
Metadata

Id: a4b5c6d7-e8f9-40a1-b2c3-d4e5f6a7b8c9

Cloud Provider: GitHub

Platform: CICD

Severity: Low

Category: Best Practices

Description

Certain GitHub Actions features create brittle or hard-to-audit workflows that increase the risk of inconsistent builds, unexpected runtime behavior, and missed detection of unsafe commands.

The pip-install input to actions/setup-python installs packages into the runner's global (user or system) Python environment rather than into an isolated virtual environment. Dependency resolution then depends on whatever is already installed on that runner, and packages pulled in by one step silently affect later ones, so builds differ across runners and Python versions. This rule flags workflow and composite-action steps whose uses value references actions/setup-python and whose with mapping contains a pip-install key. Avoid that input: create a virtual environment (for example with python -m venv), activate it, and install packages there.

Using shell: cmd or shell: cmd.exe for run steps hampers static analysis: Windows CMD has no formal grammar and several line-continuation behaviours, so a scanner or a human auditor can miss an unsafe command or parse a line differently from how CMD will execute it. This rule flags steps with shell: cmd or shell: cmd.exe, and also reports any other shell outside GitHub's well-known set (bash, sh, pwsh, powershell, python) as an auditor finding. Prefer pwsh or bash when possible.
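Both checks, written out as an added example detector; this is not Datadog's rule implementation and not code from actions/setup-python. It walks a parsed workflow or composite action (the dict that yaml.safe_load would return for the file), reports setup-python steps whose with mapping has a pip-install key, and reports any shell that resolves to CMD or falls outside GitHub's well-known set. It goes slightly beyond the rule text by also checking defaults.run.shell at workflow and job level, which sets the shell for every run step without a per-step shell key, and by normalizing custom shell templates (GitHub accepts a command line such as cmd /D /E:ON /V:OFF /S /C "CALL "{0}"" as a shell value) to their program name. The Finding type, the rule identifiers and the sample documents are assumptions constructed for this example; the samples mirror the compliant and non-compliant workflows on this page.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Iterator

# GitHub's built-in shell keywords, minus cmd, which this rule flags.
WELL_KNOWN_SHELLS = {"bash", "sh", "pwsh", "powershell", "python"}
# Spellings that resolve to Windows CMD; %ComSpec% is the program GitHub
# substitutes when a step says shell: cmd.
CMD_SHELLS = {"cmd", "cmd.exe", "%comspec%"}


@dataclass(frozen=True)
class Finding:
    location: str  # dotted path to the offending key (format chosen for this example)
    rule: str      # identifier chosen for this example, not Datadog's rule id
    message: str


def _normalize_shell(shell: Any) -> str:
    """Lower-cased program name; GitHub also accepts custom templates such as
    'cmd /D /E:ON /V:OFF /S /C "CALL "{0}""', so only the first token counts."""
    text = str(shell).strip()
    return text.split()[0].lower() if text else ""


def _jobs(doc: dict) -> Iterator[tuple[str, dict]]:
    jobs = doc.get("jobs")
    if isinstance(jobs, dict):
        yield from ((job_id, job) for job_id, job in jobs.items() if isinstance(job, dict))


def _iter_steps(doc: dict) -> Iterator[tuple[str, dict]]:
    """Yield (location, step) for workflow job steps and for composite action steps."""
    runs = doc.get("runs")
    groups = [(f"jobs.{job_id}.steps", job.get("steps")) for job_id, job in _jobs(doc)]
    if isinstance(runs, dict) and runs.get("using") == "composite":
        groups.append(("runs.steps", runs.get("steps")))
    for prefix, steps in groups:
        for i, step in enumerate(steps or []):
            if isinstance(step, dict):
                yield f"{prefix}[{i}]", step


def _iter_default_shells(doc: dict) -> Iterator[tuple[str, Any]]:
    """Yield shells set via defaults.run.shell at workflow and job level."""
    scopes = [("defaults.run.shell", doc)]
    scopes += [(f"jobs.{job_id}.defaults.run.shell", job) for job_id, job in _jobs(doc)]
    for location, scope in scopes:
        defaults = scope.get("defaults")
        run = defaults.get("run") if isinstance(defaults, dict) else None
        if isinstance(run, dict) and "shell" in run:
            yield location, run["shell"]


def _check_shell(location: str, shell: Any) -> Finding | None:
    name = _normalize_shell(shell)
    if name in CMD_SHELLS:
        return Finding(location, "cmd-shell", f"{shell!r} is Windows CMD; prefer pwsh or bash")
    if name and name not in WELL_KNOWN_SHELLS:
        return Finding(location, "non-well-known-shell", f"{shell!r} is not a well-known shell")
    return None


def check_step(location: str, step: dict) -> list[Finding]:
    """Apply both checks to a single step."""
    findings: list[Finding] = []
    uses, with_ = step.get("uses"), step.get("with")
    # 'actions/setup-python@v5' -> compare the action path without its ref.
    if (isinstance(uses, str) and uses.split("@", 1)[0].strip().lower() == "actions/setup-python"
            and isinstance(with_, dict) and "pip-install" in with_):
        findings.append(Finding(f"{location}.with.pip-install", "setup-python-pip-install",
                                "installs into the global interpreter; create a venv instead"))
    if "shell" in step:
        finding = _check_shell(f"{location}.shell", step["shell"])
        if finding:
            findings.append(finding)
    return findings


def scan_document(doc: dict) -> list[Finding]:
    """Scan one parsed workflow or action.yml, e.g. the output of yaml.safe_load()."""
    findings = [f for loc, sh in _iter_default_shells(doc) if (f := _check_shell(loc, sh))]
    for location, step in _iter_steps(doc):
        findings.extend(check_step(location, step))
    return findings


# Constructed samples: the parsed form of the page's non-compliant and compliant workflows.
NON_COMPLIANT_WORKFLOW = {"name": "Misfeature Usage", "jobs": {"test": {"steps": [
    {"uses": "actions/checkout@v4"},
    {"uses": "actions/setup-python@v5", "with": {"python-version": "3.11", "pip-install": "pytest requests"}},
    {"shell": "cmd", "run": 'echo "Using deprecated CMD shell"'},
]}}}
COMPLIANT_WORKFLOW = {"name": "Proper Features Usage", "jobs": {"test": {"steps": [
    {"uses": "actions/checkout@v4"},
    {"uses": "actions/setup-python@v5", "with": {"python-version": "3.11"}},
    {"shell": "bash", "run": "python -m venv venv\nsource venv/bin/activate\npip install -r requirements.txt"},
    {"shell": "pwsh", "run": 'Write-Host "Using PowerShell"'},
]}}}

if __name__ == "__main__":
    for f in scan_document(NON_COMPLIANT_WORKFLOW):
        print(f"{f.location}: {f.rule}: {f.message}")
```

Running the module prints one finding for the pip-install step and one for the cmd step of the non-compliant workflow and nothing for the compliant one. The shell comparison is done on the normalized program name so that CMD.EXE, cmd.exe and a full %ComSpec% template are all caught, while a job that sets defaults.run.shell: cmd is reported once at the job level rather than once per step.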

Secure configuration examples:

- name: Setup Python and use a virtual environment
  uses: actions/setup-python@v4
  with:
    python-version: '3.11'

- name: Create and activate venv, then install
  shell: bash
  run: |
    # Each run step starts a fresh shell, so activate and install in the same step.
    # On Windows runners use .venv\Scripts\Activate.ps1 under pwsh instead of source.
    python -m venv .venv
    source .venv/bin/activate
    pip install -r requirements.txt
- name: Run script with PowerShell on Windows
  shell: pwsh
  run: |
    Write-Host "Performing build steps..."
    ./build.ps1

Compliant Code Examples

name: Proper Features Usage
on: push

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Python properly
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install with venv
        shell: bash
        run: |
          python -m venv venv
          source venv/bin/activate
          pip install -r requirements.txt

      - name: PowerShell on Windows
        shell: pwsh
        run: Write-Host "Using PowerShell"

Non-Compliant Code Examples

name: Composite action with misfeatures
description: Composite action that uses pip-install and CMD shell
runs:
  using: composite
  steps:
    - name: Setup Python with pip-install
      uses: actions/setup-python@v5
      with:
        python-version: '3.11'
        pip-install: 'pytest requests'
    - name: CMD shell usage
      shell: cmd
      run: echo "Using deprecated CMD shell"

name: Misfeature Usage
on: push

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Python with pip-install
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
          pip-install: 'pytest requests'

      - name: CMD shell usage
        shell: cmd
        run: echo "Using deprecated CMD shell"