category fix The query actions/code-injection/medium now produces alerts for injection vulnerabilities on pull_request events.