False positive: dangerous-write triggers when the write value is a literal

[johnbillion]

Example:

run: |
  if git diff --quiet; then
    echo "uncommitted_changes=false" >> "$GITHUB_OUTPUT"
  else
    echo "uncommitted_changes=true" >> "$GITHUB_OUTPUT"
  fi

Octoscan incorrectly flags the lines that write to $GITHUB_OUTPUT as having a dangerous write, but they don't because they are not writing a variable, they are writing a string literal.

[Hug0Vincent]

this vulnerability is catched via regex, I can't find a way to block this pattern without blocking too much things.

There are some edge cases:

echo "uncommitted_changes=true" >> "$GITHUB_OUTPUT" && echo "other=$value" >> "$GITHUB_OUTPUT"
echo `command` >> "$GITHUB_OUTPUT"
some_command >> "$GITHUB_OUTPUT"
printf "another_key=123" >> "$GITHUB_OUTPUT"

As a temporary fix I can prevent your false positive with the following pattern:

var GitHubSafeWriteBash = regexp.MustCompile(`(?m)^\s*echo\s+["'][a-zA-Z0-9_.=\-/: ]+["']\s*>>\s*"?\$GITHUB_OUTPUT"?\s*$`)

It will block line where there is only one write with echo.

Let me know if you have more complex patterns.