DefectDojo · valentijnscholten · Oct 27, 2025 · Oct 23, 2025
@@ -2,124 +2,17 @@
 name: Shellcheck
 on:
   pull_request:
-env:
-  SHELLCHECK_REPO: 'koalaman/shellcheck'
-  SHELLCHECK_VERSION: 'v0.9.0' # renovate: datasource=github-releases depName=koalaman/shellcheck
-  SHELLCHECK_SHA: '038fd81de6b7e20cc651571362683853670cdc71' # Renovate config is not currently adjusted to update hash - it needs to be done manually for now
+
 jobs:
   shellcheck:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
-      - name: Grab shellcheck
-        run: |
-          set -e
-
-          SHELLCHECK_TARBALL_URL="https://github.com/${SHELLCHECK_REPO}/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz"
-          SHELLCHECK_TARBALL_LOC="shellcheck.tar.xz"
-          curl -L "${SHELLCHECK_TARBALL_URL}" -o "${SHELLCHECK_TARBALL_LOC}"
-          tarball_sha=$(shasum ${SHELLCHECK_TARBALL_LOC} | awk '{print $1}')
-          if [ "${tarball_sha}" != "${SHELLCHECK_SHA}" ]; then
-            echo "Got invalid SHA for shellcheck: ${tarball_sha}"
-            exit 1
-          fi
-          tar -xvf "${SHELLCHECK_TARBALL_LOC}"
-          cd "shellcheck-${SHELLCHECK_VERSION}" || exit 1
-          mv shellcheck "${GITHUB_WORKSPACE}/shellcheck"
-
-      - name: Run shellcheck
-        shell: bash
-        run: |
-          set -o pipefail
-
-          # Make sure we already put the proper shellcheck binary in place
-          if [ ! -f "./shellcheck" ]; then
-              echo "shellcheck not found"
-              exit 1
-          fi
-
-          # Make sure we know what to compare the PR's changes against
-          if [ -z "${GITHUB_BASE_REF}" ]; then
-              echo "No base reference supplied"
-              exit 1
-          fi
-
-          num_findings=0
-
-          # Execute shellcheck and add errors based on the output
-          run_shellcheck() {
-              local modified_shell_script="${1}"
-              local findings_file="findings.txt"
-
-              # Remove leftover findings file from previous iterations
-              if [ -f "${findings_file}" ]; then
-                  rm "${findings_file}"
-              fi
-
-              echo "Running shellcheck against ${modified_shell_script}..."
-
-              # If shellcheck reported no errors (exited with 0 status code), return
-              if ./shellcheck -f json -S warning "${modified_shell_script}" | jq -c '.[]' > "${findings_file}"; then
-                  return 0
-              fi
-
-              # Walk each of the individual findings
-              while IFS= read -r finding; do
-                  num_findings=$((num_findings+1))
-
-                  line=$(echo "${finding}" | jq '.line')
-                  end_line=$(echo "${finding}" | jq '.endLine')
-                  column=$(echo "${finding}" | jq '.column')
-                  end_column=$(echo "${finding}" | jq '.endColumn')
-                  code=$(echo "${finding}" | jq '.code')
-                  title="SC${code}"
-                  message="$(echo "${finding}" | jq -r '.message') See https://github.com/koalaman/shellcheck/wiki/${title}"
-
-                  echo "Line: ${line}"
-                  echo "End line: ${end_line}"
-                  echo "Column: ${column}"
-                  echo "End column: ${end_column}"
-                  echo "Title: ${title}"
-                  echo "Message: ${message}"
-
-                  # Raise an error with the file/line/etc
-                  echo "::error file=${modified_shell_script},line=${line},endLine=${end_line},column=${column},endColumn=${end_column},title=${title}::${message}"
-              done < ${findings_file}
-          }
-
-          # Find the shell scripts that were created or modified by this PR
-          find_modified_shell_scripts() {
-              shell_scripts="shell_scripts.txt"
-              modified_files="modified_files.txt"
-              modified_shell_scripts="modified_shell_scripts.txt"
-
-              find . -name "*.sh" -or -name "*.bash" | sed 's#^\./##' > "${shell_scripts}"
-              git diff --name-only "origin/${GITHUB_BASE_REF}" HEAD > "${modified_files}"
-
-              if [ ! -s "${shell_scripts}" ] || [ ! -s "${modified_files}" ]; then
-                  echo "No modified shell scripts detected"
-                  exit 0
-              fi
-
-              if ! grep -Fxf "${shell_scripts}" "${modified_files}" > "${modified_shell_scripts}"; then
-                echo "No modified shell scripts detected"
-                exit 0
-              fi
-          }
-
-          git fetch origin "${GITHUB_BASE_REF}" || exit 1
-
-          find_modified_shell_scripts
-
-          # Loop through the modified shell scripts
-          while IFS= read -r modified_shell_script; do
-              run_shellcheck "${modified_shell_script}"
-          done < ${modified_shell_scripts}
-
-          # If shellcheck reported any findings, fail the workflow
-          if [ ${num_findings} -gt 0 ]; then
-              echo "shellcheck reported ${num_findings} findings."
-              exit 1
-          fi
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
+        with:
+          version: 'v0.11.0' # renovate: datasource=github-releases depName=koalaman/shellcheck versioning=loose
+        env:
+          SHELLCHECK_OPTS: -e SC1091 -e SC2086  # TODO: fix following findings