chore(deps): update oxsecurity/megalinter action to v9

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
oxsecurity/megalinter	action	major	v8 → v9

---

Release Notes

oxsecurity/megalinter (oxsecurity/megalinter)

v9.5.0

Compare Source

Take 2 mn to read MegaLinter v9.5.0 announcements

• Breaking changes

  • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

    • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
    • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
    • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

    GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

  • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

  • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

    • extends: ["airbnb"] → extends: ["airbnb-extended"]
    • extends: ["standard"] → extends: ["neostandard"]

• Core

  • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
  • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
  • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
  • Upgrade GO runtime to 1.26.3

• New linters

  • osv-scanner: trivy-like vulnerability scanner by Google
  • zizmor: GitHub Actions static analysis

• Disabled linters

  • KICS (until upstream security issue is fixed)
  • Spectral (crashing)

• Re-enabled linters

  • Trivy (v0.70.0): the supply chain security incident is resolved

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

  • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
  • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
  • raku (Rakudo): now ships on ARM64 too
  • scala: linter installation is now deterministic (same binary across rebuilds)
  • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
  • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
  • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

• Fixes

  • Console output: linters now show their log sections (not only on errors), the results table and reporter logs are printed after linters complete, and parallel-run logs are no longer interleaved
  • YAML_V8R_CONFIG_FILE / JSON_V8R_CONFIG_FILE are now correctly applied (the v8r --catalogs option is wired through)
  • lychee: fix the configured headers / Accept settings being ignored
  • Custom flavor builder: works correctly for repositories whose name contains uppercase characters
  • Docs: corrected the documented default value for the pre-commands cwd option

• Reporters

  • Comment reporters (GitHub, GitLab, Azure DevOps, Bitbucket) now work when running MegaLinter from Jenkins CI
  • GitlabCommentReporter activates as soon as GITLAB_ACCESS_TOKEN_MEGALINTER is set (no longer requires CI_JOB_TOKEN)
  • BitbucketCommentReporter: per-linter sections rendered as ### headings (Bitbucket Cloud markdown was displaying the previous <details> HTML tags as literal text)
  • Display a default user notification on PR/console reports inviting users to read the MegaLinter 9.5.0 release announcement. Can be disabled by setting SECURITY_SUGGESTIONS: false.

• Flavors

  • Multi-arch images: In custom flavors, linters can now build for linux/arm64 in addition to linux/amd64 whenever possible (Apple Silicon, AWS Graviton, Ampere…)

• Doc

  • Add documentation for the megalinter-ado Azure DevOps extension and the megalinter-mcp-server MCP server
  • Explicitly discourage the use of Personal Access Tokens (PAT) in workflows for security reasons

• mega-linter-runner

  • New --list-vars [pattern] flag (with --json) lists every MegaLinter env variable that can be passed via -e, with type, default, allowed values and examples (handy for AI coding agents)
  • -e ENABLE_LINTERS=YAML_PRETTIER,YAML_YAMLLINT no longer silently drops values after the first comma (#​7500). The --env=KEY=VALUE long form is also accepted.

• Dev

  • Add CLAUDE.md and a set of /add-linter, /update-linter-version, /review-descriptor, /fix-linter-test, /add-reporter, /add-flavor, /build, /diagnose-config, /fix-security-issue skills to help work on MegaLinter with coding agents (Claude Code, GitHub Copilot, Codex, gemini-cli…)
  • Migrate copilot-instructions into Claude Code Agents & Skills
  • New descriptor capabilities for custom linter integrations: cli_lint_extra_args_after per lint mode (list_of_files / project / file), a {file} template variable usable in command-line args, and a customizable files separator

• CI

  • Run ARM linter jobs only when the commit message contains "ARM" (avoids 200 jobs per PR)
  • Do not push a fix commit if only markdown or JSON files were updated
  • Run osv-scanner on MegaLinter's own sources
  • Optimize the linter-job matrix for dependabot and renovate PRs
  • Exclude test dependencies from dependabot
  • Faster Docker image builds: optimized Dockerfile layer order, buildx layer cache (type=gha, zstd-compressed) on all deploy workflows, DEV pipeline split into parallel jobs sharing the image via cache, and cargo-based tools (sarif-fmt, zizmor, shellcheck-sarif, stylua) built in parallel multi-stage builders so the Rust toolchain no longer ships in the final image (except for clippy)
  • Hardened MegaLinter's own GitHub Actions workflows against script injection via untrusted PR contexts (zizmor findings)

• Linter versions upgrades (62)

  • actionlint from 1.7.11 to 1.7.12
  • ansible-lint from 26.2.0 to 26.4.0
  • bicep_linter from 0.41.2 to 0.43.8
  • black from 26.1.0 to 26.3.1
  • cfn-lint from 1.45.0 to 3.14
  • checkov from 3.2.506 to 3.2.529
  • clippy from 0.1.93 to 0.1.95
  • clj-kondo from 2026.01.19 to 2025.01.16
  • code-analyzer-apex from 5.10.0 to 5.12.0
  • code-analyzer-aura from 5.10.0 to 5.12.0
  • code-analyzer-lwc from 5.10.0 to 5.12.0
  • codespell from 2.4.1 to 2.4.2
  • cspell from 9.7.0 to 10.0.0
  • dartanalyzer from 3.11.1 to 3.11.6
  • dotnet-format from 9.0.114 to 10.0.108
  • eslint from 9.39.4 to 10.3.0
  • gitleaks from 8.30.0 to 8.30.1
  • golangci-lint from 2.10.1 to 2.11.4
  • grype from 0.109.0 to 0.112.0
  • htmlhint from 1.9.1 to 1.9.2
  • isort from 8.0.0 to 8.0.1
  • jscpd from 4.0.8 to 4.1.1
  • kics from 2.1.19 to 2.1.20
  • kingfisher from 1.84.0 to 1.99.0
  • kubescape from 4.0.2 to 4.0.8
  • lychee from 0.18.0 to 0.24.2
  • markdownlint from 0.47.0 to 0.48.0
  • npm-groovy-lint from 16.2.0 to 17.0.5
  • npm-package-json-lint from 9.1.0 to 10.4.0
  • osv-scanner from 2.3.5 to 2.3.8
  • php-cs-fixer from 3.94.2 to 3.95.2
  • phpstan from 2.1.40 to 2.1.54
  • pmd from 7.22.0 to 7.24.0
  • powershell from 7.5.4 to 7.6.1
  • powershell_formatter from 7.5.4 to 7.6.1
  • prettier from 3.8.1 to 3.8.3
  • psalm from Psalm.6.15.1@​ to Psalm.6.16.1@​
  • pyright from 1.1.408 to 1.1.409
  • raku from 2025.11 to 2026.03
  • revive from 1.14.0 to 1.15.0
  • robocop from 8.2.2 to 8.2.8
  • rubocop from 1.85.0 to 1.86.2
  • ruff from 0.15.4 to 0.15.13
  • ruff-format from 0.15.4 to 0.15.13
  • rumdl from 0.1.32 to 0.1.93
  • secretlint from 11.3.1 to 11.7.1
  • semgrep from 1.153.1 to 1.163.0
  • shfmt from 3.12.0 to 3.13.1
  • snakefmt from 0.11.4 to 1.1.0
  • snakemake from 9.16.3 to 9.21.0
  • sqlfluff from 4.0.4 to 4.2.1
  • stylelint from 16.26.1 to 17.11.0
  • stylua from 2.0.0 to 2.4.1
  • syft from 1.42.1 to 1.44.0
  • terraform-fmt from 1.14.5 to 1.15.2
  • terragrunt from 0.99.4 to 1.0.4
  • tflint from 0.61.0 to 0.62.1
  • trivy from 0.69.1 to 0.70.0
  • trivy-sbom from 0.69.1 to 0.70.0
  • trufflehog from 3.93.6 to 3.95.3
  • vale from 3.13.1 to 3.14.2
  • zizmor from 1.23.1 to 1.25.0

v9.4.0

Compare Source

Take 2 mn to read MegaLinter v9.5.0 announcements

• Breaking changes

  • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

    • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
    • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
    • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

    GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

  • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

  • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

    • extends: ["airbnb"] → extends: ["airbnb-extended"]
    • extends: ["standard"] → extends: ["neostandard"]

• Core

  • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
  • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
  • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
  • Upgrade GO runtime to 1.26.3

• New linters

  • osv-scanner: trivy-like vulnerability scanner by Google
  • zizmor: GitHub Actions static analysis

• Disabled linters

  • KICS (until upstream security issue is fixed)
  • Spectral (crashing)

• Re-enabled linters

  • Trivy (v0.70.0): the supply chain security incident is resolved

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

  • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
  • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
  • raku (Rakudo): now ships on ARM64 too
  • scala: linter installation is now deterministic (same binary across rebuilds)
  • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
  • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
  • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

• Fixes

  • Console output: linters now show their log sections (not only on errors), the results table and reporter logs are printed after linters complete, and parallel-run logs are no longer interleaved
  • YAML_V8R_CONFIG_FILE / JSON_V8R_CONFIG_FILE are now correctly applied (the v8r --catalogs option is wired through)
  • lychee: fix the configured headers / Accept settings being ignored
  • Custom flavor builder: works correctly for repositories whose name contains uppercase characters
  • Docs: corrected the documented default value for the pre-commands cwd option

• Reporters

  • Comment reporters (GitHub, GitLab, Azure DevOps, Bitbucket) now work when running MegaLinter from Jenkins CI
  • GitlabCommentReporter activates as soon as GITLAB_ACCESS_TOKEN_MEGALINTER is set (no longer requires CI_JOB_TOKEN)
  • BitbucketCommentReporter: per-linter sections rendered as ### headings (Bitbucket Cloud markdown was displaying the previous <details> HTML tags as literal text)
  • Display a default user notification on PR/console reports inviting users to read the MegaLinter 9.5.0 release announcement. Can be disabled by setting SECURITY_SUGGESTIONS: false.

• Flavors

  • Multi-arch images: In custom flavors, linters can now build for linux/arm64 in addition to linux/amd64 whenever possible (Apple Silicon, AWS Graviton, Ampere…)

• Doc

  • Add documentation for the megalinter-ado Azure DevOps extension and the megalinter-mcp-server MCP server
  • Explicitly discourage the use of Personal Access Tokens (PAT) in workflows for security reasons

• mega-linter-runner

  • New --list-vars [pattern] flag (with --json) lists every MegaLinter env variable that can be passed via -e, with type, default, allowed values and examples (handy for AI coding agents)
  • -e ENABLE_LINTERS=YAML_PRETTIER,YAML_YAMLLINT no longer silently drops values after the first comma (#​7500). The --env=KEY=VALUE long form is also accepted.

• Dev

  • Add CLAUDE.md and a set of /add-linter, /update-linter-version, /review-descriptor, /fix-linter-test, /add-reporter, /add-flavor, /build, /diagnose-config, /fix-security-issue skills to help work on MegaLinter with coding agents (Claude Code, GitHub Copilot, Codex, gemini-cli…)
  • Migrate copilot-instructions into Claude Code Agents & Skills
  • New descriptor capabilities for custom linter integrations: cli_lint_extra_args_after per lint mode (list_of_files / project / file), a {file} template variable usable in command-line args, and a customizable files separator

• CI

  • Run ARM linter jobs only when the commit message contains "ARM" (avoids 200 jobs per PR)
  • Do not push a fix commit if only markdown or JSON files were updated
  • Run osv-scanner on MegaLinter's own sources
  • Optimize the linter-job matrix for dependabot and renovate PRs
  • Exclude test dependencies from dependabot
  • Faster Docker image builds: optimized Dockerfile layer order, buildx layer cache (type=gha, zstd-compressed) on all deploy workflows, DEV pipeline split into parallel jobs sharing the image via cache, and cargo-based tools (sarif-fmt, zizmor, shellcheck-sarif, stylua) built in parallel multi-stage builders so the Rust toolchain no longer ships in the final image (except for clippy)
  • Hardened MegaLinter's own GitHub Actions workflows against script injection via untrusted PR contexts (zizmor findings)

• Linter versions upgrades (62)

  • actionlint from 1.7.11 to 1.7.12
  • ansible-lint from 26.2.0 to 26.4.0
  • bicep_linter from 0.41.2 to 0.43.8
  • black from 26.1.0 to 26.3.1
  • cfn-lint from 1.45.0 to 3.14
  • checkov from 3.2.506 to 3.2.529
  • clippy from 0.1.93 to 0.1.95
  • clj-kondo from 2026.01.19 to 2025.01.16
  • code-analyzer-apex from 5.10.0 to 5.12.0
  • code-analyzer-aura from 5.10.0 to 5.12.0
  • code-analyzer-lwc from 5.10.0 to 5.12.0
  • codespell from 2.4.1 to 2.4.2
  • cspell from 9.7.0 to 10.0.0
  • dartanalyzer from 3.11.1 to 3.11.6
  • dotnet-format from 9.0.114 to 10.0.108
  • eslint from 9.39.4 to 10.3.0
  • gitleaks from 8.30.0 to 8.30.1
  • golangci-lint from 2.10.1 to 2.11.4
  • grype from 0.109.0 to 0.112.0
  • htmlhint from 1.9.1 to 1.9.2
  • isort from 8.0.0 to 8.0.1
  • jscpd from 4.0.8 to 4.1.1
  • kics from 2.1.19 to 2.1.20
  • kingfisher from 1.84.0 to 1.99.0
  • kubescape from 4.0.2 to 4.0.8
  • lychee from 0.18.0 to 0.24.2
  • markdownlint from 0.47.0 to 0.48.0
  • npm-groovy-lint from 16.2.0 to 17.0.5
  • npm-package-json-lint from 9.1.0 to 10.4.0
  • osv-scanner from 2.3.5 to 2.3.8
  • php-cs-fixer from 3.94.2 to 3.95.2
  • phpstan from 2.1.40 to 2.1.54
  • pmd from 7.22.0 to 7.24.0
  • powershell from 7.5.4 to 7.6.1
  • powershell_formatter from 7.5.4 to 7.6.1
  • prettier from 3.8.1 to 3.8.3
  • psalm from Psalm.6.15.1@​ to Psalm.6.16.1@​
  • pyright from 1.1.408 to 1.1.409
  • raku from 2025.11 to 2026.03
  • revive from 1.14.0 to 1.15.0
  • robocop from 8.2.2 to 8.2.8
  • rubocop from 1.85.0 to 1.86.2
  • ruff from 0.15.4 to 0.15.13
  • ruff-format from 0.15.4 to 0.15.13
  • rumdl from 0.1.32 to 0.1.93
  • secretlint from 11.3.1 to 11.7.1
  • semgrep from 1.153.1 to 1.163.0
  • shfmt from 3.12.0 to 3.13.1
  • snakefmt from 0.11.4 to 1.1.0
  • snakemake from 9.16.3 to 9.21.0
  • sqlfluff from 4.0.4 to 4.2.1
  • stylelint from 16.26.1 to 17.11.0
  • stylua from 2.0.0 to 2.4.1
  • syft from 1.42.1 to 1.44.0
  • terraform-fmt from 1.14.5 to 1.15.2
  • terragrunt from 0.99.4 to 1.0.4
  • tflint from 0.61.0 to 0.62.1
  • trivy from 0.69.1 to 0.70.0
  • trivy-sbom from 0.69.1 to 0.70.0
  • trufflehog from 3.93.6 to 3.95.3
  • vale from 3.13.1 to 3.14.2
  • zizmor from 1.23.1 to 1.25.0

v9.3.0

Compare Source

• Core

  • Add enum name support in MegaLinter config Json schema for better autocompletion in editors
  • Update base image to python:3.13-alpine3.23

• New linters

  • Add codespell
  • Add kingfisher by @​bdovaz
  • Add rumdl by @​bdovaz

• Linters enhancements

  • Change checkmake Docker image reference by @​bdovaz

• Reporters

  • Handle multiple MegaLinter runs on the same repo using custom value sent in variable MEGALINTER_MULTIRUN_KEY
  • Allow to override url to CI build in Git based reporters using REPORTERS_ACTION_RUN_URL variable
  • Fix sections display in Gitlab console logs

• Doc

  • Classify all JSON schema config variables by category and section

• CI

  • Free disk space on GitHub actions runner when releasing a new flavor
  • Add missing Dockerfile patterns to Renovate Dockerfile manager
  • Remove gitpod custom image, workflow, and makefile targets

• Linter versions upgrades (54)

  • actionlint from 1.7.9 to 1.7.10
  • ansible-lint from 25.11.1 to 25.12.2
  • bash-exec from 5.2.37 to 5.3.3
  • black from 25.11.0 to 25.12.0
  • cfn-lint from 1.41.0 to 1.43.1
  • checkov from 3.2.495 to 3.2.497
  • clang-format from 20.1.8 to 21.1.2
  • clippy from 0.1.91 to 0.1.92
  • clj-kondo from 2025.10.23 to 2025.12.23
  • code-analyzer-apex from 5.6.1 to 5.7.1
  • code-analyzer-aura from 5.6.1 to 5.7.1
  • code-analyzer-lwc from 5.6.1 to 5.7.1
  • cppcheck from 2.14.2 to 2.18.3
  • csharpier from 1.2.1 to 1.2.5
  • cspell from 9.3.2 to 9.4.0
  • dartanalyzer from 3.8.3 to 3.10.7
  • dotnet-format from 9.0.111 to 9.0.112
  • git_diff from 2.49.1 to 2.52.0
  • golangci-lint from 2.6.2 to 2.7.2
  • grype from 0.104.1 to 0.104.3
  • helm from 3.18.4 to 3.19.0
  • htmlhint from 1.7.1 to 1.8.0
  • kics from 2.1.16 to 2.1.18
  • kingfisher from 1.71.0 to 1.73.0
  • kubescape from 3.0.45 to 3.0.47
  • markdown-table-formatter from 1.6.1 to 1.7.0
  • markdownlint from 0.45.0 to 0.47.0
  • mypy from 1.18.2 to 1.19.1
  • npm-groovy-lint from 15.2.2 to 16.1.1
  • npm-package-json-lint from 9.0.0 to 9.1.0
  • php-cs-fixer from 3.90.0 to 3.92.4
  • phplint from 9.6.2 to 9.7.1
  • phpstan from 2.1.32 to 2.1.33
  • pmd from 7.18.0 to 7.20.0
  • prettier from 3.6.2 to 3.7.4
  • psalm from Psalm.6.13.1@​ to Psalm.6.14.3@​
  • pylint from 4.0.3 to 4.0.4
  • robocop from 6.11.0 to 7.2.0
  • roslynator from 0.11.0.0 to 0.12.0.0
  • rubocop from 1.81.7 to 1.82.0
  • rubocop from 1.82.0 to 1.82.1
  • ruff-format from 0.14.6 to 0.14.10
  • ruff from 0.14.6 to 0.14.10
  • rumdl from 0.0.199 to 0.0.208
  • scalafix from 0.14.4 to 0.14.5
  • snakemake from 9.13.7 to 9.14.5
  • stylelint from 16.26.0 to 16.26.1
  • swiftlint from 0.62.2 to 0.63.0
  • syft from 1.38.0 to 1.39.0
  • terraform-fmt from 1.14.0 to 1.14.1
  • terragrunt from 0.93.10 to 0.93.13
  • trivy-sbom from 0.67.2 to 0.68.2
  • trivy from 0.67.2 to 0.68.2
  • trufflehog from 3.91.1 to 3.92.4

v9.2.0

Compare Source

• New linters

  • Salesforce Code Analyzer, by @​abdeslamads
    • SALESFORCE_CODE_ANALYZER_APEX
    • SALESFORCE_CODE_ANALYZER_AURA
    • SALESFORCE_CODE_ANALYZER_LWC

• Disabled linters

  • Reactivate checkov

• Deprecated linters

  • Deprecate terrascan as the project is discontinued. Will be completely removed in a future version.
  • SALESFORCE_SFDX_SCANNER_* linters have been deprecated and will be removed in a future version. (they are replaced by SALESFORCE_CODE_ANALYZER_* linters)

• Media

  • Looking for the best CI/CD Pipeline Linting Tool? Try MegaLinter!, by Seasoned Developer
  • (Brazilian) Qualidade e Segurança em Código com MegaLinter: automatizando análises em MAUI com GitHub Actions, by Canal dotNET

• Linters enhancements

  • Install dotenv-linter deterministically, by @​bdovaz in #​6385

• Fixes

  • #​6544: Add GITHUB_TOKEN in docker build command for custom flavor
  • Hide warning when compiling a regex
  • Fix formatting in descriptor files to reduce changes in generated markdown, by @​echoix in #​6449

• Reporters

  • Add conversion from Jenkins variables to related Git based reporters variables

• Doc

  • Keep jsonschema html docs updated when using build.py --doc, by @​echoix in #​6447
  • Commit updated license info generated from build script by @​echoix in #​6448
  • Recreate docs/descriptors folder, delete old pages by @​echoix in #​6451

• Flavors

  • Add GITHUB_TOKEN in docker buildx build command for custom flavor, by @​davidfevre-gouv-nc in #​6545

• CI

  • Optimize performances of standalone linters releases
  • Renovate: Add langchain group for package updates, by @​echoix in #​6400
  • Refactor file handling in build.py to use pathlib for improved readability, by @​echoix in #​6450

• mega-linter-runner

  • Handle upgrade of stefanzweifel/git-auto-commit-action to v7

• Linter versions upgrades (53)

  • actionlint from 1.7.7 to 1.7.9
  • ansible-lint from 25.9.1 to 25.11.1
  • bandit from 1.8.6 to 1.9.2
  • bicep_linter from 0.38.33 to 0.39.26
  • black from 25.9.0 to 25.11.0
  • cfn-lint from 1.40.0 to 1.41.0
  • checkov from 3.2.413 to 3.2.495
  • checkstyle from 11.1.0 to 12.1.0
  • clippy from 0.1.90 to 0.1.91
  • clj-kondo from 2025.09.22 to 2025.10.23
  • csharpier from 1.1.2 to 1.2.1
  • cspell from 9.2.1 to 9.3.2
  • dotenv-linter from 3.3.0 to 4.0.0
  • dotnet-format from 9.0.110 to 9.0.111
  • editorconfig-checker from 3.4.0 to 3.6.0
  • git_diff from 2.47.0 to 2.49.1
  • gitleaks from 8.28.0 to 8.30.0
  • golangci-lint from 2.5.0 to 2.6.2
  • grype from 0.100.0 to 0.104.1
  • isort from 6.1.0 to 7.0.0
  • kics from 2.1.14 to 2.1.16
  • ktlint from 1.7.1 to 1.8.0
  • kubescape from 3.0.41 to 3.0.45
  • php-cs-fixer from 3.88.2 to 3.90.0
  • phpcs from 4.0.0 to 4.0.1
  • phpstan from 2.1.30 to 2.1.32
  • pmd from 7.17.0 to 7.18.0
  • powershell from 7.5.3 to 7.5.4
  • pylint from 3.3.9 to 4.0.3
  • pyright from 1.1.406 to 1.1.407
  • raku from 2024.12 to 2025.11
  • revive from 1.12.0 to 1.13.0
  • robocop from 6.7.2 to 6.11.0
  • roslynator from 0.10.2.0 to 0.11.0.0
  • rst-lint from 1.4.0 to 2.0.2
  • rubocop from 1.81.1 to 1.81.7
  • ruff-format from 0.13.3 to 0.14.6
  • ruff from 0.13.3 to 0.14.6
  • scalafix from 0.14.3 to 0.14.4
  • secretlint from 11.2.4 to 11.2.5
  • snakemake from 9.11.9 to 9.13.7
  • sqlfluff from 3.4.2 to 3.5.0
  • stylelint from 16.24.0 to 16.26.0
  • swiftlint from 0.61.0 to 0.62.2
  • syft from 1.33.0 to 1.38.0
  • terraform-fmt from 1.13.3 to 1.14.0
  • terragrunt from 0.88.1 to 0.93.10
  • tflint from 0.59.1 to 0.60.0
  • trivy-sbom from 0.67.0 to 0.67.2
  • trivy from 0.67.0 to 0.67.2
  • trufflehog from 3.90.11 to 3.91.1
  • vale from 3.12.0 to 3.13.0
  • xmllint from 21308 to 21309

v9.1.0

Compare Source

• New linters

  • Add Robocop linter, by @​bdovaz in #​6232

• Linters enhancements

  • Python Linting: Added more file type supports for various linters. Full description here

• Doc

  • Add OLLAMA_BASE_URL is MegaLinter config Json schema

• Flavors

  • Custom flavors: Add workflow to automate detection of new MegaLinter versions and generation of new Custom Flavor

• CI

  • Fix v9 release issue + mark hardcoded versions to upgrade at each new major release.

