From 1b7aed439e0f4785b2a0b99bc4477c24a0255aa9 Mon Sep 17 00:00:00 2001
From: Semgrep Autofix
Date: Tue, 17 Mar 2026 09:58:08 +0000
Subject: [PATCH] Fix shell injection vulnerability in GitHub Actions workflow

Fix command injection vulnerability by using an environment variable instead of direct interpolation of `github.head_ref` in the workflow run step.

## Changes

- Added `BRANCH_NAME` environment variable to store `github.head_ref`
- Replaced direct `${{ github.head_ref }}` interpolation with double-quoted `"$BRANCH_NAME"` in the run script

## Why

Direct interpolation of GitHub context data (like `github.head_ref`) in a `run:` step is vulnerable to command injection. An attacker could create a branch with a malicious name containing shell metacharacters to execute arbitrary commands in the runner, potentially stealing secrets and code.

By using an intermediate environment variable and double-quoting it, the value is treated as a literal string rather than being parsed by the shell, preventing injection attacks.

## Semgrep Finding Details

Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: "$ENVVAR".

@267212124 requested Semgrep Assistant generate this pull request to fix [a finding](https://semgrep.dev/orgs/studentsca023_personal_org/findings/722169002) from the detection rule [yaml.github-actions.security.run-shell-injection.run-shell-injection](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection).

---
 .github/workflows/shiftleft.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index 9a335a00..0ab0c444 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml @@ -23,9 +23,10 @@ jobs: ${GITHUB_WORKSPACE}/sl --version ${GITHUB_WORKSPACE}/sl analyze --strict --wait \ --app shiftleft-python-demo \ - --tag branch=${{ github.head_ref }} \ + --tag branch="$BRANCH_NAME" \ --pythonsrc --container 18fgsa/s3-resource $(pwd) env: + BRANCH_NAME: ${{ github.head_ref }} SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} SHIFTLEFT_API_HOST: www.shiftleft.io SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
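Review bot: The `$(pwd)` at the end of the unchanged `--pythonsrc --container 18fgsa/s3-resource $(pwd)` line is still unquoted, so while this hunk correctly moves `github.head_ref` out of the script body into `env:` and quotes it as `"$BRANCH_NAME"`, the step would still word-split on a workspace path containing whitespace; for consistency with the `${GITHUB_WORKSPACE}/sl` lines above it, `"$(pwd)"` or `"$GITHUB_WORKSPACE"` would be the safer form. The `BRANCH_NAME: ${{ github.head_ref }}` entry is the right place for the expression: expansion happens in the `env:` map, so the shell only ever sees the literal value, and the double quotes keep it from being re-parsed. Within this hunk no `${{ ... }}` interpolation remains inside the `run:` script, so the finding itself is resolved.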