chore(deps): update oxsecurity/megalinter action to v9

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
oxsecurity/megalinter	action	major	v8 → v9

---

Release Notes

oxsecurity/megalinter (oxsecurity/megalinter)

v9.6.0

Compare Source

• Breaking changes

  • Linters can no longer be run via a sibling Docker image at runtime. The cli_docker_image, cli_docker_image_version and cli_docker_args descriptor properties (and the matching <LINTER>_DOCKER_IMAGE_VERSION variable) have been removed, and MegaLinter no longer mounts /var/run/docker.sock (in mega-linter-runner, the GitHub Action action.yml files, and the Docker daemon previously bundled in flavor images). This closes the host-privilege escalation surface that the mounted Docker socket exposed. The only linter that used this mechanism was SWIFT_SWIFTLINT, now installed natively (see below). (#​8216)
  • SWIFT_SWIFTLINT is now installed from the static swiftlint-static binary instead of running the ghcr.io/realm/swiftlint container. It runs natively on the Alpine image with no Docker socket required. SourceKit-dependent rules are disabled in this build and reported to the console when encountered; pure-syntax style rules are unaffected. (#​8216)
  • @eslint/eslintrc shim removed from JavaScript/TypeScript/JSX/TSX Docker images (was only needed for legacy FlatCompat); MegaLinter's bundled test fixtures use native flat config. (#​7869)
  • ESLint linters now force migration off .eslintrc.*: JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT activate when they find any eslint.config.* or any deprecated .eslintrc.* / package.json#eslintConfig. In the legacy case the linter does not call ESLint at all — it emits a single hard failure with a migration message so the build stays red until the config is migrated to flat config. See the ESLint flat-config migration guide. To opt out, set DISABLE_LINTERS or DISABLE to exclude the affected linter/descriptor. (#​7869)
  • JSON_ESLINT_PLUGIN_JSONC removed: upstream bug ota-meshi/eslint-plugin-jsonc#328 blocks ESLint v10 compatibility and will not be fixed. Use JSON_JSONLINT, JSON_PRETTIER, or JSON_V8R for JSON validation instead. (#​7869)

• Core

  • New linter descriptor property common_linter_errors: declare known non-lint failure patterns (config issue, remote service down, missing credentials…) and the guidance message shown to users, directly in YAML — no custom Python class needed. (#​7907)
  • Skipped-linters summary now explains why a linter was skipped by an activation rule, including the variable to set to activate it (e.g. MARKDOWN_RUMDL: MARKDOWN_DEFAULT_STYLE=markdownlint (set MARKDOWN_DEFAULT_STYLE=rumdl to activate)), fixing #​8017.

• New linters

  • Add betterleaks linter for repository secrets scanning — successor to gitleaks with higher recall (98.6% vs 70.4%), lower false-positive rates, and 4–5× faster scanning via BPE-based detection and CEL filter expressions (#​8186)

• Disabled linters

  • SALESFORCE_SFDX_SCANNER_APEX, SALESFORCE_SFDX_SCANNER_AURA and SALESFORCE_SFDX_SCANNER_LWC — disabled because sfdx-scanner 4.12.0 crashes on Node.js 22+ (TypeError: Cannot read properties of undefined (reading 'prototype'), caused by the removal of SlowBuffer.prototype), which is shipped with Alpine 3.24. These linters were already deprecated; use the SALESFORCE_CODE_ANALYZER_APEX / SALESFORCE_CODE_ANALYZER_AURA / SALESFORCE_CODE_ANALYZER_LWC variants instead (#​8080).

• Deprecated linters

  • REPOSITORY_GITLEAKS — deprecated in favour of REPOSITORY_BETTERLEAKS (same author, fully compatible config, significantly better detection). Will be removed in the next major release. Disable it by adding REPOSITORY_GITLEAKS to DISABLE_LINTERS in your .mega-linter.yml. (#​8186)

• Removed linters

  • JSON_ESLINT_PLUGIN_JSONC — permanently broken by upstream bug (see Breaking changes) (#​7869)

• Linters enhancements

  • REPOSITORY_CHECKOV: in pull-request mode, scan only the files modified in the PR instead of the whole repository (#​7119)

