False positive with S8263

Hi

You added a new rule S8263 on 16 Mar 2026:
Azure Pipelines Task invocations should not be vulnerable to parameter injection attacks

I think it gives a false positive.
Example we have:

- task: DotNetCoreCLI@2
  displayName: 'Build ${{ parameters.buildConfiguration }}'
  inputs:
    command: build
    projects: ${{ parameters.projects }}
    arguments: '--no-restore --configuration ${{ parameters.buildConfiguration }}'

The task does not seem to support env:
So should it validate that, or only script tasks?

Hi @HenrikSommer-eng, I am terribly sorry that you had to wait so long for a response!

To your question, this is actually a true positive as arguments can be used to pass extra arguments to msbuild which can affect the execution (e.g., to set BeforeBuildEvent to execute arbitrary commands). I will find a way to improve the documentation to make this clearer, thanks a lot for the feedback!

As your example controls the build configuration, the safe solution is to limit the allowed parameters by using the values list like this:

parameters:
- name: buildConfiguration
  type: string
  default: 'Debug'
  values:
  - Debug
  - Release

Passing through an environment variable (which should work on all tasks) does not make it secure in this case, as it will protect only against direct shell interpolation for inputs that are passed to a shell interpreter.

Hope that helps & best wishes,

Teemu R.
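The check Teemu describes, as an added example that is not part of this thread and not SonarSource's rule implementation: a small stdlib-only checker that flags `${{ parameters.X }}` used inside a task's `inputs:` block when X has no `values:` allow-list. The pipeline text and the parameter named `projects` are constructed for the example; the line-based YAML handling assumes the common Azure layout shown in the thread rather than a full YAML parser.

```python
import re

PARAM_REF = re.compile(r"\$\{\{\s*parameters\.(\w+)\s*\}\}")  # ${{ parameters.x }}
def restricted_parameters(lines):
    """Map each declared parameter to True when it carries a 'values:' allow-list."""
    params, current, in_block = {}, None, False
    for line in filter(str.strip, lines):
        if line.rstrip() == "parameters:":
            in_block = True
            continue
        if not line[0].isspace() and not line.startswith("- "):
            in_block = False  # any other top-level key ends the block
        m = re.match(r"\s*-\s*name:\s*(\S+)", line) if in_block else None
        if m:
            params[(current := m.group(1))] = False
        elif in_block and current and line.strip().startswith("values:"):
            params[current] = True
    return params

def find_unrestricted_task_inputs(yaml_text):
    """(line number, parameter) for each ${{ parameters.X }} used inside a task's
    inputs: block where X has no enumerated values, the pattern S8263 reports."""
    lines = yaml_text.splitlines()
    restricted = restricted_parameters(lines)
    findings, inputs_indent = [], None
    for n, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip())
        if line.strip() == "inputs:":
            inputs_indent = indent
            continue
        if inputs_indent is not None and line.strip() and indent <= inputs_indent:
            inputs_indent = None  # dedent: we have left the inputs: block
        if inputs_indent is not None:
            findings += [(n, p) for p in PARAM_REF.findall(line)
                         if not restricted.get(p, False)]
    return findings

# Constructed pipeline: buildConfiguration is allow-listed, projects is not.
PIPELINE = """\
parameters:
- name: buildConfiguration
  values: [Debug, Release]
- name: projects
steps:
- task: DotNetCoreCLI@2
  inputs:
    command: build
    projects: ${{ parameters.projects }}
    arguments: '--no-restore --configuration ${{ parameters.buildConfiguration }}'
"""
```

Running `find_unrestricted_task_inputs(PIPELINE)` reports only the `projects` input; adding a `values:` list to that parameter clears the finding, which mirrors the fix suggested above.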

Thanks, that helps.

And yes, the guideline should be updated because it was not clear that that was the problem.