
Add security workflows #21

Triggered via pull request (synchronize) #6 from branch security, November 28, 2025 14:27, by @maxammann
Status: Success
Total duration: 26s
Artifacts: none listed

Workflow: security-pr.yml (Required), on: pull_request
Job: semgrep-oss/scan (23s)

Annotations

4 errors, all from the Semgrep rule run-shell-injection:
  .github/actions/zizmor-action/action.yml#L34
  .github/actions/zizmor-action/action.yml#L21
  .github/actions/semgrep-action/action.yml#L49
  .github/actions/semgrep-action/action.yml#L35

Message (identical for all four findings): Using variable interpolation ... with github context data in a run step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env to store the data and use the environment variable in the run script. Be sure to double-quote the environment variable, like this: "$ENVVAR".
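Why the rule fires, as an added demonstration that is not code from this PR, from Semgrep, or from the flagged action.yml files (whose lines are not shown on this page): the Actions runner substitutes ${{ ... }} expressions into the text of a run script before the shell parses it, so any quote or semicolon in attacker-controlled context data becomes shell syntax. Passing the same value through env instead hands it to the shell as data. The script below emulates both paths in POSIX sh. The PR title value is constructed, github.event.pull_request.title is used only as a stand-in for whichever context field the flagged lines interpolate, and run_interpolated, run_via_env and was_injected are names chosen for this example.

```shell
#!/bin/sh
# Added demonstration, not code from this PR, from Semgrep, or from the flagged
# action.yml files. Emulates how a `run:` step is built: `${{ ... }}` is spliced
# into the script TEXT before the shell sees it, whereas `env:` delivers the same
# value as an environment variable that the shell treats as data.

# Constructed attacker-controlled value, standing in for
# github.event.pull_request.title (the actual flagged lines are not on the page).
PR_TITLE='harmless"; echo INJECTED; echo "'

# Flagged pattern (what run-shell-injection matches):
#   - run: echo "${{ github.event.pull_request.title }}"
# The runner substitutes the value into the script text; the attacker's closing
# quote and semicolons then terminate the echo and start a new command.
run_interpolated() {
  rendered="echo \"$1\""   # textual substitution, as the runner performs it
  sh -c "$rendered"        # the shell now parses attacker-supplied syntax
}

# Remediated pattern (what the rule message prescribes):
#   - env:
#       TITLE: ${{ github.event.pull_request.title }}
#     run: echo "$TITLE"
# The script text is fixed; the value reaches the shell only via the environment,
# and the double quotes keep it a single word (no globbing or word splitting).
run_via_env() {
  TITLE="$1" sh -c 'echo "$TITLE"'
}

# Returns 0 when running the given step function with the given value executed
# the injected command, i.e. a line consisting solely of INJECTED was printed.
was_injected() {
  "$1" "$2" | grep -qx INJECTED
}

# Stand-alone usage: the vulnerable path prints three lines (the second being
# INJECTED); the env path prints the title back verbatim on one line.
echo "--- interpolated (vulnerable) ---"
run_interpolated "$PR_TITLE"
echo "--- env (safe) ---"
run_via_env "$PR_TITLE"
```

The same emulation explains the "double-quote" clause of the message: with env in place, an unquoted $TITLE can no longer inject a command, but it is still subject to word splitting and glob expansion, so "$ENVVAR" is the form to use.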