@Peter-Sh
Contributor

This includes all workflow changes from unstable, fixes and templating from #503 for release/8.0

Peter-Sh and others added 24 commits January 14, 2026 10:35
Flexible slack messaging and some release process modifications
Make REDIS_DOWNLOAD_SHA conditionally required
Installing clang that way hasn't been accepted by docker team as the apt source is nightly
This PR is intended to fix issues raised by the Docker team: docker-library/official-images#20699 (comment)
Templating for Dockerfiles

To enable custom builds, I introduced Dockerfile templating based on Jinja2. Since we already have a Python-based release-automation tool, this was implemented as a new render-dockerfile command.
Major changes:

    Redis versions are now declared in the .redis.version.json file, which is used as context for the templates
    Added Dockerfile.j2 templates for each distribution
    custom_build is no longer used as a Dockerfile ARG, but only as a Jinja2 template variable that enables certain sections in the Dockerfile
    Introduced an action that validates all Dockerfiles are in sync with their corresponding templates (with custom_build=false)
    Simplified the "apply docker version" action to use templating for updating Redis versions during releases
    Added ./bin/render-all-dockerfiles.sh script to help render all templates in various places

clang-21 issue

Reverted clang-21 source and installation, as there is no reliable way to install the latest version on Trixie.
@jit-ci

jit-ci bot commented Jan 26, 2026

🛡️ Jit Security Scan Results

🚨 Summary

• Multiple shell injection vulnerabilities detected in GitHub Actions workflows

• High severity issues found in build and release processes

• Immediate remediation required to prevent potential code execution attacks

🔍 Findings

HIGH - 4 findings

1. Shell Injection in GitHub Actions Workflow

ID: 53fe71bffb
Type: yaml.github-actions.security.run-shell-injection.run-shell-injection
Finding: Shell Injection in GitHub Actions Workflow - Variable interpolation with github context data in a run step could allow code injection. This poses a risk of secret and code theft.
File: .github/actions/build-and-tag-locally/action.yml (lines 339-358)
Severity: HIGH

🔍 AI Analysis: This vulnerability is in a critical build process and could allow attackers to inject malicious code, potentially compromising the entire CI/CD pipeline.

Remediation:

- run: |
-   if [[ "${{ inputs.run_type }}" == "release" ]]; then
-     tag_prefix="${{ inputs.release_tag }}"
+ run: |
+   if [[ "$RUN_TYPE" == "release" ]]; then
+     tag_prefix="$RELEASE_TAG"
+ env:
+   RUN_TYPE: ${{ inputs.run_type }}
+   RELEASE_TAG: ${{ inputs.release_tag }}
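Review bot: Only two of the interpolations from the flagged range (lines 339-358) appear in this hunk; every `${{ inputs.* }}` in that script has to move into the `env:` block, because a single one left in the `run:` text keeps the injection path open. The `env:` key shown after `run:` at the same indentation is the right placement for a step, and the quoted `"$RUN_TYPE"` / `"$RELEASE_TAG"` uses are correct; keep the quotes on every converted use, since an unquoted `$VAR` is still word-split by the shell even though it is no longer expanded into the script source.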
2. Shell Injection in Release Publish Workflow

ID: ea580111cb
Type: yaml.github-actions.security.run-shell-injection.run-shell-injection
Finding: Shell Injection in Release Publish Workflow - GitHub context data used in a run step could allow code injection. This vulnerability could lead to unauthorized access to secrets and code.
File: .github/workflows/release_publish.yml (lines 209-231)
Severity: HIGH

🔍 AI Analysis: This finding is in the release publish workflow, which is a critical part of the deployment process. Exploitation could lead to compromised releases.

Remediation:

- run: |
-   # Create release_info.json with all fields, then filter out empty ones
+ run: |
+   # Create release_info.json with all fields, then filter out empty ones
+   # Use environment variables instead of direct github context interpolation
+ env:
+   GITHUB_REF_NAME: ${{ github.ref_name }}
+   GITHUB_SHA: ${{ github.sha }}
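Review bot: The hunk changes only a comment line inside the script and never shows the `${{ github.* }}` interpolations the finding is about being replaced, so as written it does not fix anything; the replacement (for example `${{ github.ref_name }}` becoming `"$GITHUB_REF_NAME"` in the script body) needs to be part of the diff. The added `env:` entries are also redundant: `GITHUB_REF_NAME` and `GITHUB_SHA` are default environment variables the runner already sets for every step, so the script can read them without any mapping.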
3. Shell Injection in Build Logs Capture

ID: 6b680ea40c
Type: yaml.github-actions.security.run-shell-injection.run-shell-injection
Finding: Shell Injection in Build Logs Capture - GitHub context data used in error logging could allow code injection. This could lead to exfiltration of sensitive build information.
File: .github/actions/build-and-tag-locally/action.yml (lines 158-196)
Severity: HIGH

🔍 AI Analysis: This vulnerability is in the error logging process of the build system. Exploitation could lead to information disclosure and potential further attacks.

Remediation:

- echo "Build failed for ${{ inputs.distribution }} on ${{ inputs.platform }}"
+ echo "Build failed for $DISTRIBUTION on $PLATFORM"
+ env:
+   DISTRIBUTION: ${{ inputs.distribution }}
+   PLATFORM: ${{ inputs.platform }}
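Review bot: `+ env:` is placed directly after the `echo` line, i.e. inside the `run:` script text rather than as a key of the step; applied as shown it would be emitted into the shell script and fail there. The `env:` mapping has to sit at step level beside `run:` and `shell:`. The hunk also converts only one `echo`, while the finding covers lines 158-196; every `${{ inputs.* }}` in that range needs the same treatment.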
4. Shell Injection in Image Label Creation

ID: 9307e98b71
Type: yaml.github-actions.security.run-shell-injection.run-shell-injection
Finding: Shell Injection in Image Label Creation - GitHub context data used in image label creation could allow code injection. This could lead to tampering with image metadata.
File: .github/actions/create-image-labels/action.yml (lines 39-57)
Severity: HIGH

🔍 AI Analysis: This vulnerability is in the image labeling process, which is crucial for proper image identification and versioning. Exploitation could lead to misidentification of images and potential supply chain attacks.

Remediation:

- run: |
-   get_module_version() {
-     local module="$1"
-     grep MODULE_VERSION
+ run: |
+   get_module_version() {
+     local module="$1"
+     grep MODULE_VERSION
+ env:
+   GITHUB_WORKSPACE: ${{ github.workspace }}
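Review bot: The removed and added script lines are identical and contain no `${{ }}` expression, so this hunk does not touch the interpolation flagged in lines 39-57; the diff needs to show the actual `${{ github.* }}` use in the script being replaced by an environment variable. `GITHUB_WORKSPACE` is additionally a default environment variable already set by the runner, so the `env:` entry as written adds nothing.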

▶️ Advanced Options

Help section with supported ignore actions and syntax.

Need to ignore a finding? Use commands like:

@sera ignore <finding_id> reason:accepted (reason is optional)

@sera ignore all reason:other - this is a test PR (reason is optional)

@sera ignore type:run-shell-injection


Security scan by Jit
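All four findings above are the same class: a `${{ ... }}` expression expanded by GitHub into the text of a `run:` script before the shell sees it, with the recommended fix being to hand the value over through `env:` and reference it as `$VAR`. The script below is an added example, written for this page rather than taken from the redis docker project or from Jit's scanner: it scans a workflow or composite-action file as plain text (no YAML library, so it runs offline), reports untrusted expressions that sit inside `run:` scripts, and rewrites each affected step into the `env:` form. The sample YAML is constructed for the example, the set of contexts treated as untrusted (`github`, `inputs`, `steps`, `needs`, `matrix`) is an assumption, and the rewriter assumes the step has no `env:` key yet.

```python
"""Find and rewrite shell-injection sinks in GitHub Actions files:
`${{ ... }}` expressions expanded inside `run:` scripts.
Added example; not the redis docker project's code and not Jit's scanner."""
import re

# Contexts assumed to carry externally influenced strings (event payload,
# action inputs, step/job outputs, matrix values). `runner.*`, `env.*`
# and `secrets.*` are left untouched by this example.
UNTRUSTED = re.compile(r"^(github|inputs|steps|needs|matrix)\.")
EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def env_name(expr: str) -> str:
    """inputs.run_type -> INPUTS_RUN_TYPE (a valid, shell-safe variable name)."""
    return re.sub(r"[^A-Za-z0-9]+", "_", expr).strip("_").upper()


def run_blocks(lines):
    """Locate run: steps. Returns [(indent of the run key, indices of its lines)].
    A block scalar (`run: |`) extends over every following line indented
    deeper than the key; a single-line `run: cmd` is just the key line."""
    blocks, i = [], 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group(1)) + len(m.group(2) or "")
        body = [i]
        i += 1
        if not m.group(3) or m.group(3).startswith(("|", ">")):
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip()) > indent
            ):
                body.append(i)
                i += 1
        blocks.append((indent, body))
    return blocks


def find_injections(text: str):
    """[(1-based line number, expression)] for untrusted expressions in run: scripts."""
    lines = text.splitlines()
    hits = []
    for _, body in run_blocks(lines):
        for idx in body:
            for m in EXPR.finditer(lines[idx]):
                if UNTRUSTED.match(m.group(1)):
                    hits.append((idx + 1, m.group(1)))
    return hits


def harden(text: str) -> str:
    """Replace each flagged expression with $VAR inside the script and append an
    env: block mapping VAR to the original expression, so GitHub passes the
    value as data instead of splicing it into the script source. Assumes the
    step has no env: key already; quoting of $VAR follows the original text."""
    lines = text.splitlines()
    insert_after = {}
    for indent, body in run_blocks(lines):
        mapping = {}

        def swap(m):
            expr = m.group(1)
            if not UNTRUSTED.match(expr):
                return m.group(0)
            mapping.setdefault(expr, env_name(expr))
            return "$" + mapping[expr]

        for idx in body:
            lines[idx] = EXPR.sub(swap, lines[idx])
        if mapping:
            last = max(i for i in body if lines[i].strip())
            pad = " " * indent
            insert_after[last] = [pad + "env:"] + [
                f"{pad}  {name}: ${{{{ {expr} }}}}" for expr, name in mapping.items()
            ]
    out = []
    for i, line in enumerate(lines):
        out.append(line)
        out.extend(insert_after.get(i, []))
    return "\n".join(out) + "\n"


# Constructed sample: a composite action with the two patterns from the findings.
SAMPLE = """\
runs:
  using: composite
  steps:
    - name: Tag image
      shell: bash
      run: |
        if [[ "${{ inputs.run_type }}" == "release" ]]; then
          tag_prefix="${{ inputs.release_tag }}"
        fi
        echo "building on ${{ runner.os }}"
    - name: Report
      shell: bash
      run: echo "Build failed for ${{ inputs.distribution }} on ${{ inputs.platform }}"
"""

if __name__ == "__main__":
    for line_no, expr in find_injections(SAMPLE):
        print(f"line {line_no}: ${{{{ {expr} }}}} expanded inside run: script")
    print(harden(SAMPLE))
```

Running the file prints the four sinks in the sample (two in the block scalar, two on the single-line `run:`) and then the rewritten YAML, in which `${{ runner.os }}` is left alone and each step has gained an `env:` block. Rerunning `find_injections` on the rewritten text returns nothing, which is the check a workflow linting job can enforce.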

@Peter-Sh Peter-Sh merged commit a98840c into release/8.0 Jan 26, 2026
19 of 20 checks passed