| Field | Value |
|---|---|
| Category | CICD-SEC-1 |
| Severity | HIGH |
| Confidence | HIGH |
| OWASP | CICD-SEC-1: Insufficient Flow Control |
| Auto-fix | ✓ (when the literal text between blocks is pure boolean glue) |
What the check does
Flags anif: value — at the job or step level — that contains a ${{ … }}
expression block and literal text outside it. GitHub then evaluates the
whole value as a string, and any non-empty string is truthy, so the condition
is always true and gates nothing.
Why it matters
A condition that looks like a security gate but always passes is worse than no gate — it creates false confidence. The classic mistake is joining two expression blocks with a literal operator:"true", " && ", and "false" into one truthy string.
Safe alternative
Wrap the entire condition in a single expression block so it evaluates as one boolean:Auto-fix
pipefort --fix (and the web app’s fix button) merges the blocks into one
expression when the text between them is only boolean glue (&&, ||, !,
parentheses, whitespace). When the residue contains real words the intent is
ambiguous, so the finding is left for manual remediation.