• Fixes

  • REPOSITORY_BETTERLEAKS: default scan now runs in filesystem (dir) mode instead of auto-switching to git-history (git) mode when a git repository is detected. betterleaks does not read the global git safe.directory config, so git mode failed with fatal: detected dubious ownership in repository in CI environments (e.g. GitHub Actions /github/workspace). Git-history mode is still used for the opt-in REPOSITORY_BETTERLEAKS_PR_COMMITS_SCAN feature. (#​8186)
  • REPOSITORY_BETTERLEAKS: added --verbose so detected findings (file, line and rule) are reported instead of only the leaks found: N summary, matching gitleaks behavior. Secret values stay redacted via --redact. (#​8186)
  • REPOSITORY_OSV_SCANNER: exit code 128 ("No package sources found") is now treated as a clean pass instead of a failure — osv-scanner returns this code when the repo contains no lockfiles/manifests/SBOMs, which is not a vulnerability finding (#​7917).
  • Fix intermittent ansible-lint load-failure[not-found] error on github_conf/branch_protection_rules.json caused by a race condition with checkov running in parallel. Checkov's transient GitHub-conf directory is now written to a hidden path (.megalinter_github_conf) that project-mode linters skip, eliminating the conflict (#​8092).
  • Complete the Alpine 3.24 upgrade across the whole image and fix how alpine version is detected. Docker images now build on the python:3.14-alpine3.24 base image (#​8080).
  • Avoid DeprecationWarning / future breakage on Python 3.14 by no longer passing count and flags as positional arguments to re.sub (#​8211).
  • Exclude REPORT_OUTPUT_FOLDER from linting when configured as an absolute path inside the workspace (e.g. /tmp/lint/megalinter-reports), fixing #​7845.
  • Fix command injection in Roslynator linter (DOTNET_ROSLYNATOR) where a crafted .csproj filename could break out of dotnet restore arguments and execute arbitrary shell commands. The command is now invoked via argv list instead of a shell string. Reported by Francesco Sabiu. (#​7857)
  • Fix IndexError when building the single-linter Docker image for a linter whose activation depends on a file (e.g. SPELL_VALE requires .vale.ini): python -m megalinter.run --linterversion now bypasses activation filtering since the per-linter image is built for that linter unconditionally.
  • Fix make bootstrap appearing to hang because exported Make color variables re-evaluated tput during recursive make invocations. (#​8090)
  • Allow MegaLinter containers to run in an opt-in non-root mode matching the host UID:GID on POSIX systems, avoiding root-owned generated files on the host (#​1975).
  • Restore missing examples in the Dart descriptor that were dropped from the generated documentation (#​7913).

• Reporters

  • Update Bitbucket pipeline generator template to trigger builds on pull requests from any branch, by @​yermulnik in #​7421

• Doc

  • Add pnpm installation and usage documentation for JavaScript and TypeScript linters (#​8177)
  • Update Docker pull counters in README badges and flavors-stats.json with latest ghcr.io stats
  • Bump peter-evans/create-pull-request to v8 in the documented workflow examples (#​8089)

• mega-linter-runner

  • Add --user-map / --no-user-map to control whether the MegaLinter container runs in non-root mode. On POSIX systems --user-map uses the current host UID:GID; on other hosts it falls back to 1000:1000. (#​8120)
  • Add --no-prompt flag to mega-linter-runner --upgrade for non-interactive upgrades (#​8093)
  • Mark mega-linter-runner/index.js as executable in git (#​8091)

• Dev

  • Add specialized Claude Code sub-agents (pr-monitor, security-analyst, version-bumper) and assign cost-effective models to mechanical tasks, to speed up and reduce the token cost of contributor workflows (#​7906).
  • Add the /fix-issue Claude Code skill for end-to-end GitHub issue fixes (gather context, implement on a branch, open a PR, watch CI) (#​7848).
  • Stop generating per-linter Dockerfiles for linters marked disabled: true in their descriptor. The matching images were already excluded from the build matrix (linters_matrix.json) and never published, so the on-disk linters/<linter>/Dockerfile was dead code. Deleted the 8 corresponding stale Dockerfile directories.
  • Make the build's config-schema write atomic with a retry (write to a temp file then os.replace), so a transient file lock from an editor's JSON language server or antivirus no longer crashes the build with OSError: [Errno 22] on Windows.
  • Move the .devcontainer setup from the Dockerfile to a JSON configuration file (#​7865).
  • Update the Python version in the devcontainer image (#​7853).

• CI

  • Build the real { linter, platform, runner } job list directly in get-linters-matrix for the DEV and BETA linter workflows, instead of a linter×runner cross-product filtered at runtime by job_enabled. Removes the Prepare step and the no-op jobs while preserving selection logic (#​8133, #​8134).
  • Track image-runtime shell scripts (setup-runtime-user, megalinter_exec) in the image-build path filters by renaming them to .sh, so changes to them correctly trigger image rebuilds; generated images now use root-independent command wrappers instead of shell aliases (#​8213).
  • Suppress the new ref-version-mismatch audit introduced by zizmor 1.25.0 for the project's pinned uses: action references. The SHA pins are correct (the supply-chain property); only the inline # vX comments lag behind exact subversions, and renovate maintains the hashes.
  • Simplify the workflow trigger condition to prevent duplicate runs for pushes from forks.
  • Fix the deploy-dev workflow (#​8154).
  • Remove unused QEMU setup from workflows (#​8132).
  • Prevent FromAsCasing build warning in generated Dockerfiles (#​8094).
  • Fix the documentation release workflow (#​7837).

• Linter versions upgrades (58)

  • bash-exec from 5.3.3 to 5.3.9
  • betterleaks from 1.5.0 to 1.6.0
  • bicep_linter from 0.43.8 to 0.44.1
  • black from 26.3.1 to 26.5.1
  • cfn-lint from 3.14 to 1.52.0
  • checkov from 3.2.529 to 3.3.2
  • clang-format from 21.1.2 to 22.1.3
  • clippy from 0.1.95 to 0.1.96
  • code-analyzer-apex from 5.12.0 to 5.13.0
  • code-analyzer-aura from 5.12.0 to 5.13.0
  • code-analyzer-lwc from 5.12.0 to 5.13.0
  • cppcheck from 2.18.3 to 2.21.0
  • cspell from 10.0.0 to 10.0.1
  • dartanalyzer from 3.11.6 to 3.12.2
  • djlint from 1.36.4 to 1.39.4
  • dotnet-format from 10.0.108 to 10.0.301
  • editorconfig-checker from 3.6.1 to 3.7.0
  • eslint from 10.3.0 to 10.5.0
  • git_diff from 2.52.0 to 2.54.0
  • grype from 0.112.0 to 0.115.0
  • jscpd from 4.1.1 to 5.0.11
  • kingfisher from 1.99.0 to 1.104.0
  • kubeconform from 0.7.0 to 0.8.0
  • kubescape from 4.0.8 to 4.0.9
  • markdownlint from 0.48.0 to 0.49.0
  • npm-package-json-lint from 10.4.0 to 10.4.1
  • php-cs-fixer from 3.95.2 to 3.95.11
  • phplint from 9.7.1 to 9.7.2
  • phpstan from 2.1.54 to 2.2.2
  • pmd from 7.24.0 to 7.25.0
  • powershell from 7.6.1 to 7.6.3
  • powershell_formatter from 7.6.1 to 7.6.3
  • prettier from 3.8.3 to 3.8.4
  • pylint from 4.0.5 to 4.0.6
  • pyright from 1.1.409 to 1.1.410
  • robocop from 8.2.8 to 8.3.2
  • rubocop from 1.86.2 to 1.88.0
  • ruff from 0.15.13 to 0.15.20
  • ruff-format from 0.15.13 to 0.15.20
  • rumdl from 0.1.93 to 0.2.24
  • scalafix from 0.14.6 to 0.14.7
  • semgrep from 1.163.0 to 1.168.0
  • snakefmt from 1.1.0 to 2.0.3
  • snakemake from 9.21.0 to 9.23.1
  • sqlfluff from 4.2.1 to 4.2.2
  • stylelint from 17.11.0 to 17.13.0
  • stylua from 2.4.1 to 2.5.2
  • swiftlint from 0.63.2 to 0.65.0
  • syft from 1.44.0 to 1.46.0
  • tekton-lint from 1.1.0 to 1.2.0
  • terraform-fmt from 1.15.2 to 1.15.6
  • terragrunt from 1.0.4 to 1.0.8
  • tflint from 0.62.1 to 0.63.1
  • trivy from 0.70.0 to 0.71.2
  • trivy-sbom from 0.70.0 to 0.71.2
  • trufflehog from 3.95.3 to 3.95.6
  • v8r from 6.0.0 to 6.1.0
  • vale from 3.14.2 to 3.15.1

v9.5.0

Compare Source

Take 2 mn to read MegaLinter v9.5.0 announcements

• Breaking changes

  • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

    • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
    • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
    • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

    GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

  • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

  • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

    • extends: ["airbnb"] → extends: ["airbnb-extended"]
    • extends: ["standard"] → extends: ["neostandard"]

• Core

  • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
  • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
  • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
  • Upgrade GO runtime to 1.26.3

• New linters

  • osv-scanner: trivy-like vulnerability scanner by Google
  • zizmor: GitHub Actions static analysis

• Disabled linters

  • KICS (until upstream security issue is fixed)
  • Spectral (crashing)

• Re-enabled linters

  • Trivy (v0.70.0): the supply chain security incident is resolved

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

  • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
  • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
  • raku (Rakudo): now ships on ARM64 too
  • scala: linter installation is now deterministic (same binary across rebuilds)
  • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
  • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
  • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

• Fixes

  • Console output: linters now show their log sections (not only on errors), the results table and reporter logs are printed after linters complete, and parallel-run logs are no longer interleaved
  • YAML_V8R_CONFIG_FILE / JSON_V8R_CONFIG_FILE are now correctly applied (the v8r --catalogs option is wired through)
  • lychee: fix the configured headers / Accept settings being ignored
  • Custom flavor builder: works correctly for repositories whose name contains uppercase characters
  • Docs: corrected the documented default value for the pre-commands cwd option

• Reporters

  • Comment reporters (GitHub, GitLab, Azure DevOps, Bitbucket) now work when running MegaLinter from Jenkins CI
  • GitlabCommentReporter activates as soon as GITLAB_ACCESS_TOKEN_MEGALINTER is set (no longer requires CI_JOB_TOKEN)
  • BitbucketCommentReporter: per-linter sections rendered as ### headings (Bitbucket Cloud markdown was displaying the previous <details> HTML tags as literal text)
  • Display a default user notification on PR/console reports inviting users to read the MegaLinter 9.5.0 release announcement. Can be disabled by setting SECURITY_SUGGESTIONS: false.

• Flavors

  • Multi-arch images: In custom flavors, linters can now build for linux/arm64 in addition to linux/amd64 whenever possible (Apple Silicon, AWS Graviton, Ampere…)

• Doc

  • Add documentation for the megalinter-ado Azure DevOps extension and the megalinter-mcp-server MCP server
  • Explicitly discourage the use of Personal Access Tokens (PAT) in workflows for security reasons

• mega-linter-runner

  • New --list-vars [pattern] flag (with --json) lists every MegaLinter env variable that can be passed via -e, with type, default, allowed values and examples (handy for AI coding agents)
  • -e ENABLE_LINTERS=YAML_PRETTIER,YAML_YAMLLINT no longer silently drops values after the first comma (#​7500). The --env=KEY=VALUE long form is also accepted.

• Dev

  • Add CLAUDE.md and a set of /add-linter, /update-linter-version, /review-descriptor, /fix-linter-test, /add-reporter, /add-flavor, /build, /diagnose-config, /fix-security-issue skills to help work on MegaLinter with coding agents (Claude Code, GitHub Copilot, Codex, gemini-cli…)
  • Migrate copilot-instructions into Claude Code Agents & Skills
  • New descriptor capabilities for custom linter integrations: cli_lint_extra_args_after per lint mode (list_of_files / project / file), a {file} template variable usable in command-line args, and a customizable files separator

• CI

  • Run ARM linter jobs only when the commit message contains "ARM" (avoids 200 jobs per PR)
  • Do not push a fix commit if only markdown or JSON files were updated
  • Run osv-scanner on MegaLinter's own sources
  • Optimize the linter-job matrix for dependabot and renovate PRs
  • Exclude test dependencies from dependabot
  • Faster Docker image builds: optimized Dockerfile layer order, buildx layer cache (type=gha, zstd-compressed) on all deploy workflows, DEV pipeline split into parallel jobs sharing the image via cache, and cargo-based tools (sarif-fmt, zizmor, shellcheck-sarif, stylua) built in parallel multi-stage builders so the Rust toolchain no longer ships in the final image (except for clippy)
  • Hardened MegaLinter's own GitHub Actions workflows against script injection via untrusted PR contexts (zizmor findings)

• Linter versions upgrades (62)

  • actionlint from 1.7.11 to 1.7.12
  • ansible-lint from 26.2.0 to 26.4.0
  • bicep_linter from 0.41.2 to 0.43.8
  • black from 26.1.0 to 26.3.1
  • cfn-lint from 1.45.0 to 3.14
  • checkov from 3.2.506 to 3.2.529
  • clippy from 0.1.93 to 0.1.95
  • clj-kondo from 2026.01.19 to 2025.01.16
  • code-analyzer-apex from 5.10.0 to 5.12.0
  • code-analyzer-aura from 5.10.0 to 5.12.0
  • code-analyzer-lwc from 5.10.0 to 5.12.0
  • codespell from 2.4.1 to 2.4.2
  • cspell from 9.7.0 to 10.0.0
  • dartanalyzer from 3.11.1 to 3.11.6
  • dotnet-format from 9.0.114 to 10.0.108
  • eslint from 9.39.4 to 10.3.0
  • gitleaks from 8.30.0 to 8.30.1
  • golangci-lint from 2.10.1 to 2.11.4
  • grype from 0.109.0 to 0.112.0
  • htmlhint from 1.9.1 to 1.9.2
  • isort from 8.0.0 to 8.0.1
  • jscpd from 4.0.8 to 4.1.1
  • kics from 2.1.19 to 2.1.20
  • kingfisher from 1.84.0 to 1.99.0
  • kubescape from 4.0.2 to 4.0.8
  • lychee from 0.18.0 to 0.24.2
  • markdownlint from 0.47.0 to 0.48.0
  • npm-groovy-lint from 16.2.0 to 17.0.5
  • npm-package-json-lint from 9.1.0 to 10.4.0
  • osv-scanner from 2.3.5 to 2.3.8
  • php-cs-fixer from 3.94.2 to 3.95.2
  • phpstan from 2.1.40 to 2.1.54
  • pmd from 7.22.0 to 7.24.0
  • powershell from 7.5.4 to 7.6.1
  • powershell_formatter from 7.5.4 to 7.6.1
  • prettier from 3.8.1 to 3.8.3
  • psalm from Psalm.6.15.1@​ to Psalm.6.16.1@​
  • pyright from 1.1.408 to 1.1.409
  • raku from 2025.11 to 2026.03
  • revive from 1.14.0 to 1.15.0
  • robocop from 8.2.2 to 8.2.8
  • rubocop from 1.85.0 to 1.86.2
  • ruff from 0.15.4 to 0.15.13
  • ruff-format from 0.15.4 to 0.15.13
  • rumdl from 0.1.32 to 0.1.93
  • secretlint from 11.3.1 to 11.7.1
  • semgrep from 1.153.1 to 1.163.0
  • shfmt from 3.12.0 to 3.13.1
  • snakefmt from 0.11.4 to 1.1.0
  • snakemake from 9.16.3 to 9.21.0
  • sqlfluff from 4.0.4 to 4.2.1
  • stylelint from 16.26.1 to 17.11.0
  • stylua from 2.0.0 to 2.4.1
  • syft from 1.42.1 to 1.44.0
  • terraform-fmt from 1.14.5 to 1.15.2
  • terragrunt from 0.99.4 to 1.0.4
  • tflint from 0.61.0 to 0.62.1
  • trivy from 0.69.1 to 0.70.0
  • trivy-sbom from 0.69.1 to 0.70.0
  • trufflehog from 3.93.6 to 3.95.3
  • vale from 3.13.1 to 3.14.2
  • zizmor from 1.23.1 to 1.25.0

v9.4.0

Compare Source

Take 2 mn to read MegaLinter v9.5.0 announcements

• Breaking changes

  • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

    • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
    • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
    • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

    GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

  • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

  • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

    • extends: ["airbnb"] → extends: ["airbnb-extended"]
    • extends: ["standard"] → extends: ["neostandard"]

• Core

  • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
  • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
  • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
  • Upgrade GO runtime to 1.26.3

• New linters

  • osv-scanner: trivy-like vulnerability scanner by Google
  • zizmor: GitHub Actions static analysis

• Disabled linters

  • KICS (until upstream security issue is fixed)
  • Spectral (crashing)

• Re-enabled linters

  • Trivy (v0.70.0): the supply chain security incident is resolved

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

  • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
  • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
  • raku (Rakudo): now ships on ARM64 too
  • scala: linter installation is now deterministic (same binary across rebuilds)
  • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
  • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
  • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

• Fixes

  • Console output: linters now show their log sections (not only on errors), the results table and reporter logs are printed after linters complete, and parallel-run logs are no longer interleaved
  • YAML_V8R_CONFIG_FILE / JSON_V8R_CONFIG_FILE are now correctly applied (the v8r --catalogs option is wired through)
  • lychee: fix the configured headers / Accept settings being ignored
  • Custom flavor builder: works correctly for repositories whose name contains uppercase characters
  • Docs: corrected the documented default value for the pre-commands cwd option

• Reporters

  • Comment reporters (GitHub, GitLab, Azure DevOps, Bitbucket) now work when running MegaLinter from Jenkins CI
  • GitlabCommentReporter activates as soon as GITLAB_ACCESS_TOKEN_MEGALINTER is set (no longer requires CI_JOB_TOKEN)
  • BitbucketCommentReporter: per-linter sections rendered as ### headings (Bitbucket Cloud markdown was displaying the previous <details> HTML tags as literal text)
  • Display a default user notification on PR/console reports inviting users to read the MegaLinter 9.5.0 release announcement. Can be disabled by setting SECURITY_SUGGESTIONS: false.

• Flavors

  • Multi-arch images: In custom flavors, linters can now build for linux/arm64 in addition to linux/amd64 whenever possible (Apple Silicon, AWS Graviton, Ampere…)

• Doc

  • Add documentation for the megalinter-ado Azure DevOps extension and the megalinter-mcp-server MCP server
  • Explicitly discourage the use of Personal Access Tokens (PAT) in workflows for security reasons

• mega-linter-runner

  • New --list-vars [pattern] flag (with --json) lists every MegaLinter env variable that can be passed via -e, with type, default, allowed values and examples (handy for AI coding agents)
  • -e ENABLE_LINTERS=YAML_PRETTIER,YAML_YAMLLINT no longer silently drops values after the first comma (#​7500). The --env=KEY=VALUE long form is also accepted.

• Dev

  • Add CLAUDE.md and a set of /add-linter, /update-linter-version, /review-descriptor, /fix-linter-test, /add-reporter, /add-flavor, /build, /diagnose-config, /fix-security-issue skills to help work on MegaLinter with coding agents (Claude Code, GitHub Copilot, Codex, gemini-cli…)
  • Migrate copilot-instructions into Claude Code Agents & Skills
  • New descriptor capabilities for custom linter integrations: cli_lint_extra_args_after per lint mode (list_of_files / project / file), a {file} template variable usable in command-line args, and a customizable files separator

• CI

  • Run ARM linter jobs only when the commit message contains "ARM" (avoids 200 jobs per PR)
  • Do not push a fix commit if only markdown or JSON files were updated
  • Run osv-scanner on MegaLinter's own sources
  • Optimize the linter-job matrix for dependabot and renovate PRs
  • Exclude test dependencies from dependabot
  • Faster Docker image builds: optimized Dockerfile layer order, buildx layer cache (type=gha, zstd-compressed) on all deploy workflows, DEV pipeline split into parallel jobs sharing the image via cache, and cargo-based tools (sarif-fmt, zizmor, shellcheck-sarif, stylua) built in parallel multi-stage builders so the Rust toolchain no longer ships in the final image (except for clippy)
  • Hardened MegaLinter's own GitHub Actions workflows against script injection via untrusted PR contexts (zizmor findings)

• Linter versions upgrades (62)

  • actionlint from 1.7.11 to 1.7.12
  • ansible-lint from 26.2.0 to 26.4.0
  • bicep_linter from 0.41.2 to 0.43.8
  • black from 26.1.0 to 26.3.1
  • cfn-lint from 1.45.0 to 3.14
  • checkov from 3.2.506 to 3.2.529
  • clippy from 0.1.93 to 0.1.95
  • clj-kondo from 2026.01.19 to 2025.01.16
  • code-analyzer-apex from 5.10.0 to 5.12.0
  • code-analyzer-aura from 5.10.0 to 5.12.0
  • code-analyzer-lwc from 5.10.0 to 5.12.0
  • codespell from 2.4.1 to 2.4.2
  • cspell from 9.7.0 to 10.0.0
  • dartanalyzer from 3.11.1 to 3.11.6
  • dotnet-format from 9.0.114 to 10.0.108
  • eslint from 9.39.4 to 10.3.0
  • gitleaks from 8.30.0 to 8.30.1
  • golangci-lint from 2.10.1 to 2.11.4
  • grype from 0.109.0 to 0.112.0
  • htmlhint from 1.9.1 to 1.9.2
  • isort from 8.0.0 to 8.0.1
  • jscpd from 4.0.8 to 4.1.1
  • kics from 2.1.19 to 2.1.20
  • kingfisher from 1.84.0 to 1.99.0
  • kubescape from 4.0.2 to 4.0.8
  • lychee from 0.18.0 to 0.24.2
  • markdownlint from 0.47.0 to 0.48.0
  • npm-groovy-lint from 16.2.0 to 17.0.5
  • npm-package-json-lint from 9.1.0 to 10.4.0
  • osv-scanner from 2.3.5 to 2.3.8
  • php-cs-fixer from 3.94.2 to 3.95.2
  • phpstan from 2.1.40 to 2.1.54
  • pmd from 7.22.0 to 7.24.0
  • powershell from 7.5.4 to 7.6.1
  • powershell_formatter from 7.5.4 to 7.6.1
  • prettier from 3.8.1 to 3.8.3
  • psalm from Psalm.6.15.1@​ to Psalm.6.16.1@​
  • pyright from 1.1.408 to 1.1.409
  • raku from 2025.11 to 2026.03
  • revive from 1.14.0 to 1.15.0
  • robocop from 8.2.2 to 8.2.8
  • rubocop from 1.85.0 to 1.86.2
  • ruff from 0.15.4 to 0.15.13
  • ruff-format from 0.15.4 to 0.15.13
  • rumdl from 0.1.32 to 0.1.93
  • secretlint from 11.3.1 to 11.7.1
  • semgrep from 1.153.1 to 1.163.0
  • shfmt from 3.12.0 to 3.13.1
  • snakefmt from 0.11.4 to 1.1.0
  • snakemake from 9.16.3 to 9.21.0
  • sqlfluff from 4.0.4 to 4.2.1
  • stylelint from 16.26.1 to 17.11.0
  • stylua from 2.0.0 to 2.4.1
  • syft from 1.42.1 to 1.44.0
  • terraform-fmt from 1.14.5 to 1.15.2
  • terragrunt from 0.99.4 to 1.0.4
  • tflint from 0.61.0 to 0.62.1
  • trivy from 0.69.1 to 0.70.0
  • trivy-sbom from 0.69.1 to 0.70.0
  • trufflehog from 3.93.6 to 3.95.3
  • vale from 3.13.1 to 3.14.2
  • zizmor from 1.23.1 to 1.25.0

v9.3.0

Compare Source

• Core

  • Add enum name support in MegaLinter config Json schema for better autocompletion in editors
  • Update base image to python:3.13-alpine3.23

• New linters

  • Add codespell
  • Add kingfisher by @​bdovaz
  • Add rumdl by @​bdovaz

• Linters enhancements

  • Change checkmake Docker image reference by @​bdovaz

• Reporters

  • Handle multiple MegaLinter runs on the same repo using custom value sent in variable MEGALINTER_MULTIRUN_KEY
  • Allow to override url to CI build in Git based reporters using REPORTERS_ACTION_RUN_URL variable
  • Fix sections display in Gitlab console logs

• Doc

  • Classify all JSON schema config variables by category and section

• CI

  • Free disk space on GitHub actions runner when releasing a new flavor
  • Add missing Dockerfile patterns to Renovate Dockerfile manager
  • Remove gitpod custom image, workflow, and makefile targets

• Linter versions upgrades (54)

  • actionlint from 1.7.9 to 1.7.10
  • ansible-lint from 25.11.1 to 25.12.2
  • bash-exec from 5.2.37 to 5.3.3
  • black from 25.11.0 to 25.12.0
  • cfn-lint from 1.41.0 to 1.43.1
  • checkov from 3.2.495 to 3.2.497
  • clang-format from 20.1.8 to 21.1.2
  • clippy from 0.1.91 to 0.1.92
  • clj-kondo from 2025.10.23 to 2025.12.23
  • code-analyzer-apex from 5.6.1 to 5.7.1
  • code-analyzer-aura from 5.6.1 to 5.7.1
  • code-analyzer-lwc from 5.6.1 to 5.7.1
  • cppcheck from 2.14.2 to 2.18.3
  • csharpier from 1.2.1 to 1.2.5
  • cspell from 9.3.2 to 9.4.0
  • dartanalyzer from 3.8.3 to 3.10.7
  • dotnet-format from 9.0.111 to 9.0.112
  • git_diff from 2.49.1 to 2.52.0
  • golangci-lint from 2.6.2 to 2.7.2
  • grype from 0.104.1 to 0.104.3
  • helm from 3.18.4 to 3.19.0
  • htmlhint from 1.7.1 to 1.8.0
  • kics from 2.1.16 to 2.1.18
  • kingfisher from 1.71.0 to 1.73.0
  • kubescape from 3.0.45 to 3.0.47
  • markdown-table-formatter from 1.6.1 to 1.7.0
  • markdownlint from 0.45.0 to 0.47.0
  • mypy from 1.18.2 to 1.19.1
  • npm-groovy-lint from 15.2.2 to 16.1.1
  • npm-package-json-lint from 9.0.0 to 9.1.0
  • php-cs-fixer from 3.90.0 to 3.92.4
  • phplint from 9.6.2 to 9.7.1
  • phpstan from 2.1.32 to 2.1.33
  • pmd from 7.18.0 to 7.20.0
  • prettier from 3.6.2 to 3.7.4
  • psalm from Psalm.6.13.1@​ to Psalm.6.14.3@​
  • pylint from 4.0.3 to 4.0.4
  • robocop from 6.11.0 to 7.2.0
  • roslynator from 0.11.0.0 to 0.12.0.0
  • rubocop from 1.81.7 to 1.82.0
  • rubocop from 1.82.0 to 1.82.1
  • ruff-format from 0.14.6 to 0.14.10
  • ruff from 0.14.6 to 0.14.10
  • rumdl from 0.0.199 to 0.0.208
  • scalafix from 0.14.4 to 0.14.5
  • snakemake from 9.13.7 to 9.14.5
  • stylelint from 16.26.0 to 16.26.1
  • swiftlint from 0.62.2 to 0.63.0
  • syft from 1.38.0 to 1.39.0
  • terraform-fmt from 1.14.0 to 1.14.1
  • terragrunt from 0.93.10 to 0.93.13
  • trivy-sbom from 0.67.2 to 0.68.2
  • trivy from 0.67.2 to 0.68.2
  • trufflehog from 3.91.1 to 3.92.4

v9.2.0

Compare Source

• New linters

  • Salesforce Code Analyzer, by @​abdeslamads
    • SALESFORCE_CODE_ANALYZER_APEX
    • SALESFORCE_CODE_ANALYZER_AURA
    • SALESFORCE_CODE_ANALYZER_LWC

• Disabled linters

  • Reactivate checkov

• Deprecated linters

  • Deprecate terrascan as the project is discontinued. Will be completely removed in a future version.
  • SALESFORCE_SFDX_SCANNER_* linters have been deprecated and will be removed in a future version. (they are replaced by SALESFORCE_CODE_ANALYZER_* linters)

• Media

  • Looking for the best CI/CD Pipeline Linting Tool? Try MegaLinter!, by Seasoned Developer
  • (Brazilian) Qualidade e Segurança em Código com MegaLinter: automatizando análises em MAUI com GitHub Actions, by Canal dotNET

• Linters enhancements

  • Install dotenv-linter deterministically, by @​bdovaz in #​6385

• Fixes

  • #​6544: Add GITHUB_TOKEN in docker build command for custom flavor
  • Hide warning when compiling a regex
  • Fix formatting in descriptor files to reduce changes in generated markdown, by @​echoix in #​6449

• Reporters

  • Add conversion from Jenkins variables to related Git based reporters variables

• Doc

  • Keep jsonschema html docs updated when using build.py --doc, by @​echoix in #​6447
  • Commit updated license info generated from build script by @​echoix in #​6448
  • Recreate docs/descriptors folder, delete old pages by @​echoix in #​6451

• Flavors

  • Add GITHUB_TOKEN in docker buildx build command for custom flavor, by @​davidfevre-gouv-nc in #​6545

• CI

  • Optimize performances of standalone linters releases
  • Renovate: Add langchain group for package updates, by @​echoix in #​6400
  • Refactor file handling in build.py to use pathlib for improved readability, by @​echoix in #​6450

• mega-linter-runner

  • Handle upgrade of stefanzweifel/git-auto-commit-action to v7

• Linter versions upgrades (53)

  • actionlint from 1.7.7 to 1.7.9
  • ansible-lint from 25.9.1 to 25.11.1
  • bandit from 1.8.6 to 1.9.2
  • bicep_linter from 0.38.33 to 0.39.26
  • black from 25.9.0 to 25.11.0
  • cfn-lint from 1.40.0 to 1.41.0
  • checkov from 3.2.413 to 3.2.495
  • checkstyle from 11.1.0 to 12.1.0
  • clippy from 0.1.90 to 0.1.91
  • clj-kondo from 2025.09.22 to 2025.10.23
  • csharpier from 1.1.2 to 1.2.1
  • cspell from 9.2.1 to 9.3.2
  • dotenv-linter from 3.3.0 to 4.0.0
  • dotnet-format from 9.0.110 to 9.0.111
  • editorconfig-checker from 3.4.0 to 3.6.0
  • git_diff from 2.47.0 to 2.49.1
  • gitleaks from 8.28.0 to 8.30.0
  • golangci-lint from 2.5.0 to 2.6.2
  • grype from 0.100.0 to 0.104.1
  • isort from 6.1.0 to 7.0.0
  • kics from 2.1.14 to 2.1.16
  • ktlint from 1.7.1 to 1.8.0
  • kubescape from 3.0.41 to 3.0.45
  • php-cs-fixer from 3.88.2 to 3.90.0
  • phpcs from 4.0.0 to 4.0.1
  • phpstan from 2.1.30 to 2.1.32
  • pmd from 7.17.0 to 7.18.0
  • powershell from 7.5.3 to 7.5.4
  • pylint from 3.3.9 to 4.0.3
  • pyright from 1.1.406 to 1.1.407
  • raku from 2024.12 to 2025.11
  • revive from 1.12.0 to 1.13.0
  • robocop from 6.7.2 to 6.11.0
  • roslynator from 0.10.2.0 to 0.11.0.0
  • rst-lint from 1.4.0 to 2.0.2
  • rubocop from 1.81.1 to 1.81.7
  • ruff-format from 0.13.3 to 0.14.6
  • ruff from 0.13.3 to 0.14.6
  • scalafix from 0.14.3 to 0.14.4
  • secretlint from 11.2.4 to 11.2.5
  • [snakemake](https://s

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	1		0	0	0.24s
❌ ACTION	zizmor	1	0	1	0	0.23s
✅ COPYPASTE	jscpd	yes		no	no	0.4s
✅ EDITORCONFIG	editorconfig-checker	1		0	0	0.01s
✅ REPOSITORY	betterleaks	yes		no	no	0.81s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	osv-scanner	yes		no	no	0.12s
✅ REPOSITORY	secretlint	yes		no	no	0.82s
✅ REPOSITORY	syft	yes		no	no	4.19s
✅ REPOSITORY	trivy	yes		no	no	15.08s
✅ REPOSITORY	trivy-sbom	yes		no	no	1.85s
✅ REPOSITORY	trufflehog	yes		no	no	31.88s
✅ YAML	prettier	1	0	0	0	0.41s
✅ YAML	yamllint	1		0	0	0.42s

Detailed Issues

❌ ACTION / zizmor - 1 error

INFO zizmor: 🌈 zizmor v1.25.0
fatal: no audit was performed
'ref-confusion' audit failed on file://.github/workflows/pr-checks.yaml

Caused by:
    0: error in 'ref-confusion' audit
    1: couldn't list branches for actions/checkout
    2: request error while accessing GitHub API
    3: HTTP status client error (401 Unauthorized) for url (https://github.com/actions/checkout.git/git-upload-pack)


[ACTION_ZIZMOR_ERROR_GITHUB_API_UNREACHABLE] Zizmor could not access a repository referenced by a `uses:` clause via the GitHub API (missing token, insufficient scope, or cross-repo private access).
To allow zizmor to authenticate with GITHUB_TOKEN (or a PAT with `Contents: read-only`), whitelist the variable in your .mega-linter.yml:
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN
If the referenced workflow is in a private repo outside the current one, provide a PAT with cross-repo access instead of the default GITHUB_TOKEN, or run zizmor in offline mode.

Notices

⛔ ESLint v10 flat-config migration required — the following linters fail until you migrate: JAVASCRIPT_ES, JSON_ESLINT_PLUGIN_JSONC, JSX_ESLINT, TSX_ESLINT, TYPESCRIPT_ES. Legacy .eslintrc.json was detected; ESLint v10 dropped support for the .eslintrc.* format. Please migrate to eslint.config.js. See the ESLint migration guide.

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

Show us your support by starring ⭐ the repository