chore(deps): bump megalinter/megalinter from 9.4.0 to 9.6.0 #288

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/megalinter/megalinter-9.6.0

dependabot (bot, Contributor) commented on behalf of github on Jun 29, 2026

Bumps megalinter/megalinter from 9.4.0 to 9.6.0.

Release notes

Sourced from megalinter/megalinter's releases.

v9.6.0

What's Changed

  • Breaking changes

    • Linters can no longer be run via a sibling Docker image at runtime. The cli_docker_image, cli_docker_image_version and cli_docker_args descriptor properties (and the matching <LINTER>_DOCKER_IMAGE_VERSION variable) have been removed, and MegaLinter no longer mounts /var/run/docker.sock (in mega-linter-runner, the GitHub Action action.yml files, and the Docker daemon previously bundled in flavor images). This closes the host-privilege escalation surface that the mounted Docker socket exposed. The only linter that used this mechanism was SWIFT_SWIFTLINT, now installed natively (see below). (#8216)
    • SWIFT_SWIFTLINT is now installed from the static swiftlint-static binary instead of running the ghcr.io/realm/swiftlint container. It runs natively on the Alpine image with no Docker socket required. SourceKit-dependent rules are disabled in this build and reported to the console when encountered; pure-syntax style rules are unaffected. (#8216)
    • @eslint/eslintrc shim removed from JavaScript/TypeScript/JSX/TSX Docker images (was only needed for legacy FlatCompat); MegaLinter's bundled test fixtures use native flat config. (#7869)
    • ESLint linters now force migration off .eslintrc.*: JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT activate when they find any eslint.config.* or any deprecated .eslintrc.* / package.json#eslintConfig. In the legacy case the linter does not call ESLint at all — it emits a single hard failure with a migration message so the build stays red until the config is migrated to flat config. See the ESLint flat-config migration guide. To opt out, set DISABLE_LINTERS or DISABLE to exclude the affected linter/descriptor. (#7869)
    • JSON_ESLINT_PLUGIN_JSONC removed: upstream bug ota-meshi/eslint-plugin-jsonc#328 blocks ESLint v10 compatibility and will not be fixed. Use JSON_JSONLINT, JSON_PRETTIER, or JSON_V8R for JSON validation instead. (#7869)
  • Core

    • New linter descriptor property common_linter_errors: declare known non-lint failure patterns (config issue, remote service down, missing credentials…) and the guidance message shown to users, directly in YAML — no custom Python class needed. (#7907)
    • Skipped-linters summary now explains why a linter was skipped by an activation rule, including the variable to set to activate it (e.g. MARKDOWN_RUMDL: MARKDOWN_DEFAULT_STYLE=markdownlint (set MARKDOWN_DEFAULT_STYLE=rumdl to activate)), fixing #8017.
  • New linters

    • Add betterleaks linter for repository secrets scanning — successor to gitleaks with higher recall (98.6% vs 70.4%), lower false-positive rates, and 4–5× faster scanning via BPE-based detection and CEL filter expressions (#8186)
  • Disabled linters

    • SALESFORCE_SFDX_SCANNER_APEX, SALESFORCE_SFDX_SCANNER_AURA and SALESFORCE_SFDX_SCANNER_LWC — disabled because sfdx-scanner 4.12.0 crashes on Node.js 22+ (TypeError: Cannot read properties of undefined (reading 'prototype'), caused by the removal of SlowBuffer.prototype), which is shipped with Alpine 3.24. These linters were already deprecated; use the SALESFORCE_CODE_ANALYZER_APEX / SALESFORCE_CODE_ANALYZER_AURA / SALESFORCE_CODE_ANALYZER_LWC variants instead (#8080).
  • Deprecated linters

    • REPOSITORY_GITLEAKS — deprecated in favour of REPOSITORY_BETTERLEAKS (same author, fully compatible config, significantly better detection). Will be removed in the next major release. Disable it by adding REPOSITORY_GITLEAKS to DISABLE_LINTERS in your .mega-linter.yml. (#8186)
  • Removed linters

    • JSON_ESLINT_PLUGIN_JSONC — permanently broken by upstream bug (see Breaking changes) (#7869)
  • Linters enhancements

    • REPOSITORY_CHECKOV: in pull-request mode, scan only the files modified in the PR instead of the whole repository (#7119)
  • Fixes

    • REPOSITORY_BETTERLEAKS: default scan now runs in filesystem (dir) mode instead of auto-switching to git-history (git) mode when a git repository is detected. betterleaks does not read the global git safe.directory config, so git mode failed with fatal: detected dubious ownership in repository in CI environments (e.g. GitHub Actions /github/workspace). Git-history mode is still used for the opt-in REPOSITORY_BETTERLEAKS_PR_COMMITS_SCAN feature. (#8186)
    • REPOSITORY_BETTERLEAKS: added --verbose so detected findings (file, line and rule) are reported instead of only the leaks found: N summary, matching gitleaks behavior. Secret values stay redacted via --redact. (#8186)
    • REPOSITORY_OSV_SCANNER: exit code 128 ("No package sources found") is now treated as a clean pass instead of a failure — osv-scanner returns this code when the repo contains no lockfiles/manifests/SBOMs, which is not a vulnerability finding (#7917).
    • Fix intermittent ansible-lint load-failure[not-found] error on github_conf/branch_protection_rules.json caused by a race condition with checkov running in parallel. Checkov's transient GitHub-conf directory is now written to a hidden path (.megalinter_github_conf) that project-mode linters skip, eliminating the conflict (#8092).
    • Complete the Alpine 3.24 upgrade across the whole image and fix how alpine version is detected. Docker images now build on the python:3.14-alpine3.24 base image (#8080).
    • Avoid DeprecationWarning / future breakage on Python 3.14 by no longer passing count and flags as positional arguments to re.sub (#8211).
    • Exclude REPORT_OUTPUT_FOLDER from linting when configured as an absolute path inside the workspace (e.g. /tmp/lint/megalinter-reports), fixing #7845.
    • Fix command injection in Roslynator linter (DOTNET_ROSLYNATOR) where a crafted .csproj filename could break out of dotnet restore arguments and execute arbitrary shell commands. The command is now invoked via argv list instead of a shell string. Reported by Francesco Sabiu. (#7857)
    • Fix IndexError when building the single-linter Docker image for a linter whose activation depends on a file (e.g. SPELL_VALE requires .vale.ini): python -m megalinter.run --linterversion now bypasses activation filtering since the per-linter image is built for that linter unconditionally.
    • Fix make bootstrap appearing to hang because exported Make color variables re-evaluated tput during recursive make invocations. (#8090)
    • Allow MegaLinter containers to run in an opt-in non-root mode matching the host UID:GID on POSIX systems, avoiding root-owned generated files on the host (#1975).
    • Restore missing examples in the Dart descriptor that were dropped from the generated documentation (#7913).
  • Reporters

  • Doc

    • Add pnpm installation and usage documentation for JavaScript and TypeScript linters (#8177)
    • Update Docker pull counters in README badges and flavors-stats.json with latest ghcr.io stats
    • Bump peter-evans/create-pull-request to v8 in the documented workflow examples (#8089)

... (truncated)

Changelog

Sourced from megalinter/megalinter's changelog.

[v9.6.0] - 2026-06-28

Commits
  • ef3e84b Release MegaLinter v9.6.0
  • 8b9259b Skill prepare-release (#8245)
  • 5810155 chore(deps): bump pymdown-extensions from 10.21.3 to 11.0 in /.config/python/...
  • aca415c chore(deps): update dependency semver to v7.8.5 (#8198)
  • 2d8b274 Remove max-parallel for linters
  • e9ab3e9 chore(ci): manual run of deploy linters beta job (#8242)
  • a8a6368 Changelog (#8241)
  • 7f363c6 [automation] Auto-update linters version, help and documentation (#8215)
  • bce5232 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.11.25 (#8232)
  • 9d98266 chore(deps): update dependency realm/swiftlint to v0.65.0 (#8240)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [megalinter/megalinter](https://github.com/megalinter/megalinter) from 9.4.0 to 9.6.0.
- [Release notes](https://github.com/megalinter/megalinter/releases)
- [Changelog](https://github.com/oxsecurity/megalinter/blob/main/CHANGELOG.md)
- [Commits](oxsecurity/megalinter@v9.4.0...v9.6.0)

---
updated-dependencies:
- dependency-name: megalinter/megalinter
  dependency-version: 9.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot (bot) added the dependencies and github_actions labels on Jun 29, 2026
@github-actions

MegaLinter analysis: Error

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 4 | | 0 | 0 | 0.37s |
| ❌ ACTION | zizmor | 4 | 0 | 1 | 0 | 0.35s |
| ❌ COPYPASTE | jscpd | yes | | 71 | no | 0.42s |
| ✅ DOCKERFILE | hadolint | 1 | | 0 | 0 | 0.04s |
| ✅ GO | golangci-lint | yes | yes | no | no | 46.48s |
| ✅ GO | revive | yes | | no | no | 0.02s |
| ✅ MARKDOWN | markdownlint | 2 | 0 | 0 | 0 | 0.48s |
| ✅ MARKDOWN | markdown-table-formatter | 2 | 0 | 0 | 0 | 0.18s |
| ✅ REPOSITORY | betterleaks | yes | | no | no | 0.81s |
| ✅ REPOSITORY | checkov | yes | | no | no | 38.24s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.25s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.0s |
| ⚠️ REPOSITORY | grype | yes | | 13 | no | 63.69s |
| ❌ REPOSITORY | osv-scanner | yes | | 1 | no | 19.87s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 0.52s |
| ✅ REPOSITORY | syft | yes | | no | no | 2.16s |
| ❌ REPOSITORY | trivy | yes | | 1 | no | 12.91s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 2.83s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 2.54s |
| ✅ SPELL | lychee | 14 | | 0 | 0 | 0.05s |
| ✅ YAML | prettier | 12 | 0 | 0 | 0 | 0.5s |
| ✅ YAML | v8r | 12 | | 0 | 0 | 10.8s |
| ✅ YAML | yamllint | 12 | | 0 | 0 | 0.56s |

