Skip to content

🦙 Mega-Linter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.

License

oxsecurity/megalinter

Use this GitHub Action with your project

Add this Action to an existing workflow or create a new one.

View on Marketplace
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

* [automation] Auto-update linters version, help and documentation

* [MegaLinter] Apply linters fixes

---------

Co-authored-by: nvuillam <nvuillam@users.noreply.github.com>
dbf17b6

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
sh
July 10, 2022 14:38
January 25, 2021 21:20
February 21, 2022 21:37
November 1, 2022 00:39
January 7, 2023 10:46
July 10, 2022 14:38

MegaLinter, by OX Security

GitHub release Docker Pulls Downloads/week GitHub stars MegaLinter codecov

Secured with Trivy GitHub contributors GitHub Sponsors PRs Welcome Tweet

MegaLinter is an Open-Source tool for CI/CD workflows that analyzes the consistency of your code, IAC, configuration, and scripts in your repository sources, to ensure all your projects sources are clean and formatted whatever IDE/toolbox is used by their developers, powered by OX Security.

Supporting 53 languages, 24 formats, 21 tooling formats and ready to use out of the box, as a GitHub action or any CI system highly configurable and free for all uses.

Upgrade to MegaLinter v6 !

See Online Documentation Web Site which has a much easier user navigation than this README


See Article on Medium

See Article on Medium


Process

Archi


Console reporter

Screenshot


Github PR reporter

Screenshot

Table of Contents

Why MegaLinter

Projects need to contain clean code, in order to avoid technical debt, that makes evolutive maintenance harder and time consuming.

By using code formatters and code linters, you ensure that your code base is easier to read and respects best practices, from the kick-off to each step of the project lifecycle

Not all developers have the good habit to use linters in their IDEs, making code reviews harder and longer to process

By using MegaLinter, you'll enjoy the following benefits for you and your team:

  • At each pull request it will automatically analyze all updated code in all languages
  • Reading error logs, developers learn best practices of the language they are using
  • MegaLinter documentation provides the list of IDE plugins integrating each linter, so developers know which linter and plugins to install
  • MegaLinter is ready out of the box after a quick setup
  • Formatting and fixes can be automatically applied on the git branch or provided in reports
  • This tool is 100% open-source and free for all uses (personal, professional, public and private repositories)
  • MegaLinter can run on any CI tool and be run locally: no need to authorize an external application, and your code base never leaves your tooling ecosystem

Quick Start

  • Run npx mega-linter-runner --install to generate configuration files (you need node.js to be installed)
  • Commit, push, and create a pull request
  • Watch !

Runner Install

Notes:

  • This repo is a hard-fork of GitHub Super-Linter, rewritten in python to add lots of additional features
  • If you are a Super-Linter user, you can transparently switch to MegaLinter and keep the same configuration (just replace github/super-linter@v3 by oxsecurity/megalinter@v6 in your GitHub Action YML file, like on this PR)
  • If you want to use MegaLinter extra features (recommended), please take 5 minutes to use MegaLinter assisted installation
  • For a hand-holdy example of getting started with mega-linter check out this blog post by Alec Johnson

Supported Linters

All linters are integrated in the MegaLinter docker image, which is frequently upgraded with their latest versions

