From 1f81dba3b70802ccb04547e600bc9c6f0d340a46 Mon Sep 17 00:00:00 2001
From: Semgrep Autofix
Date: Tue, 17 Mar 2026 09:56:58 +0000
Subject: [PATCH] Fix shell injection vulnerability in GitHub Actions workflow

Fix command injection vulnerability by moving GitHub context data to an environment variable.

## Changes

- Moved `${{ github.head_ref }}` from inline interpolation in the `run:` script to an environment variable `BRANCH_NAME` in the `env:` block
- Referenced the branch name using the double-quoted environment variable `"$BRANCH_NAME"` to prevent shell expansion issues

## Why

Direct interpolation of `${{ github.head_ref }}` in a `run:` step is vulnerable to command injection. An attacker could create a pull request from a branch with a malicious name containing shell metacharacters, which would be executed by the runner. By passing the value through an environment variable instead, the data is properly escaped and cannot break out of the intended context.

## Semgrep Finding Details

Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: "$ENVVAR".

@267212124 requested Semgrep Assistant generate this pull request to fix [a finding](https://semgrep.dev/orgs/studentsca023_personal_org/findings/722169002) from the detection rule [yaml.github-actions.security.run-shell-injection.run-shell-injection](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection).

---
 .github/workflows/shiftleft.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index 9a335a00..0ab0c444 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml @@ -23,9 +23,10 @@ jobs: ${GITHUB_WORKSPACE}/sl --version ${GITHUB_WORKSPACE}/sl analyze --strict --wait \ --app shiftleft-python-demo \ - --tag branch=${{ github.head_ref }} \ + --tag branch="$BRANCH_NAME" \ --pythonsrc --container 18fgsa/s3-resource $(pwd) env: + BRANCH_NAME: ${{ github.head_ref }} SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} SHIFTLEFT_API_HOST: www.shiftleft.io SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
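Review bot: The hunk closes the injection path correctly, but two neighbouring expansions in the same `run:` script are still unquoted: `${GITHUB_WORKSPACE}/sl` and `$(pwd)`. Neither is attacker-controlled (both are set by the runner), so this is robustness rather than a security gap, but quoting them as `"${GITHUB_WORKSPACE}/sl"` and `"$(pwd)"` keeps the step correct if the workspace path ever contains whitespace. Two further points worth recording in review: first, the mechanism that makes `BRANCH_NAME: ${{ github.head_ref }}` safe is that the expression is expanded by the runner into the step's environment before the shell starts, so the shell only ever sees the literal string `"$BRANCH_NAME"` and never parses the branch name as code; the value is not escaped, and it still reaches `sl analyze` verbatim as the `branch=` tag, so any downstream consumer of that tag must treat it as untrusted input. Second, `github.head_ref` is only populated on pull-request-triggered events, so on other triggers the step now passes `--tag branch=""`; that behaviour predates this change and is not altered by it, but it may be worth a follow-up if the tag is expected to be non-empty.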