megalinter

MegaLinter is an Open-Source tool for CI/CD workflows that analyzes the consistency of your code, IAC, configuration, and scripts in your repository sources, to ensure all your projects sources are clean and formatted whatever IDE/toolbox is used by their developers, powered by OX Security.

Supporting 62 languages, 23 formats, 20 tooling formats and ready to use out of the box, as a GitHub action or any CI system, highly configurable and free for all uses.

MegaLinter has native integrations with many of the major CI/CD tools of the market.

Upgrade to MegaLinter v8 :)

Before going below, see Online Documentation Web Site which has a much easier user navigation than this README

• Why MegaLinter
• Quick Start
• Supported Linters
  • Languages
  • Formats
  • Tooling formats
  • Other
• Installation
  • Assisted installation
  • Which version to use ?
  • GitHub Action
  • GitLab CI
    • Manual Setup
    • Using R2Devops
  • Azure Pipelines
    • Single Repository
    • Central Repository
    • Pull Request Comments
    • Detailed Tutorial
  • Bitbucket Pipelines
  • Jenkins
  • Concourse
    • Pipeline step
    • Use it as reusable task
  • Drone CI
    • (Optional) Adjusting trigger rules
  • Docker container
  • Run MegaLinter locally
• Configuration
  • .mega-linter.yml file
  • Common variables
  • Activation and deactivation
  • Filter linted files
  • Apply fixes
    • Apply fixes issues
    • Notes
  • Linter specific variables
  • Pre-commands
  • Post-commands
  • Environment variables security
    • Secured env variables
    • Secured configuration examples
    • Default secured variables
    • Unhide variables for linters
  • CLI lint mode
• Reporters
• Flavors
• Badge
  • Markdown
  • reStructuredText
• Plugins
  • External Plugins Catalog
  • Use external plugins
    • Example
  • Create your own plugin
    • Limitations
• They talk about MegaLinter
  • English articles
  • French articles
  • Videos
  • Web Sites
  • Linters
• Frequently Asked Questions
• How to contribute
• Special thanks
  • Maintainers
  • Contributors
  • Open-source teams
  • Super-Linter team
• License
• MegaLinter vs Super-Linter
  • Security
  • Performances
  • More languages and formats linted
  • Automatically apply formatting and fixes
  • Run locally
  • Reports
    • Capabilities
    • Additional Reporters
  • Enhanced Configuration
  • Enhanced Documentation
  • Plugins management
  • Simplify architecture and evolutive maintenance
  • Improve robustness & stability

Projects need to contain clean code, in order to avoid technical debt, that makes evolutive maintenance harder and time consuming.

By using code formatters and code linters, you ensure that your code base is easier to read and respects best practices, from the kick-off to each step of the project lifecycle

Not all developers have the good habit to use linters in their IDEs, making code reviews harder and longer to process

By using MegaLinter, you'll enjoy the following benefits for you and your team:

• At each pull request it will automatically analyze all updated code in all languages
• Reading error logs, developers learn best practices of the language they're using
• MegaLinter documentation provides the list of IDE plugins integrating each linter, so developers know which linter and plugins to install
• MegaLinter is ready out of the box after a quick setup
• Formatting and fixes can be automatically applied on the git branch or provided in reports
• This tool is 100% open-source and free for all uses (personal, professional, public and private repositories)
• MegaLinter can run on any CI tool and be run locally: no need to authorize an external application, and your code base never leaves your tooling ecosystem

• Run npx mega-linter-runner --install to generate configuration files (you need node.js to be installed)
• Commit, push, and create a pull request
• Watch !

Notes:

• This repo is a hard-fork of GitHub Super-Linter, rewritten in python to add lots of additional features
• If you are a Super-Linter user, you can transparently switch to MegaLinter and keep the same configuration (just replace super-linter/super-linter@v3 by oxsecurity/megalinter@v8 in your GitHub Action YML file, like on this PR)
• If you want to use MegaLinter extra features (recommended), please take 5 minutes to use MegaLinter assisted installation
• For a hand-holdy example of getting started with mega-linter check out this blog post by Alec Johnson

All linters are integrated in the MegaLinter docker image, which is frequently upgraded with their latest versions

	Language	Linter	Additional
	BASH	bash-exec BASH_EXEC
	BASH	shellcheck BASH_SHELLCHECK
	BASH	shfmt BASH_SHFMT
	C	cpplint C_CPPLINT
	C	clang-format C_CLANG_FORMAT
	CLOJURE	clj-kondo CLOJURE_CLJ_KONDO
	CLOJURE	cljstyle CLOJURE_CLJSTYLE
	COFFEE	coffeelint COFFEE_COFFEELINT
	C++ (CPP)	cpplint CPP_CPPLINT
	C++ (CPP)	clang-format CPP_CLANG_FORMAT
	C# (CSHARP)	dotnet-format CSHARP_DOTNET_FORMAT
	C# (CSHARP)	csharpier CSHARP_CSHARPIER
	C# (CSHARP)	roslynator CSHARP_ROSLYNATOR
	DART	dartanalyzer DART_DARTANALYZER
	GO	golangci-lint GO_GOLANGCI_LINT
	GO	revive GO_REVIVE
	GROOVY	npm-groovy-lint GROOVY_NPM_GROOVY_LINT
	JAVA	checkstyle JAVA_CHECKSTYLE
	JAVA	pmd JAVA_PMD
	JAVASCRIPT	eslint JAVASCRIPT_ES
	JAVASCRIPT	standard JAVASCRIPT_STANDARD
	JAVASCRIPT	prettier JAVASCRIPT_PRETTIER
	JSX	eslint JSX_ESLINT
	KOTLIN	ktlint KOTLIN_KTLINT
	KOTLIN	detekt KOTLIN_DETEKT
	LUA	luacheck LUA_LUACHECK
	LUA	selene LUA_SELENE
	LUA	stylua LUA_STYLUA
	MAKEFILE	checkmake MAKEFILE_CHECKMAKE
	PERL	perlcritic PERL_PERLCRITIC
	PHP	phpcs PHP_PHPCS
	PHP	phpstan PHP_PHPSTAN
	PHP	psalm PHP_PSALM
	PHP	phplint PHP_PHPLINT
	PHP	php-cs-fixer PHP_PHPCSFIXER
	POWERSHELL	powershell POWERSHELL_POWERSHELL
	POWERSHELL	powershell_formatter POWERSHELL_POWERSHELL_FORMATTER
	PYTHON	pylint PYTHON_PYLINT
	PYTHON	black PYTHON_BLACK
	PYTHON	flake8 PYTHON_FLAKE8
	PYTHON	isort PYTHON_ISORT
	PYTHON	bandit PYTHON_BANDIT
	PYTHON	mypy PYTHON_MYPY
	PYTHON	pyright PYTHON_PYRIGHT
	PYTHON	ruff PYTHON_RUFF
	R	lintr R_LINTR
	RAKU	raku RAKU_RAKU
	RUBY	rubocop RUBY_RUBOCOP
	RUST	clippy RUST_CLIPPY
	SALESFORCE	sfdx-scanner-apex SALESFORCE_SFDX_SCANNER_APEX
	SALESFORCE	sfdx-scanner-aura SALESFORCE_SFDX_SCANNER_AURA
	SALESFORCE	sfdx-scanner-lwc SALESFORCE_SFDX_SCANNER_LWC
	SALESFORCE	lightning-flow-scanner SALESFORCE_LIGHTNING_FLOW_SCANNER
	SCALA	scalafix SCALA_SCALAFIX
	SQL	sqlfluff SQL_SQLFLUFF
	SQL	tsqllint SQL_TSQLLINT
	SWIFT	swiftlint SWIFT_SWIFTLINT
	TSX	eslint TSX_ESLINT
	TYPESCRIPT	eslint TYPESCRIPT_ES
	TYPESCRIPT	ts-standard TYPESCRIPT_STANDARD
	TYPESCRIPT	prettier TYPESCRIPT_PRETTIER
	Visual Basic .NET (VBDOTNET)	dotnet-format VBDOTNET_DOTNET_FORMAT

