
Differential ShellCheck not detecting vulnerabilities with shell script #453

firoshaq opened this issue Oct 9, 2024 · 3 comments

firoshaq commented Oct 9, 2024

Dear Team,

We used the below actions with Differential ShellCheck, however it didn't detect a vulnerable shell script that we had in the same repository.

```yaml
name: ShellCheck

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  lint:
    name: Shell Scripts with ShellCheck
    runs-on: our-container
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Differential ShellCheck
        id: shellcheck
        uses: redhat-plumbers-in-action/differential-shellcheck@v5

      - name: Display ShellCheck results
        if: always()
        run: |
          if [ -n "${{ steps.shellcheck.outputs.shellcheck-output }}" ]; then
            echo "ShellCheck found issues:"
            echo "${{ steps.shellcheck.outputs.shellcheck-output }}"
          else
            echo "No ShellCheck issues found."
          fi

      - name: Upload SARIF to GitHub
        if: always() && steps.shellcheck.outputs.sarif
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.shellcheck.outputs.sarif }}
```

Below is the sample vulnerable shell script.

```bash
#!/bin/bash

# Take user input
echo "Enter a filename:"
read filename

# List files that match the input
ls $filename

# Create a temporary file
tempfile="/tmp/mytempfile"
echo "Creating temporary file at $tempfile"
touch $tempfile

# Check if a directory exists, if not create it
if [ ! -d /mydir ]; then
  mkdir /mydir
fi

# Delete all files in a directory (dangerous!)
rm /some/directory/*
```

While checking the logs, we see that these shell scripts were not included in the List of shell scripts for scanning; please see the snippet below.

[Screenshot 2024-10-09 at 2 22 15 PM]

Please let us know if we are missing something here.

Regards,
Firos Haq
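For reference, this is a hardened rewrite of the sample script above, added here as an example and not code from the issue author or the Differential ShellCheck project; each change corresponds to a finding ShellCheck reports on the original (SC2162 for `read` without `-r`, SC2086 for the unquoted expansions), and the `--run` flag, `clear_dir` and `$HOME/mydir` are my own choices for making it testable.

```bash
#!/bin/bash
# Hardened rewrite of the sample script (added example, not code from the issue).
# Each change maps to a finding ShellCheck reports on the original:
#   SC2162 - "read" without -r mangles backslashes in the input
#   SC2086 - unquoted $filename and $tempfile are word-split and glob-expanded
set -eu

# List exactly the named entry: quotes stop word splitting and globbing,
# "--" stops a name beginning with "-" from being parsed as an option.
list_one() {
  ls -d -- "$1"
}

# A unique, unpredictable temp file instead of the fixed /tmp/mytempfile,
# which another local user could pre-create or replace with a symlink.
make_tempfile() {
  mktemp "${TMPDIR:-/tmp}/mytempfile.XXXXXX"
}

# "mkdir -p" replaces the check-then-create pair and tolerates races.
ensure_dir() {
  mkdir -p -- "$1"
}

# Delete only regular files directly under the directory, and refuse an
# empty or root path before deleting anything.
clear_dir() {
  local dir=$1
  if [ -z "$dir" ] || [ "$dir" = "/" ]; then
    echo "refusing to clear '$dir'" >&2
    return 1
  fi
  find "$dir" -mindepth 1 -maxdepth 1 -type f -delete
}

# Interactive flow of the original script; run as: bash script.sh --run
if [ "${1:-}" = "--run" ]; then
  printf 'Enter a filename: '
  IFS= read -r filename
  list_one "$filename"
  tempfile=$(make_tempfile)
  echo "Created temporary file at $tempfile"
  ensure_dir "$HOME/mydir"
fi
```

Running `shellcheck` locally on the original script is a quick way to confirm the findings exist independently of the Action, which separates "the script is clean" from "the script was never scanned".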

jamacku (Member) commented Oct 9, 2024

Hello,
Thanks for reaching out. I have a few questions/suggestions about your setup.

  • Why are you uploading the SARIF file (report) manually? When you set `token: ${{ secrets.GITHUB_TOKEN }}`, the Action will upload the SARIF for you.

  • The step "Display ShellCheck results" from your workflow is unnecessary. Differential ShellCheck will display any defect when detected.

  • From what run were the logs you provided taken? Defects will be shown only on a run taken from a PR/commit that introduces ShellCheck defects.

My suggestion would be to use the workflow from the README.

Once you run it on the main branch, you will see all results in the GitHub UI Security Dashboard. Optionally, you can use the `strict-check-on-push` input to make it fail on every commit until you fix all defects.

firoshaq (Author) commented Oct 9, 2024

Hi,

Thanks for the swift response.

Initially we tried the exact flow from the README, but that too was failing with the same error and it was not picking up the scripts for scanning. Please see the snippets below.

[Screenshot 2024-10-09 at 3 29 26 PM] [Screenshot 2024-10-09 at 3 29 41 PM]

jamacku (Member) commented Oct 9, 2024

Thanks for the additional information. I expect that you are running on a custom runner. There are many warnings/errors that might be related to the environment in which the Action is running. Could you provide more information about your runner and how it differs from the default GitHub runner?
