Our OSSF scorecard workflow flagged this as a Critical security risk. Unsure of whether there is a real attack vector in our specific case. Using an environment variable to capture untrusted input in workflows is a documented security hardening best practice by GitHub as well.
This should also boost our OSSF scorecard score since we have a 0 on this check.
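The flagged pattern and the fix the PR applies, side by side, as an added illustration (this is not the repository's own workflow; the workflow name, trigger, and step names are assumed for the example, and `github.event.issue.title` stands in for whichever untrusted context the real workflow consumes):

```yaml
name: triage-example   # hypothetical workflow, not the repository's own
on:
  issues:
    types: [opened]

jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # Flagged pattern: the ${{ }} expression is expanded by the Actions
      # runner before the shell ever parses the script, so the issue title
      # becomes part of the script text itself. Shell metacharacters in the
      # title are therefore interpreted, which is what the Scorecard
      # Dangerous-Workflow check reports as a script injection risk.
      - name: Print title (flagged pattern)
        run: echo "Issue title: ${{ github.event.issue.title }}"

      # Recommended pattern: bind the untrusted value to an environment
      # variable. The script text the shell parses is only the literal
      # "$ISSUE_TITLE", so the title arrives as data and normal quoting
      # rules apply.
      - name: Print title (hardened)
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "Issue title: $ISSUE_TITLE"
```

The same rewrite applies to every attacker-influenced context used inside `run:` (pull request titles and bodies, branch names, commit messages, review comments): move the expression out of the script and into `env:`, then quote the variable in the shell. Scorecard's Dangerous-Workflow check looks for the expression inside the `run:` block, so the hardened step no longer trips it.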
References:
- Dangerous-Workflow check
- Risk of script injections
- Example script injection attack
- Recommended fix that this PR implements