fix(ci): avoid template injection in org TruffleHog workflow (zizmor)

Pass workflow_dispatch inputs via step env only; validate org slug and
single_repo URL before invoking trufflehog.

Made-with: Cursor

Author: isaiah-grafana

.github/workflows/org-trufflehog-fullscan.yml

@@ -3,6 +3,9 @@
 #
 # Test now: Actions → this workflow → Run workflow.
 # Smoke test: set `single_repo` to one HTTPS URL and leave org as default.
+#
+# Inputs are passed only via step `env` (not ${{ }} inside `run:`) to satisfy
+# zizmor template-injection rules; values are validated before use.
 
 name: TruffleHog org scan (GitHub)
 
@@ -54,17 +57,46 @@ jobs:
       - name: Run scan (advisory — never blocks merges)
         env:
           TOKEN: ${{ secrets.ORG_TRUFFLEHOG_PAT }}
+          # Do not interpolate workflow inputs inside `run:` (zizmor: template-injection).
+          ORG_INPUT: ${{ github.event.inputs.org || '' }}
+          SINGLE_REPO_INPUT: ${{ github.event.inputs.single_repo || '' }}
+          EVENT_NAME: ${{ github.event_name }}
         run: |
           if [[ -z "${TOKEN}" ]]; then
             echo "::error::Create repository secret ORG_TRUFFLEHOG_PAT (PAT with read access to the org repos you scan)."
             exit 1
           fi
 
+          # GitHub org slug: alphanumeric + hyphen, reasonable length (GitHub max 39).
+          validate_org() {
+            local o="$1"
+            [[ "${o}" =~ ^[a-zA-Z0-9][a-zA-Z0-9-]{0,38}$ ]]
+          }
+
+          # Single-repo smoke test: strict https://github.com/org/repo only.
+          validate_repo_url() {
+            local u="$1"
+            [[ -z "${u}" ]] && return 0
+            [[ "${u}" =~ ^https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+/?$ ]]
+          }
+
           ORG="${DEFAULT_ORG}"
           SINGLE_REPO=""
-          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
-            ORG="${{ github.event.inputs.org }}"
-            SINGLE_REPO="${{ github.event.inputs.single_repo }}"
+          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
+            if [[ -n "${ORG_INPUT}" ]]; then
+              if ! validate_org "${ORG_INPUT}"; then
+                echo "::error::Invalid org slug (allowed: letters, digits, hyphen; 1–39 chars)."
+                exit 1
+              fi
+              ORG="${ORG_INPUT}"
+            fi
+            if [[ -n "${SINGLE_REPO_INPUT}" ]]; then
+              if ! validate_repo_url "${SINGLE_REPO_INPUT}"; then
+                echo "::error::Invalid single_repo URL (use https://github.com/ORG/REPO with no query or fragment)."
+                exit 1
+              fi
+              SINGLE_REPO="${SINGLE_REPO_INPUT}"
+            fi
           fi
 
           set +e

docs/trufflehog-org-fullscan.md

@@ -23,3 +23,10 @@ With token: add `--token="$GITHUB_TOKEN"`.
 
 - Workflow is advisory (no `--fail`); do not add as a required ruleset check if you want it off the merge path.
 - Weekly schedule is optional; remove `schedule:` in the YAML for manual-only.
+
+## Input validation (workflow_dispatch)
+
+To avoid unsafe values being interpreted by the shell, inputs are restricted:
+
+- **org:** GitHub org slug only — letters, digits, hyphen; 1–39 characters (first character must be alphanumeric).
+- **single_repo:** Must look like `https://github.com/ORG/REPO` (no query string, fragment, or `.git` suffix in the URL you pass).