-reaching:

Information disclosure

Attackers can extract sensitive information from the runner environment, including:

Repository secrets and environment variables
Authentication tokens and API keys
Build artifacts and deployment credentials

System compromise

Successful command injection allows attackers to:

Execute arbitrary commands on the runner
Install malware or backdoors
Access other resources available to the runner

Supply chain attacks

Compromised workflows can be used to:

Inject malicious code into build artifacts
Modify dependencies or packages being published
Compromise downstream systems that consume the artifacts

Repository manipulation

Attackers may be able to:

Modify repository contents or history
Create unauthorized releases or tags
Access or modify other repositories the workflow has access to

The impact is particularly severe because GitHub Actions runners often have elevated privileges and access to sensitive resources, making them attractive targets for attackers.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted