
Commit 6fd85b7

Fix template injection security issues
- Move template variables to env section to prevent code injection - Use GITHUB_REF_NAME environment variable instead of direct template - Properly isolate user inputs (fail-on-verified, fail-on-unverified) - Addresses high-severity template injection vulnerabilities
1 parent 693d1d9 commit 6fd85b7


1 file changed

+11
-7
lines changed


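--- a/.github/workflows/reusable-trufflehog-simple.yml
+++ b/.github/workflows/reusable-trufflehog-simple.yml
@@ -157,13 +157,15 @@ jobs:
 <!-- trufflehog-secret-scan-comment -->
 
 - name: Create scan report
+env:
+GITHUB_REF_NAME: ${{ github.ref_name }}
 run: |
 {
 echo "TruffleHog Scan Report"
 echo "====================="
 echo "Date: $(date)"
 echo "Repository: ${{ github.repository }}"
-echo "Branch: ${{ github.ref_name }}"
+echo "Branch: ${GITHUB_REF_NAME}"
 echo "Commit: ${{ github.sha }}"
 echo ""
 echo "Summary:"
@@ -188,20 +190,22 @@ jobs:
 retention-days: 30
 
 - name: Check failure policy
+env:
+FAIL_ON_VERIFIED: ${{ inputs.fail-on-verified }}
+FAIL_ON_UNVERIFIED: ${{ inputs.fail-on-unverified }}
+VERIFIED_COUNT: ${{ steps.scan.outputs.verified }}
+UNVERIFIED_COUNT: ${{ steps.scan.outputs.unverified }}
 run: |
-VERIFIED=${{ steps.scan.outputs.verified }}
-UNVERIFIED=${{ steps.scan.outputs.unverified }}
-
 SHOULD_FAIL=false
-if [[ "${{ inputs.fail-on-verified }}" == "true" && "${VERIFIED}" != "0" ]]; then
+if [[ "${FAIL_ON_VERIFIED}" == "true" && "${VERIFIED_COUNT}" != "0" ]]; then
 SHOULD_FAIL=true
 fi
-if [[ "${{ inputs.fail-on-unverified }}" == "true" && "${UNVERIFIED}" != "0" ]]; then
+if [[ "${FAIL_ON_UNVERIFIED}" == "true" && "${UNVERIFIED_COUNT}" != "0" ]]; then
 SHOULD_FAIL=true
 fi
 
 if [[ "${SHOULD_FAIL}" == "true" ]]; then
-echo "Workflow failed due to secrets found (verified: ${VERIFIED}, unverified: ${UNVERIFIED})"
+echo "Workflow failed due to secrets found (verified: ${VERIFIED_COUNT}, unverified: ${UNVERIFIED_COUNT})"
 exit 1
 else
 echo "No action needed - secrets within configured thresholds"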
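Review bot: The `env:` block added to the Create scan report step re-declares GITHUB_REF_NAME, which the Actions runner already exports to every step, so the two new lines are redundant, while the same run block still interpolates `${{ github.repository }}` and `${{ github.sha }}` directly into the script, which is safe today because those contexts have fixed formats but is inconsistent with the approach the commit describes. Both values also have default runner variables, so the step could drop the env block and use `echo "Repository: ${GITHUB_REPOSITORY}"` and `echo "Commit: ${GITHUB_SHA}"` for uniformity. In the Check failure policy hunk, an empty `VERIFIED_COUNT` or `UNVERIFIED_COUNT` (scan step skipped or output unset) compares unequal to "0" and fails the job; if that fail-closed behaviour is intended, a comment such as `# an empty count is treated as non-zero, so a missing scan output fails the job` above the first `if` would make it explicit. Both steps' run blocks continue past the end of their hunks.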
