woodruffw · woodruffw · Dec 10, 2024 · Dec 10, 2024 · Dec 10, 2024 · woodruffw
diff --git a/docs/audits.md b/docs/audits.md
@@ -634,7 +634,7 @@ Workflow commands (like `::set-env` and `::add-path`)
 to inject environment variables and therefore obtain code execution).
 
 However, users can explicitly re-enable them by setting the
-`ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable at the workflow,
+`ACTIONS_ALLOW_INSECURE_COMMANDS` environment variable at the workflow,
 job, or step level.
 
 Other resources:
@@ -653,7 +653,7 @@ In general, users should use for [Github Actions environment files]
       run: |
         echo "::add-path::$HOME/.local/my-bin"
       env:
-        ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+        ACTIONS_ALLOW_INSECURE_COMMANDS: true
     ```
 
 === "After"

diff --git a/src/audit/insecure_commands.rs b/src/audit/insecure_commands.rs
@@ -31,7 +31,7 @@ impl InsecureCommands {
             .persona(Persona::Auditor)
             .add_location(
                 location.with_keys(&["env".into()]).annotated(
-                    "non-static environment may contain ACTIONS_ALLOW_UNSECURE_COMMANDS",
+                    "non-static environment may contain ACTIONS_ALLOW_INSECURE_COMMANDS",
                 ),
             )
             .build(workflow)
@@ -54,7 +54,7 @@ impl InsecureCommands {
     }
 
     fn has_insecure_commands_enabled(&self, env: &Env) -> bool {
-        if let Some(EnvValue::String(value)) = env.get("ACTIONS_ALLOW_UNSECURE_COMMANDS") {
+        if let Some(EnvValue::String(value)) = env.get("ACTIONS_ALLOW_INSECURE_COMMANDS") {
             !value.is_empty()
         } else {
             false

diff --git a/tests/acceptance.rs b/tests/acceptance.rs
@@ -210,7 +210,7 @@ fn audit_unpinned_uses() -> anyhow::Result<()> {
 }
 
 #[test]
-fn audit_unsecure_commands_allowed() -> anyhow::Result<()> {
+fn audit_insecure_commands_allowed() -> anyhow::Result<()> {
     let auditable = workflow_under_test("insecure-commands.yml");
 
     let cli_args = [&auditable];
@@ -225,7 +225,7 @@ fn audit_unsecure_commands_allowed() -> anyhow::Result<()> {
     assert_value_match(
         &findings,
         "$[0].locations[0].concrete.feature",
-        "ACTIONS_ALLOW_UNSECURE_COMMANDS",
+        "ACTIONS_ALLOW_INSECURE_COMMANDS",
     );
 
     Ok(())

diff --git a/tests/snapshots/snapshot__insecure_commands-2.snap b/tests/snapshots/snapshot__insecure_commands-2.snap
@@ -8,7 +8,7 @@ error[insecure-commands]: execution of insecure workflow commands is enabled
   |
 8 |       env:
   |  _____^
-9 | |       ACTIONS_ALLOW_UNSECURE_COMMANDS: yes
+9 | |       ACTIONS_ALLOW_INSECURE_COMMANDS: yes
   | |__________________________________________^ insecure commands enabled here
   |
   = note: audit confidence → High

diff --git a/tests/snapshots/snapshot__insecure_commands.snap b/tests/snapshots/snapshot__insecure_commands.snap
@@ -8,7 +8,7 @@ error[insecure-commands]: execution of insecure workflow commands is enabled
   |
 8 |       env:
   |  _____^
-9 | |       ACTIONS_ALLOW_UNSECURE_COMMANDS: yes
+9 | |       ACTIONS_ALLOW_INSECURE_COMMANDS: yes
   | |__________________________________________^ insecure commands enabled here
   |
   = note: audit confidence → High
@@ -17,7 +17,7 @@ error[insecure-commands]: execution of insecure workflow commands is enabled
   --> @@INPUT@@:22:9
    |
 22 |         env: ${{ matrix.env }}
-   |         ^^^^^^^^^^^^^^^^^^^^^^ non-static environment may contain ACTIONS_ALLOW_UNSECURE_COMMANDS
+   |         ^^^^^^^^^^^^^^^^^^^^^^ non-static environment may contain ACTIONS_ALLOW_INSECURE_COMMANDS
    |
    = note: audit confidence → Low
 

diff --git a/tests/test-data/inlined-ignores.yml b/tests/test-data/inlined-ignores.yml
@@ -13,7 +13,7 @@ jobs:
   insecure-commands-ignored:
     runs-on: ubuntu-latest
     env:
-      ACTIONS_ALLOW_UNSECURE_COMMANDS: yes # zizmor: ignore[insecure-commands]
+      ACTIONS_ALLOW_INSECURE_COMMANDS: yes # zizmor: ignore[insecure-commands]
     steps:
       - run: echo "I shall pass!"
 

diff --git a/tests/test-data/insecure-commands.yml b/tests/test-data/insecure-commands.yml
@@ -6,7 +6,7 @@ jobs:
   some-dangerous-job:
     runs-on: ubuntu-latest
     env:
-      ACTIONS_ALLOW_UNSECURE_COMMANDS: yes
+      ACTIONS_ALLOW_INSECURE_COMMANDS: yes
     steps:
       - run: echo "don't do this"
 
@@ -15,7 +15,7 @@ jobs:
     strategy:
       matrix:
         env:
-          - ACTIONS_ALLOW_UNSECURE_COMMANDS: yes
+          - ACTIONS_ALLOW_INSECURE_COMMANDS: yes
 
     steps:
       - run: echo "don't do this"