Question

How you can help to reduce the risk of script injection?

Answer 1

There are several approaches ready to support you to reduce the risk of script injection:

1. Using an action rather than an inline script (recommended)

   The suggested solution is to create an action which processes the context value as an argument.

2. Using an intermediate environment variable

   The best approach for handling untrusted input in inline scripts is to set the value of the expression to an intermediate environment variable. Bash is used in the following example to process the github.event.pull_request.title value as an environment variable:

   - name: Check PR title
     env:
      TITLE: ${{ github.event.pull_request.title }}
        run: |
         if [[ "$TITLE" =~ ^techgeeknext ]]; then
         echo "PR title starts with 'techgeeknext'"
         exit 0
         else
         echo "PR title did not start with 'techgeeknext'"
         exit 1
         fi

3. Using CodeQL to analyze your code

   The GitHub Security Lab has created CodeQL queries that repository owners can integrate into their CI/CD pipelines to help you manage the risk of dangerous patterns as early in the development lifecycle as possible.