Actions

Swift
rust
2026-06-10 23:41:09 +02:00 · 2026-06-10 22:59:00 +02:00 · 2026-06-10 22:58:52 +02:00 · 2026-06-10 22:58:41 +02:00 · 2026-06-10 22:57:52 +02:00 · 2026-06-10 22:57:42 +02:00
2750 changed files with 34168 additions and 22685 deletions
--- a/.github/workflows/go-version-update.yml
+++ b/.github/workflows/go-version-update.yml
@@ -0,0 +1,208 @@
 name: Update Go version
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 3 * * 1"  # Run weekly on Mondays at 3 AM UTC (1 = Monday)
 permissions:
  contents: write
  pull-requests: write
 jobs:
  update-go-version:
    name: Check and update Go version
    if: github.repository == 'github/codeql'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
      - name: Set up Git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
      - name: Fetch latest Go version
        id: fetch-version
        run: |
          LATEST_GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq -r '.[0].version')
          if [ -z "$LATEST_GO_VERSION" ] || [ "$LATEST_GO_VERSION" = "null" ]; then
            echo "Error: Failed to fetch latest Go version from go.dev"
            exit 1
          fi
          echo "Latest Go version from go.dev: $LATEST_GO_VERSION"
          echo "version=$LATEST_GO_VERSION" >> $GITHUB_OUTPUT
          # Extract version numbers (e.g., go1.26.0 -> 1.26.0)
          LATEST_VERSION_NUM=$(echo $LATEST_GO_VERSION | sed 's/^go//')
          echo "version_num=$LATEST_VERSION_NUM" >> $GITHUB_OUTPUT
          # Extract major.minor version (e.g., 1.26.0 -> 1.26)
          LATEST_MAJOR_MINOR=$(echo $LATEST_VERSION_NUM | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
          echo "major_minor=$LATEST_MAJOR_MINOR" >> $GITHUB_OUTPUT
      - name: Check current Go version
        id: current-version
        run: |
          CURRENT_VERSION=$(sed -n 's/.*go_sdk\.download(version = \"\([^\"]*\)\".*/\1/p' MODULE.bazel)
          if [ -z "$CURRENT_VERSION" ]; then
            echo "Error: Could not extract Go version from MODULE.bazel"
            exit 1
          fi
          echo "Current Go version in MODULE.bazel: $CURRENT_VERSION"
          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
          # Extract major.minor version
          CURRENT_MAJOR_MINOR=$(echo $CURRENT_VERSION | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
          echo "major_minor=$CURRENT_MAJOR_MINOR" >> $GITHUB_OUTPUT
      - name: Compare versions
        id: compare
        run: |
          LATEST="${{ steps.fetch-version.outputs.version_num }}"
          CURRENT="${{ steps.current-version.outputs.version }}"
          echo "Latest: $LATEST"
          echo "Current: $CURRENT"
          if [ "$LATEST" = "$CURRENT" ]; then
            echo "Go version is up to date"
            echo "needs_update=false" >> $GITHUB_OUTPUT
          else
            echo "Go version needs update from $CURRENT to $LATEST"
            echo "needs_update=true" >> $GITHUB_OUTPUT
          fi
      - name: Update Go version in files
        if: steps.compare.outputs.needs_update == 'true'
        run: |
          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
          CURRENT_MAJOR_MINOR="${{ steps.current-version.outputs.major_minor }}"
          echo "Updating from $CURRENT_VERSION to $LATEST_VERSION_NUM"
          # Escape dots in current version strings for use in sed patterns
          CURRENT_VERSION_ESCAPED=$(echo "$CURRENT_VERSION" | sed 's/\./\\./g')
          CURRENT_MAJOR_MINOR_ESCAPED=$(echo "$CURRENT_MAJOR_MINOR" | sed 's/\./\\./g')
          # Update MODULE.bazel
          sed -i "s/go_sdk\.download(version = \"$CURRENT_VERSION_ESCAPED\")/go_sdk.download(version = \"$LATEST_VERSION_NUM\")/" MODULE.bazel
          if ! grep -q "go_sdk.download(version = \"$LATEST_VERSION_NUM\")" MODULE.bazel; then
            echo "Error: Failed to update MODULE.bazel"
            exit 1
          fi
          # Update go/extractor/go.mod
          if ! sed -i "s/^go $CURRENT_MAJOR_MINOR_ESCAPED\$/go $LATEST_MAJOR_MINOR/" go/extractor/go.mod; then
            echo "Warning: Failed to update go directive in go.mod"
          fi
          if ! sed -i "s/^toolchain go$CURRENT_VERSION_ESCAPED\$/toolchain go$LATEST_VERSION_NUM/" go/extractor/go.mod; then
            echo "Warning: Failed to update toolchain in go.mod"
          fi
          # Update go/extractor/autobuilder/build-environment.go
          if ! sed -i "s/var maxGoVersion = util\.NewSemVer(\"$CURRENT_MAJOR_MINOR_ESCAPED\")/var maxGoVersion = util.NewSemVer(\"$LATEST_MAJOR_MINOR\")/" go/extractor/autobuilder/build-environment.go; then
            echo "Warning: Failed to update build-environment.go"
          fi
          # Update go/actions/test/action.yml
          if ! sed -i "s/default: \"~$CURRENT_VERSION_ESCAPED\"/default: \"~$LATEST_VERSION_NUM\"/" go/actions/test/action.yml; then
            echo "Warning: Failed to update action.yml"
          fi
          # Show what changed
          git diff
      - name: Check for changes
        id: check-changes
        if: steps.compare.outputs.needs_update == 'true'
        run: |
          if git diff --quiet; then
            echo "No changes detected"
            echo "has_changes=false" >> $GITHUB_OUTPUT
          else
            echo "Changes detected"
            echo "has_changes=true" >> $GITHUB_OUTPUT
          fi
      - name: Check for existing PR
        if: steps.check-changes.outputs.has_changes == 'true'
        id: check-pr
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          BRANCH_NAME="workflow/go-version-update"
          PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
          if [ -n "$PR_NUMBER" ]; then
            echo "Existing PR found: #$PR_NUMBER"
            echo "pr_exists=true" >> $GITHUB_OUTPUT
            echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
          else
            echo "No existing PR found"
            echo "pr_exists=false" >> $GITHUB_OUTPUT
          fi
      - name: Commit and push changes
        if: steps.check-changes.outputs.has_changes == 'true'
        run: |
          BRANCH_NAME="workflow/go-version-update"
          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
          # Create or switch to branch
          git checkout -B "$BRANCH_NAME"
          # Stage and commit changes
          git add MODULE.bazel go/extractor/go.mod go/extractor/autobuilder/build-environment.go go/actions/test/action.yml
          git commit -m "Go: Update to $LATEST_VERSION_NUM"
          # Push changes
          git push --force-with-lease origin "$BRANCH_NAME"
      - name: Create or update PR
        if: steps.check-changes.outputs.has_changes == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          BRANCH_NAME="workflow/go-version-update"
          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
          PR_TITLE="Go: Update to $LATEST_VERSION_NUM"
          PR_BODY=$(cat <<EOF
          This PR updates Go from $CURRENT_VERSION to $LATEST_VERSION_NUM.
          Updated files:
          - \`MODULE.bazel\` - go_sdk.download version
          - \`go/extractor/go.mod\` - go directive and toolchain
          - \`go/extractor/autobuilder/build-environment.go\` - maxGoVersion (only if MAJOR.MINOR changes)
          - \`go/actions/test/action.yml\` - default go-test-version
          This PR was automatically created by the [Go version update workflow](https://github.com/${{ github.repository }}/blob/main/.github/workflows/go-version-update.yml).
          EOF
          )
          if [ "${{ steps.check-pr.outputs.pr_exists }}" = "true" ]; then
            echo "Updating existing PR #${{ steps.check-pr.outputs.pr_number }}"
            gh pr edit "${{ steps.check-pr.outputs.pr_number }}" --title "$PR_TITLE" --body "$PR_BODY"
          else
            echo "Creating new PR"
            gh pr create \
              --title "$PR_TITLE" \
              --body "$PR_BODY" \
              --base main \
              --head "$BRANCH_NAME" \
              --label "Go"
          fi
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -273,7 +273,7 @@ use_repo(
 )
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.26.0")
+go_sdk.download(version = "1.26.4")
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
--- a/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml
+++ b/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml
@@ -3,14 +3,14 @@ name: Reusable workflow example
 on:
  workflow_call:
    inputs:
-      config-path:
+      config-path: # $ Source[actions/reusable-workflow-sinks] Source[actions/reusable-workflow-summaries]
        required: true
        type: string
    outputs:
      workflow-output1:
-        value: ${{ jobs.job1.outputs.job-output1 }}
+        value: ${{ jobs.job1.outputs.job-output1 }} # $ Alert[actions/reusable-workflow-summaries]
      workflow-output2:
-        value: ${{ jobs.job1.outputs.job-output2 }}
+        value: ${{ jobs.job1.outputs.job-output2 }} # $ Alert[actions/reusable-workflow-sources]
    secrets:
      token:
        required: true
@@ -26,9 +26,9 @@ jobs:
        env:
          CONFIG_PATH: ${{ inputs.config-path }}
        run: |
-          echo ${{ inputs.config-path }}
+          echo ${{ inputs.config-path }} # $ Alert[actions/reusable-workflow-sinks]
          echo "::set-output name=step-output::$CONFIG_PATH"
      - name: Get changed files
        id: step2
-        uses: tj-actions/changed-files@v40
+        uses: tj-actions/changed-files@v40 # $ Source[actions/reusable-workflow-sources]
--- a/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected
@@ -1,3 +1,6 @@
 #select
 | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
 | action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |
 edges
 | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance |  |
 | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance |  |
@@ -10,6 +13,3 @@ nodes
 | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value |
 | action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
 subpaths
 #select
 | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
 | action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |
--- a/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref
@@ -1 +1,2 @@
-Models/CompositeActionsSinks.ql
+query: Models/CompositeActionsSinks.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Models/CompositeActionsSources.expected
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSources.expected
@@ -1,3 +1,9 @@
 #select
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
 edges
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance |  |
 | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance |  |
@@ -13,9 +19,3 @@ nodes
 | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] |
 | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
 subpaths
 #select
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
--- a/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref
@@ -1,2 +1,2 @@
-Models/CompositeActionsSources.ql
+query: Models/CompositeActionsSources.ql
-
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected
@@ -1,3 +1,5 @@
 #select
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |
 edges
 | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance |  |
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance |  |
@@ -8,5 +10,3 @@ nodes
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] |
 | action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
 subpaths
 #select
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |
--- a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref
@@ -1,2 +1,2 @@
-Models/CompositeActionsSummaries.ql
+query: Models/CompositeActionsSummaries.ql
-
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected
@@ -1,3 +1,5 @@
 #select
 | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |
 edges
 | .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance |  |
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance |  |
@@ -20,5 +22,3 @@ nodes
 | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
 | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path |
 subpaths
 #select
 | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref
@@ -1,2 +1,2 @@
-Models/ReusableWorkflowsSinks.ql
+query: Models/ReusableWorkflowsSinks.ql
-
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected
@@ -1,3 +1,5 @@
 #select
 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |
 edges
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance |  |
 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance |  |
@@ -8,5 +10,3 @@ nodes
 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files |
 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 |
 subpaths
 #select
 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref
@@ -1,2 +1,2 @@
-Models/ReusableWorkflowsSources.ql
+query: Models/ReusableWorkflowsSources.ql
-
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected
@@ -1,3 +1,5 @@
 #select
 | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |
 edges
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance |  |
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance |  |
@@ -12,5 +14,3 @@ nodes
 | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] |
 | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
 subpaths
 #select
 | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref
@@ -1,2 +1,2 @@
-Models/ReusableWorkflowsSummaries.ql
+query: Models/ReusableWorkflowsSummaries.ql
-
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Models/action1/action.yml
+++ b/actions/ql/test/query-tests/Models/action1/action.yml
@@ -1,17 +1,17 @@
 name: 'Hello World'
 description: 'Greet someone'
 inputs:
-  who-to-greet:  # id of input
+  who-to-greet:  # id of input # $ Source[actions/composite-action-sinks] Source[actions/composite-action-summaries]
    description: 'Who to greet'
    required: true
    default: 'World'
 outputs:
  reflected:
    description: "Reflected input"
-    value: ${{ steps.reflector.outputs.reflected }}
+    value: ${{ steps.reflector.outputs.reflected }} # $ Alert[actions/composite-action-sources] Alert[actions/composite-action-summaries]
  tainted:
    description: "Reflected input"
-    value: ${{ steps.source.outputs.tainted}}
+    value: ${{ steps.source.outputs.tainted}} # $ Alert[actions/composite-action-sources]
 runs:
  using: "composite"
@@ -29,23 +29,23 @@ runs:
        find: 'foo'
        replace: ''
    - id: sink 
-      run: echo ${{ steps.replace.outputs.value }}
+      run: echo ${{ steps.replace.outputs.value }} # $ Alert[actions/composite-action-sinks]
      shell: bash
    - name: Vulnerable Set Greeting
-      run: echo "Hello ${{ inputs.who-to-greet }}."
+      run: echo "Hello ${{ inputs.who-to-greet }}." # $ Alert[actions/composite-action-sinks]
      shell: bash
    - id: reflector 
      run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT
      shell: bash
      env:
-        INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
+        INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} # $ Source[actions/composite-action-sources]
    - id: changed-files
      uses: tj-actions/changed-files@v40
-    - id: source
+    - id: source # $ Source[actions/composite-action-sources]
      run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT
      shell: bash
      env:
-        TAINTED: ${{ steps.changed-files.outputs.all_changed_files }}
+        TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} # $ Source[actions/composite-action-sources]
--- a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml
@@ -6,11 +6,11 @@ jobs:
    steps:
      - id: clob1
        env:
-          BODY: ${{ github.event.comment.body }}
+          BODY: ${{ github.event.comment.body }} # $ Source
        run: |
          # VULNERABLE
          echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
-          echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT
+          echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT # $ Alert
      - id: clob2
        run: |
          echo ${{ steps.clob1.outputs.OUTPUT_1 }}
@@ -32,8 +32,8 @@ jobs:
        with:
          run_id: ${{ github.event.workflow_run.id }}
          name: pr_number 
-      - id: clob1
+      - id: clob1 # $ Source
        run: |
          # VULNERABLE
          echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
-          echo "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT
+          echo "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT # $ Alert
--- a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml
@@ -6,18 +6,18 @@ jobs:
    steps:
      - id: clob1
        env:
-          BODY: ${{ github.event.comment.body }}
+          BODY: ${{ github.event.comment.body }} # $ Source
        run: |
          # VULNERABLE
          echo $BODY
-          echo "::set-output name=OUTPUT::SAFE"
+          echo "::set-output name=OUTPUT::SAFE" # $ Alert
      - id: clob2
        env:
-          BODY: ${{ github.event.comment.body }}
+          BODY: ${{ github.event.comment.body }} # $ Source
        run: |
          # VULNERABLE
          echo "::set-output name=OUTPUT::SAFE"
-          echo $BODY
+          echo $BODY # $ Alert
      - id: clob3
        run: |
          echo ${{ steps.clob1.outputs.OUTPUT }}
@@ -38,25 +38,25 @@ jobs:
        with:
          run_id: ${{ github.event.workflow_run.id }}
          name: pr_number 
-      - id: clob1
+      - id: clob1 # $ Source
        run: |
          # VULNERABLE
          PR="$(<pr-number)"
          echo "$PR"
-          echo "::set-output name=OUTPUT::SAFE"
+          echo "::set-output name=OUTPUT::SAFE" # $ Alert
      - id: clob2
        run: |
          # VULNERABLE
          cat pr-number
-          echo "::set-output name=OUTPUT::SAFE"
+          echo "::set-output name=OUTPUT::SAFE" # $ Alert
      - id: clob3
        run: |
          # VULNERABLE
          echo "::set-output name=OUTPUT::SAFE"
-          ls *.txt
+          ls *.txt # $ Alert
      - id: clob4
        run: |
          # VULNERABLE
          CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }')
          echo "$CURRENT_VERSION"
-          echo "::set-output name=OUTPUT::SAFE"
+          echo "::set-output name=OUTPUT::SAFE" # $ Alert
--- a/actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected
+++ b/actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected
@@ -1,3 +1,12 @@
 #select
 | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
 | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
 | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
 | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
 | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
 | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
 | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
 | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
 edges
 | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config |
 | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | provenance | Config |
@@ -22,12 +31,3 @@ nodes
 | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
 | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
 subpaths
 #select
 | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
 | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
 | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
 | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
 | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
 | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
 | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
 | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
--- a/actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-074/OutputClobberingHigh.ql
+query: experimental/Security/CWE-074/OutputClobberingHigh.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml
@@ -12,9 +12,9 @@ jobs:
    steps:
      - run: |
          gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-      - name: Unzip
+      - name: Unzip # $ Source[actions/envvar-injection/critical]
        run: |
          unzip artifact_name.zip -d foo
      - name: Env Var Injection
        run: |
-          echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV
+          echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml
@@ -12,14 +12,14 @@ jobs:
    steps:
      - run: |
          gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-      - name: Unzip
+      - name: Unzip # $ Source[actions/envvar-injection/critical]
        run: |
          unzip artifact_name.zip -d foo
      - name: Env Var Injection
        run: |
          echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
          cat foo >> "$GITHUB_ENV"
-          echo "EOF" >> "${GITHUB_ENV}"
+          echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml
@@ -12,7 +12,7 @@ jobs:
    steps:
      - run: |
          gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-      - name: Unzip
+      - name: Unzip # $ Source[actions/envvar-injection/critical]
        run: |
          unzip artifact_name.zip -d foo
      - run: |
@@ -20,7 +20,7 @@ jobs:
            echo 'JSON_RESPONSE<<EOF'
            cat foo
            echo EOF
-          } >> "$GITHUB_ENV"
+          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml
@@ -10,23 +10,23 @@ jobs:
      - run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH
      - env: 
-          PATHINJ: ${{ github.event.pull_request.title }}
+          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
-        run: echo $(echo "$PATHINJ") >> $GITHUB_PATH
+        run: echo $(echo "$PATHINJ") >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
      - env: 
-          PATHINJ: ${{ github.event.pull_request.title }}
+          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
-        run: echo $PATHINJ >> $GITHUB_PATH
+        run: echo $PATHINJ >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
      - env: 
-          PATHINJ: ${{ github.event.pull_request.title }}
+          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
-        run: echo ${PATHINJ} >> $GITHUB_PATH
+        run: echo ${PATHINJ} >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
      - uses: dawidd6/action-download-artifact@v2
        with:
          name: artifact_name
          path: foo
-      - run: echo "$(cat foo/bar)" >> $GITHUB_PATH
+      - run: echo "$(cat foo/bar)" >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] Source[actions/envpath-injection/critical]
      - env:
          ACTIONS_ALLOW_UNSECURE_COMMANDS: true
-          PATHINJ: ${{ github.event.pull_request.title }}
+          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
-        run: echo "::add-path::$PATHINJ"
+        run: echo "::add-path::$PATHINJ" # $ Alert[actions/envpath-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml
@@ -23,6 +23,6 @@ jobs:
          ref: ${{steps.decide-ref.outputs.ref}}
          path: "foo"
-      - name: Read Java Config
+      - name: Read Java Config # $ Source[actions/envvar-injection/critical]
-        run: cat foo/.github/java-config.env >> $GITHUB_ENV
+        run: cat foo/.github/java-config.env >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml
@@ -18,11 +18,11 @@ jobs:
          run_id: ${{ github.event.workflow_run.id }}
          name: runtime-versions.md
-      - name: "Put runtime versions on the environment"
+      - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical]
        id: runtime_versions
        run: |
          {
            echo 'RUNTIME_VERSIONS<<EOF'
            cat runtime-versions.md
            echo EOF
-          } >> "$GITHUB_ENV"
+          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml
@@ -43,14 +43,14 @@ jobs:
          run_id: ${{ github.event.workflow_run.id }}
          name: runtime-versions.md
-      - name: "Put runtime versions on the environment"
+      - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical]
        id: runtime_versions
        run: |
          {
            echo 'RUNTIME_VERSIONS<<EOF'
            cat runtime-versions.md
            echo EOF
-          } >> "$GITHUB_ENV"
+          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
      - name: "Download pre-release report"
        uses: dawidd6/action-download-artifact@v2
@@ -58,14 +58,14 @@ jobs:
          run_id: ${{ github.event.workflow_run.id }}
          name: prerelease-report.md
-      - name: "Put pre-release report on the environment"
+      - name: "Put pre-release report on the environment" # $ Source[actions/envvar-injection/critical]
        id: prerelease_report
        run: |
          {
            echo 'PRERELEASE_REPORT<<EOF'
            cat prerelease-report.md
            echo EOF
-          } >> "$GITHUB_ENV"
+          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
      - name: "Comment on PR with Wrangler link"
        uses: marocchino/sticky-pull-request-comment@v2
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml
@@ -17,7 +17,7 @@ jobs:
      - name: Get commit message
        run: |
          COMMIT_MESSAGE=$(git log --format=%s)
-          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
+          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
      - name: Get commit message
        run: |
-          echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV
+          echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml
@@ -12,7 +12,7 @@ jobs:
          ref: ${{ github.event.pull_request.head.sha }}
      - id: changed-files
        run: |
-          echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"
+          echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
      - run: echo "${{ env.CHANGED-FILES }}"
  test2:
    runs-on: ubuntu-latest
@@ -23,7 +23,7 @@ jobs:
      - id: changed-files
        run: |
          FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)
-          echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"
+          echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
      - run: echo "${{ env.CHANGED-FILES }}"
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml
@@ -9,7 +9,7 @@ jobs:
    steps:
      - id: title 
        run: |
-          echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"
+          echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
      - run: echo "$TITLE"
  test2:
    runs-on: ubuntu-latest
@@ -17,7 +17,7 @@ jobs:
      - id: title 
        run: |
          PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})
-          echo "BODY=$PR_BODY" >> "$GITHUB_ENV"
+          echo "BODY=$PR_BODY" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
      - run: echo "$TITLE"
  test3:
    runs-on: ubuntu-latest
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml
@@ -12,12 +12,12 @@ jobs:
        with:
          workflow: ${{ github.event.workflow_run.workflow_id }}
          name: pr_metadata
      - run: | # $ Source[actions/envvar-injection/critical]
          # VULNERABLE
          echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
      - run: |
          # VULNERABLE
-          echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
+          echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
      - run: |
          # VULNERABLE
          echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV
      - run: |
          # NOT VULNERABLE
          echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml
@@ -38,6 +38,6 @@ jobs:
            });
            var fs = require('fs');
            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data));
-      - run: |
+      - run: | # $ Source[actions/envvar-injection/critical]
          unzip pr.zip
-          echo "pr_number=$(cat NR)" >> $GITHUB_ENV
+          echo "pr_number=$(cat NR)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml
@@ -17,7 +17,7 @@ jobs:
        workflow_conclusion: ''
        name: pr_metadata
        if_no_artifact_found: 'ignore'
-    - run: |
+    - run: | # $ Source[actions/envvar-injection/critical]
         echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV
         echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV
-         echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV
+         echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml
@@ -8,43 +8,43 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - env:
-          TITLE: ${{ github.event.pull_request.title }}
+          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
        run: |
-          echo "PR_TITLE=$TITLE" >> $GITHUB_ENV
+          echo "PR_TITLE=$TITLE" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
      - env:
-          TITLE: ${{ github.event.pull_request.title }}
+          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
        run: |
-          echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV
+          echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
      - env:
-          TITLE: ${{ github.event.pull_request.title }}
+          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
        run: |
-          echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV
+          echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
      - env:
-          TITLE: ${{ github.event.pull_request.title }}
+          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
        run: |
          echo "PR_TITLE<<EOF" >> $GITHUB_ENV
          echo "$TITLE" >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
      - env:
-          TITLE: ${{ github.event.pull_request.title }}
+          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
        run: |
          echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
          echo "$TITLE" >> "${GITHUB_ENV}"
-          echo "EOF" >> "${GITHUB_ENV}"
+          echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical]
      - env:
-          TITLE: ${{ github.event.pull_request.title }}
+          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
        run: |
          {
            echo 'JSON_RESPONSE<<EOF'
            echo "$TITLE"
            echo EOF
-          } >> "$GITHUB_ENV"
+          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
      - env:
-          TITLE: ${{ github.event.pull_request.title }}
+          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
        run: |
          cat <<-EOF >> "$GITHUB_ENV"
          FOO=$TITLE
-          EOF
+          EOF # $ Alert[actions/envvar-injection/critical]
      - env:
          TITLE: ${{ github.event.pull_request.head.ref }}
        run: |
@@ -52,12 +52,12 @@ jobs:
      - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
        env:
          TARGET_BRANCH: ${{ github.head_ref }}
-      - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
+      - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
        env:
-          TARGET_BRANCH: ${{ github.event.pull_request.title }}
+          TARGET_BRANCH: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
-      - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV
+      - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
        env:
-          TITLE: ${{ github.event.pull_request.title }}
+          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
      - env:
          TITLE: |-
            ${{ github.event.pull_request.title }}
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml
@@ -27,10 +27,10 @@ jobs:
            });
            let fs = require('fs');
            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data));
-      - name: 'Unzip code coverage'
+      - name: 'Unzip code coverage' # $ Source[actions/envvar-injection/critical]
        run: unzip oc-code-coverage.zip -d coverage
      - name: set env vars 
        run: | 
          echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV
          echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV
-          echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV
+          echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml
@@ -8,20 +8,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - env:
-          TITLE: ${{ github.event.pull_request.title }}
+          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
        run: |
          FOO=${TITLE##*/}
-          echo PR_TITLE=${FOO} >> $GITHUB_ENV
+          echo PR_TITLE=${FOO} >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
      - env:
-          TITLE: ${{ github.event.pull_request.title }}
+          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
        run: |
          FOO=$TITLE+
-          echo PR_TITLE=$FOO >> $GITHUB_ENV
+          echo PR_TITLE=$FOO >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
      - env:
-          TITLE: ${{ github.event.pull_request.title }}
+          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
        run: |
          venv="$(echo $TITLE)')"
-          echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV
+          echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml
@@ -13,7 +13,7 @@ jobs:
            run_id: ${{github.event.workflow_run.id}}
            name: artifact
-      - name: Load .env file
+      - name: Load .env file # $ Source[actions/envvar-injection/critical]
        uses: aarcangeli/load-dotenv@v1.0.0
        with:
          path: 'backend/new'
@@ -21,5 +21,5 @@ jobs:
            .env
            .env.test
          quiet: false
-          if-file-not-found: error
+          if-file-not-found: error # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml
@@ -27,13 +27,13 @@ jobs:
          run_id: ${{ github.event.workflow_run.id }}
          path: ./artifacts
-      - name: assignment
+      - name: assignment # $ Source[actions/envvar-injection/critical]
        run: |
          foo=$(cat ./artifacts/parent-artifacts/event.txt)
-          echo "foo=$foo" >> $GITHUB_ENV
+          echo "foo=$foo" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
      - name: direct 1 
        run: |
-          echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV
+          echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
      - name: direct 2
        run: |
-          echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV
+          echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml
@@ -24,7 +24,7 @@ jobs:
          name: event_file
          path: artifacts/event_file
-      - name: Try to read PR number
+      - name: Try to read PR number # $ Source[actions/envvar-injection/critical]
        id: set-ref
        run: |
          pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)
@@ -38,4 +38,4 @@ jobs:
          fi
          echo "pr_num=$pr_num" >> $GITHUB_ENV
-          echo "ref=$ref" >> $GITHUB_ENV
+          echo "ref=$ref" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
@@ -1,3 +1,9 @@
 #select
 | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 edges
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
 | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
@@ -16,9 +22,3 @@ nodes
 | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
 subpaths
 #select
 | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref
@@ -1 +1,2 @@
-Security/CWE-077/EnvPathInjectionCritical.ql
+query: Security/CWE-077/EnvPathInjectionCritical.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
@@ -1,3 +1,4 @@
 #select
 edges
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
 | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
@@ -16,4 +17,3 @@ nodes
 | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
 subpaths
 #select
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref
@@ -1 +1,2 @@
-Security/CWE-077/EnvPathInjectionMedium.ql
+query: Security/CWE-077/EnvPathInjectionMedium.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
@@ -1,3 +1,40 @@
 #select
 | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run |
 | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
 | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
 | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
 edges
 | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
 | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
@@ -92,40 +129,3 @@ nodes
 | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
 | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
 subpaths
 #select
 | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run |
 | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
 | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
 | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref
@@ -1 +1,2 @@
-Security/CWE-077/EnvVarInjectionCritical.ql
+query: Security/CWE-077/EnvVarInjectionCritical.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
@@ -1,3 +1,4 @@
 #select
 edges
 | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
 | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
@@ -92,4 +93,3 @@ nodes
 | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
 | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
 subpaths
 #select
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref
@@ -1 +1,2 @@
-Security/CWE-077/EnvVarInjectionMedium.ql
+query: Security/CWE-077/EnvVarInjectionMedium.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
+++ b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
@@ -6,4 +6,4 @@ jobs:
    steps:
      - uses: ruby/setup-ruby@v2
        with:
-          ruby-version: ${{ github.event.comment.body }}
+          ruby-version: ${{ github.event.comment.body }} # $ Alert[actions/command-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
@@ -1,6 +1,6 @@
 #select
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
 #select
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-078/CommandInjectionCritical.ql
+query: experimental/Security/CWE-078/CommandInjectionCritical.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
@@ -1,5 +1,5 @@
 #select
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
 #select
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-078/CommandInjectionMedium.ql
+query: experimental/Security/CWE-078/CommandInjectionMedium.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml
+++ b/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml
@@ -7,7 +7,7 @@ jobs:
  test1:
    runs-on: ubuntu-latest
    env:
-      TITLE: ${{github.event.pull_request.title}}
+      TITLE: ${{github.event.pull_request.title}} # $ Source[actions/argument-injection/critical]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -18,50 +18,50 @@ jobs:
          echo "s/FOO/$TITLE/g"
      - run: |
          # VULNERABLE
-          sed "s/FOO/$TITLE/g"
+          sed "s/FOO/$TITLE/g" # $ Alert[actions/argument-injection/critical]
      - run: |
          # VULNERABLE
-          echo "foo" | sed "s/FOO/$TITLE/g" > bar
+          echo "foo" | sed "s/FOO/$TITLE/g" > bar # $ Alert[actions/argument-injection/critical]
      - run: |
          # VULNERABLE
-          echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
+          echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) # $ Alert[actions/argument-injection/critical]
      - run: |
          # VULNERABLE
-          awk "BEGIN {$TITLE}"
+          awk "BEGIN {$TITLE}" # $ Alert[actions/argument-injection/critical]
      - run: |
          # VULNERABLE
-          sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
+          sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json # $ Alert[actions/argument-injection/critical]
      - run: |
          # VULNERABLE
-          sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json
+          sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # $ Alert[actions/argument-injection/critical]
      - run: |
          # VULNERABLE
          sed -e 's#<branch_to_sync>#${TITLE}#' \
              -e 's#<sot_repo>#${{ env.sot_repo }}#' \
              -e 's#<destination_repo>#TITLE#' \
-              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
+              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical]
      - run: |
          # VULNERABLE
          sed -e 's#<branch_to_sync>#TITLE#' \
              -e 's#<sot_repo>#${{ env.sot_repo }}#' \
              -e 's#<destination_repo>#${TITLE}#' \
-              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
+              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical]
      - run: |
          # VULNERABLE
          BODY=$(git log --format=%s)
-          sed "s/FOO/$BODY/g" > /tmp/foo
+          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
      - run: |
          # VULNERABLE
          BODY=$(git diff --name-only HEAD)
-          sed "s/FOO/$BODY/g" > /tmp/foo
+          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
      - run: |
          # VULNERABLE
          BODY=$(git diff --name-only HEAD )
-          sed "s/FOO/$BODY/g" > /tmp/foo
+          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
      - run: |
          # VULNERABLE
          BODY=$(git diff --name-only HEAD^ | xargs)
-          sed "s/FOO/$BODY/g" > /tmp/foo
+          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
      - run: |
          # NOT VULNERABLE
          echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
--- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
@@ -1,3 +1,16 @@
 #select
 | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 edges
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
@@ -20,16 +33,3 @@ nodes
 | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 subpaths
 #select
 | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
--- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-088/ArgumentInjectionCritical.ql
+query: experimental/Security/CWE-088/ArgumentInjectionCritical.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected
@@ -1,3 +1,4 @@
 #select
 edges
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
@@ -20,4 +21,3 @@ nodes
 | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 subpaths
 #select
--- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-088/ArgumentInjectionMedium.ql
+query: experimental/Security/CWE-088/ArgumentInjectionMedium.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
@@ -4,4 +4,4 @@ runs:
  using: 'composite'
  steps:
    - shell: bash
-      run: echo '${{ github.event.pull_request.body }}'
+      run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
@@ -6,4 +6,4 @@ runs:
    - shell: bash
      env:
        FOO: ${{ secrets.FOO}}
-      run: echo '${{ github.event.pull_request.body }}'
+      run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
@@ -4,4 +4,4 @@ runs:
  using: 'composite'
  steps:
    - shell: bash
-      run: echo '${{ github.event.pull_request.body }}'
+      run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
@@ -16,7 +16,7 @@ runs:
  using: 'composite'
  steps:
    - shell: bash
-      run: echo '${{ github.event.issue.body }}'
+      run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
    - name: Step
      id: step 
      env:
@@ -25,10 +25,10 @@ runs:
      run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
    - id: step2
      env:
-        FOO2: ${{ github.event.issue.body }}
+        FOO2: ${{ github.event.issue.body }} # $ Source[actions/code-injection/critical]
      shell: bash
      run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT
    - name: Sink
      id: sink
      shell: bash
-      run: echo "${{ inputs.taint }}"
+      run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml
@@ -213,7 +213,7 @@ runs:
      run: |
        git config --global user.name "${{ inputs.github_username }}"
        git config --global user.email "${{ inputs.github_email }}"
-        git pull origin ${{ github.head_ref || github.ref }}
+        git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical]
        git add .
        git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
        if ! git diff --staged --quiet; then
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml
@@ -74,7 +74,7 @@ runs:
      #   pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
      run: |
        packages="ultralytics-actions"
-        if [ "${{ inputs.spelling }}" = "true" ]; then
+        if [ "${{ inputs.spelling }}" = "true" ]; then # $ Alert[actions/code-injection/medium]
          packages="$packages codespell tomli"
        fi
@@ -211,10 +211,10 @@ runs:
    - name: Commit and Push Changes
      if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
      run: |
-        git config --global user.name "${{ inputs.github_username }}"
+        git config --global user.name "${{ inputs.github_username }}" # $ Alert[actions/code-injection/medium]
-        git config --global user.email "${{ inputs.github_email }}"
+        git config --global user.email "${{ inputs.github_email }}" # $ Alert[actions/code-injection/medium]
        # this action is not called in the test
-        git pull origin ${{ github.head_ref || github.ref }}
+        git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/medium]
        git add .
        git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
        if ! git diff --staged --quiet; then
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml
@@ -19,7 +19,7 @@ runs:
  using: composite
  steps:
    - shell: bash
-      run: echo "${{ inputs.title }}"
+      run: echo "${{ inputs.title }}" # $ Alert[actions/code-injection/critical]
    - uses: frabert/replace-string-action@v2.5
      id: out 
      with:
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml
@@ -93,7 +93,7 @@ runs:
      shell: bash
    - shell: bash
      run: |
-        echo "${{ inputs.body }}"
+        echo "${{ inputs.body }}" # $ Alert[actions/code-injection/critical]
    # Checkout Repository ----------------------------------------------------------------------------------------------
    - name: Checkout Repository
@@ -220,7 +220,7 @@ runs:
      run: |
        git config --global user.name "${{ inputs.github_username }}"
        git config --global user.email "${{ inputs.github_email }}"
-        git pull origin ${{ github.head_ref || github.ref }}
+        git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical]
        git add .
        git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
        if ! git diff --staged --quiet; then
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml
@@ -14,7 +14,7 @@ jobs:
      - uses: actions/checkout@v2
      - name: Remove conflicting chars
        env:
-          ISSUE_TITLE: ${{github.event.issue.title}}
+          ISSUE_TITLE: ${{github.event.issue.title}} # $ Source[actions/code-injection/critical]
        uses: frabert/replace-string-action@1.2
        id: remove_quotations
        with:
@@ -24,6 +24,6 @@ jobs:
      - name: Check info
        id: check-info
        run: |
-          echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV
+          echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml
@@ -17,12 +17,12 @@ jobs:
          workflow: ${{ github.event.workflow_run.workflow_id }}
          name: pr
-      - name: save PR id
+      - name: save PR id # $ Source[actions/code-injection/critical]
        id: pr
        run: echo "::set-output name=id::$(<pr-id.txt)"
      - name: upload surge service
        id: deploy
        run: |
-          export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh
+          export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh # $ Alert[actions/code-injection/critical]
          npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml
@@ -16,8 +16,8 @@ jobs:
        with:
          name: README
-      - name: upload surge service
+      - name: upload surge service # $ Source[actions/code-injection/critical]
        id: deploy
        run: |
-          echo ${{ steps.pr.outputs.id }}
+          echo ${{ steps.pr.outputs.id }} # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml
@@ -38,7 +38,7 @@ jobs:
            });
            var fs = require('fs');
            fs.writeFileSync('${{github.workspace}}/input.zip', Buffer.from(download.data));
-      - name: Set needed env vars in outputs
+      - name: Set needed env vars in outputs # $ Source[actions/code-injection/critical]
        id: prepare
        run: |
          unzip input.zip
@@ -50,4 +50,4 @@ jobs:
          echo "PR: ${tmp}"
          echo "pr=${tmp}" >> $GITHUB_OUTPUT
-      - run: echo ${{ steps.prepare.outputs.pr }}
+      - run: echo ${{ steps.prepare.outputs.pr }} # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml
@@ -14,9 +14,9 @@ jobs:
            name: artifact
      # Save PR id to output
-      - name: Save artifact data
+      - name: Save artifact data # $ Source[actions/code-injection/critical]
        id: artifact
        run: echo "::set-output name=id::$(<artifact.txt)"
      - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.id }} 
+        run: echo ${{ steps.artifact.outputs.id }}  # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml
@@ -13,11 +13,11 @@ jobs:
            name: artifact
      # Save PR id to output
-      - name: Save artifact data
+      - name: Save artifact data # $ Source[actions/code-injection/critical]
        id: artifact
        uses: juliangruber/read-file-action@v1
        with:
          path: ./artifact.txt
      - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.content }} 
+        run: echo ${{ steps.artifact.outputs.content }}  # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
@@ -12,13 +12,13 @@ jobs:
            run_id: ${{github.event.workflow_run.id}}
            name: artifact
-      - id: artifact
+      - id: artifact # $ Source[actions/code-injection/critical]
        run: |
          echo "::set-output name=pr_number::$(<artifact.txt)"
          mkdir firebase-android
          unzip firebase-android.zip -d firebase-android
      - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.pr_number }} 
+        run: echo ${{ steps.artifact.outputs.pr_number }}  # $ Alert[actions/code-injection/critical]
      - id: artifact2
        run: |
@@ -26,5 +26,5 @@ jobs:
          mkdir firebase-android
          unzip firebase-android.zip -d firebase-android
      - name: Use artifact
-        run: echo ${{ steps.artifact2.outputs.pr_number }} 
+        run: echo ${{ steps.artifact2.outputs.pr_number }}  # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml
@@ -12,7 +12,7 @@ jobs:
            run_id: ${{github.event.workflow_run.id}}
            name: artifact
-      - id: artifact
+      - id: artifact # $ Source[actions/code-injection/critical]
        run: |
          set -eou pipefail
          pr_number=$(cat -e artifact.txt)
@@ -27,5 +27,5 @@ jobs:
          mkdir firebase-android
          unzip firebase-android.zip -d firebase-android
      - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.pr_number }} 
+        run: echo ${{ steps.artifact.outputs.pr_number }}  # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml
@@ -14,9 +14,9 @@ jobs:
            name: artifact
      # Save PR id to output
-      - name: Save artifact data
+      - name: Save artifact data # $ Source[actions/code-injection/critical]
        id: artifact
        run: echo "::set-output name=id::$(<artifact.txt)"
      - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.id }} 
+        run: echo ${{ steps.artifact.outputs.id }}  # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml
@@ -15,9 +15,9 @@ jobs:
      - name: Get changed files 1
        id: changed-files1
        uses: tj-actions/changed-files@v40
-      - name: List all changed files 1
+      - name: List all changed files 1 # $ Source[actions/code-injection/medium]
        run: |
-          for file in ${{ steps.changed-files1.outputs.all_changed_files }}; do
+          for file in ${{ steps.changed-files1.outputs.all_changed_files }}; do # $ Alert[actions/code-injection/medium]
            echo "$file was changed"
          done
@@ -35,9 +35,9 @@ jobs:
        uses: tj-actions/changed-files@v41
        with:
          safe_output: false
-      - name: List all changed files 3
+      - name: List all changed files 3 # $ Source[actions/code-injection/medium]
        run: |
-          for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do
+          for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do # $ Alert[actions/code-injection/medium]
            echo "$file was changed"
          done
@@ -53,8 +53,8 @@ jobs:
      - name: Get changed files 5
        id: changed-files5
        uses: tj-actions/changed-files@95690f9ece77c1740f4a55b7f1de9023ed6b1f87 # v39.2.3
-      - name: List all changed files 5
+      - name: List all changed files 5 # $ Source[actions/code-injection/medium]
        run: |
-          for file in ${{ steps.changed-files5.outputs.all_changed_files }}; do
+          for file in ${{ steps.changed-files5.outputs.all_changed_files }}; do # $ Alert[actions/code-injection/medium]
            echo "$file was changed"
          done
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml
@@ -6,25 +6,25 @@ jobs:
    steps:
    - run: |
        Foo
-        echo '${{ github.event.comment.body }}'
+        echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
        Bar
  echo-chamber2:
    runs-on: ubuntu-latest
    steps:
-    - run: echo '${{ github.event.comment.body }}'
+    - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.issue.body }}'
+    - run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.issue.title }}'
+    - run: echo '${{ github.event.issue.title }}' # $ Alert[actions/code-injection/critical]
  echo-chamber3:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/github-script@v3
      with:
-        script: console.log('${{ github.event.comment.body }}')
+        script: console.log('${{ github.event.comment.body }}') # $ Alert[actions/code-injection/critical]
    - uses: actions/github-script@v3
      with:
-        script: console.log('${{ github.event.issue.body }}')
+        script: console.log('${{ github.event.issue.body }}') # $ Alert[actions/code-injection/critical]
    - uses: actions/github-script@v3
      with:
-        script: console.log('${{ github.event.issue.title }}')
+        script: console.log('${{ github.event.issue.title }}') # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml
@@ -7,6 +7,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - run: |
-          LINE 1 echo '${{ github.event.comment.body }}'
+          LINE 1 echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
-          LINE 2 echo '${{github.event.issue.body}}'
+          LINE 2 echo '${{github.event.issue.body}}' # $ Alert[actions/code-injection/critical]
-          LINE 3 echo '${{ github.event.comment.body }}'
+          LINE 3 echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml
@@ -9,7 +9,7 @@ jobs:
      - uses: .github/actions/action5
        id: foo
        with:
-          taint: ${{ github.event.comment.body }}
+          taint: ${{ github.event.comment.body }} # $ Source[actions/code-injection/critical]
-      - run: echo "${{ steps.foo.outputs.result }}"
+      - run: echo "${{ steps.foo.outputs.result }}" # $ Alert[actions/code-injection/critical]
-      - run: echo "${{ steps.foo.outputs.result2 }}"
+      - run: echo "${{ steps.foo.outputs.result2 }}" # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml
@@ -11,8 +11,8 @@ jobs:
        id: clone
        uses: TestOrg/TestRepo/.github/actions/clone-repo@main
        with:
-          title: ${{ github.event.pull_request.title }}
+          title: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical]
          forked-pr: true
          fetch-depth: 2
-      - run: echo "${{ steps.clone.outputs.result }}"
+      - run: echo "${{ steps.clone.outputs.result }}" # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/cross3.yml
@@ -29,7 +29,7 @@ jobs:
      id: remove_quotations
      with:
        pattern: "\""
-        string: ${{github.event.commits[0].message}}
+        string: ${{github.event.commits[0].message}} # $ Source[actions/code-injection/medium]
        replace-with: "-"  
        flags: g
@@ -39,7 +39,7 @@ jobs:
          ISSUE_BODY_PARSED: ${{steps.remove_quotations.outputs.replaced}}
      id: check-info
      run: |
-        echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV
+        echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV # $ Alert[actions/code-injection/medium]
      #If a target branch was found will run the action
    - if: env.destination_branch != 'invalid'
@@ -50,7 +50,7 @@ jobs:
        git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}}
        git cherry-pick -x ${{github.event.after}} --strategy-option theirs
        git push -u origin ${{env.auto_branch}}
-        hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}"
+        hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" # $ Alert[actions/code-injection/medium]
      env: 
        #Token used for the pull request. Corresponds to the DynamoBot account
        GITHUB_TOKEN: ${{secrets.DYNAMOBOTTOKEN}}
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml
@@ -4,5 +4,5 @@ jobs:
  echo-chamber:
    runs-on: ubuntu-latest
    steps:
-    - run: echo '${{ github.event.discussion.title }}'
+    - run: echo '${{ github.event.discussion.title }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.discussion.body }}'
+    - run: echo '${{ github.event.discussion.body }}' # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml
@@ -4,6 +4,6 @@ jobs:
  echo-chamber:
    runs-on: ubuntu-latest
    steps:
-    - run: echo '${{ github.event.discussion.title }}'
+    - run: echo '${{ github.event.discussion.title }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.discussion.body }}'
+    - run: echo '${{ github.event.discussion.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.comment.body }}'
+    - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml
@@ -81,7 +81,7 @@ jobs:
          git push \
            "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \
-            'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'
+            'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}' # $ Alert[actions/code-injection/critical] Source[actions/code-injection/critical]
      env:
        BOT_PA_TOKEN: ${{ secrets.githubBotPAT }}
@@ -91,4 +91,4 @@ jobs:
      with:
        github-token: ${{ secrets.githubBotPAT }}
        script: |
-          const fileList = `${{ steps.git-commit.outputs.file-list }}`
+          const fileList = `${{ steps.git-commit.outputs.file-list }}` # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml
@@ -33,7 +33,7 @@ jobs:
      next_version: next
      link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})'
    steps:
-      - run: echo "${{ inputs.taint }}"
+      - run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical]
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.ref }}
@@ -41,8 +41,8 @@ jobs:
        id: update
        uses: actions/github-script@v6
        env:
-          log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n'
+          log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical]
-          prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n'
+          prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical]
        with:
          result-encoding: string
          script: |
@@ -50,7 +50,7 @@ jobs:
            const file = './${{ env.file }}';
            let content = fs.readFileSync(file).toString();
            const title = '[${{ env.next_version }}]';
-            const log = '${{ env.log }}';
+            const log = '${{ env.log }}'; # $ Alert[actions/code-injection/critical]
            let exists = ${{ needs.changelog.result == 'success' }};
            if (!content.includes(title)) {
@@ -63,7 +63,7 @@ jobs:
            const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1;
            if (exists && ${{ github.event.action == 'edited' }}) {
-                const prevLog = '${{ env.prev_log }}';
+                const prevLog = '${{ env.prev_log }}'; # $ Alert[actions/code-injection/critical]
                const index = content.indexOf(prevLog, insertAt);
                if (index > -1) {
                    content = content.slice(0, index) + content.slice(index + prevLog.length);
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml
@@ -4,8 +4,8 @@ jobs:
  echo-chamber:
    runs-on: ubuntu-latest
    steps:
-    - run: echo '${{ github.event.pages[1].title }}'
+    - run: echo '${{ github.event.pages[1].title }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.pages[11].title }}'
+    - run: echo '${{ github.event.pages[11].title }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.pages[0].page_name }}'
+    - run: echo '${{ github.event.pages[0].page_name }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.pages[2222].page_name }}'
+    - run: echo '${{ github.event.pages[2222].page_name }}' # $ Alert[actions/code-injection/medium]
    - run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml
@@ -15,7 +15,7 @@ jobs:
      - name: Extract and Clean Initial URL
        id: extract-url
        env:
-          BODY: ${{ github.event.comment.body }}
+          BODY: ${{ github.event.comment.body }} # $ Source[actions/code-injection/critical]
        run: |
          echo "::set-output name=initial_url::$BODY"
@@ -34,4 +34,4 @@ jobs:
      - name: Update Comment with New URL
        run: |
-          NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}"
+          NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml
@@ -23,7 +23,7 @@ jobs:
        id: source 
        uses: tj-actions/changed-files@v40
-      - name: Remove foo from changed files
+      - name: Remove foo from changed files # $ Source[actions/code-injection/medium]
        id: step
        uses: mad9000/actions-find-and-replace-string@3
        with:
@@ -40,4 +40,4 @@ jobs:
    steps:
      - id: sink
-        run: echo ${{needs.job1.outputs.job_output}}
+        run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml
@@ -23,7 +23,7 @@ jobs:
        id: source 
        uses: tj-actions/changed-files@v40
-      - name: Remove foo from changed files
+      - name: Remove foo from changed files # $ Source[actions/code-injection/medium]
        id: step
        uses: mad9000/actions-find-and-replace-string@3
        with:
@@ -40,4 +40,4 @@ jobs:
    steps:
      - id: sink
-        run: echo ${{needs.job1.outputs.job_output}}
+        run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml
@@ -23,7 +23,7 @@ jobs:
        id: source 
        uses: tj-actions/changed-files@v40
-      - name: Remove foo from changed files
+      - name: Remove foo from changed files # $ Source[actions/code-injection/medium]
        id: step
        uses: mad9000/actions-find-and-replace-string@3
        with:
@@ -42,4 +42,4 @@ jobs:
    steps:
      - id: sink
-        run: echo ${{needs.job1.outputs.job_output}}
+        run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml
@@ -23,7 +23,7 @@ jobs:
        id: source 
        uses: tj-actions/changed-files@v40
-      - name: Remove foo from changed files
+      - name: Remove foo from changed files # $ Source[actions/code-injection/medium]
        id: step
        uses: mad9000/actions-find-and-replace-string@3
        with:
@@ -41,4 +41,4 @@ jobs:
    steps:
      - id: sink
-        run: echo ${{needs.job1.outputs.job_output}}
+        run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml
@@ -42,4 +42,4 @@ jobs:
    steps:
      - id: sink
        # Should not be reported since job1 is not needed
-        run: echo ${{needs.job1.outputs.job_output}}
+        run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml
@@ -1,20 +1,20 @@
 on: issues
 env:
-  global_env: ${{ github.event.issue.title }}
+  global_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical]
  test: test
 jobs:
  echo-chamber:
    env:
-      job_env: ${{ github.event.issue.title }}
+      job_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical]
    runs-on: ubuntu-latest
    steps:
-    - run: echo '${{ github.event.issue.title }}'
+    - run: echo '${{ github.event.issue.title }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.issue.body }}'
+    - run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ env.global_env }}'
+    - run: echo '${{ env.global_env }}' # $ Alert[actions/code-injection/critical]
    - run: echo '${{ env.test }}'
-    - run: echo '${{ env.job_env }}'
+    - run: echo '${{ env.job_env }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ env.step_env }}'
+    - run: echo '${{ env.step_env }}' # $ Alert[actions/code-injection/critical]
      env:
-        step_env: ${{ github.event.issue.title }}
+        step_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ github.event.comment.body == '/jira ticket' }}
    steps:
-      - run: echo ${{ github.event.comment.body }}
+      - run: echo ${{ github.event.comment.body }} # $ Alert[actions/code-injection/critical]
      - name: Login
        uses: atlassian/gajira-login@v3
@@ -20,7 +20,7 @@ jobs:
          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
      - name: SearchParam
-        run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}'
+        run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' # $ Alert[actions/code-injection/critical]
      - name: Search
        id: search
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml
@@ -41,7 +41,7 @@ jobs:
        run: |
          echo "Checking issue body for profanities..."
          PROFANITIES_LIST="bad|disguting|horrible"
-          if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then
+          if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then # $ Alert[actions/code-injection/critical]
            echo "Profanity detected in issue body. Please clean up the language."
            exit 1
          else
@@ -66,7 +66,7 @@ jobs:
        uses: actions/github-script@v5
        with:
          script: |
-            const commentBody = "${{ github.event.comment.body }}";
+            const commentBody = "${{ github.event.comment.body }}"; # $ Alert[actions/code-injection/critical]
            let response;
            if (commentBody.includes("hello")) {
              response = "Hello! How can I help you today?";
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml
@@ -34,4 +34,4 @@ jobs:
          pr-message: 'Message that will be displayed on users first pr'
      - name: Log test executions
        run: |
-          echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information."
+          echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information." # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml
@@ -11,4 +11,4 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      - run: echo "${{ github.event.pull_request.body }}"
+      - run: echo "${{ github.event.pull_request.body }}" # $ Alert[actions/code-injection/medium]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml
@@ -4,11 +4,11 @@ jobs:
  echo-chamber:
    runs-on: ubuntu-latest
    steps:
-    - run: echo '${{ github.event.pull_request.title }}'
+    - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.body }}'
+    - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.label }}'
+    - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.description }}'
+    - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+    - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.ref }}'
+    - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.review.body }}'
+    - run: echo '${{ github.event.review.body }}' # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml
@@ -4,11 +4,11 @@ jobs:
  echo-chamber:
    runs-on: ubuntu-latest
    steps:
-    - run: echo '${{ github.event.pull_request.title }}'
+    - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.body }}'
+    - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.label }}'
+    - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.description }}'
+    - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+    - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.ref }}'
+    - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.comment.body }}'
+    - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
@@ -6,12 +6,12 @@ jobs:
    steps:
    - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, so we should not report it
    - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, so we should not report it
-    - run: echo '${{ github.event.pull_request.title }}'
+    - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.body }}'
+    - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.label }}'
+    - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.description }}'
+    - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+    - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.pull_request.head.ref }}'
+    - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.head_ref }}'
+    - run: echo '${{ github.head_ref }}' # $ Alert[actions/code-injection/critical]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml
@@ -4,13 +4,13 @@ jobs:
  echo-chamber:
    runs-on: ubuntu-latest
    steps:
-    - run: echo '${{ github.event.commits[11].message }}'
+    - run: echo '${{ github.event.commits[11].message }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.commits[11].author.email }}'
+    - run: echo '${{ github.event.commits[11].author.email }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.commits[11].author.name }}'
+    - run: echo '${{ github.event.commits[11].author.name }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.head_commit.message }}'
+    - run: echo '${{ github.event.head_commit.message }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.head_commit.author.email }}'
+    - run: echo '${{ github.event.head_commit.author.email }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.head_commit.author.name }}'
+    - run: echo '${{ github.event.head_commit.author.name }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.head_commit.committer.email }}'
+    - run: echo '${{ github.event.head_commit.committer.email }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.head_commit.committer.name }}'
+    - run: echo '${{ github.event.head_commit.committer.name }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.commits[11].committer.email }}'
+    - run: echo '${{ github.event.commits[11].committer.email }}' # $ Alert[actions/code-injection/medium]
-    - run: echo '${{ github.event.commits[11].committer.name }}'
+    - run: echo '${{ github.event.commits[11].committer.name }}' # $ Alert[actions/code-injection/medium]
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Owen Mansel-Chan	4d2e16e97b	Actions	2026-06-10 22:59:00 +02:00
Owen Mansel-Chan	212e9d07fd	Swift	2026-06-10 22:58:52 +02:00
Owen Mansel-Chan	cf1e064131	rust	2026-06-10 22:58:41 +02:00
Owen Mansel-Chan	9ea3e9088c	Ruby	2026-06-10 22:57:52 +02:00
Owen Mansel-Chan	8e07690049	Python	2026-06-10 22:57:42 +02:00
Owen Mansel-Chan	d75113de93	JS	2026-06-10 22:57:33 +02:00
Owen Mansel-Chan	11e99a03d5	C#	2026-06-10 22:57:22 +02:00
Owen Mansel-Chan	f54debd65a	C++	2026-06-10 22:57:08 +02:00
copilot-swe-agent[bot]	c732bd6613	Initial plan	2026-06-10 12:31:19 +00:00
Tom Hvitved	f5919875b7	Merge pull request #21941 from hvitved/python/content-approx Python: Implement `ContentApprox`	2026-06-09 15:46:04 +02:00
Owen Mansel-Chan	8d456df26f	Merge pull request #21960 from github/dependabot/go_modules/go/extractor/extractor-dependencies-28a04969f3 Bump golang.org/x/mod from 0.36.0 to 0.37.0 in /go/extractor in the extractor-dependencies group	2026-06-09 05:30:45 +01:00
dependabot[bot]	72fcf27d1a	Bump golang.org/x/mod Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/mod](https://github.com/golang/mod). Updates `golang.org/x/mod` from 0.36.0 to 0.37.0 - [Commits](https://github.com/golang/mod/compare/v0.36.0...v0.37.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.37.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: extractor-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-09 03:03:37 +00:00
yoff	0cea01c22f	Merge pull request #21926 from github/yoff/python-simplify-decorator-predicates Python: simplify decorator-detection predicates to pure AST match	2026-06-08 22:04:33 +02:00
Anders Schack-Mulligen	a473565256	Merge pull request #21954 from aschackmull/cfg/consistency-child-idx Cfg: Add consistency check for relevant child indices.	2026-06-08 14:44:20 +02:00
Anders Schack-Mulligen	c47135a40b	Cfg: Add consistency check for relevant child indices.	2026-06-08 13:40:33 +02:00
Owen Mansel-Chan	3cbc8f0262	Merge pull request #21951 from github/workflow/go-version-update Go: Update to 1.26.4	2026-06-08 11:47:47 +01:00
Tom Hvitved	cc1ea25856	Python: Implement `ContentApprox`	2026-06-08 08:41:28 +02:00
github-actions[bot]	5a38cbd5d5	Go: Update to 1.26.4	2026-06-08 04:30:10 +00:00
Owen Mansel-Chan	cf6d94cf8a	Merge pull request #21324 from github/copilot/automate-go-version-updates-again Automate Go version updates via scheduled workflow	2026-06-06 03:03:03 +01:00
Owen Mansel-Chan	292fc8b777	Fix detection of failed text replacement I checked and the comment seems to be correct. Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-06-06 02:52:21 +01:00
Owen Mansel-Chan	a1759d9834	Use --force-with-lease for slightly improved safety Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-06-06 02:51:36 +01:00
Owen Mansel-Chan	6b74874372	Minor improvement to PR text	2026-06-06 02:32:43 +01:00
copilot-swe-agent[bot]	ef29d22c75	Update Go version workflow to include patch numbers in messages	2026-06-06 01:03:44 +00:00
Owen Mansel-Chan	1f91f915c7	Merge pull request #21888 from owen-mc/py/remove-imprecise-container-steps Python: Remove imprecise container steps #2	2026-06-04 22:16:24 +01:00
Jon Janego	ba8eebe2b5	Merge pull request #21948 from github/codeql-spark-run-26974832191 Update changelog documentation site for codeql-cli-2.25.6	2026-06-04 14:55:17 -05:00
github-actions[bot]	dc1409e5f4	update codeql documentation	2026-06-04 19:36:45 +00:00
Mario Campos	284f42bb9e	Merge pull request #21945 from github/codeql-spark-run-26947645690 Update changelog documentation site for codeql-cli-2.25.6	2026-06-04 13:09:04 -05:00
Henry Mercer	2f3524de74	Merge branch 'rc/3.22' into codeql-spark-run-26947645690	2026-06-04 16:01:11 +01:00
github-actions[bot]	b32573b060	update codeql documentation	2026-06-04 14:57:38 +00:00
Owen Mansel-Chan	cd2398aeea	Merge pull request #21936 from github/workflow/coverage/update Update CSV framework coverage reports	2026-06-04 12:45:21 +01:00
Sotiris Dragonas	d6892eaf0d	Merge pull request #21900 from github/bazookamusic/range-analysis-bound-move-to-shared Bound.qll - Replace utility for range analysis duplicate across java and cs with shared file	2026-06-04 12:45:11 +02:00
BazookaMusic	d2972cb53f	Add back alias for module	2026-06-04 11:08:49 +02:00
github-actions[bot]	5576d30780	Add changed framework coverage reports	2026-06-04 01:04:50 +00:00
Owen Mansel-Chan	da999ee440	Address review comments	2026-06-03 21:24:16 +01:00
Tom Hvitved	3da195f50f	Merge pull request #21918 from hvitved/rust/expose-resolution Rust: Add `Impl::getSelf()` and `Impl::getTrait()`	2026-06-03 20:18:05 +02:00
Henry Mercer	93a4b427e3	Merge pull request #21933 from github/post-release-prep/codeql-cli-2.25.6 Post-release preparation for codeql-cli-2.25.6	2026-06-03 16:57:48 +01:00
Tom Hvitved	0430c71318	Merge pull request #21922 from hvitved/rust/static-const-resolution Rust: Path resolution for `static` items	2026-06-03 17:48:21 +02:00
Owen Mansel-Chan	52f2a5825a	Merge pull request #21804 from github/copilot/add-tests-for-models Java: Update CWE-918 model coverage for Apache HttpClient `execute` sinks	2026-06-03 12:55:56 +01:00
Owen Mansel-Chan	d55ff83568	Merge pull request #21269 from owen-mc/go/improve-tests-for-varargs-flow Go: improve tests for varargs flow	2026-06-03 12:39:46 +01:00
BazookaMusic	f34275636c	No duplicate Ssa and remove release changenot	2026-06-03 11:54:24 +02:00
BazookaMusic	0a801440b9	review comments	2026-06-03 10:48:50 +02:00
Asger F	7edf0100cc	Merge pull request #21924 from asgerf/asgerf/yeast-changes Yeast: some fixes	2026-06-03 10:32:38 +02:00
Owen Mansel-Chan	167c837088	Merge pull request #21914 from owen-mc/shared/cfg/if-init Shared CFG: allow init stmts for IfStmt	2026-06-02 22:01:02 +01:00
Owen Mansel-Chan	6f2cc43f32	Remove imprecise model for `tuple()`	2026-06-02 21:59:48 +01:00
Owen Mansel-Chan	5042fdee84	Remove imprecise model for `list()`	2026-06-02 21:59:46 +01:00
Owen Mansel-Chan	04341c47bd	Tweak model for str.join	2026-06-02 21:59:44 +01:00
Tom Hvitved	af45e53e77	Rust: Rename parameter in DB upgrade script	2026-06-02 21:18:53 +02:00
Owen Mansel-Chan	b27d08ee32	Update edges in expected test output	2026-06-02 18:29:56 +01:00
Jeroen Ketema	d11fc3a00e	Merge pull request #21932 from jketema/jketema/vue JS: Add Vue to `file_coverage_languages` and `github_api_languages`	2026-06-02 17:53:25 +02:00
Owen Mansel-Chan	20ce679d61	Accept changed edges in test output No changes to alerts	2026-06-02 16:15:08 +01:00
Owen Mansel-Chan	f62ebef9e0	Adjust expected test output	2026-06-02 16:15:06 +01:00
Owen Mansel-Chan	c3ef1ddd64	Add MaD models for lxml and xml etree.fromstringlist	2026-06-02 16:15:01 +01:00
Owen Mansel-Chan	dede5bc49b	Track flow through `tuple()` with list with tainted elements	2026-06-02 16:14:59 +01:00
Owen Mansel-Chan	ad97b6dd64	Use access path for `str.join` model	2026-06-02 16:14:56 +01:00
Jeroen Ketema	9d5dfea5c5	JS: Add Vue to `file_coverage_languages` and `github_api_languages`	2026-06-02 16:57:51 +02:00
Tom Hvitved	dc0c7d7ec2	Fix `commment` typos	2026-06-02 14:41:27 +02:00
Sotiris Dragonas	61a5cece56	Merge branch 'main' into bazookamusic/range-analysis-bound-move-to-shared	2026-06-02 10:41:49 +02:00
BazookaMusic	566a92e555	formatting again	2026-06-02 10:41:10 +02:00
Owen Mansel-Chan	be9c785cb2	Fix incorrect QLDoc Co-authored-by: Tom Hvitved <hvitved@github.com>	2026-06-02 09:26:13 +01:00
Tom Hvitved	1fd31d0ddd	Rust: Data flow for `const`s and `static`s	2026-06-02 09:55:51 +02:00
Tom Hvitved	c4e3720d8a	Rust: Run codegen	2026-06-02 09:02:57 +02:00
Tom Hvitved	0547e9c98d	Rust: Path resolution for `static` items	2026-06-02 09:02:56 +02:00
BazookaMusic	2a3cff382c	more specific comment	2026-06-01 18:20:50 +02:00
BazookaMusic	c610af88d3	fix comment and add overlay[local?]	2026-06-01 18:18:37 +02:00
BazookaMusic	fa63dad1d1	change note	2026-06-01 18:16:51 +02:00
Sotiris Dragonas	019a5c01ad	Merge branch 'main' into bazookamusic/range-analysis-bound-move-to-shared	2026-06-01 18:10:02 +02:00
yoff	5fb75ac987	Python: simplify decorator-detection predicates to pure AST match The internal predicates that identify `@staticmethod`, `@classmethod` and `@property` decorators previously required the decorator's `NameNode` to satisfy `isGlobal()` (i.e. no SSA def reaches the decorator's name use). That filter was correct but unnecessarily indirect: these three names are builtins, and even when a class body redefines one, the class body has not started executing at the decorator position, so Python uses the builtin. Match the decorator's AST `Name` directly instead, dropping the CFG/SSA detour. The slight semantic change — `isGlobal()` would have rejected module-level shadowing of these builtins — is negligible in practice and explicitly documented in the change note. `hasContextmanagerDecorator` and `hasOverloadDecorator` keep the `NameNode.isGlobal()` check because their target names (`contextmanager`, `overload`) are imported, not builtin, and local shadowing is a real concern. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-01 14:04:43 +00:00
BazookaMusic	c1c9287535	restore file header	2026-06-01 15:48:26 +02:00
BazookaMusic	d1226b71de	formatting	2026-06-01 15:46:52 +02:00
BazookaMusic	71a363545a	formatting	2026-06-01 15:24:06 +02:00
Asger F	3f3bed62d3	yeast: type-check for missing required fields Add FieldCardinality to Schema to track required/multiple per field, populated from the ast_types.yml suffixes (bare = required single, ? = optional single, + = required multiple, * = optional multiple). dump_ast_with_type_errors now emits: <-- ERROR: missing required field 'name' for any node in the output AST whose declared schema requires a field that is absent from the actual node. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-01 14:18:37 +02:00
Asger F	21f216af8c	yeast-macros: omit empty fields produced by .. splice When a {..expr} splice in an output template is empty (e.g. from an optional capture that did not match), drop the field entirely rather than emitting an empty named field. This lets a single rule with optional captures replace what used to be two near-identical rules. Also re-renders the corpus to drop the now-suppressed empty fields. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-01 14:18:37 +02:00
Asger F	1751d70c62	Fix parsing of corpus tests when --- delimiter is missing	2026-06-01 14:18:37 +02:00
Asger F	ac8eb50c26	Yeast: Allow 'r#type' to escape the 'type' keyword in macro	2026-06-01 14:18:37 +02:00
Asger F	1ecdc3614f	Yeast: Fix matching against extras like comments	2026-06-01 14:18:37 +02:00
Asger F	e3b3888bee	Yeast: Fix handling of captures with multiple results	2026-06-01 14:18:36 +02:00
Asger F	ef9306d82c	Yeast: Allow rules that return an empty sequence	2026-06-01 14:18:36 +02:00
Asger F	56822f8ee1	Tree-sitter-extactor: More helpful panic message	2026-06-01 14:04:49 +02:00
Tom Hvitved	62207f152c	Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-06-01 13:55:22 +02:00
Tom Hvitved	d5f94475b5	Rust: DB upgrade/downgrade scripts	2026-06-01 10:38:10 +02:00
Tom Hvitved	00e95a0757	Rust: Add `Impl::getSelf()` and `Impl::getTrait()`	2026-06-01 10:38:09 +02:00
Tom Hvitved	c695c151ea	Rust: Rename `Impl::getTrait` to `Impl::getTraitTy`	2026-06-01 10:38:07 +02:00
Owen Mansel-Chan	b38440490a	Address review comment	2026-05-31 21:47:44 +01:00
Owen Mansel-Chan	5e5a0437e1	Shared CFG: allow init stmts for IfStmt	2026-05-30 07:35:29 +01:00
Owen Mansel-Chan	aee33a0cc9	Add missing code for `TAnyTupleOrDictionaryElement`	2026-05-29 10:26:24 +01:00
Owen Mansel-Chan	df15a719cb	Add a `ContentSet` for any tuple or dictionary element	2026-05-28 16:48:23 +01:00
Owen Mansel-Chan	812e8e6b34	Add change note	2026-05-28 11:37:54 +01:00
Owen Mansel-Chan	80c6f082d1	Fix TODO in `containerStep`	2026-05-28 11:34:02 +01:00
Owen Mansel-Chan	d95d99848c	Build `RequestBuilder` more realistically	2026-05-28 11:05:40 +01:00
Owen Mansel-Chan	8937e22735	Add summary models for `org.apache.http.client.methods.RequestBuilder` Generated by GPT 5.3-codex, verified by me.	2026-05-28 10:56:37 +01:00
Owen Mansel-Chan	37589dd8a0	Improve how `org.apache.http.client.HttpClient` is created in test	2026-05-28 10:30:43 +01:00
Owen Mansel-Chan	a159dc1c66	Change variable name in test	2026-05-28 10:28:14 +01:00
BazookaMusic	cc12740c0e	remove check for files in sync	2026-05-27 17:41:44 +02:00
BazookaMusic	acb5c0e70f	missed changes	2026-05-27 17:23:45 +02:00
BazookaMusic	6042adebae	move identical java and cs bound.qll to shared library	2026-05-27 17:23:28 +02:00
Owen Mansel-Chan	ec13e1bcd3	Add wildcard `ContentSet`s to avoid performance problems	2026-05-27 15:28:07 +01:00
Owen Mansel-Chan	e8779295ee	Update test results	2026-05-22 11:43:18 +01:00
Rasmus Lerchedahl Petersen	fa758d6bf5	python: fix test	2026-05-21 16:59:19 +01:00
Rasmus Lerchedahl Petersen	fa9426c749	Python: extra tests for comprehension	2026-05-21 16:59:18 +01:00
Rasmus Lerchedahl Petersen	0ecca91dea	Python: typo	2026-05-21 16:59:16 +01:00
Rasmus Lerchedahl Petersen	f669a4f3bf	Python: Make sure all imprecise taint bubbles up	2026-05-21 16:59:14 +01:00
Rasmus Lerchedahl Petersen	3275c814bd	Python: reset test expectations	2026-05-21 16:59:11 +01:00
Rasmus Lerchedahl Petersen	9a180036a5	Python: conversion step for `format_map` and adjust collection test	2026-05-21 16:59:08 +01:00
Rasmus Lerchedahl Petersen	93e7ab52b7	Python: adjust test expectations We now find an alert on this line as we hope to It is not an alert for _full_ SSRF, though, since that configuration cannot handle multiple substitutions.	2026-05-21 16:58:51 +01:00
Rasmus Lerchedahl Petersen	facb3b681d	Python: recover taint for % format strings	2026-05-21 16:57:50 +01:00
Rasmus Lerchedahl Petersen	b67694b2ab	Python: Remove imprecise container steps - remove `tupleStoreStep` and `dictStoreStep` from `containerStep` These are imprecise compared to the content being precise. - add implicit reads to recover taint at sinks - add implicit read steps for decoders to supplement the `AdditionalTaintStep` that now only covers when the full container is tainted.	2026-05-21 16:57:44 +01:00
Owen Mansel-Chan	dc864762c3	Add change note	2026-05-07 10:23:50 +01:00
Owen Mansel-Chan	dd35bc0722	Update test output	2026-05-07 10:17:47 +01:00
copilot-swe-agent[bot]	043ec857ab	Replace fluent SSRF changes with Apache HttpClient execute model tests Agent-Logs-Url: https://github.com/github/codeql/sessions/3db201db-a1b5-4353-a94a-14a8d156dd3b Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>	2026-05-06 20:31:34 +00:00
copilot-swe-agent[bot]	f5b17b0b48	Add SSRF tests and stubs for Apache Http fluent Request models Agent-Logs-Url: https://github.com/github/codeql/sessions/bd4fa112-dbc3-47e8-9cef-9b1b13c7e549 Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>	2026-05-06 16:08:02 +00:00
copilot-swe-agent[bot]	26dca558c7	Initial plan	2026-05-06 16:02:08 +00:00
Owen Mansel-Chan	a367294c23	Merge branch 'main' into copilot/automate-go-version-updates-again	2026-04-23 14:41:46 +01:00
copilot-swe-agent[bot]	b6004045bd	Clean up Go version workflow - remove unnecessary escaping and checks Co-authored-by: mbg <278086+mbg@users.noreply.github.com>	2026-02-13 11:23:44 +00:00
copilot-swe-agent[bot]	cc7e03b0f5	Add error handling and validation to Go version workflow Co-authored-by: mbg <278086+mbg@users.noreply.github.com>	2026-02-13 11:22:36 +00:00
copilot-swe-agent[bot]	1cbd423251	Improve portability and fix PR detection in Go version workflow Co-authored-by: mbg <278086+mbg@users.noreply.github.com>	2026-02-13 11:21:13 +00:00
copilot-swe-agent[bot]	437244fe90	Fix portability issues in Go version update workflow Co-authored-by: mbg <278086+mbg@users.noreply.github.com>	2026-02-13 11:19:56 +00:00
copilot-swe-agent[bot]	f7cf24d1f9	Add Go version update workflow Co-authored-by: mbg <278086+mbg@users.noreply.github.com>	2026-02-13 11:17:57 +00:00
copilot-swe-agent[bot]	c3bafacf81	Initial plan	2026-02-13 11:15:15 +00:00
Owen Mansel-Chan	57ce0b3d51	Accept data flow consistency result	2026-02-05 22:28:54 +00:00
Owen Mansel-Chan	408ba2e139	(Misc) Delete spuriously committed binary file	2026-02-04 13:41:14 +00:00
Owen Mansel-Chan	7632bdba88	(Misc) fix variable names	2026-02-04 13:40:52 +00:00
Owen Mansel-Chan	4b830c1864	Test varargs flow with models-as-data	2026-02-04 13:40:33 +00:00
Owen Mansel-Chan	d6c8767647	Test flow out of varargs parameter in function model	2026-02-04 13:40:01 +00:00
Owen Mansel-Chan	ec815397a2	Test flow out of varargs parameter in source function	2026-02-04 13:38:48 +00:00
`@@ -1 +1,2 @@`
	`Models/CompositeActionsSinks.ql`	`query: Models/CompositeActionsSinks.ql`
		`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1,2 +1,2 @@`
	`Models/CompositeActionsSources.ql`	`query: Models/CompositeActionsSources.ql`
		`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1,2 +1,2 @@`
	`Models/CompositeActionsSummaries.ql`	`query: Models/CompositeActionsSummaries.ql`
		`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1,2 +1,2 @@`
	`Models/ReusableWorkflowsSinks.ql`	`query: Models/ReusableWorkflowsSinks.ql`
		`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1,2 +1,2 @@`
	`Models/ReusableWorkflowsSources.ql`	`query: Models/ReusableWorkflowsSources.ql`
		`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1,2 +1,2 @@`
	`Models/ReusableWorkflowsSummaries.ql`	`query: Models/ReusableWorkflowsSummaries.ql`
		`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1 +1,2 @@`
	`experimental/Security/CWE-074/OutputClobberingHigh.ql`	`query: experimental/Security/CWE-074/OutputClobberingHigh.ql`
		`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1 +1,2 @@`
	`Security/CWE-077/EnvPathInjectionCritical.ql`	`query: Security/CWE-077/EnvPathInjectionCritical.ql`
		`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1 +1,2 @@`
	`Security/CWE-077/EnvPathInjectionMedium.ql`	`query: Security/CWE-077/EnvPathInjectionMedium.ql`
		`postprocess: utils/test/InlineExpectationsTestQuery.ql`