🔒 Security Review: CodeQL Alerts Require Manual Fixes

[xaostech-security]

Security Alerts Requiring Manual Review

The following CodeQL alerts cannot be automatically fixed and require manual intervention:

Alert #50: actions/untrusted-checkout/high

• Severity: error
• File: .github/workflows/automerge.yml:272
• Message: Potential execution of untrusted code on a privileged workflow (workflow_run)

Alert #47: actions/untrusted-checkout/high

• Severity: error
• File: .github/workflows/automerge.yml:241
• Message: Potential execution of untrusted code on a privileged workflow (workflow_run)

Alert #28: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:145
• Message: Potential code injection in ${{ steps.vars.outputs.current_year }}, which may be controlled by an external user.

Alert #27: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:144
• Message: Potential code injection in ${{ steps.vars.outputs.stability_color }}, which may be controlled by an external user.

Alert #26: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:142
• Message: Potential code injection in ${{ inputs.license_type }}, which may be controlled by an external user.

Alert #25: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:141
• Message: Potential code injection in ${{ inputs.short_description }}, which may be controlled by an external user.

Alert #24: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:140
• Message: Potential code injection in ${{ inputs.short_description }}, which may be controlled by an external user.

Alert #23: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:139
• Message: Potential code injection in ${{ steps.vars.outputs.repo_url }}, which may be controlled by an external user.

Alert #22: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:138
• Message: Potential code injection in ${{ steps.vars.outputs.repo_owner }}, which may be controlled by an external user.

Alert #21: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:137
• Message: Potential code injection in ${{ steps.vars.outputs.repo_name }}, which may be controlled by an external user.

Alert #20: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:136
• Message: Potential code injection in ${{ steps.vars.outputs.project_name }}, which may be controlled by an external user.

Alert #19: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:127
• Message: Potential code injection in ${{ inputs.templates }}, which may be controlled by an external user.

Alert #18: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:143
• Message: Potential code injection in ${{ inputs.stability }}, which may be controlled by an external user.

Alert #17: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:113
• Message: Potential code injection in ${{ inputs.stability }}, which may be controlled by an external user.

Alert #16: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:106
• Message: Potential code injection in ${{ inputs.project_name }}, which may be controlled by an external user.

Alert #15: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:102
• Message: Potential code injection in ${{ github.repository_owner }}, which may be controlled by an external user.

Alert #14: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:108
• Message: Potential code injection in ${{ github.event.repository.name }}, which may be controlled by an external user.

Alert #13: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:101
• Message: Potential code injection in ${{ github.event.repository.name }}, which may be controlled by an external user.

Alert #12: actions/code-injection/medium

• Severity: warning
• File: .github/workflows/central-loader.yml:103
• Message: Potential code injection in ${{ github.repository }}, which may be controlled by an external user.

Alert #11: actions/unpinned-tag

• Severity: warning
• File: .github/workflows/central-loader.yml:234
• Message: Unpinned 3rd party Action 'Template Loader (Reusable)' step Uses Step: create-pr uses 'peter-evans/create-pull-request' with ref 'v5', not a pinned commit hash

Alert #10: actions/unpinned-tag

• Severity: warning
• File: .github/workflows/test.yml:47
• Message: Unpinned 3rd party Action 'Tests' step Uses Step uses 'ludeeus/action-shellcheck' with ref 'master', not a pinned commit hash

Alert #9: actions/unpinned-tag

• Severity: warning
• File: .github/workflows/bash-lint-advanced.yml:173
• Message: Unpinned 3rd party Action 'Bash Linting with Auto-Fix Suggestions' step Uses Step: identity uses 'XAOSTECH/dev-control/.github/actions/identity' with ref 'main', not a pinned commit hash

Alert #8: actions/untrusted-checkout/high

• Severity: error
• File: .github/workflows/automerge.yml:135
• Message: Potential execution of untrusted code on a privileged workflow (pull_request_target)
  Potential execution of untrusted code on a privileged workflow (workflow_run)

Recommended Actions

1. Review each alert in the Security tab
2. Apply fixes following GitHub Security Lab recommendations
3. Close alerts as fixed or false positive in dashboard

---

Auto-generated by security-autofix workflow