Skip to main content
FieldValue
CategoryCICD-SEC-4
SeverityMEDIUM
ConfidenceMEDIUM
Personapedantic
OWASPCICD-SEC-4: Poisoned Pipeline Execution
Auto-fix

What the check does

Flags two obfuscation patterns that hide what a workflow actually does from a reviewer (and from pattern-based scanners):
  • Index-notation context accessgithub['event']['issue']['title'] instead of the dotted github.event.issue.title.
  • Decode-and-execute — piping base64 -d / certutil -decode output straight into a shell.

Why it matters

Obfuscation is a common way to smuggle an injection sink or untrusted code past review. Index notation defeats a reviewer grepping for github.event, and decode-and-execute hides the real payload entirely:
steps:
  - run: echo "${{ github['event']['issue']['title'] }}"   # ← hidden injection sink
  - run: echo aGVsbG8= | base64 -d | bash                  # ← hidden payload

Safe alternative

Use dotted context access so sinks are visible, and run decoded content from a committed, reviewable file rather than decoding-and-executing inline. Route untrusted input through an env: var, never straight into the shell (see CICD-SEC-4 shell injection).