	Format	Linter	Additional
	CSS	stylelint CSS_STYLELINT
	ENV	dotenv-linter ENV_DOTENV_LINTER
	GRAPHQL	graphql-schema-linter GRAPHQL_GRAPHQL_SCHEMA_LINTER
	HTML	djlint HTML_DJLINT
	HTML	htmlhint HTML_HTMLHINT
	JSON	jsonlint JSON_JSONLINT
	JSON	eslint-plugin-jsonc JSON_ESLINT_PLUGIN_JSONC
	JSON	v8r JSON_V8R
	JSON	prettier JSON_PRETTIER
	JSON	npm-package-json-lint JSON_NPM_PACKAGE_JSON_LINT
	LATEX	chktex LATEX_CHKTEX
	MARKDOWN	markdownlint MARKDOWN_MARKDOWNLINT
	MARKDOWN	remark-lint MARKDOWN_REMARK_LINT
	MARKDOWN	markdown-link-check MARKDOWN_MARKDOWN_LINK_CHECK
	MARKDOWN	markdown-table-formatter MARKDOWN_MARKDOWN_TABLE_FORMATTER
	PROTOBUF	protolint PROTOBUF_PROTOLINT
	RST	rst-lint RST_RST_LINT
	RST	rstcheck RST_RSTCHECK
	RST	rstfmt RST_RSTFMT
	XML	xmllint XML_XMLLINT
	YAML	prettier YAML_PRETTIER
	YAML	yamllint YAML_YAMLLINT
	YAML	v8r YAML_V8R

	Tooling format	Linter	Additional
	ACTION	actionlint ACTION_ACTIONLINT
	ANSIBLE	ansible-lint ANSIBLE_ANSIBLE_LINT
	API	spectral API_SPECTRAL
	ARM	arm-ttk ARM_ARM_TTK
	BICEP	bicep_linter BICEP_BICEP_LINTER
	CLOUDFORMATION	cfn-lint CLOUDFORMATION_CFN_LINT
	DOCKERFILE	hadolint DOCKERFILE_HADOLINT
	EDITORCONFIG	editorconfig-checker EDITORCONFIG_EDITORCONFIG_CHECKER
	GHERKIN	gherkin-lint GHERKIN_GHERKIN_LINT
	KUBERNETES	kubeconform KUBERNETES_KUBECONFORM
	KUBERNETES	helm KUBERNETES_HELM
	KUBERNETES	kubescape KUBERNETES_KUBESCAPE
	PUPPET	puppet-lint PUPPET_PUPPET_LINT
	SNAKEMAKE	snakemake SNAKEMAKE_LINT
	SNAKEMAKE	snakefmt SNAKEMAKE_SNAKEFMT
	TEKTON	tekton-lint TEKTON_TEKTON_LINT
	TERRAFORM	tflint TERRAFORM_TFLINT
	TERRAFORM	terrascan TERRAFORM_TERRASCAN
	TERRAFORM	terragrunt TERRAFORM_TERRAGRUNT
	TERRAFORM	terraform-fmt TERRAFORM_TERRAFORM_FMT

	Code quality checker	Linter	Additional
	COPYPASTE	jscpd COPYPASTE_JSCPD
	REPOSITORY	checkov REPOSITORY_CHECKOV
	REPOSITORY	devskim REPOSITORY_DEVSKIM
	REPOSITORY	dustilock REPOSITORY_DUSTILOCK
	REPOSITORY	git_diff REPOSITORY_GIT_DIFF
	REPOSITORY	gitleaks REPOSITORY_GITLEAKS
	REPOSITORY	grype REPOSITORY_GRYPE
	REPOSITORY	kics REPOSITORY_KICS
	REPOSITORY	ls-lint REPOSITORY_LS_LINT
	REPOSITORY	secretlint REPOSITORY_SECRETLINT
	REPOSITORY	semgrep REPOSITORY_SEMGREP
	REPOSITORY	syft REPOSITORY_SYFT
	REPOSITORY	trivy REPOSITORY_TRIVY
	REPOSITORY	trivy-sbom REPOSITORY_TRIVY_SBOM
	REPOSITORY	trufflehog REPOSITORY_TRUFFLEHOG
	SPELL	cspell SPELL_CSPELL
	SPELL	proselint SPELL_PROSELINT
	SPELL	vale SPELL_VALE
	SPELL	lychee SPELL_LYCHEE

Just run npx mega-linter-runner --install at the root of your repository and answer questions, it will generate ready to use configuration files for MegaLinter :)

The following instructions examples are using latest MegaLinter stable version (v8 , always corresponding to the latest release)

• Docker image: oxsecurity/megalinter:v8
• GitHub Action: oxsecurity/megalinter@v8

You can also use beta version (corresponding to the content of main branch)

• Docker image: oxsecurity/megalinter:beta
• GitHub Action: oxsecurity/megalinter@beta

1. Create a new file in your repository called .github/workflows/mega-linter.yml
2. Copy the example workflow from below into that new file, no extra configuration required
3. Commit that file to a new branch
4. Open up a pull request and observe the action working
5. Enjoy your more stable, and cleaner code base

NOTES:

• If you pass the Environment variable GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} in your workflow, then the MegaLinter will mark the status of each individual linter run in the Checks section of a pull request. Without this you will only see the overall status of the full run. There is no need to set the GitHub Secret as it's automatically set by GitHub, it only needs to be passed to the action.
• You can also use it outside of GitHub Actions (CircleCI, Azure Pipelines, Jenkins, GitLab, or even locally with a docker run) , and have status on Github Pull Request if GITHUB_TARGET_URL environment variable exists.

In your repository you should have a .github/workflows folder with GitHub Action similar to below:

• .github/workflows/mega-linter.yml

---
# MegaLinter GitHub Action configuration file
# More info at https://megalinter.io
name: MegaLinter

on:
  # Trigger mega-linter at every push. Action will also be visible from Pull Requests to main
  push: # Comment this line to trigger action only on pull-requests (not recommended if you don't pay for GH Actions)
  pull_request:
    branches: [master, main]

env: # Comment env block if you don't want to apply fixes
  # Apply linter fixes configuration
  APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool)
  APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all)
  APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request)

concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

jobs:
  megalinter:
    name: MegaLinter
    runs-on: ubuntu-latest
    permissions:
      # Give the default GITHUB_TOKEN write permission to commit and push, comment issues & post new PR
      # Remove the ones you do not need
      contents: write
      issues: write
      pull-requests: write
    steps:
      # Git Checkout
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
          fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances

      # MegaLinter
      - name: MegaLinter
        id: ml
        # You can override MegaLinter flavor used to have faster performances
        # More info at https://megalinter.io/flavors/
        uses: oxsecurity/megalinter@v8
        env:
          # All available variables are described in documentation
          # https://megalinter.io/configuration/
          VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} # Validates all source when push on main, else just the git diff with main. Override with true if you always want to lint all sources
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
          # DISABLE: COPYPASTE,SPELL # Uncomment to disable copy-paste and spell checks

      # Upload MegaLinter artifacts
      - name: Archive production artifacts
        if: success() || failure()
        uses: actions/upload-artifact@v4
        with:
          name: MegaLinter reports
          path: |
            megalinter-reports
            mega-linter.log

      # Create pull request if applicable (for now works only on PR from same repository, not from forks)
      - name: Create Pull Request with applied fixes
        id: cpr
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
          commit-message: "[MegaLinter] Apply linters automatic fixes"
          title: "[MegaLinter] Apply linters automatic fixes"
          labels: bot
      - name: Create PR output
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
        run: |
          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"

      # Push new commit if applicable (for now works only on PR from same repository, not from forks)
      - name: Prepare commit
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
        run: sudo chown -Rc $UID .git/
      - name: Commit and push applied linter fixes
        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
        uses: stefanzweifel/git-auto-commit-action@v4
        with:
          branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
          commit_message: "[MegaLinter] Apply linters fixes"
          commit_user_name: megalinter-bot
          commit_user_email: [email protected]

Create or update .gitlab-ci.yml file at the root of your repository

# MegaLinter GitLab CI job configuration file
# More info at https://megalinter.io/

mega-linter:
  stage: test
  # You can override MegaLinter flavor used to have faster performances
  # More info at https://megalinter.io/flavors/
  image: oxsecurity/megalinter:v8
  script: [ "true" ] # if script: ["true"] doesn't work, you may try ->  script: [ "/bin/bash /entrypoint.sh" ]
  variables:
    # All available variables are described in documentation
    # https://megalinter.io/configuration/
    DEFAULT_WORKSPACE: $CI_PROJECT_DIR
    # ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
  artifacts:
    when: always
    paths:
      - megalinter-reports
    expire_in: 1 week

Create a Gitlab access token and define it in a variable GITLAB_ACCESS_TOKEN_MEGALINTER in the project CI/CD masked variables. Make sure your token (e.g. if a project token) as the appropriate role for commenting a merge request (at least developer).

Our friends at R2Devops have packaged a Gitlab-CI MegaLinter workflow on their open-source templates marketplace, and it can post MegaLinter results in Gitlab Code Quality Reports !

Use the following Azure Pipelines YAML template

You can configure a build validation branch policy against a single repository or across all repositories. If you configure across all repositories then your pipeline is stored in a central repository.

Add the following to an azure-pipelines.yaml file within your code repository:

  # Run MegaLinter to detect linting and security issues
  - job: MegaLinter
    pool:
      vmImage: ubuntu-latest
    steps:
      # Checkout repo
      - checkout: self

      # Pull MegaLinter docker image
      - script: docker pull oxsecurity/megalinter:v8
        displayName: Pull MegaLinter

      # Run MegaLinter
      - script: |
          docker run -v $(System.DefaultWorkingDirectory):/tmp/lint 
            --env-file <(env | grep -e SYSTEM_ -e BUILD_ -e TF_ -e AGENT_) 
            -e SYSTEM_ACCESSTOKEN=$(System.AccessToken) 
            -e GIT_AUTHORIZATION_BEARER=$(System.AccessToken) 
            oxsecurity/megalinter:v8
        displayName: Run MegaLinter

      # Upload MegaLinter reports
      - task: PublishPipelineArtifact@1
        condition: succeededOrFailed()
        displayName: Upload MegaLinter reports
        inputs:
          targetPath: "$(System.DefaultWorkingDirectory)/megalinter-reports/"
          artifactName: MegaLinterReport

Add the following to an azure-pipelines.yaml file within a separate repository e.g. 'MegaLinter' repository:

# Run MegaLinter to detect linting and security issues

trigger: none

pool:
  vmImage: ubuntu-latest

variables:
  repoName: $[ replace(split(variables['System.PullRequest.SourceRepositoryURI'], '/')[6], '%20', ' ') ]

steps:
  # Checkout triggering repo
  - checkout: git://$(System.TeamProject)/$(repoName)@$(System.PullRequest.SourceBranch)
    displayName: Checkout Triggering Repository

  # Pull MegaLinter docker image
  - script: docker pull oxsecurity/megalinter:v8
    displayName: Pull MegaLinter

  # Run MegaLinter
  - script: |
      docker run -v $(System.DefaultWorkingDirectory):/tmp/lint 
        --env-file <(env | grep -e SYSTEM_ -e BUILD_ -e TF_ -e AGENT_) 
        -e SYSTEM_ACCESSTOKEN=$(System.AccessToken) 
        -e GIT_AUTHORIZATION_BEARER=$(System.AccessToken) 
        oxsecurity/megalinter:v8
    displayName: Run MegaLinter

  # Upload MegaLinter reports
  - task: PublishPipelineArtifact@1
    condition: succeededOrFailed()
    displayName: MegaLinter Report
    inputs:
      targetPath: $(System.DefaultWorkingDirectory)/megalinter-reports/
      artifactName: MegaLinterReport

To benefit from Pull Request comments, please follow configuration instructions

You can also follow this detailed tutorial by DonKoning

1. Create a bitbucket-pipelines.yml file on the root directory of your repository

2. Copy and paste the following template or add the step to your existing pipeline.

image: atlassian/default-image:3
pipelines:
  default:
    - parallel:
      - step:
          name: 
        
Expand