Detailed Issues

❌ COPYPASTE / jscpd - 71 errors
┌────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ go     │ 13             │ 4273        │ 30947        │ 71           │ 1351 (31.62%)    │ 13456 (43.48%)    │
├────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total: │ 13             │ 4273        │ 30947        │ 71           │ 1351 (31.62%)    │ 13456 (43.48%)    │
└────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 71 clones.
HTML report saved to megalinter-reports/copy-paste/jscpd-report.html
ERROR: jscpd found too many duplicates (31.6%) over threshold (9.0%)
time: 116.147ms

(Truncated to last 8000 characters out of 10639)
❌ REPOSITORY / osv-scanner - 1 error
Scanning dir .
Starting filesystem walk for root: /
Scanned go.mod file and found 59 packages
End status: 67 dirs visited, 173 inodes visited, 1 Extract calls, 10.006012ms elapsed, 10.006202ms wall time

Total 2 packages affected by 29 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 29 Unknown) from 1 ecosystem.
29 vulnerabilities can be fixed.

+------------------------------+------+-----------+---------------------+---------+---------------+--------+
| OSV URL                      | CVSS | ECOSYSTEM | PACKAGE             | VERSION | FIXED VERSION | SOURCE |
+------------------------------+------+-----------+---------------------+---------+---------------+--------+
| https://osv.dev/GO-2026-5013 |      | Go        | golang.org/x/crypto | 0.51.0  | 0.52.0        | go.mod |
| https://osv.dev/GO-2026-5017 |      | Go        | golang.org/x/crypto | 0.51.0  | 0.52.0        | go.mod |
| https://osv.dev/GO-2026-5018 |      | Go        | golang.org/x/crypto | 0.51.0  | 0.52.0        | go.mod |
| https://osv.dev/GO-2026-5019 |      | Go        | golang.org/x/crypto | 0.51.0  | 0.52.0        | go.mod |
| https://osv.dev/GO-2026-5020 |      | Go        | golang.org/x/crypto | 0.51.0  | 0.52.0        | go.mod |
| https://osv.dev/GO-2025-4007 |      | Go        | stdlib              | 1.25.0  | 1.25.3        | go.mod |
| https://osv.dev/GO-2025-4008 |      | Go        | stdlib              | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4009 |      | Go        | stdlib              | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4010 |      | Go        | stdlib              | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4011 |      | Go        | stdlib              | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4012 |      | Go        | stdlib              | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4013 |      | Go        | stdlib              | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4014 |      | Go        | stdlib              | 1.25.0  | 1.25.2        | go.mod |
| https://osv.dev/GO-2025-4155 |      | Go        | stdlib              | 1.25.0  | 1.25.5        | go.mod |
| https://osv.dev/GO-2025-4175 |      | Go        | stdlib              | 1.25.0  | 1.25.5        | go.mod |
| https://osv.dev/GO-2026-4337 |      | Go        | stdlib              | 1.25.0  | 1.25.7        | go.mod |
| https://osv.dev/GO-2026-4340 |      | Go        | stdlib              | 1.25.0  | 1.25.6        | go.mod |
| https://osv.dev/GO-2026-4341 |      | Go        | stdlib              | 1.25.0  | 1.25.6        | go.mod |
| https://osv.dev/GO-2026-4601 |      | Go        | stdlib              | 1.25.0  | 1.25.8        | go.mod |
| https://osv.dev/GO-2026-4602 |      | Go        | stdlib              | 1.25.0  | 1.25.8        | go.mod |
| https://osv.dev/GO-2026-4865 |      | Go        | stdlib              | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4869 |      | Go        | stdlib              | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4870 |      | Go        | stdlib              | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4918 |      | Go        | stdlib              | 1.25.0  | 1.25.10       | go.mod |
| https://osv.dev/GO-2026-4946 |      | Go        | stdlib              | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4947 |      | Go        | stdlib              | 1.25.0  | 1.25.9        | go.mod |
| https://osv.dev/GO-2026-4971 |      | Go        | stdlib              | 1.25.0  | 1.25.10       | go.mod |
| https://osv.dev/GO-2026-5037 |      | Go        | stdlib              | 1.25.0  | 1.25.11       | go.mod |
| https://osv.dev/GO-2026-5039 |      | Go        | stdlib              | 1.25.0  | 1.25.11       | go.mod |
+------------------------------+------+-----------+---------------------+---------+---------------+--------+
❌ REPOSITORY / trivy - 1 error
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39828                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39829 │          │        │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of  │
│                     │                │          │        │                   │               │ Service via crafted public key with excessive parameters...  │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39829                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39830 │          │        │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of  │
│                     │                │          │        │                   │               │ Service via resource leak from unsolicited SSH responses...  │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39830                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39832 │          │        │                   │               │ golang.org/x/crypto/ssh/agent:                               │
│                     │                │          │        │                   │               │ golang.org/x/crypto/ssh/agent: Security bypass due to        │
│                     │                │          │        │                   │               │ improper handling of key restrictions                        │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39832                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39835 │          │        │                   │               │ SSH servers which use CertChecker as a public key callback   │
│                     │                │          │        │                   │               │ without set...                                               │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39835                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-42508 │          │        │                   │               │ golang.org/x/crypto/ssh/knownhosts: golang:                  │
│                     │                │          │        │                   │               │ golang.org/x/crypto/ssh/knownhosts: Revocation bypass via    │
│                     │                │          │        │                   │               │ unchecked SignatureKey                                       │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-42508                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-46595 │          │        │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh:            │
│                     │                │          │        │                   │               │ Authorization bypass due to skipped source-address           │
│                     │                │          │        │                   │               │ validation                                                   │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-46595                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-46597 │          │        │                   │               │ An incorrectly placed cast from bytes to int allowed for     │
│                     │                │          │        │                   │               │ server-side p...                                             │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-46597                   │
│                     ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39831 │ MEDIUM   │        │                   │               │ The Verify() method for FIDO/U2F security key types          │
│                     │                │          │        │                   │               │ (sk-ecdsa-sha2-nis ...                                       │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39831                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39833 │          │        │                   │               │ The in-memory keyring returned by NewKeyring() silently      │
│                     │                │          │        │                   │               │ accepted keys ...                                            │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39833                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-39834 │          │        │                   │               │ When writing data larger than 4GB in a single Write call     │
│                     │                │          │        │                   │               │ on...                                                        │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-39834                   │
│                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2026-46598 │          │        │                   │               │ golang.org/x/crypto/ssh/agent: golang:                       │
│                     │                │          │        │                   │               │ golang.org/x/crypto/ssh/agent: Denial of Service via         │
│                     │                │          │        │                   │               │ malformed input                                              │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-46598                   │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

