name: Malcontent Analysis on: pull_request: branches: - main permissions: {} jobs: malcontent: runs-on: ubuntu-latest permissions: contents: read pull-requests: write steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0 # Fetch all history for proper diff analysis - name: Run Malcontent Analysis id: malcontent uses: chainguard-dev/malcontent-action@053384afe0bb069ba7e2996bd8c0863731406002 # v0.4 with: github-token: ${{ secrets.GITHUB_TOKEN }} # NB: Could also set `fail-on-increase: false` and use `if: ${{steps.malcontent.outputs.risk-delta > 5}}` to allow some risk increase - name: Upload SARIF uses: github/codeql-action/upload-sarif@014f16e7ab1402f30e7c3329d33797e7948572db #v3.29.0 - 11 Jun 2025 if: always() # Upload even if the malcontent check fails with: sarif_file: ${{ steps.malcontent.outputs.sarif-file }} category: malcontent