Languages

Language Linter Additional
BASH bash-exec
BASH_EXEC
BASH shellcheck
BASH_SHELLCHECK
GitHub stars sarif
BASH shfmt
BASH_SHFMT
GitHub stars formatter
C cpplint
C_CPPLINT
GitHub stars
CLOJURE clj-kondo
CLOJURE_CLJ_KONDO
GitHub stars
COFFEE coffeelint
COFFEE_COFFEELINT
GitHub stars
C++ (CPP) cpplint
CPP_CPPLINT
GitHub stars
C# (CSHARP) dotnet-format
CSHARP_DOTNET_FORMAT
GitHub stars formatter
C# (CSHARP) csharpier
CSHARP_CSHARPIER
GitHub stars formatter
DART dartanalyzer
DART_DARTANALYZER
GitHub stars
GO golangci-lint
GO_GOLANGCI_LINT
GitHub stars
GO revive
GO_REVIVE
GitHub stars sarif
GROOVY npm-groovy-lint
GROOVY_NPM_GROOVY_LINT
GitHub stars autofix sarif
JAVA checkstyle
JAVA_CHECKSTYLE
GitHub stars sarif
JAVA pmd
JAVA_PMD
GitHub stars sarif
JAVASCRIPT eslint
JAVASCRIPT_ES
GitHub stars autofix sarif
JAVASCRIPT standard
JAVASCRIPT_STANDARD
GitHub stars autofix
JAVASCRIPT prettier
JAVASCRIPT_PRETTIER
GitHub stars formatter
JSX eslint
JSX_ESLINT
GitHub stars autofix sarif
KOTLIN ktlint
KOTLIN_KTLINT
GitHub stars autofix sarif
LUA luacheck
LUA_LUACHECK
GitHub stars
MAKEFILE checkmake
MAKEFILE_CHECKMAKE
GitHub stars
PERL perlcritic
PERL_PERLCRITIC
GitHub stars
PHP phpcs
PHP_PHPCS
GitHub stars
PHP phpstan
PHP_PHPSTAN
GitHub stars
PHP psalm
PHP_PSALM
GitHub stars sarif
PHP phplint
PHP_PHPLINT
GitHub stars
POWERSHELL powershell
POWERSHELL_POWERSHELL
GitHub stars autofix
POWERSHELL powershell_formatter
POWERSHELL_POWERSHELL_FORMATTER
GitHub stars formatter
PYTHON pylint
PYTHON_PYLINT
GitHub stars
PYTHON black
PYTHON_BLACK
GitHub stars formatter
PYTHON flake8
PYTHON_FLAKE8
GitHub stars
PYTHON isort
PYTHON_ISORT
GitHub stars formatter
PYTHON bandit
PYTHON_BANDIT
GitHub stars sarif
PYTHON mypy
PYTHON_MYPY
GitHub stars
PYTHON pyright
PYTHON_PYRIGHT
GitHub stars
R lintr
R_LINTR
GitHub stars
RAKU raku
RAKU_RAKU
GitHub stars
RUBY rubocop
RUBY_RUBOCOP
GitHub stars autofix
RUST clippy
RUST_CLIPPY
GitHub stars
SALESFORCE sfdx-scanner-apex
SALESFORCE_SFDX_SCANNER_APEX
GitHub stars
SALESFORCE sfdx-scanner-aura
SALESFORCE_SFDX_SCANNER_AURA
GitHub stars
SALESFORCE sfdx-scanner-lwc
SALESFORCE_SFDX_SCANNER_LWC
GitHub stars
SCALA scalafix
SCALA_SCALAFIX
GitHub stars
SQL sql-lint
SQL_SQL_LINT
GitHub stars
SQL sqlfluff
SQL_SQLFLUFF
GitHub stars
SQL tsqllint
SQL_TSQLLINT
GitHub stars
SWIFT swiftlint
SWIFT_SWIFTLINT
GitHub stars autofix
TSX eslint
TSX_ESLINT
GitHub stars autofix sarif
TYPESCRIPT eslint
TYPESCRIPT_ES
GitHub stars autofix sarif
TYPESCRIPT standard
TYPESCRIPT_STANDARD
GitHub stars autofix
TYPESCRIPT prettier
TYPESCRIPT_PRETTIER
GitHub stars formatter
Visual Basic .NET (VBDOTNET) dotnet-format
VBDOTNET_DOTNET_FORMAT
GitHub stars formatter

Formats

Format Linter Additional
CSS stylelint
CSS_STYLELINT
GitHub stars autofix
CSS scss-lint
CSS_SCSS_LINT
GitHub stars
ENV dotenv-linter
ENV_DOTENV_LINTER
GitHub stars autofix
GRAPHQL graphql-schema-linter
GRAPHQL_GRAPHQL_SCHEMA_LINTER
GitHub stars
HTML djlint
HTML_DJLINT
GitHub stars
HTML htmlhint
HTML_HTMLHINT
GitHub stars
JSON jsonlint
JSON_JSONLINT
GitHub stars
JSON eslint-plugin-jsonc
JSON_ESLINT_PLUGIN_JSONC
GitHub stars autofix sarif
JSON v8r
JSON_V8R
GitHub stars
JSON prettier
JSON_PRETTIER
GitHub stars formatter
JSON npm-package-json-lint
JSON_NPM_PACKAGE_JSON_LINT
GitHub stars
LATEX chktex
LATEX_CHKTEX
MARKDOWN markdownlint
MARKDOWN_MARKDOWNLINT
GitHub stars formatter
MARKDOWN remark-lint
MARKDOWN_REMARK_LINT
GitHub stars formatter
MARKDOWN markdown-link-check
MARKDOWN_MARKDOWN_LINK_CHECK
GitHub stars
MARKDOWN markdown-table-formatter
MARKDOWN_MARKDOWN_TABLE_FORMATTER
GitHub stars formatter
PROTOBUF protolint
PROTOBUF_PROTOLINT
GitHub stars autofix
RST rst-lint
RST_RST_LINT
GitHub stars
RST rstcheck
RST_RSTCHECK
GitHub stars
RST rstfmt
RST_RSTFMT
formatter
XML xmllint
XML_XMLLINT
autofix
YAML prettier
YAML_PRETTIER
GitHub stars formatter
YAML yamllint
YAML_YAMLLINT
GitHub stars
YAML v8r
YAML_V8R
GitHub stars

Tooling formats

Tooling format Linter Additional
ACTION actionlint
ACTION_ACTIONLINT
GitHub stars
ANSIBLE ansible-lint
ANSIBLE_ANSIBLE_LINT
GitHub stars sarif
ARM arm-ttk
ARM_ARM_TTK
GitHub stars
BICEP bicep_linter
BICEP_BICEP_LINTER
GitHub stars
CLOUDFORMATION cfn-lint
CLOUDFORMATION_CFN_LINT
GitHub stars sarif
DOCKERFILE hadolint
DOCKERFILE_HADOLINT
GitHub stars sarif
EDITORCONFIG editorconfig-checker
EDITORCONFIG_EDITORCONFIG_CHECKER
GitHub stars
GHERKIN gherkin-lint
GHERKIN_GHERKIN_LINT
GitHub stars
KUBERNETES kubeval
KUBERNETES_KUBEVAL
deprecated GitHub stars
KUBERNETES kubeconform
KUBERNETES_KUBECONFORM
GitHub stars
OPENAPI spectral
OPENAPI_SPECTRAL
GitHub stars
PUPPET puppet-lint
PUPPET_PUPPET_LINT
GitHub stars autofix
SNAKEMAKE snakemake
SNAKEMAKE_LINT
GitHub stars
SNAKEMAKE snakefmt
SNAKEMAKE_SNAKEFMT
GitHub stars formatter
TEKTON tekton-lint
TEKTON_TEKTON_LINT
GitHub stars
TERRAFORM tflint
TERRAFORM_TFLINT
GitHub stars sarif
TERRAFORM terrascan
TERRAFORM_TERRASCAN
GitHub stars sarif
TERRAFORM terragrunt
TERRAFORM_TERRAGRUNT
GitHub stars autofix
TERRAFORM terraform-fmt
TERRAFORM_TERRAFORM_FMT
GitHub stars formatter
TERRAFORM checkov
TERRAFORM_CHECKOV
deprecated GitHub stars sarif
TERRAFORM kics
TERRAFORM_KICS
GitHub stars

Other

Code quality checker Linter Additional
COPYPASTE jscpd
COPYPASTE_JSCPD
GitHub stars
REPOSITORY checkov
REPOSITORY_CHECKOV
GitHub stars sarif
REPOSITORY devskim
REPOSITORY_DEVSKIM
GitHub stars sarif
REPOSITORY dustilock
REPOSITORY_DUSTILOCK
GitHub stars sarif
REPOSITORY git_diff
REPOSITORY_GIT_DIFF
GitHub stars
REPOSITORY gitleaks
REPOSITORY_GITLEAKS
GitHub stars sarif
REPOSITORY goodcheck
REPOSITORY_GOODCHECK
GitHub stars
REPOSITORY secretlint
REPOSITORY_SECRETLINT
GitHub stars sarif
REPOSITORY semgrep
REPOSITORY_SEMGREP
GitHub stars sarif
REPOSITORY syft
REPOSITORY_SYFT
GitHub stars sarif
REPOSITORY trivy
REPOSITORY_TRIVY
GitHub stars sarif
SPELL misspell
SPELL_MISSPELL
GitHub stars autofix
SPELL cspell
SPELL_CSPELL
GitHub stars
SPELL proselint
SPELL_PROSELINT
GitHub stars

Installation

Assisted installation

Just run npx mega-linter-runner --install at the root of your repository and answer questions, it will generate ready to use configuration files for MegaLinter :)

Runner Install

Upgrade to MegaLinter v6

  • Run npx mega-linter-runner --upgrade to automatically upgrade your configuration from v4 or v5 to v6 :)

Manual installation

The following instructions examples are using latest MegaLinter stable version (v6 , always corresponding to the latest release)

  • Docker image: oxsecurity/megalinter:v6
  • GitHub Action: oxsecurity/megalinter@v6

You can also use beta version (corresponding to the content of main branch)

  • Docker image: oxsecurity/megalinter:beta
  • GitHub Action: oxsecurity/megalinter@beta

GitHub Action

  1. Create a new file in your repository called .github/workflows/mega-linter.yml
  2. Copy the example workflow from below into that new file, no extra configuration required
  3. Commit that file to a new branch
  4. Open up a pull request and observe the action working
  5. Enjoy your more stable, and cleaner code base

NOTES:

  • If you pass the Environment variable GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} in your workflow, then the MegaLinter will mark the status of each individual linter run in the Checks section of a pull request. Without this you will only see the overall status of the full run. There is no need to set the GitHub Secret as it is automatically set by GitHub, it only needs to be passed to the action.
  • You can also use it outside of GitHub Actions (CircleCI, Azure Pipelines, Jenkins, GitLab, or even locally with a docker run) , and have status on Github Pull Request if GITHUB_TARGET_URL environment variable exists.

In your repository you should have a .github/workflows folder with GitHub Action similar to below:

  • .github/workflows/mega-linter.yml
This file should have this code
---
# MegaLinter GitHub Action configuration file
# More info at https://megalinter.github.io
name: MegaLinter

on:
  # Trigger mega-linter at every push. Action will also be visible from Pull Requests to main
  push: # Comment this line to trigger action only on pull-requests (not recommended if you don't pay for GH Actions)
  pull_request:
    branches: [master, main]

env: # Comment env block if you do not want to apply fixes
  # Apply linter fixes configuration
  APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool)
  APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all)
  APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request)

concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

jobs:
  build:
    name: MegaLinter
    runs-on: ubuntu-latest
    steps:
      # Git Checkout
      - name: Checkout Code
        uses: actions/checkout@v3
        with:
          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
          fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances

      # MegaLinter
      - name: MegaLinter
        id: ml
        # You can override MegaLinter flavor used to have faster performances
        # More info at https://megalinter.github.io/flavors/
        uses: oxsecurity/megalinter@v6
        env:
          # All available variables are described in documentation
          # https://megalinter.github.io/configuration/
          VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} # Validates all source when push on main, else just the git diff with main. Override with true if you always want to lint all sources
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
          # DISABLE: COPYPASTE,SPELL # Uncomment to disable copy-paste and spell checks

      # Upload MegaLinter artifacts
      - name: Archive production artifacts
        if: ${{ success() }} || ${{ failure() }}
        uses: actions/upload-artifact@v3
        with:
          name: MegaLinter reports
          path: |
            megalinter-reports
            mega-linter.log

      # Create pull request if applicable (for now works only on PR from same repository, not from forks)
      - name: Create Pull Request with applied fixes
        id: cpr
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
        uses: peter-evans/create-pull-request@v4
        with:
          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
          commit-message: "[MegaLinter] Apply linters automatic fixes"
          title: "[MegaLinter] Apply linters automatic fixes"
          labels: bot
      - name: Create PR output
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
        run: |
          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"

      # Push new commit if applicable (for now works only on PR from same repository, not from forks)
      - name: Prepare commit
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
        run: sudo chown -Rc $UID .git/
      - name: Commit and push applied linter fixes
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
        uses: stefanzweifel/git-auto-commit-action@v4
        with:
          branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
          commit_message: "[MegaLinter] Apply linters fixes"

GitLab CI

Create or update .gitlab-ci.yml file at the root of your repository

# MegaLinter GitLab CI job configuration file
# More info at https://megalinter.github.io/

mega-linter:
  stage: test
  # You can override MegaLinter flavor used to have faster performances
  # More info at https://megalinter.github.io/flavors/
  image: oxsecurity/megalinter:v6
  script: [ "true" ] # if script: ["true"] does not work, you may try ->  script: [ "/bin/bash /entrypoint.sh" ]
  variables:
    # All available variables are described in documentation
    # https://megalinter.github.io/configuration/
    DEFAULT_WORKSPACE: $CI_PROJECT_DIR
    # ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
  artifacts:
    when: always
    paths:
      - megalinter-reports
    expire_in: 1 week

Create a Gitlab access token and define it in a variable GITLAB_ACCESS_TOKEN_MEGALINTER in the project CI/CD masked variables

config-gitlab-access-token

Screenshot

Azure Pipelines

Use the following Azure Pipelines YAML template

Add the following job in your azure-pipelines.yaml file

  # Run MegaLinter to detect linting and security issues
  - job: MegaLinter
    pool:
      vmImage: ubuntu-latest
    steps:
      # Pull MegaLinter docker image
      - script: docker pull oxsecurity/megalinter:v6
        displayName: Pull MegaLinter

      # Run MegaLinter
      - script: |
          docker run -v $(System.DefaultWorkingDirectory):/tmp/lint \
            -e GIT_AUTHORIZATION_BEARER=$(System.AccessToken) \
            -e CI=true \
            -e TF_BUILD=true \
            -e SYSTEM_ACCESSTOKEN=$(System.AccessToken) \
            -e SYSTEM_COLLECTIONURI=$(System.CollectionUri) \
            -e SYSTEM_PULLREQUEST_PULLREQUESTID=$(System.PullRequest.PullRequestId) \
            -e SYSTEM_TEAMPROJECT="$(System.TeamProject)" \
            -e BUILD_BUILD_ID=$(Build.BuildId) \
            -e BUILD_REPOSITORY_ID=$(Build.Repository.ID) \
            oxsecurity/megalinter:v6
        displayName: Run MegaLinter

      # Upload MegaLinter reports
      - task: PublishPipelineArtifact@1
        condition: succeededOrFailed()
        displayName: Upload MegaLinter reports
        inputs:
          targetPath: "$(System.DefaultWorkingDirectory)/megalinter-reports/"
          artifactName: MegaLinterReport

To benefit from Pull Request comments, please follow configuration instructions

Jenkins

Add the following stage in your Jenkinsfile

You may activate File.io reporter or E-mail reporter to access detailed logs and fixed source

// Lint with MegaLinter: https://megalinter.github.io/
stage('MegaLinter') {
    agent {
        docker {
            image 'oxsecurity/megalinter:v6'
            args "-u root -e VALIDATE_ALL_CODEBASE=true -v ${WORKSPACE}:/tmp/lint --entrypoint=''"
            reuseNode true
        }
    }
    steps {
        sh '/entrypoint.sh'
    }
    post {
        always {
            archiveArtifacts allowEmptyArchive: true, artifacts: 'mega-linter.log,megalinter-reports/**/*',