GitHub Actions workflows can access various sources of untrusted data through the GitHub context, such as:
- Pull request titles, descriptions, and commit messages
- Issue titles and comments
- Branch names and tag names
- User-provided inputs
If this untrusted data is passed as a parameter to an invoked action and the action interpolates it directly into a shell command using GitHub’s
expression syntax (${{ … }}), the result is a script injection vulnerability. The expression is expanded textually into the step script before
the shell parses it, so an attacker who controls the content of these data sources (for example, by opening a pull request with a malicious
title) can execute arbitrary commands on the runner.
For instance, if a pull request title contains shell metacharacters like $(whoami) or ; rm -rf /, these will be executed
as commands when the workflow runs, potentially compromising the build environment or exposing sensitive information.
The risk is particularly high when untrusted data is passed as an input to an action that uses run blocks to execute shell commands, because the
step script is generated from the input value. Actions written in other languages, like JavaScript, are not directly vulnerable as long as they
do not evaluate the input the way a shell interpreter does (for example, by handing it to a shell themselves).
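The following script is an added demonstration and is not code from this page or from GitHub. It models what the Actions runner does with a run block: each ${{ … }} expression is expanded textually into the script before the shell sees it. The composite-action fragments in the comments, the input name inputs.title and the two pull request titles are constructed for the demo; the first function reproduces the vulnerable interpolation, the second the usual fix of routing the value through an environment variable.

```shell
#!/bin/sh
# Constructed demo: models how the Actions runner builds a `run:` step.
# Every ${{ ... }} expression is substituted into the script text BEFORE the
# script is handed to the shell, so metacharacters in the value become code.

# Vulnerable pattern. In a composite action this would be written as:
#   runs:
#     using: composite
#     steps:
#       - run: echo "Title: ${{ inputs.title }}"
#         shell: bash
# The runner pastes inputs.title into the script, then runs the result.
run_interpolated() {
    title=$1
    script="echo \"Title: $title\""   # the script text the shell receives
    sh -c "$script"
}

# Hardened pattern. The value travels through an environment variable, so the
# shell parses a fixed script and only ever treats $TITLE as data:
#   steps:
#     - env:
#         TITLE: ${{ inputs.title }}
#       run: echo "Title: $TITLE"
#       shell: bash
run_via_env() {
    TITLE=$1 sh -c 'echo "Title: $TITLE"'
}

# Constructed attacker-controlled pull request titles.
TITLE_SUBSHELL='$(echo INJECTED)'              # command substitution
TITLE_BREAKOUT='x"; echo BROKE-OUT; echo "'    # closes the quote, appends a command

echo "--- interpolated (vulnerable) ---"
run_interpolated "$TITLE_SUBSHELL"   # prints: Title: INJECTED
run_interpolated "$TITLE_BREAKOUT"   # prints: Title: x, then BROKE-OUT, then an empty line
echo "--- environment variable (safe) ---"
run_via_env "$TITLE_SUBSHELL"        # prints the literal text: Title: $(echo INJECTED)
run_via_env "$TITLE_BREAKOUT"        # prints the literal title; no extra command runs
```

The same substitution happens whether the expression is ${{ inputs.title }} inside the action or ${{ github.event.pull_request.title }} directly in a workflow; passing the value through with: is not the problem, interpolating it into run: is. Moving every untrusted expression into an env: entry and referencing it as a shell variable is the fix in both cases.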
What is the potential impact?
The consequences of successful parameter injection attacks in GitHub Actions can be severe and far-reaching:
Information disclosure
Attackers can extract sensitive information from the runner environment, including:
- Repository secrets and environment variables
- Authentication tokens and API keys
- Build artifacts and deployment credentials
System compromise
Successful command injection allows attackers to:
- Execute arbitrary commands on the runner
- Install malware or backdoors
- Access other resources available to the runner
Supply chain attacks
Compromised workflows can be used to:
- Inject malicious code into build artifacts
- Modify dependencies or packages being published
- Compromise downstream systems that consume the artifacts
Repository manipulation
Attackers may be able to:
- Modify repository contents or history
- Create unauthorized releases or tags
- Access or modify other repositories the workflow has access to
The impact is particularly severe because GitHub Actions runners often have elevated privileges and access to sensitive resources, making them
attractive targets for attackers.