Workflows should not use insecure commands

ID

cicd_deprecated_command

Severity

high

Family

CI/CD Security

Tags

cicd-security, reachable, security, supply-chain

Description

GitHub Actions has workflow commands such as 'add-path' and 'set-env' that were deprecated because of security vulnerabilities in how they are used. Since they are deprecated and insecure, workflows should no longer use them.

Security

GitHub has deprecated both commands, and although they can still be used, switching to GitHub environment files is recommended.

  • The 'add-path' command has a path injection vulnerability.

  • The 'set-env' command has a potential environment variable injection vulnerability.

Mitigation / Fix

Ensure that workflows do not use the deprecated 'set-env' and 'add-path' commands; write to GitHub environment files instead.
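The following shell script is an added example, not code from the original rule page or from GitHub. It shows, side by side, a constructed workflow step that uses the deprecated `::set-env` / `::add-path` commands and the equivalent step that appends to the `$GITHUB_ENV` and `$GITHUB_PATH` environment files, and it defines two small checks that scan workflow files for the deprecated commands so the rule can be enforced locally or in CI. The file names, directory and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original rule page): detect the deprecated
# GitHub Actions workflow commands `::set-env` and `::add-path` in workflow
# files and show the environment-file replacement. Workflow snippets, paths
# and function names below are constructed for illustration.
set -e

WORKDIR="${TMPDIR:-/tmp}/gha-deprecated-demo.$$"
mkdir -p "$WORKDIR"

# Constructed workflow that still uses the deprecated commands (what the
# rule flags). Quoted heredoc: nothing is expanded when writing the file.
cat > "$WORKDIR/insecure.yml" <<'EOF'
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "::set-env name=APP_VERSION::1.2.3"
      - run: echo "::add-path::$HOME/.local/bin"
EOF

# The same workflow rewritten to use GitHub environment files instead.
cat > "$WORKDIR/fixed.yml" <<'EOF'
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "APP_VERSION=1.2.3" >> "$GITHUB_ENV"
      - run: echo "$HOME/.local/bin" >> "$GITHUB_PATH"
EOF

# Count lines in one workflow file that invoke a deprecated command.
# Prints the count (0 when the file is clean); always exits 0.
count_deprecated_commands() {
    grep -c -E '::(set-env|add-path)' "$1" || true
}

# Scan every *.yml / *.yaml file under a directory and print each
# offending line as file:line:text. Returns 1 if anything was found,
# so the function can be used to gate a CI job.
check_workflows() {
    found=$(find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) \
        -exec grep -n -E '::(set-env|add-path)' /dev/null {} + || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Remove the constructed files once the demonstration is finished.
cleanup_demo() {
    rm -rf "$WORKDIR"
}

echo "insecure.yml deprecated command uses: $(count_deprecated_commands "$WORKDIR/insecure.yml")"
echo "fixed.yml deprecated command uses: $(count_deprecated_commands "$WORKDIR/fixed.yml")"
check_workflows "$WORKDIR" || echo "deprecated workflow commands found; replace them with environment files"
```

Run the script as-is to see the two counts and the file:line report; point `check_workflows` at a repository's `.github/workflows` directory to use it as a pre-merge gate. The pattern matches the `::command` syntax only, so a literal mention of the word "set-env" in a comment or a step name is not reported.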