Unsafe Shell

Description

Bash scripts that run without the -e flag (exit on error) create security and reliability risks: scripts continue executing even if a command fails, errors may be silently ignored, and security checks or validations may be bypassed. This can lead to unexpected behavior, invalid states, and security vulnerabilities going undetected. 1

Vulnerable Instance

  • Bash script runs without set -e, allowing execution to continue after failures.
  • Failed security checks may not be detected.
  • Script may continue with invalid state.

name: Build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Run script
        run: |
          # No set -e - errors ignored
          npm install
          npm test  # Still runs even if install fails
          npm build

Mitigation Strategies

  1. Add -e flag to bash commands
    Use set -e at the start of scripts to exit immediately if any command fails.

  2. Use stricter error handling
    Use set -euo pipefail for stricter error handling: exit on error, undefined variables, and pipe failures.

  3. Specify in shell
    Use shell: bash -e {0} to enable exit-on-error for the entire step.

  4. Review all bash scripts
    Audit all workflows for bash scripts without error handling. Add set -e or set -euo pipefail to all scripts.

  5. Test error handling
    Test error handling to ensure failures are caught. Verify that scripts fail appropriately when commands fail.

  6. Use proper error messages
    When using set -e, ensure error messages are clear and actionable. Consider using trap for cleanup on errors.
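
One way to carry out steps 5 and 6, as an added example that is not part of the original page: the same constructed script bodies are run in a child bash under different `set` prologues, so the failure each flag catches can be asserted on. The helper `run_body`, the variable names and `DEMO_DIR` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Every script body below is constructed for illustration.

# Run BODY ($2) in a child bash after PROLOGUE ($1, e.g. "set -e") and print
# "<ok|fail>:<stdout of the child, newlines shown as commas>".
run_body() (
  script=$(printf '%s\n%s\n' "$1" "$2")
  out=$(bash -c "$script" 2>/dev/null) && st=ok || st=fail
  printf '%s:%s\n' "$st" "$(printf '%s' "$out" | tr '\n' ',')"
)

# A failing check (stand-in for a scan or validation) followed by a deploy.
CHECK_THEN_DEPLOY='false
echo deployed'

# The failure is in the first stage of a pipeline; the last stage succeeds.
PIPE_THEN_DEPLOY='false | cat
echo deployed'

# A variable that was never set ends up in a path.
UNSET_IN_PATH='unset DEMO_DIR
echo "cleaning ${DEMO_DIR}/tmp"'

# An EXIT trap does cleanup and the step still ends with a failure status.
TRAP_THEN_FAIL='trap "echo cleanup" EXIT
false
echo deployed'

run_body ''                  "$CHECK_THEN_DEPLOY"  # ok:deployed (failure hidden)
run_body 'set -e'            "$CHECK_THEN_DEPLOY"  # fail:
run_body 'set -e'            "$PIPE_THEN_DEPLOY"   # ok:deployed (-e alone misses it)
run_body 'set -euo pipefail' "$PIPE_THEN_DEPLOY"   # fail:
run_body 'set -e'            "$UNSET_IN_PATH"      # ok:cleaning /tmp
run_body 'set -euo pipefail' "$UNSET_IN_PATH"      # fail:
run_body 'set -euo pipefail' "$TRAP_THEN_FAIL"     # fail:cleanup
```

The two `ok:` results under `set -e` are the cases that `-o pipefail` and `-u` exist to close.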

Secure Version

 name: Build
 on: [push]
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Run script
         run: |
+          set -euo pipefail  # Exit on error, undefined vars, pipe failures
-          # No set -e - errors ignored
           npm install
           npm test
           npm build
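
Review bot: The added `set -euo pipefail` line assumes the step is run by bash, but the step in this hunk declares no `shell:` key; `-o pipefail` is not accepted by every POSIX sh, so on a runner where the step is executed by sh the `set` line itself could be rejected. Adding `shell: bash` under `- name: Run script` makes the interpreter explicit. As shown, none of the three npm lines uses a pipe or a variable, so only the `-e` part changes this step's behaviour; `-u` and `pipefail` only matter once such lines are added.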

Impact

Dimension | Severity | Notes
Likelihood | High | Bash scripts without error handling are common, especially in legacy workflows.
Risk | Medium | Failed security checks or validations may go undetected, potentially allowing vulnerabilities to persist.
Blast radius | Medium | Impact depends on what the script does, but can affect build processes, deployments, and security checks.

References

