security: fix GitHub Actions command injection vulnerabilities and security hotspots

- Move all GitHub Actions inputs to environment variables to prevent command injection (S7630)
- Add non-root user to Docker test image (S6471)
- Pin peter-evans/create-pull-request to full commit SHA (S7637)

Fixed 27 BLOCKER vulnerabilities and 2 security hotspots identified by SonarCloud.

All inputs from GitHub Actions are now passed via env variables and properly quoted
in shell commands to prevent potential command injection attacks.

Author: RossBugginsNHS

.github/actions/create-lines-of-code-report/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Create CLOC report"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-lines-of-code-report.sh
     - name: "Compress CLOC report"
       shell: bash
@@ -51,7 +52,10 @@ runs:
     - name: "Send the CLOC report to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
       run: |
         aws s3 cp \
           ./lines-of-code-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-lines-of-code-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-lines-of-code-report.json.zip"

.github/actions/perform-static-analysis/action.yaml

@@ -32,9 +32,10 @@ runs:
       shell: bash
       if: steps.check.outputs.secret_exist == 'true'
       continue-on-error: ${{ fromJSON(inputs.ignore_sonar_failure) }}
+      env:
+        SONAR_ORGANISATION_KEY: ${{ inputs.sonar_organisation_key }}
+        SONAR_PROJECT_KEY: ${{ inputs.sonar_project_key }}
+        SONAR_TOKEN: ${{ inputs.sonar_token }}
       run: |
         export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
-        export SONAR_ORGANISATION_KEY=${{ inputs.sonar_organisation_key }}
-        export SONAR_PROJECT_KEY=${{ inputs.sonar_project_key }}
-        export SONAR_TOKEN=${{ inputs.sonar_token }}
         ./scripts/reports/perform-static-analysis.sh

.github/actions/publish-docs/action.yml

@@ -33,41 +33,50 @@ runs:
       env:
         GH_TOKEN: ${{ github.token }}
         GH_REPO: ${{ github.repository }}
+        VERSION: ${{ inputs.version }}
+        IS_PRERELEASE: ${{ inputs.is_version_prerelease }}
       run: |
+        PRERELEASE_FLAG=""
+        if [ "$IS_PRERELEASE" = "true" ]; then
+          PRERELEASE_FLAG="--prerelease"
+        fi
         gh release create \
-        "${{ inputs.version }}" \
+        "$VERSION" \
         --draft \
         --latest \
-        --title "${{ inputs.version }}" \
-        --notes "Release of ${{ inputs.version }}" \
-        ${{ inputs.is_version_prerelease == 'true' && '--prerelease' || '' }}
+        --title "$VERSION" \
+        --notes "Release of $VERSION" \
+        $PRERELEASE_FLAG
 
     - name: "Upload jeykll docs release asset"
       shell: bash
       env:
         GH_TOKEN: ${{ github.token }}
         GH_REPO: ${{ github.repository }}
+        VERSION: ${{ inputs.version }}
       run: |
-        cp ./artifacts/jekyll-docs-${{ inputs.version }}/artifact.tar $RUNNER_TEMP/jekyll-docs-${{ inputs.version }}.tar
+        cp "./artifacts/jekyll-docs-$VERSION/artifact.tar" "$RUNNER_TEMP/jekyll-docs-$VERSION.tar"
         gh release upload \
-        "${{ inputs.version }}" \
-        $RUNNER_TEMP/jekyll-docs-${{ inputs.version }}.tar#jekyll-docs-${{ inputs.version }}
+        "$VERSION" \
+        "$RUNNER_TEMP/jekyll-docs-$VERSION.tar#jekyll-docs-$VERSION"
 
     - name: "Upload schema release asset"
       shell: bash
       env:
         GH_TOKEN: ${{ github.token }}
         GH_REPO: ${{ github.repository }}
+        VERSION: ${{ inputs.version }}
       run: |
-        cp ./artifacts/schemas-${{ inputs.version }}/artifact.tar $RUNNER_TEMP/schemas-${{ inputs.version }}.tar
+        cp "./artifacts/schemas-$VERSION/artifact.tar" "$RUNNER_TEMP/schemas-$VERSION.tar"
         gh release upload \
-        "${{ inputs.version }}" \
-        $RUNNER_TEMP/schemas-${{ inputs.version }}.tar#schemas-${{ inputs.version }}
+        "$VERSION" \
+        "$RUNNER_TEMP/schemas-$VERSION.tar#schemas-$VERSION"
 
 
     - name: Publish Release
       shell: bash
       env:
         GH_TOKEN: ${{ github.token }}
         GH_REPO: ${{ github.repository }}
-      run: gh release edit "${{ inputs.version }}" --draft=false
+        VERSION: ${{ inputs.version }}
+      run: gh release edit "$VERSION" --draft=false

.github/actions/scan-dependencies/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Generate SBOM"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-sbom-report.sh
     - name: "Compress SBOM report"
       shell: bash
@@ -39,8 +40,9 @@ runs:
         retention-days: 21
     - name: "Scan vulnerabilities"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/scan-vulnerabilities.sh
     - name: "Compress vulnerabilities report"
       shell: bash
@@ -65,10 +67,13 @@ runs:
     - name: "Send the SBOM and vulnerabilities reports to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
       run: |
         aws s3 cp \
           ./sbom-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-sbom-repository-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-sbom-repository-report.json.zip"
         aws s3 cp \
           ./vulnerabilities-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-vulnerabilities-repository-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-vulnerabilities-repository-report.json.zip"

.github/workflows/cicd-3-deploy.yaml

@@ -87,11 +87,10 @@ jobs:
         shell: bash
         env:
           GH_TOKEN: ${{ github.token }}
+          INPUTS_INCLUDE_PRERELEASES: ${{ inputs.include_prereleases }}
+          INPUTS_VERSION: ${{ inputs.version }}
         run: |
-          INPUTS_INCLUDE_PRERELEASES="${{ inputs.include_prereleases }}"
           INPUTS_INCLUDE_PRERELEASES=${INPUTS_INCLUDE_PRERELEASES:-"true"}
-
-          INPUTS_VERSION="${{ inputs.version }}"
           INPUTS_VERSION=${INPUTS_VERSION:-"latest"}
 
 

.github/workflows/scheduled-repository-template-sync.yaml

@@ -32,7 +32,7 @@ jobs:
 
     - name: Create Pull Request
       if: ${{ !env.ACT }}
-      uses: peter-evans/[email protected]
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: Drift from template

scripts/docker/tests/Dockerfile

@@ -1,3 +1,9 @@
 # `*:latest` will be replaced with a corresponding version stored in the '.tool-versions' file
 # hadolint ignore=DL3007
 FROM python:latest
+
+# Create a non-root user for running the application
+RUN groupadd -r appuser && useradd -r -g appuser appuser
+
+# Switch to non-root user
+USER appuser