From 766c757f3b74975c758c33feb2387078f74da5db Mon Sep 17 00:00:00 2001
From: VincyZhang
Date: Tue, 3 Dec 2024 22:33:26 +0800
Subject: [PATCH] add dangerous cmd check (#955)
* add dangerous cmd check
Signed-off-by: Wenxin Zhang
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* clean code
Signed-off-by: Wenxin Zhang
---------
Signed-off-by: Wenxin Zhang
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 .github/workflows/_get-test-matrix.yml | 6 ++++++
 .github/workflows/mix-code-scan.yml | 5 +++++
 2 files changed, 11 insertions(+)
diff --git a/.github/workflows/_get-test-matrix.yml b/.github/workflows/_get-test-matrix.yml
index e2975a066..91acb8188 100644
--- a/.github/workflows/_get-test-matrix.yml
+++ b/.github/workflows/_get-test-matrix.yml
@@ -33,6 +33,12 @@ jobs:
 ref: ${{ env.CHECKOUT_REF }}
 fetch-depth: 0
 
+ - name: Check Dangerous Command Injection
+ if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
+ uses: opea-project/validation/actions/check-cmd@main
+ with:
+ work_dir: ${{ github.workspace }}
+
 - name: Get test matrix
 id: get-test-matrix
 run: |
diff --git a/.github/workflows/mix-code-scan.yml b/.github/workflows/mix-code-scan.yml
index 6d37fe43b..c04c02a49 100644
--- a/.github/workflows/mix-code-scan.yml
+++ b/.github/workflows/mix-code-scan.yml
@@ -34,6 +34,11 @@ jobs:
 - name: Checkout out Repo
 uses: actions/checkout@v4
 
+ - name: Check Dangerous Command Injection
+ uses: opea-project/validation/actions/check-cmd@main
+ with:
+ work_dir: ${{ github.workspace }}
+
 - name: Docker Build
 run: |
 docker build -f ${{ github.workspace }}/.github/workflows/docker/${{ env.DOCKER_FILE_NAME }}.dockerfile -t ${{ env.REPO_NAME }}:${{ env.REPO_TAG }} .
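Review bot: The new step in `_get-test-matrix.yml` references `opea-project/validation/actions/check-cmd@main`, a mutable branch ref, so the code that runs as this security gate can change without any commit in this repository; the same reference is added in the `mix-code-scan.yml` hunk. Pinning to a full commit SHA, e.g. `uses: opea-project/validation/actions/check-cmd@<full-commit-sha>  # placeholder; note the release it corresponds to`, makes every update to the checker a reviewable change here. This matters more because the `if:` admits `pull_request_target`, where a job typically runs with the base repository's token and secrets, while the checkout just above uses `ref: ${{ env.CHECKOUT_REF }}`. How that ref is set is outside the hunk, so confirm that no step after the check executes PR-supplied files with those privileges. The job's step list continues beyond the hunk on both sides.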
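Review bot: In `mix-code-scan.yml` nothing records that the new check has to stay ahead of `Docker Build`, which builds from a dockerfile inside the checked-out tree (`${{ github.workspace }}/.github/workflows/docker/...`), so a later reorder or an added step in between would silently weaken the gate. A comment above the step would capture that, for example `# Keep directly after checkout: later steps build and run content from the checked-out tree.` Whether the checker inspects Dockerfiles as well as scripts is not visible from this hunk; if it does not, that gap is worth stating in the same comment.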