From 9715df9c8d83c22d1d92e6f946f9add676ece5b3 Mon Sep 17 00:00:00 2001
From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com>
Date: Mon, 24 Mar 2025 02:17:46 +0000
Subject: [PATCH 1/2] fix(security): autofix Template Injection in GitHub Workflows Action
---
 .github/workflows/owasp.yml | 28 +++++++++++++++++-----------
 .github/workflows/pull-request.yml | 22 +++++++++++++---------
 2 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml
index f0b6d844..a328705a 100644
--- a/.github/workflows/owasp.yml
+++ b/.github/workflows/owasp.yml
@@ -62,23 +62,29 @@ jobs:
 OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
 OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
 NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+ OUTPUT_DIR: ${{ inputs.output }}
+ REPO_NAME: ${{ github.event.repository.name }}
+ SCAN_PATH: ${{ inputs.scan_path }}
+ CVSS_FAIL_LEVEL: ${{ inputs.cvss_fail_level }}
+ SUPPRESSION_PATH: code/${{ inputs.suppression_path }}
+ DISABLE_OSS_INDEX: ${{ inputs.disable_oss_index }}
 run: |
- mkdir ${{ inputs.output }}
+ mkdir $OUTPUT_DIR
 ./dependency-check/bin/dependency-check.sh \
 --format JUNIT \
 --format HTML \
 --prettyPrint \
- --project ${{ github.event.repository.name }} \
+ --project "$REPO_NAME" \
 --enableExperimental \
- --out ${{ inputs.output }} \
- -s ${{ inputs.scan_path }} \
- --junitFailOnCVSS ${{ inputs.cvss_fail_level }} \
- --failOnCVSS ${{ inputs.cvss_fail_level }} \
- --suppression code/${{ inputs.suppression_path }} \
- --ossIndexUsername ${{ secrets.OSS_INDEX_USERNAME }} \
- --ossIndexPassword ${{ secrets.OSS_INDEX_PASSWORD }} \
- --nvdApiKey ${{ secrets.NVD_API_KEY }} \
- --disableOssIndex ${{ inputs.disable_oss_index }}
+ --out "$OUTPUT_DIR" \
+ -s "$SCAN_PATH" \
+ --junitFailOnCVSS "$CVSS_FAIL_LEVEL" \
+ --failOnCVSS "$CVSS_FAIL_LEVEL" \
+ --suppression "$SUPPRESSION_PATH" \
+ --ossIndexUsername "$OSS_INDEX_USERNAME" \
+ --ossIndexPassword "$OSS_INDEX_PASSWORD" \
+ --nvdApiKey "$NVD_API_KEY" \
+ --disableOssIndex "$DISABLE_OSS_INDEX"
 
 - name: Upload database to cache
 uses: actions/cache@v4
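Review bot: `mkdir $OUTPUT_DIR` is the one expansion in the rewritten run block that is left unquoted, so a value of `inputs.output` containing whitespace or glob characters is still word-split by the shell even though the expression is no longer spliced into the script text; change it to `mkdir "$OUTPUT_DIR"` to match the quoting used on every other rewritten line. The step's `- name:`/`uses:` lines and the start of its `env:` block lie above this hunk, so the step's trigger and any other consumers of these variables are not visible here. The three `secrets.*` values were already passed on the dependency-check command line in the removed lines, so the new `"$OSS_INDEX_USERNAME"`-style references change only where the expansion happens, not what the process receives.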
@@ -30,10 +30,11 @@ jobs:
 run: yarn install
 
 - name: Run Tests
+ env:
+ FORCE_COLOR: "true"
+ BASE_REF: ${{ github.event.pull_request.base.ref }}
 run: |
- FORCE_COLOR=true
- DESTINATION_BRANCH=origin/${{ github.event.pull_request.base.ref }} # Set branch
- yarn nx affected:test --base=$DESTINATION_BRANCH --ci --code-coverage --parallel --max-parallel=3
+ yarn nx affected:test --base=origin/$BASE_REF --ci --code-coverage --parallel --max-parallel=3
 
 code-quality:
 name: 🕵️‍♀️ Code Quality
@@ -48,7 +49,9 @@ jobs:
 ref: ${{ github.event.pull_request.head.ref }}
 
 - name: Fetch target
- run: git fetch origin ${{ github.event.pull_request.base.ref }}
+ env:
+ BASE_REF: ${{ github.event.pull_request.base.ref }}
+ run: git fetch origin $BASE_REF
 
 - uses: actions/setup-node@v4
 with:
@@ -59,12 +62,13 @@ jobs:
 run: yarn install
 
 - name: Code Quality Check
+ env:
+ FORCE_COLOR: "true"
+ BASE_REF: ${{ github.event.pull_request.base.ref }}
 run: |
- FORCE_COLOR=true
- DESTINATION_BRANCH=origin/${{ github.event.pull_request.base.ref }} # Set branch
- yarn nx affected:lint --base=$DESTINATION_BRANCH --parallel --max-parallel=3
- yarn nx format:check --base=$DESTINATION_BRANCH --parallel --max-parallel=3
- yarn nx affected -t check-types --base=$DESTINATION_BRANCH --parallel --max-parallel=3
+ yarn nx affected:lint --base=origin/$BASE_REF --parallel --max-parallel=3
+ yarn nx format:check --base=origin/$BASE_REF --parallel --max-parallel=3
+ yarn nx affected -t check-types --base=origin/$BASE_REF --parallel --max-parallel=3
 
 # TODO: fix the owasp pipeline
 # owasp:

From 3a780b9af39111c7e5ac942e0d36ac4e6f6df1f6 Mon Sep 17 00:00:00 2001
From: Daniel van der Ploeg
Date: Mon, 24 Mar 2025 13:03:27 +1030
Subject: [PATCH 2/2] chore: run format
---
 .github/workflows/pull-request.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 9b1ddf04..2954a44f 100644
--- a/.github/workflows/pull-request.yml
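Review bot: `--base=origin/$BASE_REF` in the rewritten `yarn nx affected:test` line is left unquoted, so the value taken from `github.event.pull_request.base.ref` is still subject to word splitting and glob expansion even though it can no longer alter the script text; write `--base="origin/$BASE_REF"`. The same applies to `git fetch origin $BASE_REF` in the `Fetch target` hunk (`@@ -48,7 +49,9 @@`) and to the three `yarn nx` lines in the `Code Quality Check` hunk (`@@ -59,12 +62,13 @@`), which should become `git fetch origin "$BASE_REF"` and `--base="origin/$BASE_REF"` respectively. Moving `FORCE_COLOR` into step-level `env:` is also a behaviour change worth a sentence in the commit message: the removed `FORCE_COLOR=true` was a plain shell assignment with no `export` visible in the run block, so unless it was exported elsewhere the yarn child process never saw it, whereas the step env is inherited.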
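Review bot: The checkout input `ref: ${{ github.event.pull_request.head.ref }}` at the top of the `Fetch target` hunk is a `with:` value rather than script, so the env-variable rewrite does not apply to it, but it is the line that decides whose code the later `yarn install` in this job executes and the commit leaves that unchanged. Whether that matters depends on the workflow trigger, which is above these hunks and not visible: under a plain `pull_request` trigger the job runs in the unprivileged PR context and this is the normal pattern, whereas under `pull_request_target` checking out the PR head and running its package scripts would execute contributor-controlled code with base-repository permissions and secrets. Worth confirming the trigger in the same review pass and, if it is `pull_request_target`, adding a comment above the checkout such as `# checkout of PR head: keep this job free of secrets and set persist-credentials: false` or moving the install into a separate unprivileged job.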
+++ b/.github/workflows/pull-request.yml
@@ -31,7 +31,7 @@ jobs:
 - name: Run Tests
 env:
- FORCE_COLOR: "true"
+ FORCE_COLOR: 'true'
 BASE_REF: ${{ github.event.pull_request.base.ref }}
 run: |
 yarn nx affected:test --base=origin/$BASE_REF --ci --code-coverage --parallel --max-parallel=3
@@ -63,7 +63,7 @@ jobs:
 - name: Code Quality Check
 env:
- FORCE_COLOR: "true"
+ FORCE_COLOR: 'true'
 BASE_REF: ${{ github.event.pull_request.base.ref }}
 run: |
 yarn nx affected:lint --base=origin/$BASE_REF --parallel --max-parallel=3