name: Malcontent Analysis on: pull_request: branches: - main permissions: {} jobs: malcontent: runs-on: ubuntu-latest permissions: contents: read pull-requests: write steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: audit - name: Checkout repository uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v5.0.1 with: fetch-depth: 0 # Fetch all history for proper diff analysis - name: Run Malcontent Analysis id: malcontent uses: chainguard-dev/malcontent-action@053384afe0bb069ba7e2996bd8c0863731406002 # v0.4 with: github-token: ${{ secrets.GITHUB_TOKEN }} # NB: Could also set `fail-on-increase: false` and use `if: ${{steps.malcontent.outputs.risk-delta > 5}}` to allow some risk increase - name: Upload SARIF uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 #v3.29.0 - 11 Jun 2025 if: always() # Upload even if the malcontent check fails with: sarif_file: ${{ steps.malcontent.outputs.sarif-file }} category: malcontent