Will It Vibe logoWill It Vibe?
GHA-010Medium severity-8 points

Untrusted input interpolated into an if: condition

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

An if: condition substitutes attacker-controlled context inside a ${{ }} expression. Because the value is spliced into the expression text before evaluation, a crafted string can flip the condition or break out of it. This is a heuristic; verify the expression really concatenates untrusted input.

Why it matters

An if: condition that wraps untrusted context in ${{ }} splices the raw value into the expression text before it is evaluated. A crafted title or branch name can rewrite the boolean logic, letting a step run when it should not. This is a heuristic because many if: expressions compare context values safely; the risk is when untrusted input is concatenated into the expression.

How to fix it

Compare untrusted values without letting them alter the expression: reference the context as an operand (if: github.event.pull_request.user.login == 'trusted') rather than substituting it into surrounding text. Move untrusted strings into an env variable and test that, or use fromJSON and functions like contains that treat the value as data.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks