Update oxsecurity/megalinter action to v9

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
oxsecurity/megalinter	action	major	v8.3.0 → v9.4.0

---

Release Notes

oxsecurity/megalinter (oxsecurity/megalinter)

v9.4.0

Compare Source

• Core

  • Improve files browsing performances (2 PRs)
  • Optimize parallel linter processing and improve grouping logic
  • Improve performance of listing .gitignored files by sending excluded directories to git ls-files
  • If there are more than 500 .gitignored files, advise to add more excluded directories using variable ADDITIONAL_EXCLUDED_DIRECTORIES, to improve performances
  • Reduce redundant config lookups, environment copies, and dict rebuilds across config, linter, and utils modules
  • Cache subprocess environment per linter run and excluded directories per request
  • Optimize parallel linter result update from O(n²) to O(n)
  • Add support in the build of Docker images for linux/arm64 in compatible linters

• New linters

  • Add PYTHON_NBQA_MYPY for type-checking Jupyter notebooks using nbqa + mypy

• Disabled linters

  • LUA_SELENE: Kampfkarren/selene#662

• Linters enhancements

  • Use the official checkmake image by @​bdovaz
  • Spectral: Add sarif support to spectral by @​bdovaz
  • Spectral: Change cli_lint_mode to list_of_files to improve performances

• Fixes

  • Add support for SSH remote origins when building custom flavors (fixes: #​6511)
  • Fix issue with plugins ignored when FLAVOR_SUGGESTIONS=false
  • Fix wrong tagging apply_fixes=True when linter has no fix options configured
  • Python mypy: Remove .ipynb from file extensions (mypy doesn't support notebooks directly) - fixes #​6904
  • Fix operator precedence bug in pre_post_factory pre/post command logic
  • Fix file handle leak in GitleaksLinter
  • Fix variable name bug in utils.get_git_context_info
  • Minor fixes in logger, SqlFluffLinter, PowershellLinter, TrivyLinter

• Reporters

  • Add a link inviting to star MegaLinter
  • Display in the console reporter the working directory from which the commands are executed by @​bdovaz
  • Update WebHook reporter so it can send more events for a better integration with UI
  • When truncating long comments in markdown reports, keep the end of the text instead of the beginning (which usually contains less useful information)
  • In case GitHub Api returns 500, do not make the whole MegaLinter fail, display a warning instead
  • Azure Reporter: Use Azure DevOps Services REST API instead of unmaintained python wrapper lib

• Flavors

  • Custom flavor builder:
    • Add support for SSH remotes
    • Allow selection of platforms to build the custom flavor on (ex: linux/amd64, linux/arm64) and build compatible linters on these platforms
    • Build & release custom flavor builder image for linux/arm64

• Doc

  • JSON Schema: Add default values for file extensions and file names variables + improve descriptions
  • Update default secured env variables documentation
  • Fix banner img in json_prettier and yaml_prettier docs
  • Explain better how to run tests locally
  • Vale: Mention community style packages in linter description

• CI

  • Free more space on GitHub Actions runners to avoid build failures
  • Ignore .isorted files in secretlint to avoid scanning transient files created by other linters
  • Avoid duplicate jobs "Mirror docker image"
  • Allow to skip linters build using skip linters in latest commit text
  • Allow to disable build & push of standalone linters docker images using variable BETA_LINTERS_ENABLED=false
  • Improve performances of formatting markdown tables during build
  • Improve test classes performances and fix race conditions
  • Fix plugin test to work with forks and feature branches
  • Update .devcontainer image to trixie

• mega-linter-runner

  • If variables are defined in a local .env file, send their values to docker/podman run command (can be useful for secret variables)
  • Never send .env file to the docker run for security reasons, instead create an empty one if needed
  • Use npm trusted publishers (OIDC) to publish mega-linter-runner

• Linter versions upgrades (59)

  • actionlint from 1.7.10 to 1.7.11
  • ansible-lint from 25.12.2 to 26.2.0
  • bandit from 1.9.2 to 1.9.4
  • bicep_linter from 0.39.26 to 0.41.2
  • black from 25.12.0 to 26.1.0
  • cfn-lint from 1.43.1 to 1.45.0
  • checkov from 3.2.497 to 3.2.506
  • clippy from 0.1.92 to 0.1.93
  • clj-kondo from 2025.12.23 to 2026.01.19
  • code-analyzer-apex from 5.7.1 to 5.10.0
  • code-analyzer-aura from 5.7.1 to 5.10.0
  • code-analyzer-lwc from 5.7.1 to 5.10.0
  • csharpier from 1.2.5 to 1.2.6
  • cspell from 9.4.0 to 9.7.0
  • dartanalyzer from 3.10.7 to 3.11.1
  • devskim from 1.0.67 to 1.0.70
  • dotnet-format from 9.0.112 to 9.0.114
  • editorconfig-checker from 3.6.0 to 3.6.1
  • golangci-lint from 2.7.2 to 2.10.1
  • grype from 0.104.3 to 0.109.0
  • htmlhint from 1.8.0 to 1.9.1
  • isort from 7.0.0 to 8.0.0
  • jscpd from 4.0.5 to 4.0.8
  • jsonlint from 16.0.0 to 17.0.1
  • kics from 2.1.18 to 2.1.19
  • kingfisher from 1.73.0 to 1.84.0
  • kubescape from 3.0.47 to 4.0.2
  • npm-groovy-lint from 16.1.1 to 16.2.0
  • php-cs-fixer from 3.92.4 to 3.94.2
  • phpstan from 2.1.33 to 2.1.40
  • pmd from 7.20.0 to 7.22.0
  • prettier from 3.7.4 to 3.8.1
  • psalm from Psalm.6.14.3@​ to Psalm.6.15.1@​
  • pylint from 4.0.4 to 4.0.5
  • pyright from 1.1.407 to 1.1.408
  • revive from 1.13.0 to 1.14.0
  • robocop from 7.2.0 to 8.2.2
  • rubocop from 1.82.1 to 1.85.0
  • ruff-format from 0.14.10 to 0.15.4
  • ruff from 0.14.10 to 0.15.4
  • rumdl from 0.0.208 to 0.1.32
  • scalafix from 0.14.5 to 0.14.6
  • secretlint from 11.2.5 to 11.3.1
  • semgrep from 1.151.0 to 1.153.1
  • snakefmt from 0.11.2 to 0.11.4
  • snakemake from 9.14.5 to 9.16.3
  • sqlfluff from 3.5.0 to 4.0.4
  • swiftlint from 0.63.0 to 0.63.2
  • syft from 1.39.0 to 1.42.1
  • terraform-fmt from 1.14.1 to 1.14.5
  • terragrunt from 0.93.13 to 0.99.4
  • tflint from 0.60.0 to 0.61.0
  • trivy-sbom from 0.68.2 to 0.69.1
  • trivy from 0.68.2 to 0.69.1
  • trufflehog from 3.92.4 to 3.93.6
  • v8r from 5.1.0 to 6.0.0
  • vale from 3.13.0 to 3.13.1
  • yamllint from 1.37.1 to 1.38.0

v9.3.0

Compare Source

• Core

  • Add enum name support in MegaLinter config Json schema for better autocompletion in editors
  • Update base image to python:3.13-alpine3.23

• New linters

  • Add codespell
  • Add kingfisher by @​bdovaz
  • Add rumdl by @​bdovaz

• Linters enhancements

  • Change checkmake Docker image reference by @​bdovaz

• Reporters

  • Handle multiple MegaLinter runs on the same repo using custom value sent in variable MEGALINTER_MULTIRUN_KEY
  • Allow to override url to CI build in Git based reporters using REPORTERS_ACTION_RUN_URL variable
  • Fix sections display in Gitlab console logs

• Doc

  • Classify all JSON schema config variables by category and section

• CI

  • Free disk space on GitHub actions runner when releasing a new flavor
  • Add missing Dockerfile patterns to Renovate Dockerfile manager
  • Remove gitpod custom image, workflow, and makefile targets

• Linter versions upgrades (54)

  • actionlint from 1.7.9 to 1.7.10
  • ansible-lint from 25.11.1 to 25.12.2
  • bash-exec from 5.2.37 to 5.3.3
  • black from 25.11.0 to 25.12.0
  • cfn-lint from 1.41.0 to 1.43.1
  • checkov from 3.2.495 to 3.2.497
  • clang-format from 20.1.8 to 21.1.2
  • clippy from 0.1.91 to 0.1.92
  • clj-kondo from 2025.10.23 to 2025.12.23
  • code-analyzer-apex from 5.6.1 to 5.7.1
  • code-analyzer-aura from 5.6.1 to 5.7.1
  • code-analyzer-lwc from 5.6.1 to 5.7.1
  • cppcheck from 2.14.2 to 2.18.3
  • csharpier from 1.2.1 to 1.2.5
  • cspell from 9.3.2 to 9.4.0
  • dartanalyzer from 3.8.3 to 3.10.7
  • dotnet-format from 9.0.111 to 9.0.112
  • git_diff from 2.49.1 to 2.52.0
  • golangci-lint from 2.6.2 to 2.7.2
  • grype from 0.104.1 to 0.104.3
  • helm from 3.18.4 to 3.19.0
  • htmlhint from 1.7.1 to 1.8.0
  • kics from 2.1.16 to 2.1.18
  • kingfisher from 1.71.0 to 1.73.0
  • kubescape from 3.0.45 to 3.0.47
  • markdown-table-formatter from 1.6.1 to 1.7.0
  • markdownlint from 0.45.0 to 0.47.0
  • mypy from 1.18.2 to 1.19.1
  • npm-groovy-lint from 15.2.2 to 16.1.1
  • npm-package-json-lint from 9.0.0 to 9.1.0
  • php-cs-fixer from 3.90.0 to 3.92.4
  • phplint from 9.6.2 to 9.7.1
  • phpstan from 2.1.32 to 2.1.33
  • pmd from 7.18.0 to 7.20.0
  • prettier from 3.6.2 to 3.7.4
  • psalm from Psalm.6.13.1@​ to Psalm.6.14.3@​
  • pylint from 4.0.3 to 4.0.4
  • robocop from 6.11.0 to 7.2.0
  • roslynator from 0.11.0.0 to 0.12.0.0
  • rubocop from 1.81.7 to 1.82.0
  • rubocop from 1.82.0 to 1.82.1
  • ruff-format from 0.14.6 to 0.14.10
  • ruff from 0.14.6 to 0.14.10
  • rumdl from 0.0.199 to 0.0.208
  • scalafix from 0.14.4 to 0.14.5
  • snakemake from 9.13.7 to 9.14.5
  • stylelint from 16.26.0 to 16.26.1
  • swiftlint from 0.62.2 to 0.63.0
  • syft from 1.38.0 to 1.39.0
  • terraform-fmt from 1.14.0 to 1.14.1
  • terragrunt from 0.93.10 to 0.93.13
  • trivy-sbom from 0.67.2 to 0.68.2
  • trivy from 0.67.2 to 0.68.2
  • trufflehog from 3.91.1 to 3.92.4

v9.2.0

Compare Source

• New linters

  • Salesforce Code Analyzer, by @​abdeslamads
    • SALESFORCE_CODE_ANALYZER_APEX
    • SALESFORCE_CODE_ANALYZER_AURA
    • SALESFORCE_CODE_ANALYZER_LWC

• Disabled linters

  • Reactivate checkov

• Deprecated linters

  • Deprecate terrascan as the project is discontinued. Will be completely removed in a future version.
  • SALESFORCE_SFDX_SCANNER_* linters have been deprecated and will be removed in a future version. (they are replaced by SALESFORCE_CODE_ANALYZER_* linters)

• Media

  • Looking for the best CI/CD Pipeline Linting Tool? Try MegaLinter!, by Seasoned Developer
  • (Brazilian) Qualidade e Segurança em Código com MegaLinter: automatizando análises em MAUI com GitHub Actions, by Canal dotNET

• Linters enhancements

  • Install dotenv-linter deterministically, by @​bdovaz in #​6385

• Fixes

  • #​6544: Add GITHUB_TOKEN in docker build command for custom flavor
  • Hide warning when compiling a regex
  • Fix formatting in descriptor files to reduce changes in generated markdown, by @​echoix in #​6449

• Reporters

  • Add conversion from Jenkins variables to related Git based reporters variables

• Doc

  • Keep jsonschema html docs updated when using build.py --doc, by @​echoix in #​6447
  • Commit updated license info generated from build script by @​echoix in #​6448
  • Recreate docs/descriptors folder, delete old pages by @​echoix in #​6451

• Flavors

  • Add GITHUB_TOKEN in docker buildx build command for custom flavor, by @​davidfevre-gouv-nc in #​6545

• CI

  • Optimize performances of standalone linters releases
  • Renovate: Add langchain group for package updates, by @​echoix in #​6400
  • Refactor file handling in build.py to use pathlib for improved readability, by @​echoix in #​6450

• mega-linter-runner

  • Handle upgrade of stefanzweifel/git-auto-commit-action to v7

• Linter versions upgrades (53)

  • actionlint from 1.7.7 to 1.7.9
  • ansible-lint from 25.9.1 to 25.11.1
  • bandit from 1.8.6 to 1.9.2
  • bicep_linter from 0.38.33 to 0.39.26
  • black from 25.9.0 to 25.11.0
  • cfn-lint from 1.40.0 to 1.41.0
  • checkov from 3.2.413 to 3.2.495
  • checkstyle from 11.1.0 to 12.1.0
  • clippy from 0.1.90 to 0.1.91
  • clj-kondo from 2025.09.22 to 2025.10.23
  • csharpier from 1.1.2 to 1.2.1
  • cspell from 9.2.1 to 9.3.2
  • dotenv-linter from 3.3.0 to 4.0.0
  • dotnet-format from 9.0.110 to 9.0.111
  • editorconfig-checker from 3.4.0 to 3.6.0
  • git_diff from 2.47.0 to 2.49.1
  • gitleaks from 8.28.0 to 8.30.0
  • golangci-lint from 2.5.0 to 2.6.2
  • grype from 0.100.0 to 0.104.1
  • isort from 6.1.0 to 7.0.0
  • kics from 2.1.14 to 2.1.16
  • ktlint from 1.7.1 to 1.8.0
  • kubescape from 3.0.41 to 3.0.45
  • php-cs-fixer from 3.88.2 to 3.90.0
  • phpcs from 4.0.0 to 4.0.1
  • phpstan from 2.1.30 to 2.1.32
  • pmd from 7.17.0 to 7.18.0
  • powershell from 7.5.3 to 7.5.4
  • pylint from 3.3.9 to 4.0.3
  • pyright from 1.1.406 to 1.1.407
  • raku from 2024.12 to 2025.11
  • revive from 1.12.0 to 1.13.0
  • robocop from 6.7.2 to 6.11.0
  • roslynator from 0.10.2.0 to 0.11.0.0
  • rst-lint from 1.4.0 to 2.0.2
  • rubocop from 1.81.1 to 1.81.7
  • ruff-format from 0.13.3 to 0.14.6
  • ruff from 0.13.3 to 0.14.6
  • scalafix from 0.14.3 to 0.14.4
  • secretlint from 11.2.4 to 11.2.5
  • snakemake from 9.11.9 to 9.13.7
  • sqlfluff from 3.4.2 to 3.5.0
  • stylelint from 16.24.0 to 16.26.0
  • swiftlint from 0.61.0 to 0.62.2
  • syft from 1.33.0 to 1.38.0
  • terraform-fmt from 1.13.3 to 1.14.0
  • terragrunt from 0.88.1 to 0.93.10
  • tflint from 0.59.1 to 0.60.0
  • trivy-sbom from 0.67.0 to 0.67.2
  • trivy from 0.67.0 to 0.67.2
  • trufflehog from 3.90.11 to 3.91.1
  • vale from 3.12.0 to 3.13.0
  • xmllint from 21308 to 21309

v9.1.0

Compare Source

• New linters

  • Add Robocop linter, by @​bdovaz in #​6232

• Linters enhancements

  • Python Linting: Added more file type supports for various linters. Full description here

• Doc

  • Add OLLAMA_BASE_URL is MegaLinter config Json schema

• Flavors

  • Custom flavors: Add workflow to automate detection of new MegaLinter versions and generation of new Custom Flavor

• CI

  • Fix v9 release issue + mark hardcoded versions to upgrade at each new major release.

• Linter versions upgrades (22)

  • ansible-lint from 25.9.0 to 25.9.1
  • bicep_linter from 0.37.4 to 0.38.33
  • cfn-lint from 1.39.1 to 1.40.0
  • checkstyle from 11.0.1 to 11.1.0
  • clj-kondo from 2025.09.19 to 2025.09.22
  • golangci-lint from 2.4.0 to 2.5.0
  • hadolint from 2.13.1 to 2.14.0
  • isort from 6.0.1 to 6.1.0
  • kics from 2.1.13 to 2.1.14
  • npm-groovy-lint from 15.2.1 to 15.2.2
  • php-cs-fixer from 3.87.2 to 3.88.2
  • phpstan from 2.1.28 to 2.1.30
  • pylint from 3.3.8 to 3.3.9
  • pyright from 1.1.405 to 1.1.406
  • robocop from 6.7.0 to 6.7.2
  • rubocop from 1.80.2 to 1.81.1
  • ruff-format from 0.13.1 to 0.13.3
  • ruff from 0.13.1 to 0.13.3
  • snakemake from 9.11.4 to 9.11.9
  • terraform-fmt from 1.13.2 to 1.13.3
  • terragrunt from 0.87.2 to 0.88.1
  • trivy from 0.66.0 to 0.67.0

v9.0.1

Compare Source

• Fix v9 release issue

v9.0.0

Compare Source

• Core

  • Create your own Megalinter Custom Flavors to dramatically improve your performances
    • See documentation for usage
    • Use npx mega-linter-runner@beta --custom-flavor-setup to initialize repo
    • Suggest new flavors in reporters with a mega-linter-runner including the list of linters
  • New LLM Advisor: call external LLMs to get hints to solve linter errors, available in:
    • Console Reporter
    • Text Reporter
    • Git platforms PR/MR comments Reporter
  • Use ghcr.io docker images by default because of rate limits on docker.io
  • Use uv to create the venv folder for pip-installed linters
  • Add copilot instructions for GitHub Copilot
  • Update base image to python:3.13-alpine3.21 (also embeds go 1.24)

• Disabled linters

  • puppet-lint: Disabled Until fix is provided for puppetlabs/puppet-lint#251
  • checkov: Disabled until fix is provided for bridgecrewio/checkov#7263

• Removed linters

  • markdown-link-check has been removed because lychee can be used instead, and has much better performances

• Linters enhancements

  • PHP-CS-Fixer is able to run on PHP 8.4 without error (change default configuration) by @​llaville
  • cspell: Filter output lines that do not contain found issues
  • hadolint: Extend DOCKERFILE_HADOLINT_FILE_NAMES_REGEX to include the purpose.Dockerfile convention eg service.Dockerfile.
  • sqlfluff: Handle fixing of issues

• Fixes

  • When linter is docker based, force --platform=linux/amd64 so it works when running locally on Mac
  • Added checking of *.pyi and *.ipynb files to the ruff and ruff-format linters

• Reporters

  • New default display for Pull Request comments, with expandable sections containing the first 1000 lines of the output log. Former display remains available by defining REPORTERS_MARKDOWN_SUMMARY_TYPE=table
  • Markdown summary reporter:
    • Write a file for Github integration if GITHUB_STEP_SUMMARY is set
    • Truncate less linter output lines
  • Text reporter: Change the output file names to put the linter name first, then the status
  • Enhance display of markdown summary

• Doc

  • Update documentation in all megalinter descriptor files to improve accuracy and consistency
  • Fix incorrect information in linters documentation and descriptors
  • Remove dead links
  • Add linter description (linter_text) in all linter descriptor, to generate a more exhaustive documentation.
  • Update contributing guide to explain how to manage python dependencies in the codebase

• Flavors

  • Do not suggest flavors that have more linters than the current one

• CI

  • Update default MegaLinter CI/CD workflows to disable LLM_ADVISOR in case of bot pull requests

• mega-linter-runner

  • Add all CI/CD providers in the --install command
  • Use ghcr.io docker images by default
  • New parameter --container-engine allowing to use podman as runner
  • mega-linter-runner --upgrade: Handle upgrade of github actions to their latest version
  • mega-linter-runner --upgrade: Upgrades MegaLinter actions and images to v9

• Linter versions upgrades (68)

  • ansible-lint from 25.5.0 to 25.9.0
  • bandit from 1.8.3 to 1.8.6
  • bicep_linter from 0.36.1 to 0.37.4
  • black from 25.1.0 to 25.9.0
  • cfn-lint from 1.36.0 to 1.39.1
  • checkstyle from 10.25.0 to 11.0.1
  • clang-format from 19.1.4 to 20.1.8
  • clippy from 0.1.87 to 0.1.90
  • clj-kondo from 2025.06.05 to 2025.09.19
  • csharpier from 1.0.2 to 1.1.2
  • cspell from 9.1.1 to 9.2.1
  • dartanalyzer from 3.8.1 to 3.8.3
  • devskim from 1.0.59 to 1.0.67
  • dotnet-format from 9.0.106 to 9.0.110
  • editorconfig-checker from 3.3.0 to 3.4.0
  • flake8 from 7.2.0 to 7.3.0
  • git_diff from 2.47.2 to 2.49.1
  • gitleaks from 8.27.2 to 8.28.0
  • golangci-lint from 2.1.6 to 2.4.0
  • grype from 0.94.0 to 0.100.0
  • hadolint from 2.12.0 to 2.13.1
  • helm from 3.16.3 to 3.18.4
  • htmlhint from 1.5.1 to 1.7.1
  • kics from 2.1.10 to 2.1.13
  • ktlint from 1.6.0 to 1.7.1
  • kubescape from 3.0.34 to 3.0.41
  • lightning-flow-scanner from 3.23.0 to 3.29.0
  • mypy from 1.16.0 to 1.18.2
  • npm-groovy-lint from 15.2.0 to 15.2.1
  • npm-package-json-lint from 8.0.0 to 9.0.0
  • php-cs-fixer from 3.75.0 to 3.87.2
  • phpcs from 3.13.1 to 4.0.0
  • phpstan from 2.1.17 to 2.1.28
  • pmd from 7.14.0 to 7.17.0
  • powershell from 7.5.1 to 7.5.3
  • powershell_formatter from 7.5.1 to 7.5.3
  • prettier from 3.5.3 to 3.6.2
  • protolint from 0.55.6 to 0.56.4
  • psalm from Psalm.6.12.0@​ to Psalm.6.13.1@​
  • pylint from 3.3.7 to 3.3.8
  • pyright from 1.1.402 to 1.1.405
  • revive from 1.10.0 to 1.12.0
  • roslynator from 0.10.1.0 to 0.10.2.0
  • rubocop from 1.76.1 to 1.80.2
  • ruff-format from 0.11.13 to 0.13.1
  • ruff from 0.11.13 to 0.13.1
  • secretlint from 10.1.0 to 11.2.4
  • selene from 0.28.0 to 0.29.0
  • shellcheck from 0.10.0 to 0.11.0
  • shfmt from 3.11.0 to 3.12.0
  • snakefmt from 0.11.0 to 0.11.2
  • snakemake from 9.5.1 to 9.11.4
  • sqlfluff from 3.4.1 to 3.4.2
  • stylelint from 16.20.0 to 16.24.0
  • swiftlint from 0.59.1 to 0.61.0
  • syft from 1.27.1 to 1.33.0
  • terraform-fmt from 1.12.2 to 1.13.2
  • terragrunt from 0.81.6 to 0.87.2
  • tflint from 0.58.0 to 0.59.1
  • trivy-sbom from 0.63.0 to 0.66.0
  • trivy from 0.63.0 to 0.66.0
  • trufflehog from 3.89.1 to 3.90.8
  • v8r from 5.0.0 to 5.1.0
  • vale from 3.11.2 to 3.12.0
  • xmllint from 21304 to 21308

v8.8.0

Compare Source

• Core

  • Retrieve SARIF errors and warnings correctly, by @​bdovaz in #​4837

• Linters enhancements

  • More config file name checks for ansible-lint activation, by @​nvuillam in #​5590

• Fixes

  • Fix crash when the markdown table summary is empty, by @​nvuillam in #​5363
  • Downgrade click to make rstcheck work again, by @​nvuillam in #​5387

• Doc

  • Display hash as plain text in markdown, by @​johndutchover in #​5420

• Flavors

  • Add Gherkin descriptor in java flavor, by @​nvuillam in #​5592

• CI

  • Fix rust setup & disable codecov-cli, by @​nvuillam in #​5579

• Linter versions upgrades (50)

  • ansible-lint from 25.4.0 to 25.5.0
  • bicep_linter from 0.35.1 to 0.36.1
  • cfn-lint from 1.34.2 to 1.36.0
  • checkstyle from 10.23.1 to 10.25.0
  • clippy from 0.1.86 to 0.1.87
  • clj-kondo from 2025.04.07 to 2025.06.05
  • csharpier from 1.0.1 to 1.0.2
  • cspell from 8.19.4 to 9.1.1
  • dartanalyzer from 3.7.3 to 3.8.1
  • devskim from 1.0.56 to 1.0.59
  • dotnet-format from 9.0.105 to 9.0.106
  • editorconfig-checker from 3.2.1 to 3.3.0
  • gitleaks from 8.25.1 to 8.27.2
  • golangci-lint from 2.1.5 to 2.1.6
  • grype from 0.91.2 to 0.94.0
  • htmlhint from 1.1.4 to 1.5.1
  • kics from 2.1.7 to 2.1.10
  • ktlint from 1.5.0 to 1.6.0
  • kubeconform from 0.6.7 to 0.7.0
  • lightning-flow-scanner from 3.8.0 to 3.23.0
  • ls-lint from 2.3.0 to 2.3.1
  • markdownlint from 0.44.0 to 0.45.0
  • mypy from 1.15.0 to 1.16.0
  • npm-groovy-lint from 15.1.0 to 15.2.0
  • phpcs from 3.12.2 to 3.13.1
  • phpstan from 2.1.14 to 2.1.17
  • pmd from 7.13.0 to 7.14.0
  • protolint from 0.54.1 to 0.55.6
  • psalm from Psalm.6.10.2@​ to Psalm.6.12.0@​
  • pylint from 3.3.6 to 3.3.7
  • pyright from 1.1.400 to 1.1.402
  • revive from 1.9.0 to 1.10.0
  • rstcheck from 6.2.4 to 6.2.5
  • rubocop from 1.75.4 to 1.76.1
  • ruff from 0.11.8 to 0.11.13
  • ruff-format from 0.11.8 to 0.11.13
  • scalafix from 0.14.2 to 0.14.3
  • secretlint from 9.3.2 to 10.1.0
  • semgrep from 3.12 to 3.13
  • sfdx-scanner-apex from 4.11.0 to 4.12.0
  • sfdx-scanner-aura from 4.11.0 to 4.12.0
  • sfdx-scanner-lwc from 4.11.0 to 4.12.0
  • snakemake from 8.27.1 to 9.5.1
  • sqlfluff from 3.4.0 to 3.4.1
  • stylelint from 16.19.1 to 16.20.0
  • syft from 1.23.1 to 1.27.1
  • terraform-fmt from 1.11.4 to 1.12.2
  • terragrunt from 0.78.0 to 0.81.6
  • tflint from 0.57.0 to 0.58.0
  • trivy from 0.62.0 to 0.63.0
  • trivy-sbom from 0.62.0 to 0.63.0
  • trufflehog from 3.88.27 to 3.89.1
  • v8r from 4.4.0 to 5.0.0

v8.7.0

Compare Source

• Core

  • Replace pychalk (not maintained for 7 years) by termcolor, by @​nvuillam in #​5316
  • Update make scripts so they also work on Windows, by @​nvuillam in #​5316
  • Align number columns of markdown tables in reports, by @​nvuillam in #​4835

• Linters enhancements

  • Add new CSharpier supported file extensions, by @​bdovaz in #​5292

• Fixes

  • Exclude from sanitization the regular expressions that have awful performances, by @​nvuillam in #​5308
  • New variable SKIP_LINTER_OUTPUT_SANITIZATION to skip sanitization to improve performances if you are on a private repository with secured access, by @​nvuillam in #​5308

• Linter versions upgrades (27)

  • ansible-lint from 25.2.1 to 25.4.0
  • bicep_linter from 0.34.44 to 0.35.1
  • cfn-lint from 1.34.1 to 1.34.2
  • checkov from 3.2.404 to 3.2.413
  • checkstyle from 10.23.0 to 10.23.1
  • csharpier from 0.30.6 to 1.0.1
  • cspell from 8.19.2 to 8.19.4
  • gitleaks from 8.24.3 to 8.25.1
  • golangci-lint from 1.64.8 to 2.1.5
  • lightning-flow-scanner from 3.4.0 to 3.8.0
  • phpstan from 2.1.12 to 2.1.14
  • pmd from 7.12.0 to 7.13.0
  • powershell from 7.5.0 to 7.5.1
  • protolint from 0.53.0 to 0.54.1
  • psalm from 6.10.1 to 6.10.2
  • rubocop from 1.75.3 to 1.75.4
  • ruff from 0.11.6 to 0.11.8
  • ruff-format from 0.11.6 to 0.11.8
  • secretlint from 9.3.1 to 9.3.2
  • stylelint from 16.19.0 to 16.19.1
  • terragrunt from 0.77.22 to 0.78.0
  • tflint from 0.56.0 to 0.57.0
  • trivy from 0.61.1 to 0.62.0
  • trivy-sbom from 0.61.1 to 0.62.0
  • v8r from 4.3.0 to 4.4.0
  • yamllint from 1.37.0 to 1.37.1

v8.6.0

Compare Source

• Core

  • New config property ENABLE_ERRORS_LINTERS. If set, only the listed linters will be considered as blocking

• New linters

  • Add cppcheck linter, by @​bdovaz in #​5224

• Media

  • Integrating MegaLinter to Automate Linting Across Multiple Codebases. A Technical Description, by Thorsten Foltz

• Linters enhancements

  • editorconfig_checker Changes default EditorConfig-Checker config filename by @​llaville in #​5061
  • TruffleHog: Ignore .git by default if not already done using --exclude-paths option

• Fixes

  • Sanitize all linter outputs by default, by @​nvuillam in #​5266

• Doc

  • Add j2lint to plugins, by @​wesley-dean in #​5151
  • Add fmlint (frontmatter linter) to plugins list by @​wesley-dean in #​5257
  • Remove trailing spaces by @​parkerbxyz in #​5185

• CI

  • Initial Renovate automerge configuration, by @​echoix in #​5057
  • Set update schedule for checkov updates, by @​echoix in #​5064
  • Always upgrade packages from base image for updated security fixes, by @​echoix in #​5152
  • build-command: Unshallow pull or full pull before committing changes, by @​echoix in #​5201

• Linter versions upgrades (50)

  • ansible-lint from 25.1.3 to 25.2.1
  • bicep_linter from 0.34.1 to 0.34.44
  • cfn-lint from 1.32.0 to 1.34.1
  • checkov from 3.2.390 to 3.2.404
  • checkstyle from 10.21.4 to 10.23.0
  • clippy from 0.1.85 to 0.1.86
  • clj-kondo from 2025.02.20 to 2025.04.07
  • cpplint from 2.0.0 to 2.0.2
  • cspell from 8.17.5 to 8.19.2
  • dartanalyzer from 3.7.2 to 3.7.3
  • devskim from 1.0.52 to 1.0.56
  • dotnet-format from 9.0.104 to 9.0.105
  • flake8 from 7.1.2 to 7.2.0
  • gitleaks from 8.24.2 to 8.24.3
  • grype from 0.90.0 to 0.91.2
  • kics from 2.1.6 to 2.1.7
  • kubescape from 3.0.32 to 3.0.34
  • lightning-flow-scanner from 3.2.0 to 3.4.0
  • ls-lint from 2.2.3 to 2.3.0
  • phplint from 9.5.6 to 9.6.2
  • php-cs-fixer from 3.73.1 to 3.75.0
  • phpcs from 3.12.0 to 3.12.2
  • phpstan from 2.1.8 to 2.1.12
  • pmd from 7.11.0 to 7.12.0
  • psalm from Psalm.6.9.4@​ to Psalm.6.10.1@​
  • pyright from 1.1.397 to 1.1.400
  • revive from 1.7.0 to 1.9.0
  • rubocop from 1.74.0 to 1.75.3
  • ruff from 0.11.2 to 0.11.6
  • ruff-format from 0.11.2 to 0.11.6
  • secretlint from 9.2.0 to 9.3.1
  • sfdx-scanner-apex from 4.10.0 to 4.11.0
  • sfdx-scanner-aura from 4.10.0 to 4.11.0
  • sfdx-scanner-lwc from 4.10.0 to 4.11.0
  • spectral from 6.14.3 to 6.15.0
  • sqlfluff from 3.3.1 to 3.4.0
  • stylelint from 16.16.0 to 16.19.0
  • swiftlint from 0.58.2 to 0.59.1
  • syft from 1.21.0 to 1.23.1
  • terraform-fmt from 1.11.2 to 1.11.4
  • terragrunt from 0.76.6 to 0.77.22
  • tflint from 0.55.1 to 0.56.0
  • trivy from 0.60.0 to 0.61.1
  • trivy-sbom from 0.60.0 to 0.61.1
  • trufflehog from 3.88.18 to 3.88.25
  • v8r from 4.2.1 to 4.3.0
  • vale from 3.9.4 to 3.11.2
  • yamllint from 1.36.2 to 1.37.0

v8.5.0

Compare Source

• Core

  • Addition of warnings to reporters and logic changes to surface warnings even when there are no errors. Addition of cli_lint_warning_count / cli_lint_warning_regex variables to the JSON schema. #​4476, by @​bdovaz in #​4556

• Linters enhancements

  • kubescape Remove downgraded_version from kubescape, by @​bdovaz in #​4712
  • npm-groovy-lint: Undowngrade npm-groovy-lint as there is a new release with issue fixed by @​nvuillam in #​4834
  • syft: Add SBOM file by default in report folder + remove useless debug statement
  • trivy-sbom: Add SBOM file by default in report folder + remove useless debug statement

• Fixes

  • Use npm to install pyright
  • Undowngrade npm-groovy-lint as there is a new release with issue fix
  • jscpd: remove forced --exitCode 1 to fix #​4631
  • Use --with-all-dependencies to install phpcs-fixer, by @​nvuillam in #​4672
  • Remove Composer config PHP 8.3 compatibility platform for PSALM 6.0, by @​llaville in #​4930
  • Fix lychee upgrade issue (lycheeignore upgrade), by @​wesley-dean in #​4964

• Doc

  • Remove reference to R2DevOps jobs as it has been discontinued (see #​4678)
  • Improve contributing doc by adding reference to source .venv/Scripts/activate on Windows
  • Better apk package url, by @​bdovaz in #​4707
  • Better package version docs, by @​bdovaz in #​4721
  • Correct default SARIF_REPORTER_FILE_NAME, by @​yxtay in #​4783
  • Use github private email for megalinter-bot, by @​yxtay in #​4786
  • Update plugins.md to add raw link to JSON schema, by @​wesley-dean in #​4932

• Flavors

  • Add syft in all flavors

• CI

  • Update .devcontainer configuration, by @​bdovaz in #​4843
  • Configure Renovate for gem, cargo, pip and npm dependencies, by @​bdovaz in #​4673
  • Configure Renovate for composer dependencies, by [@​bd

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	3		0	0	0.02s
✅ COPYPASTE	jscpd	yes		no	no	1.52s
✅ JSON	jsonlint	1		0	0	0.07s
⚠️ JSON	prettier	1		1	0	0.33s
✅ JSON	v8r	1		0	0	2.43s
✅ MARKDOWN	markdownlint	1		0	0	0.47s
✅ MARKDOWN	markdown-table-formatter	1		0	0	0.28s
⚠️ REPOSITORY	checkov	yes		3	no	18.18s
✅ REPOSITORY	gitleaks	yes		no	no	0.14s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	35.29s
✅ REPOSITORY	kics	yes		no	no	1.95s
✅ REPOSITORY	secretlint	yes		no	no	1.03s
✅ REPOSITORY	syft	yes		no	no	2.04s
✅ REPOSITORY	trivy	yes		no	no	10.66s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.3s
✅ REPOSITORY	trufflehog	yes		no	no	3.61s
⚠️ SPELL	cspell	8		16	0	4.4s
✅ SPELL	lychee	5		0	0	0.16s
⚠️ YAML	prettier	3		1	4	0.33s
✅ YAML	v8r	3		0	0	2.84s
✅ YAML	yamllint	3		0	0	0.92s

Detailed Issues

⚠️ REPOSITORY / checkov - 3 errors

github_actions scan results:

Passed checks: 97, Failed checks: 3, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Pre-merge)
	File: /.github/workflows/pre-merge.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Pull Request)
	File: /.github/workflows/lint.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Post-merge)
	File: /.github/workflows/post-merge.yml:0-1

⚠️ SPELL / cspell - 16 errors

.github/workflows/post-merge.yml:84:46     - Unknown word (kyhule)     -- githubPackagesUsername: kyhule
	 Suggestions: [kyle, keyhole, Kyle, yule, Yule]
.github/workflows/post-merge.yml:114:13    - Unknown word (gradlew)    -- ./gradlew
	 Suggestions: [gradle, gradely, grade, grable, graded]
.github/workflows/post-merge.yml:117:12    - Unknown word (Preckon)    -- -Preckon.scope=${{ inputs.version
	 Suggestions: [Precox, Precook, Precool, preston, Preston]
.github/workflows/post-merge.yml:118:12    - Unknown word (Preckon)    -- -Preckon.stage=${{ inputs.version
	 Suggestions: [Precox, Precook, Precool, preston, Preston]
.github/workflows/post-merge.yml:121:15    - Unknown word (dorny)      -- uses: dorny/test-reporter@31a54ee
	 Suggestions: [dory, donny, dorky, dormy, dorty]
.github/workflows/post-merge.yml:147:13    - Unknown word (gradlew)    -- ./gradlew
	 Suggestions: [gradle, gradely, grade, grable, graded]
.github/workflows/post-merge.yml:150:12    - Unknown word (Preckon)    -- -Preckon.scope=${{ inputs.version
	 Suggestions: [Precox, Precook, Precool, preston, Preston]
.github/workflows/post-merge.yml:151:12    - Unknown word (Preckon)    -- -Preckon.stage=${{ inputs.version
	 Suggestions: [Precox, Precook, Precool, preston, Preston]
.github/workflows/post-merge.yml:158:13    - Unknown word (gradlew)    -- ./gradlew
	 Suggestions: [gradle, gradely, grade, grable, graded]
.github/workflows/post-merge.yml:161:12    - Unknown word (Preckon)    -- -Preckon.scope=${{ inputs.version
	 Suggestions: [Precox, Precook, Precool, preston, Preston]
.github/workflows/pre-merge.yml:49:46     - Unknown word (kyhule)     -- githubPackagesUsername: kyhule
	 Suggestions: [kyle, keyhole, Kyle, yule, Yule]
.github/workflows/pre-merge.yml:79:13     - Unknown word (gradlew)    -- ./gradlew
	 Suggestions: [gradle, gradely, grade, grable, graded]
.github/workflows/pre-merge.yml:84:15     - Unknown word (dorny)      -- uses: dorny/test-reporter@31a54ee
	 Suggestions: [dory, donny, dorky, dormy, dorty]
.gitignore:33:3      - Unknown word (hprof)      -- *.hprof
	 Suggestions: [prof, pprof, Prof, hero, hoof]
README.md:1:3       - Unknown word (polyworld)  -- # polyworld-workflows
	 Suggestions: [plywood, polypod, poleward, polypoid, polymorph]
README.md:2:50      - Unknown word (Polyworld)  -- workflows for building the Polyworld App
	 Suggestions: [Plywood, Polypod, Poleward, Polypoid, Polymorph]
CSpell: Files checked: 8, Issues found: 16 in 4 files.


You can skip this misspellings by defining the following .cspell.json file at the root of your repository
Of course, please correct real typos before :)

{
    "version": "0.2",
    "language": "en",
    "ignorePaths": [
        "**/node_modules/**",
        "**/vscode-extension/**",
        "**/.git/**",
        "**/.pnpm-lock.json",
        ".vscode",
        "package-lock.json",
        "megalinter-reports"
    ],
    "words": [
        "Polyworld",
        "Preckon",
        "dorny",
        "gradlew",
        "hprof",
        "kyhule",
        "polyworld"
    ]
}


You can also copy-paste megalinter-reports/.cspell.json at the root of your repository

⚠️ JSON / prettier - 1 error

Checking formatting...
[warn] renovate.json
[warn] Code style issues found in the above file. Run Prettier with --write to fix.

⚠️ YAML / prettier - 1 error

Checking formatting...
[warn] .github/workflows/lint.yml
[warn] .github/workflows/post-merge.yml
[warn] .github/workflows/pre-merge.yml
[warn] Code style issues found in 3 files. Run Prettier with --write to fix.

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

• oxsecurity/megalinter/flavors/terraform@v9.4.0 (56 linters)

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,COPYPASTE_JSCPD,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository