From dc32d2779401c296062e14dc94cdb6664ca47930 Mon Sep 17 00:00:00 2001
From: Semgrep Autofix
Date: Tue, 17 Mar 2026 09:49:23 +0000
Subject: [PATCH] Fix shell injection vulnerability in GitHub Actions workflow

Fix a command injection vulnerability in the ShiftLeft workflow by using an environment variable instead of direct interpolation of `github.head_ref`.

## Changes

- Added `BRANCH_NAME` environment variable to safely pass `github.head_ref`
- Replaced direct `${{ github.head_ref }}` interpolation with quoted `"$BRANCH_NAME"` in the run script

## Why

Using `${{ github.head_ref }}` directly in a `run:` step is vulnerable to command injection. An attacker could create a branch with a malicious name (e.g., containing shell metacharacters or commands) that would be executed by the runner.

By passing the value through an `env:` block and using double-quoted environment variable expansion, the value is treated as data rather than code, preventing injection attacks.

## Semgrep Finding Details

Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: "$ENVVAR".

@267212124 requested Semgrep Assistant generate this pull request to fix [a finding](https://semgrep.dev/orgs/studentsca023_personal_org/findings/722169002) from the detection rule [yaml.github-actions.security.run-shell-injection.run-shell-injection](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection).

---
 .github/workflows/shiftleft.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index 9a335a00..0ab0c444 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml @@ -23,9 +23,10 @@ jobs: ${GITHUB_WORKSPACE}/sl --version ${GITHUB_WORKSPACE}/sl analyze --strict --wait \ --app shiftleft-python-demo \ - --tag branch=${{ github.head_ref }} \ + --tag branch="$BRANCH_NAME" \ --pythonsrc --container 18fgsa/s3-resource $(pwd) env: + BRANCH_NAME: ${{ github.head_ref }} SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} SHIFTLEFT_API_HOST: www.shiftleft.io SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
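Review bot: the new `env:` entry `BRANCH_NAME: ${{ github.head_ref }}` has no fallback, and the hunk does not show the workflow's `on:` triggers; `github.head_ref` is only populated for pull-request events, so if this workflow also runs on `push` the command would be sent as `--tag branch=` with an empty value. If both triggers are in use, consider `BRANCH_NAME: ${{ github.head_ref || github.ref_name }}` in the `env:` block, which keeps the expression out of the shell script either way while still tagging push builds. The quoted `--tag branch="$BRANCH_NAME"` is the correct shape for the fix; since the diffstat shows only this one `run:` line changed, it is worth sweeping the rest of the file for other `${{ ... }}` expansions inside `run:` steps so they get the same `env:` treatment.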