scorecard
Should subprocess.check_call(list) be safe in the check of Dangerous-workflow?
I noticed that Scorecard reports a Dangerous-Workflow warning when untrusted inputs like ${github.head_ref} are used in Python scripts, even when they are safely passed to subprocess.check_call(["cmd", variable]) using a list. Should we allow this?
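To illustrate the distinction the question turns on, an added Python example (not from the Scorecard project or the issue author): the list form hands the untrusted ref to the child as a single argv element, so shell metacharacters are inert, but a value shaped like a command-line option still reaches the tool unchanged, which is why an allowlist check on the ref is still worth keeping. The ARGV_PROBE child and the sample ref values are constructed stand-ins for a real tool such as git and a real ${{ github.head_ref }}.

```python
import json
import re
import subprocess
import sys

# Constructed sample values standing in for an untrusted ${{ github.head_ref }}.
HOSTILE_REF = "feature; echo injected"   # carries shell metacharacters
OPTION_REF = "--verbose"                 # no metacharacters, but shaped like an option

# A child that reports the argv it actually received, as JSON. It stands in
# for the real tool (e.g. git) so the example runs anywhere Python does.
ARGV_PROBE = [sys.executable, "-c",
              "import json, sys; print(json.dumps(sys.argv[1:]))"]

def argv_received(ref: str) -> list:
    """List form, as in the issue: no shell is involved, so the whole value
    is delivered to the child as exactly one argv element, metacharacters and all."""
    proc = subprocess.run(ARGV_PROBE + ["fetch", "origin", ref],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)

# Conservative allowlist for a branch name: must not start with '-' (so the
# tool cannot parse it as an option), no '..', only plain ref characters.
SAFE_REF = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*$")

def is_safe_ref(ref: str) -> bool:
    return bool(SAFE_REF.match(ref)) and ".." not in ref

def fetch_argv(ref: str) -> list:
    """Build the child's argv only after the ref passes the allowlist;
    raise otherwise so the caller fails closed instead of running the tool."""
    if not is_safe_ref(ref):
        raise ValueError(f"refusing untrusted ref: {ref!r}")
    return ["fetch", "origin", ref]

if __name__ == "__main__":
    print(argv_received(HOSTILE_REF))   # one element: 'feature; echo injected'
    print(argv_received(OPTION_REF))    # one element, but it starts with '-'
    for ref in (HOSTILE_REF, OPTION_REF, "feature/login-fix"):
        try:
            print(fetch_argv(ref))
        except ValueError as exc:
            print(exc)
```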
This issue has been marked stale because it has been open for 60 days with no activity.