diff --git a/checks/raw/dangerous_workflow.go b/checks/raw/dangerous_workflow.go
index a0970b59368..f1f8d786478 100644
--- a/checks/raw/dangerous_workflow.go
+++ b/checks/raw/dangerous_workflow.go
@@ -52,7 +52,9 @@ func containsUntrustedContextPattern(variable string) bool {
 if strings.Contains(variable, "github.head_ref") {
 return true
 }
- return strings.Contains(variable, "github.event.") && untrustedContextPattern.MatchString(variable)
+ return strings.Contains(variable, "github.event.") &&
+ (untrustedContextPattern.MatchString(variable) ||
+ untrustedContextPattern.MatchString(fmt.Sprintf("toJSON(%s)", variable)))
 }
 
 type triggerName string
diff --git a/checks/raw/dangerous_workflow_test.go b/checks/raw/dangerous_workflow_test.go
index 297b08dfff3..d91ab76cd75 100644
--- a/checks/raw/dangerous_workflow_test.go
+++ b/checks/raw/dangerous_workflow_test.go
@@ -17,6 +17,7 @@ package raw
 import (
 "context"
 "errors"
+ "fmt"
 "io"
 "os"
 "testing"
@@ -83,6 +84,12 @@ func TestUntrustedContextVariables(t *testing.T) {
 if r := containsUntrustedContextPattern(tt.variable); !r == tt.expected {
 t.Fail()
 }
+ if r := containsUntrustedContextPattern(fmt.Sprintf("toJSON(%s)", tt.variable)); !r == tt.expected {
+ t.Fail()
+ }
+ if r := containsUntrustedContextPattern(fmt.Sprintf("toJSON( %s )", tt.variable)); !r == tt.expected {
+ t.Fail()
+ }
 })
 }
 }
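Review bot: The new return in containsUntrustedContextPattern re-runs the regex on the string `toJSON(<variable>)` built with fmt.Sprintf, so whether the check fires now depends on untrustedContextPattern (defined outside this hunk) accepting that exact spelling, and when the caller already passes `toJSON( … )`, as the new test does, the text actually matched is `toJSON(toJSON( … ))`, which is hard to reason about from the code alone. A more direct form would keep the wrapping knowledge in one place, e.g. give the pattern an optional `toJSON\s*\(\s*` prefix (and matching optional closing parenthesis) so that whitespace variants are handled by the regex rather than by string construction; if the wrapping is kept, the line needs a why-comment, `// toJSON() does not make a context value trusted, so also match the value wrapped in it.` The hunk does not add an `fmt` import to dangerous_workflow.go, so it is presumably already imported there. Note that toJSON is only one of the expression functions that pass a value through unchanged, so this is a narrow extension of the detection rather than a normalization of the expression. The function's signature precedes the hunk and appears only in the hunk header.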
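Review bot: The two added checks in TestUntrustedContextVariables call `t.Fail()` with no message, so a regression in the toJSON handling fails the subtest without saying which spelling or variable broke; `t.Errorf("containsUntrustedContextPattern(%q) = %v, want %v", input, r, tt.expected)` would identify it (the pre-existing check above has the same limitation). Both new checks reuse `tt.expected` from the bare-variable row, which is the intended semantics (wrapping in toJSON changes neither trust nor expectation) but is not stated anywhere; a one-line comment such as `// toJSON() wrapping must not change the verdict.` would make that explicit. Adding the wrapped spellings as explicit table rows would also document the expected outcome per form instead of deriving it by re-wrapping every existing row. The enclosing test function begins before the hunk.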