False positive with S8263

HenrikSommer-eng · March 25, 2026, 12:51pm

Hi

You added a new rule S8263 on 16 mar 2026
Azure Pipelines Task invocations should not be vulnerable to parameter injection attacks

I think it gives false positive.
Example we have

task: DotNetCoreCLI@2
displayName: ‘Build ${{ parameters.buildConfiguration }}’
inputs:
command: build
projects: ${{ parameters.projects }}
arguments: '–no-restore --configuration ${{ parameters.buildConfiguration }}’

The task does not seem to support env:
So should it valid that or only script task?

Topic		Replies	Views
Secure your CI/CD, Secure your Azure Pipelines Sonar Updates security , pipeline , azure-devops	0	52	March 17, 2026
Dont generate warnings for exclusions in Azure Pipelines while analyzing C# code Suggest new features azure-devops , me-too	2	37	February 18, 2026
Azure Pipelines SonarCloudPrepare@3 sonar.exclusions not working SonarQube Cloud coverage , dotnet , userfriendly-pl , sonarqube-cloud	20	772	February 18, 2025
Code analysis on .bicep (Azure Resource Manager) SonarQube Cloud azuredevops , azureresourcemanager	5	165	February 24, 2025
ERROR: Caused by: Property: 'sonar.exclusions' doesn't contain a valid CSV value: SonarQube Cloud scanner	5	4015	September 1, 2020

False positive with S8263

Related topics