• Linter versions upgrades (22)

  • ansible-lint from 25.9.0 to 25.9.1
  • bicep_linter from 0.37.4 to 0.38.33
  • cfn-lint from 1.39.1 to 1.40.0
  • checkstyle from 11.0.1 to 11.1.0
  • clj-kondo from 2025.09.19 to 2025.09.22
  • golangci-lint from 2.4.0 to 2.5.0
  • hadolint from 2.13.1 to 2.14.0
  • isort from 6.0.1 to 6.1.0
  • kics from 2.1.13 to 2.1.14
  • npm-groovy-lint from 15.2.1 to 15.2.2
  • php-cs-fixer from 3.87.2 to 3.88.2
  • phpstan from 2.1.28 to 2.1.30
  • pylint from 3.3.8 to 3.3.9
  • pyright from 1.1.405 to 1.1.406
  • robocop from 6.7.0 to 6.7.2
  • rubocop from 1.80.2 to 1.81.1
  • ruff-format from 0.13.1 to 0.13.3
  • ruff from 0.13.1 to 0.13.3
  • snakemake from 9.11.4 to 9.11.9
  • terraform-fmt from 1.13.2 to 1.13.3
  • terragrunt from 0.87.2 to 0.88.1
  • trivy from 0.66.0 to 0.67.0

v9.0.1

Compare Source

• Fix v9 release issue

v9.0.0

Compare Source

• Core

  • Create your own Megalinter Custom Flavors to dramatically improve your performances
    • See documentation for usage
    • Use npx mega-linter-runner@beta --custom-flavor-setup to initialize repo
    • Suggest new flavors in reporters with a mega-linter-runner including the list of linters
  • New LLM Advisor: call external LLMs to get hints to solve linter errors, available in:
    • Console Reporter
    • Text Reporter
    • Git platforms PR/MR comments Reporter
  • Use ghcr.io docker images by default because of rate limits on docker.io
  • Use uv to create the venv folder for pip-installed linters
  • Add copilot instructions for GitHub Copilot
  • Update base image to python:3.13-alpine3.21 (also embeds go 1.24)

• Disabled linters

  • puppet-lint: Disabled Until fix is provided for puppetlabs/puppet-lint#251
  • checkov: Disabled until fix is provided for bridgecrewio/checkov#7263

• Removed linters

  • markdown-link-check has been removed because lychee can be used instead, and has much better performances

• Linters enhancements

  • PHP-CS-Fixer is able to run on PHP 8.4 without error (change default configuration) by @​llaville
  • cspell: Filter output lines that do not contain found issues
  • hadolint: Extend DOCKERFILE_HADOLINT_FILE_NAMES_REGEX to include the purpose.Dockerfile convention eg service.Dockerfile.
  • sqlfluff: Handle fixing of issues

• Fixes

  • When linter is docker based, force --platform=linux/amd64 so it works when running locally on Mac
  • Added checking of *.pyi and *.ipynb files to the ruff and ruff-format linters

• Reporters

  • New default display for Pull Request comments, with expandable sections containing the first 1000 lines of the output log. Former display remains available by defining REPORTERS_MARKDOWN_SUMMARY_TYPE=table
  • Markdown summary reporter:
    • Write a file for Github integration if GITHUB_STEP_SUMMARY is set
    • Truncate less linter output lines
  • Text reporter: Change the output file names to put the linter name first, then the status
  • Enhance display of markdown summary

• Doc

  • Update documentation in all megalinter descriptor files to improve accuracy and consistency
  • Fix incorrect information in linters documentation and descriptors
  • Remove dead links
  • Add linter description (linter_text) in all linter descriptor, to generate a more exhaustive documentation.
  • Update contributing guide to explain how to manage python dependencies in the codebase

• Flavors

  • Do not suggest flavors that have more linters than the current one

• CI

  • Update default MegaLinter CI/CD workflows to disable LLM_ADVISOR in case of bot pull requests

• mega-linter-runner

  • Add all CI/CD providers in the --install command
  • Use ghcr.io docker images by default
  • New parameter --container-engine allowing to use podman as runner
  • mega-linter-runner --upgrade: Handle upgrade of github actions to their latest version
  • mega-linter-runner --upgrade: Upgrades MegaLinter actions and images to v9

• Linter versions upgrades (68)

  • ansible-lint from 25.5.0 to 25.9.0
  • bandit from 1.8.3 to 1.8.6
  • bicep_linter from 0.36.1 to 0.37.4
  • black from 25.1.0 to 25.9.0
  • cfn-lint from 1.36.0 to 1.39.1
  • checkstyle from 10.25.0 to 11.0.1
  • clang-format from 19.1.4 to 20.1.8
  • clippy from 0.1.87 to 0.1.90
  • clj-kondo from 2025.06.05 to 2025.09.19
  • csharpier from 1.0.2 to 1.1.2
  • cspell from 9.1.1 to 9.2.1
  • dartanalyzer from 3.8.1 to 3.8.3
  • devskim from 1.0.59 to 1.0.67
  • dotnet-format from 9.0.106 to 9.0.110
  • editorconfig-checker from 3.3.0 to 3.4.0
  • flake8 from 7.2.0 to 7.3.0
  • git_diff from 2.47.2 to 2.49.1
  • gitleaks from 8.27.2 to 8.28.0
  • golangci-lint from 2.1.6 to 2.4.0
  • grype from 0.94.0 to 0.100.0
  • hadolint from 2.12.0 to 2.13.1
  • helm from 3.16.3 to 3.18.4
  • htmlhint from 1.5.1 to 1.7.1
  • kics from 2.1.10 to 2.1.13
  • ktlint from 1.6.0 to 1.7.1
  • kubescape from 3.0.34 to 3.0.41
  • lightning-flow-scanner from 3.23.0 to 3.29.0
  • mypy from 1.16.0 to 1.18.2
  • npm-groovy-lint from 15.2.0 to 15.2.1
  • npm-package-json-lint from 8.0.0 to 9.0.0
  • php-cs-fixer from 3.75.0 to 3.87.2
  • phpcs from 3.13.1 to 4.0.0
  • phpstan from 2.1.17 to 2.1.28
  • pmd from 7.14.0 to 7.17.0
  • powershell from 7.5.1 to 7.5.3
  • powershell_formatter from 7.5.1 to 7.5.3
  • prettier from 3.5.3 to 3.6.2
  • protolint from 0.55.6 to 0.56.4
  • psalm from Psalm.6.12.0@​ to Psalm.6.13.1@​
  • pylint from 3.3.7 to 3.3.8
  • pyright from 1.1.402 to 1.1.405
  • revive from 1.10.0 to 1.12.0
  • roslynator from 0.10.1.0 to 0.10.2.0
  • rubocop from 1.76.1 to 1.80.2
  • ruff-format from 0.11.13 to 0.13.1
  • ruff from 0.11.13 to 0.13.1
  • secretlint from 10.1.0 to 11.2.4
  • selene from 0.28.0 to 0.29.0
  • shellcheck from 0.10.0 to 0.11.0
  • shfmt from 3.11.0 to 3.12.0
  • snakefmt from 0.11.0 to 0.11.2
  • snakemake from 9.5.1 to 9.11.4
  • sqlfluff from 3.4.1 to 3.4.2
  • stylelint from 16.20.0 to 16.24.0
  • swiftlint from 0.59.1 to 0.61.0
  • syft from 1.27.1 to 1.33.0
  • terraform-fmt from 1.12.2 to 1.13.2
  • terragrunt from 0.81.6 to 0.87.2
  • tflint from 0.58.0 to 0.59.1
  • trivy-sbom from 0.63.0 to 0.66.0
  • trivy from 0.63.0 to 0.66.0
  • trufflehog from 3.89.1 to 3.90.8
  • v8r from 5.0.0 to 5.1.0
  • vale from 3.11.2 to 3.12.0
  • xmllint from 21304 to 21308

v9

Compare Source

Take 2 mn to read MegaLinter v9.5.0 announcements

• Breaking changes

  • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

    • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
    • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
    • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

    GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

  • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

  • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

    • extends: ["airbnb"] → extends: ["airbnb-extended"]
    • extends: ["standard"] → extends: ["neostandard"]

• Core

  • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
  • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
  • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
  • Upgrade GO runtime to 1.26.3

• New linters

  • osv-scanner: trivy-like vulnerability scanner by Google
  • zizmor: GitHub Actions static analysis

• Disabled linters

  • KICS (until upstream security issue is fixed)
  • Spectral (crashing)

• Re-enabled linters

  • Trivy (v0.70.0): the supply chain security incident is resolved

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

  • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
  • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
  • raku (Rakudo): now ships on ARM64 too
  • scala: linter installation is now deterministic (same binary across rebuilds)
  • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
  • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
  • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

• Fixes

  • Console output: linters now show their log sections (not only on errors), the results table and reporter logs are printed after linters complete, and parallel-run logs are no longer interleaved
  • YAML_V8R_CONFIG_FILE / JSON_V8R_CONFIG_FILE are now correctly applied (the v8r --catalogs option is wired through)
  • lychee: fix the configured headers / Accept settings being ignored
  • Custom flavor builder: works correctly for repositories whose name contains uppercase characters
  • Docs: corrected the documented default value for the pre-commands cwd option

• Reporters

  • Comment reporters (GitHub, GitLab, Azure DevOps, Bitbucket) now work when running MegaLinter from Jenkins CI
  • GitlabCommentReporter activates as soon as GITLAB_ACCESS_TOKEN_MEGALINTER is set (no longer requires CI_JOB_TOKEN)
  • BitbucketCommentReporter: per-linter sections rendered as ### headings (Bitbucket Cloud markdown was displaying the previous <details> HTML tags as literal text)
  • Display a default user notification on PR/console reports inviting users to read the MegaLinter 9.5.0 release announcement. Can be disabled by setting SECURITY_SUGGESTIONS: false.

• Flavors

  • Multi-arch images: In custom flavors, linters ca

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	1		0	0	0.33s
❌ ACTION	zizmor	1	0	1	0	0.34s
❌ COPYPASTE	jscpd	yes		10	no	2.64s
✅ EDITORCONFIG	editorconfig-checker	1		0	0	0.01s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
❌ REPOSITORY	osv-scanner	yes		1	no	0.1s
✅ REPOSITORY	secretlint	yes		no	no	1.11s
✅ REPOSITORY	syft	yes		no	no	6.54s
✅ REPOSITORY	trivy	yes		no	no	13.97s
✅ REPOSITORY	trivy-sbom	yes		no	no	2.46s
✅ REPOSITORY	trufflehog	yes		no	no	27.96s
✅ YAML	prettier	1	0	0	0	0.47s
✅ YAML	yamllint	1		0	0	0.4s

Detailed Issues

❌ COPYPASTE / jscpd - 10 errors

Clone found (typescript):
 - integration/search-stays.integration.ts [51:47 - 56:27] (5 lines, 53 tokens)
   integration/search-stays.integration.ts [29:51 - 34:30]

Clone found (typescript):
 - integration/search-stays.integration.ts [76:32 - 81:27] (5 lines, 53 tokens)
   integration/search-stays.integration.ts [29:51 - 34:30]

Clone found (typescript):
 - integration/search-stays.integration.ts [91:43 - 96:28] (5 lines, 53 tokens)
   integration/search-stays.integration.ts [29:51 - 34:30]

Clone found (typescript):
 - integration/search-flights.integration.ts [49:47 - 54:20] (5 lines, 53 tokens)
   integration/search-flights.integration.ts [29:54 - 34:20]

Clone found (typescript):
 - integration/search-flights.integration.ts [63:37 - 70:44] (7 lines, 54 tokens)
   integration/search-stays.integration.ts [48:51 - 55:42]

Clone found (typescript):
 - integration/search-flights.integration.ts [66:47 - 71:20] (5 lines, 53 tokens)
   integration/search-flights.integration.ts [29:54 - 34:20]

Clone found (typescript):
 - integration/search-flights.integration.ts [88:45 - 96:44] (8 lines, 57 tokens)
   integration/search-stays.integration.ts [72:43 - 80:42]

Clone found (typescript):
 - integration/search-flights.integration.ts [92:32 - 97:20] (5 lines, 53 tokens)
   integration/search-flights.integration.ts [29:54 - 34:20]

Clone found (typescript):
 - integration/search-flights.integration.ts [104:54 - 111:44] (7 lines, 54 tokens)
   integration/search-stays.integration.ts [88:54 - 95:42]

Clone found (typescript):
 - integration/search-flights.integration.ts [107:43 - 112:20] (5 lines, 53 tokens)
   integration/search-flights.integration.ts [29:54 - 34:20]

┌────────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format     │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ typescript │ 37             │ 4041        │ 30440        │ 10           │ 57 (1.41%)       │ 536 (1.76%)       │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ javascript │ 1              │ 41          │ 223          │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total:     │ 38             │ 4082        │ 30663        │ 10           │ 57 (1.4%)        │ 536 (1.75%)       │
└────────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 10 clones.
HTML report saved to megalinter-reports/copy-paste/html/
ERROR: jscpd found too many duplicates (1.4%) over threshold (0%)
Error: ERROR: jscpd found too many duplicates (1.4%) over threshold (0%)
    at ThresholdReporter.report (/node-deps/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node-deps/node_modules/jscpd/dist/bin/jscpd.js:9:5

❌ REPOSITORY / osv-scanner - 1 error

Scanning dir .
Starting filesystem walk for root: /
End status: 25 dirs visited, 113 inodes visited, 0 Extract calls, 1.891811ms elapsed, 1.891972ms wall time
No package sources found, --help for usage information.

❌ ACTION / zizmor - 1 error

INFO zizmor: 🌈 zizmor v1.25.0
fatal: no audit was performed
'ref-confusion' audit failed on file://.github/workflows/pr-checks.yaml

Caused by:
    0: error in 'ref-confusion' audit
    1: couldn't list branches for actions/checkout
    2: request error while accessing GitHub API
    3: HTTP status client error (401 Unauthorized) for url (https://github.com/actions/checkout.git/git-upload-pack)


[ZizmorLinter] Zizmor failed to reach the GitHub API.
To allow zizmor to use GITHUB_TOKEN, add the following to your .mega-linter.yml:
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN

Notices

⚠️ ESLint v10 flat-config migration required - the following linters are disabled until you migrate: JAVASCRIPT_ES, JSON_ESLINT_PLUGIN_JSONC, JSX_ESLINT, TSX_ESLINT, TYPESCRIPT_ES. Only legacy .eslintrc.json was detected; ESLint v10 dropped support for the .eslintrc.* format. Please migrate to eslint.config.mjs. See the ESLint migration guide.

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

Show us your support by starring ⭐ the repository