
fix(ci): patch shell injection and unsafe pull_request_target#32

Open
stevefulme1 wants to merge 4 commits into redhat-cop:main from stevefulme1:fix/ci-security-vulnerabilities

Conversation

@stevefulme1
Contributor

Summary

  • gitleaks.yml: Removed pull_request_target trigger that checked out untrusted PR code with repo write permissions. The pull_request trigger already covers same-repo PRs safely.
  • slack-pr-notifications.yml: Moved all user-controlled GitHub context values (PR title, user login, review state) from inline ${{ }} interpolation in run: steps to env: block variables, preventing shell injection via crafted PR titles.

Both vulnerabilities were identified by Semgrep static analysis:

  • pull-request-target-code-checkout (ERROR)
  • run-shell-injection (ERROR)

Test plan

  • Semgrep scan returns clean on both files after the fix
  • Gitleaks workflow still triggers on push and pull_request to main
  • Slack notifications still fire correctly on PR open/close/review events

🤖 Generated with Claude Code
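An added illustration, not this repository's actual workflow files (the PR page does not show them): a hypothetical notification step in the inline-interpolation form that Semgrep's run-shell-injection rule flags, beside the env:-based form the PR describes, with a trigger block that omits pull_request_target. Workflow, job and step names are assumed.

```yaml
# Added example; not the redhat-cop repository's own workflow. Names are assumed.
name: pr-slack-notify-example

on:
  # pull_request is the safe trigger: PRs from forks run with a read-only
  # GITHUB_TOKEN and without repository secrets.
  push:
    branches: [main]
  pull_request:
    branches: [main]
    types: [opened, closed, reopened]
  pull_request_review:
    types: [submitted]
  # Deliberately no pull_request_target: that event runs in the base repository's
  # context with a write-capable GITHUB_TOKEN, so checking out and executing the
  # PR's head code under it hands those permissions to untrusted code.

jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      # WEAK (flagged by Semgrep run-shell-injection): ${{ }} is substituted into
      # the script text before bash parses it, so shell metacharacters in a PR
      # title or login become part of the command line.
      - name: Build message (injectable)
        run: |
          echo "PR '${{ github.event.pull_request.title }}' by ${{ github.event.pull_request.user.login }}"

      # HARDENED (the PR's fix): expose the same context values as environment
      # variables. Bash expands $PR_TITLE at runtime as data inside the quotes,
      # so the title text is never interpreted as shell syntax.
      - name: Build message (safe)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_USER: ${{ github.event.pull_request.user.login }}
          REVIEW_STATE: ${{ github.event.review.state }}
        run: |
          # review.state is only present on pull_request_review events; default it
          echo "PR '$PR_TITLE' by $PR_USER (review: ${REVIEW_STATE:-none})"
```

The same env: pattern applies to any other user-controlled field (branch names, commit messages, labels) that a run: step needs to reference.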

stevefulme1 and others added 4 commits April 6, 2026 13:38
Adds .gitleaks.toml with custom rules for Ansible-specific credential
patterns (OpenShift API keys, Automation Hub tokens, container registry
passwords) and allowlists for placeholder values and Jinja2 templates.
Adds a GitHub Actions workflow to run Gitleaks on pushes and PRs.

Resolves: MFG-376

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add allowlists for docsible-generated README.md variable documentation
(HTML bold tags), multi-line YAML block scalars (>- / |) where values
are Jinja2 templates on the following line, and task files that reference
credential variable names without containing actual secrets.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Sends alerts to Slack channel on PR open, close, merge, reopen, and review events.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Remove pull_request_target trigger from gitleaks workflow to prevent
untrusted PR code from running with write permissions. Move GitHub
context interpolation from run: blocks to env: variables in Slack
notifications to prevent shell injection via crafted PR titles.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@spyrexd spyrexd left a comment

Does this supersede #31 ?
