diff --git a/scripts/apply-repo-settings.sh b/scripts/apply-repo-settings.sh
index fa49f71..e9767bd 100644
--- a/scripts/apply-repo-settings.sh
+++ b/scripts/apply-repo-settings.sh
@@ -129,7 +129,7 @@ apply_settings() {
 for key in "${!EXPECTED[@]}"; do
 local actual
- actual=$(echo "$current" | jq -r ".$key // \"null\"")
+ actual=$(printf '%s' "$current" | jq -r --arg key "$key" '.[$key] | if . == null then "null" else tostring end')
 local expected="${EXPECTED[$key]}"
 if [ "$actual" != "$expected" ]; then
@@ -143,7 +143,7 @@ apply_settings() {
 # Check string settings separately (jq -f flag for strings)
 local squash_title
- squash_title=$(echo "$current" | jq -r '.squash_merge_commit_title // "null"')
+ squash_title=$(printf '%s' "$current" | jq -r '.squash_merge_commit_title // "null"')
 if [ "$squash_title" != "PR_TITLE" ]; then
 info " squash_merge_commit_title: $squash_title → PR_TITLE"
 needs_patch=true
@@ -153,7 +153,7 @@ apply_settings() {
 fi
 local squash_msg
- squash_msg=$(echo "$current" | jq -r '.squash_merge_commit_message // "null"')
+ squash_msg=$(printf '%s' "$current" | jq -r '.squash_merge_commit_message // "null"')
 if [ "$squash_msg" != "COMMIT_MESSAGES" ]; then
 info " squash_merge_commit_message: $squash_msg → COMMIT_MESSAGES"
 needs_patch=true
diff --git a/scripts/compliance-audit.sh b/scripts/compliance-audit.sh
index 845f9d0..331e5b5 100755
--- a/scripts/compliance-audit.sh
+++ b/scripts/compliance-audit.sh
@@ -340,7 +340,7 @@ check_repo_settings() {
 for entry in "${REQUIRED_SETTINGS_BOOL[@]}"; do
 IFS=':' read -r key expected severity detail <<< "$entry"
 local actual
- actual=$(echo "$settings" | jq -r ".$key | if . == null then \"null\" else tostring end")
+ actual=$(printf '%s' "$settings" | jq -r --arg key "$key" '.[$key] | if . == null then "null" else tostring end')
 if [ "$actual" != "$expected" ]; then
 add_finding "$repo" "settings" "$key" "$severity" \
 "$detail (current: \`$actual\`, expected: \`$expected\`)" \
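Review bot: In apply_settings at the `actual=` assignment (scripts/apply-repo-settings.sh, @@ -129), a bad `$current` still cannot be told apart from drift: when it is empty jq prints nothing and exits 0, and when it is not a JSON object the lookup fails, so in both cases `actual` is empty and compares unequal to every expected value. Whether `set -e` is active is not visible here, so I would validate once before the `for` loop with `jq -e 'type == "object"' <<<"$current" >/dev/null || return 1` (or whatever error path this function already uses). The same gap applies to the `squash_title` and `squash_msg` reads at @@ -143 and @@ -153 and to both `$settings` reads in scripts/compliance-audit.sh. The function body starts and ends outside the hunk.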
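Review bot: The context comment above `local squash_title` (scripts/apply-repo-settings.sh, @@ -143), `# Check string settings separately (jq -f flag for strings)`, does not match the code beside it: neither jq call uses `-f`, which in jq means `--from-file`. If the remark refers to how a later request passes string fields, that code is outside this hunk and the comment should name it; otherwise I would reword it to `# String-valued settings are compared here, apart from the EXPECTED loop above`. A short note that `// "null"` is kept for these two reads because the fields are strings, while the loop above needs the explicit null test, would also explain why the two forms differ.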
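Review bot: The new `actual=` line in check_repo_settings (scripts/compliance-audit.sh, @@ -340) deserves a why-comment, because nothing in the code tells the next editor why the key is no longer spliced into the filter string. `key` comes from splitting each `REQUIRED_SETTINGS_BOOL` entry on `:`, so it is data and should stay out of the jq program text; I would add `# --arg passes the key as data; never interpolate it into the filter` above the assignment. The same comment fits the matching line in scripts/apply-repo-settings.sh at @@ -129. The loop body continues outside the hunk.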
@@ -350,7 +350,7 @@ check_repo_settings() {
 # Default branch
 local default_branch
- default_branch=$(echo "$settings" | jq -r '.default_branch')
+ default_branch=$(printf '%s' "$settings" | jq -r '.default_branch')
 if [ "$default_branch" != "main" ]; then
 add_finding "$repo" "settings" "default-branch" "error" \
 "Default branch is \`$default_branch\`, should be \`main\`" \
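Review bot: `default_branch` (scripts/compliance-audit.sh, @@ -350) is read from the API response and placed unescaped inside a Markdown code span in the finding text. The name is chosen by whoever administers the audited repository, and git ref names can, as far as I know, contain backticks, so the value could close the code span and add markup wherever findings are rendered; how add_finding renders its arguments is not visible here. Stripping backticks before the call, for example `safe_branch=${default_branch//\`/}` and using `$safe_branch` in the message, keeps the value inert. The add_finding call continues past the end of the hunk.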