Merge pull request #84 from aligent/fix/aikido-security-sast--3406033-r254

[Aikido AI] Fix for Template Injection in GitHub Workflows Action

Author: TheOrangePuff

.github/workflows/owasp.yml

@@ -62,23 +62,29 @@ jobs:
           OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
           OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+          OUTPUT_DIR: ${{ inputs.output }}
+          REPO_NAME: ${{ github.event.repository.name }}
+          SCAN_PATH: ${{ inputs.scan_path }}
+          CVSS_FAIL_LEVEL: ${{ inputs.cvss_fail_level }}
+          SUPPRESSION_PATH: code/${{ inputs.suppression_path }}
+          DISABLE_OSS_INDEX: ${{ inputs.disable_oss_index }}
         run: |
-          mkdir ${{ inputs.output }}
+          mkdir $OUTPUT_DIR
           ./dependency-check/bin/dependency-check.sh \
           --format JUNIT \
           --format HTML \
           --prettyPrint \
-          --project ${{ github.event.repository.name }} \
+          --project "$REPO_NAME" \
           --enableExperimental \
-          --out ${{ inputs.output }} \
-          -s ${{ inputs.scan_path }} \
-          --junitFailOnCVSS ${{ inputs.cvss_fail_level }} \
-          --failOnCVSS ${{ inputs.cvss_fail_level }} \
-          --suppression code/${{ inputs.suppression_path }} \
-          --ossIndexUsername ${{ secrets.OSS_INDEX_USERNAME }} \
-          --ossIndexPassword ${{ secrets.OSS_INDEX_PASSWORD }} \
-          --nvdApiKey ${{ secrets.NVD_API_KEY }} \
-          --disableOssIndex ${{ inputs.disable_oss_index }}
+          --out "$OUTPUT_DIR" \
+          -s "$SCAN_PATH" \
+          --junitFailOnCVSS "$CVSS_FAIL_LEVEL" \
+          --failOnCVSS "$CVSS_FAIL_LEVEL" \
+          --suppression "$SUPPRESSION_PATH" \
+          --ossIndexUsername "$OSS_INDEX_USERNAME" \
+          --ossIndexPassword "$OSS_INDEX_PASSWORD" \
+          --nvdApiKey "$NVD_API_KEY" \
+          --disableOssIndex "$DISABLE_OSS_INDEX"
 
       - name: Upload database to cache
         uses: actions/cache@v4

.github/workflows/pull-request.yml

@@ -30,10 +30,11 @@ jobs:
         run: yarn install
 
       - name: Run Tests
+        env:
+          FORCE_COLOR: 'true'
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
-          FORCE_COLOR=true
-          DESTINATION_BRANCH=origin/${{ github.event.pull_request.base.ref }}  # Set branch
-          yarn nx affected:test --base=$DESTINATION_BRANCH --ci --code-coverage --parallel --max-parallel=3
+          yarn nx affected:test --base=origin/$BASE_REF --ci --code-coverage --parallel --max-parallel=3
 
   code-quality:
     name: 🕵️‍♀️ Code Quality
@@ -48,7 +49,9 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
 
       - name: Fetch target
-        run: git fetch origin ${{ github.event.pull_request.base.ref }}
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+        run: git fetch origin $BASE_REF
 
       - uses: actions/setup-node@v4
         with:
@@ -59,12 +62,13 @@ jobs:
         run: yarn install
 
       - name: Code Quality Check
+        env:
+          FORCE_COLOR: 'true'
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
-          FORCE_COLOR=true
-          DESTINATION_BRANCH=origin/${{ github.event.pull_request.base.ref }}  # Set branch
-          yarn nx affected:lint --base=$DESTINATION_BRANCH --parallel --max-parallel=3
-          yarn nx format:check --base=$DESTINATION_BRANCH --parallel --max-parallel=3
-          yarn nx affected -t check-types --base=$DESTINATION_BRANCH --parallel --max-parallel=3
+          yarn nx affected:lint --base=origin/$BASE_REF --parallel --max-parallel=3
+          yarn nx format:check --base=origin/$BASE_REF --parallel --max-parallel=3
+          yarn nx affected -t check-types --base=origin/$BASE_REF --parallel --max-parallel=3
 
   # TODO: fix the owasp pipeline
   # owasp: