## SonarCloud Flags Critical Script Injection Risk in ben-ranford_cellin GitHub Release Workflow
A critical security vulnerability has been flagged in the automated release pipeline of the public GitHub repository `ben-ranford_cellin`. SonarCloud analysis identified three high-severity `githubactions:S7630` vulnerabilities, warning that the workflow's release process is exposed to potential script injection attacks. The flaw stems from the direct interpolation of a user-controlled input variable, `${{ inputs.version }}`, into shell command blocks within the `.github/workflows/rolling-release.yml` file.

The specific vulnerabilities, tagged as `BLOCKER` severity, are located at lines 48, 49, and 51 of the rolling-release workflow. This workflow handles sensitive operations involving release tags and publishing credentials. Because the `inputs.version` parameter originates from a user-triggered workflow dispatch, an attacker could potentially craft malicious input to execute arbitrary commands within the GitHub Actions runner's shell context, compromising the entire release process.

This exposure creates a direct path for an attacker to hijack the repository's release mechanism. The risk is not theoretical; it is a documented vulnerability pattern (S7630) where user-supplied data flows unsanitized into execution contexts. For any project using this workflow, the integrity of its build, test, and publication stages is now under scrutiny. The finding underscores a persistent security blind spot in CI/CD automation, where convenience in parameter passing can inadvertently open a backdoor to the core release infrastructure.
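As an added illustration that is not the repository's own workflow (the finding above does not reproduce the affected lines), the constructed fragment below places the flagged pattern next to a hardened form: the dispatch input is handed to the step through `env:` and allow-list validated before use, so the shell receives it as data instead of having it spliced into the script text.

```yaml
# Constructed example illustrating the githubactions:S7630 pattern; not the
# ben-ranford_cellin workflow. A ${{ }} expression is expanded by GitHub Actions
# before the shell starts, so its value becomes part of the script source itself.
on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release version (e.g. 1.2.3)"
        required: true
        type: string

jobs:
  release-unsafe:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Tag release (flagged pattern)
        run: |
          git tag "v${{ inputs.version }}"        # input spliced into the script
          echo "Released ${{ inputs.version }}"   # same defect, second sink

  release-hardened:
    runs-on: ubuntu-latest
    permissions:
      contents: write                 # least privilege: tagging only
    env:
      VERSION: ${{ inputs.version }}  # exposed as an env var, never expanded into script text
    steps:
      - uses: actions/checkout@v4
      - name: Validate version string
        run: |
          # Default shell on ubuntu-latest is bash, so [[ =~ ]] is available.
          # Accept only MAJOR.MINOR.PATCH; anything else fails the job.
          if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "::error::rejected version input '$VERSION'"
            exit 1
          fi
      - name: Tag release
        run: |
          git tag "v$VERSION"                # the shell treats $VERSION as data
          git push origin "v$VERSION"
```

The validation step is what turns a free-form dispatch field into a value with a known shape; the `env:` indirection alone already removes the injection sink, since the expansion no longer rewrites the command that bash parses.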
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: GitHub Actions, CI/CD Security, Script Injection, SonarCloud, DevSecOps
- **Credibility**: unverified
- **Published**: 2026-04-05 06:26:54
- **ID**: 50391
- **URL**: https://whisperx.ai/en/intel/50391