diff --git a/.github/workflows/puppet.yaml b/.github/workflows/puppet.yaml index fffa437..69967f9 100644 --- a/.github/workflows/puppet.yaml +++ b/.github/workflows/puppet.yaml @@ -30,12 +30,31 @@ jobs: puppet-lint: runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout repository uses: actions/checkout@v3 with: submodules: false - - name: puppet-lint - uses: scottbrenner/puppet-lint-action@master + + - name: Setup Ruby + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + with: + ruby-version: 2.7 + bundler-cache: true + + - name: Install puppet-lint + run: gem install puppet-lint + + - name: Run puppet-lint + run: puppet-lint . --sarif > puppet-lint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 with: - args: puppet/ --fail-on-warnings + sarif_file: puppet-lint-results.sarif + wait-for-processing: true
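Review bot: The new `github/codeql-action/upload-sarif@v2` step is referenced by a mutable tag although it runs in the job that now holds `security-events: write`, while `ruby/setup-ruby` a few lines above is pinned to a full commit SHA. Pin it the same way, e.g. `uses: github/codeql-action/upload-sarif@<full-commit-sha> # v2` (placeholder; the SHA is not on this page). `gem install puppet-lint` likewise installs whatever version is current at run time, so `run: gem install puppet-lint -v <pinned-version>`, or a committed Gemfile/Gemfile.lock that `bundler-cache: true` can use, would keep the linter reproducible. `continue-on-error: true` on the lint step also hides a crashed or missing puppet-lint, and with `--fail-on-warnings` removed nothing visible in this job fails on findings any more. If enforcement is meant to come from code-scanning checks or branch protection, add a comment such as `# findings are enforced via code scanning, not job status` above that step.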