diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 51e48076..2d8f047c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,9 +16,13 @@ jobs:
 smoke-tests:
 if: github.event.pull_request.draft == false
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write # required by Differential ShellCheck
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.2
+ with:
+ fetch-depth: 0 # Differential ShellCheck requires full git history
 - name: Check scripts in repository are executable
 run: |
@@ -28,14 +32,17 @@ jobs:
 # If FAIL is 1 then we fail.
 [[ $FAIL == 1 ]] && exit 1 || echo "Scripts are executable!"
- - name: Run shellcheck
- uses: ludeeus/action-shellcheck@master
+ - name: Differential ShellCheck
+ uses: redhat-plumbers-in-action/differential-shellcheck@v5
 with:
- check_together: 'yes'
- format: tty
- severity: warning
- env:
- SHELLCHECK_OPTS: -x # Enable shellcheck -x option (follow external sources)
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - if: ${{ runner.debug == '1' && !cancelled() }}
+ name: Upload artifact with ShellCheck defects in SARIF format
+ uses: actions/upload-artifact@v4
+ with:
+ name: Differential ShellCheck SARIF
+ path: ${{ steps.ShellCheck.outputs.sarif }}
 - name: Spell-Checking
 uses: codespell-project/actions-codespell@master
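Review bot: The `permissions` block added under `smoke-tests` names only `security-events: write`, and once a job declares `permissions` every scope it does not list drops to `none`, so the token loses `contents: read` for the checkout step; add `contents: read` beside it (on a private repository the checkout would otherwise fail). The write scope also applies to every step of the job, not just ShellCheck, and the steps list continues outside this hunk, including an action referenced by branch (`codespell-project/actions-codespell@master`, visible in the next hunk). Moving Differential ShellCheck into its own job would keep `security-events: write` away from the unrelated steps.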
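Review bot: The upload step reads `${{ steps.ShellCheck.outputs.sarif }}`, but the Differential ShellCheck step added above it has a `name` and no `id`, so `steps.ShellCheck` resolves to nothing and `path` is empty whenever the debug upload runs; add `id: ShellCheck` to that step. The action is also referenced by the movable tag `@v5` while it is handed a token carrying `security-events: write`, so pinning it to a full commit SHA (with the tag kept as a trailing comment) would stop a retagged release from running with that scope. The old step's `severity: warning` is removed without a replacement, so it is worth confirming that the new action's default severity is the level the project wants to gate on.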