(Truncated to last 8000 characters out of 14483)
❌ ACTION / zizmor - 1 error
INFO zizmor: 🌈 zizmor v1.25.0
fatal: no audit was performed
'ref-confusion' audit failed on file://.github/workflows/buildpush.yaml

Caused by:
    0: error in 'ref-confusion' audit
    1: couldn't list branches for actions/checkout
    2: request error while accessing GitHub API
    3: HTTP status client error (401 Unauthorized) for url (https://github.com/actions/checkout.git/git-upload-pack)


[ACTION_ZIZMOR_ERROR_GITHUB_API_UNREACHABLE] Zizmor could not access a repository referenced by a `uses:` clause via the GitHub API (missing token, insufficient scope, or cross-repo private access).
To allow zizmor to authenticate with GITHUB_TOKEN (or a PAT with `Contents: read-only`), whitelist the variable in your .mega-linter.yml:
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN
If the referenced workflow is in a private repo outside the current one, provide a PAT with cross-repo access instead of the default GITHUB_TOKEN, or run zizmor in offline mode.
⚠️ REPOSITORY / grype - 13 errors
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME                 INSTALLED  FIXED IN  TYPE       VULNERABILITY  SEVERITY  EPSS         RISK   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5020   Critical  0.5% (36th)  0.4    
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5023   Critical  0.4% (30th)  0.4    
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5006   Critical  0.4% (31st)  0.4    
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5017   Critical  0.4% (31st)  0.4    
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5019   Critical  0.4% (29th)  0.3    
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5021   Critical  0.4% (28th)  0.3    
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5005   Critical  0.4% (27th)  0.3    
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5013   High      0.4% (27th)  0.3    
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5018   High      0.3% (22nd)  0.2    
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5033   Medium    0.3% (23rd)  0.2    
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5016   Medium    0.2% (9th)   0.1    
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5015   Medium    0.2% (11th)  0.1    
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5014   Medium    0.2% (7th)   < 0.1
[0063] ERROR discovered vulnerabilities at or above the severity threshold

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.6.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,ACTION_ZIZMOR,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,GO_GOLANGCI_LINT,GO_REVIVE,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_BETTERLEAKS,REPOSITORY_GRYPE,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository


Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code
