ACTIONS_ALLOW_UNSECURE_COMMANDS enabled
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
The workflow sets ACTIONS_ALLOW_UNSECURE_COMMANDS to true, re-enabling the deprecated set-env and add-path workflow commands. Those let any string printed to stdout inject environment variables or PATH entries, which is a direct code-execution vector.
Why it matters
Setting ACTIONS_ALLOW_UNSECURE_COMMANDS to true re-enables the set-env and add-path stdout commands that GitHub disabled for security. Once on, any string a step prints to stdout can inject environment variables or prepend to PATH, so any command whose output includes attacker-influenced text becomes a code-execution vector for later steps.
How to fix it
Remove the ACTIONS_ALLOW_UNSECURE_COMMANDS variable and migrate whatever needed it to the safe files: write to $GITHUB_ENV for environment variables and $GITHUB_PATH for PATH additions. Those files are the supported replacement and are not injectable from arbitrary stdout.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo