name: 'Promptfoo Code Scan' description: 'Scan pull requests for LLM security vulnerabilities' author: 'Promptfoo, Inc.' branding: icon: 'shield' color: 'blue' inputs: api-host: description: 'Promptfoo API host url' required: false default: https://api.promptfoo.app min-severity: description: 'Minimum severity level to report (low|medium|high|critical). Defaults to medium when neither min-severity nor minimum-severity is set.' required: false minimum-severity: description: 'Alias for min-severity (low|medium|high|critical). Has no default; takes effect only when min-severity is not set.' required: false config-path: description: 'Path to YAML configuration file' required: false guidance: description: 'Custom guidance for the security scan' required: false guidance-file: description: 'Path to file containing custom guidance' required: false github-token: description: 'GitHub token for authentication (default: github.token)' required: false default: ${{ github.token }} enable-fork-prs: description: 'Enable scanning PRs from forked repositories' required: false default: 'false' promptfoo-version: description: 'Exact promptfoo CLI version to install for scanning (e.g. 0.121.0). Defaults to the version pinned when this action release was built.' required: false sarif-output-path: description: 'Optional path to write SARIF output for upload to GitHub Code Scanning' required: false outputs: sarif-path: description: 'Path to the SARIF file when a scan completes and sarif-output-path is configured' runs: using: 'node24' main: 'dist/index.js'