Bump oxsecurity/megalinter from 9.5.0 to 9.6.0 #147

Open. dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/oxsecurity/megalinter-9.6.0

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jun 29, 2026

Bumps oxsecurity/megalinter from 9.5.0 to 9.6.0.

Release notes

Sourced from oxsecurity/megalinter's releases.

v9.6.0

What's Changed

  • Breaking changes

    • Linters can no longer be run via a sibling Docker image at runtime. The cli_docker_image, cli_docker_image_version and cli_docker_args descriptor properties (and the matching <LINTER>_DOCKER_IMAGE_VERSION variable) have been removed, and MegaLinter no longer mounts /var/run/docker.sock (in mega-linter-runner, the GitHub Action action.yml files, and the Docker daemon previously bundled in flavor images). This closes the host-privilege escalation surface that the mounted Docker socket exposed. The only linter that used this mechanism was SWIFT_SWIFTLINT, now installed natively (see below). (#8216)
    • SWIFT_SWIFTLINT is now installed from the static swiftlint-static binary instead of running the ghcr.io/realm/swiftlint container. It runs natively on the Alpine image with no Docker socket required. SourceKit-dependent rules are disabled in this build and reported to the console when encountered; pure-syntax style rules are unaffected. (#8216)
    • @eslint/eslintrc shim removed from JavaScript/TypeScript/JSX/TSX Docker images (was only needed for legacy FlatCompat); MegaLinter's bundled test fixtures use native flat config. (#7869)
    • ESLint linters now force migration off .eslintrc.*: JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT activate when they find any eslint.config.* or any deprecated .eslintrc.* / package.json#eslintConfig. In the legacy case the linter does not call ESLint at all — it emits a single hard failure with a migration message so the build stays red until the config is migrated to flat config. See the ESLint flat-config migration guide. To opt out, set DISABLE_LINTERS or DISABLE to exclude the affected linter/descriptor. (#7869)
    • JSON_ESLINT_PLUGIN_JSONC removed: upstream bug ota-meshi/eslint-plugin-jsonc#328 blocks ESLint v10 compatibility and will not be fixed. Use JSON_JSONLINT, JSON_PRETTIER, or JSON_V8R for JSON validation instead. (#7869)
  • Core

    • New linter descriptor property common_linter_errors: declare known non-lint failure patterns (config issue, remote service down, missing credentials…) and the guidance message shown to users, directly in YAML — no custom Python class needed. (#7907)
    • Skipped-linters summary now explains why a linter was skipped by an activation rule, including the variable to set to activate it (e.g. MARKDOWN_RUMDL: MARKDOWN_DEFAULT_STYLE=markdownlint (set MARKDOWN_DEFAULT_STYLE=rumdl to activate)), fixing #8017.
  • New linters

    • Add betterleaks linter for repository secrets scanning — successor to gitleaks with higher recall (98.6% vs 70.4%), lower false-positive rates, and 4–5× faster scanning via BPE-based detection and CEL filter expressions (#8186)
  • Disabled linters

    • SALESFORCE_SFDX_SCANNER_APEX, SALESFORCE_SFDX_SCANNER_AURA and SALESFORCE_SFDX_SCANNER_LWC — disabled because sfdx-scanner 4.12.0 crashes on Node.js 22+ (TypeError: Cannot read properties of undefined (reading 'prototype'), caused by the removal of SlowBuffer.prototype), which is shipped with Alpine 3.24. These linters were already deprecated; use the SALESFORCE_CODE_ANALYZER_APEX / SALESFORCE_CODE_ANALYZER_AURA / SALESFORCE_CODE_ANALYZER_LWC variants instead (#8080).
  • Deprecated linters

    • REPOSITORY_GITLEAKS — deprecated in favour of REPOSITORY_BETTERLEAKS (same author, fully compatible config, significantly better detection). Will be removed in the next major release. Disable it by adding REPOSITORY_GITLEAKS to DISABLE_LINTERS in your .mega-linter.yml. (#8186)
  • Removed linters

    • JSON_ESLINT_PLUGIN_JSONC — permanently broken by upstream bug (see Breaking changes) (#7869)
  • Linters enhancements

    • REPOSITORY_CHECKOV: in pull-request mode, scan only the files modified in the PR instead of the whole repository (#7119)
  • Fixes

    • REPOSITORY_BETTERLEAKS: default scan now runs in filesystem (dir) mode instead of auto-switching to git-history (git) mode when a git repository is detected. betterleaks does not read the global git safe.directory config, so git mode failed with fatal: detected dubious ownership in repository in CI environments (e.g. GitHub Actions /github/workspace). Git-history mode is still used for the opt-in REPOSITORY_BETTERLEAKS_PR_COMMITS_SCAN feature. (#8186)
    • REPOSITORY_BETTERLEAKS: added --verbose so detected findings (file, line and rule) are reported instead of only the leaks found: N summary, matching gitleaks behavior. Secret values stay redacted via --redact. (#8186)
    • REPOSITORY_OSV_SCANNER: exit code 128 ("No package sources found") is now treated as a clean pass instead of a failure — osv-scanner returns this code when the repo contains no lockfiles/manifests/SBOMs, which is not a vulnerability finding (#7917).
    • Fix intermittent ansible-lint load-failure[not-found] error on github_conf/branch_protection_rules.json caused by a race condition with checkov running in parallel. Checkov's transient GitHub-conf directory is now written to a hidden path (.megalinter_github_conf) that project-mode linters skip, eliminating the conflict (#8092).
    • Complete the Alpine 3.24 upgrade across the whole image and fix how alpine version is detected. Docker images now build on the python:3.14-alpine3.24 base image (#8080).
    • Avoid DeprecationWarning / future breakage on Python 3.14 by no longer passing count and flags as positional arguments to re.sub (#8211).
    • Exclude REPORT_OUTPUT_FOLDER from linting when configured as an absolute path inside the workspace (e.g. /tmp/lint/megalinter-reports), fixing #7845.
    • Fix command injection in Roslynator linter (DOTNET_ROSLYNATOR) where a crafted .csproj filename could break out of dotnet restore arguments and execute arbitrary shell commands. The command is now invoked via argv list instead of a shell string. Reported by Francesco Sabiu. (#7857)
    • Fix IndexError when building the single-linter Docker image for a linter whose activation depends on a file (e.g. SPELL_VALE requires .vale.ini): python -m megalinter.run --linterversion now bypasses activation filtering since the per-linter image is built for that linter unconditionally.
    • Fix make bootstrap appearing to hang because exported Make color variables re-evaluated tput during recursive make invocations. (#8090)
    • Allow MegaLinter containers to run in an opt-in non-root mode matching the host UID:GID on POSIX systems, avoiding root-owned generated files on the host (#1975).
    • Restore missing examples in the Dart descriptor that were dropped from the generated documentation (#7913).
  • Reporters

  • Doc

    • Add pnpm installation and usage documentation for JavaScript and TypeScript linters (#8177)
    • Update Docker pull counters in README badges and flavors-stats.json with latest ghcr.io stats
    • Bump peter-evans/create-pull-request to v8 in the documented workflow examples (#8089)

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

[v9.6.0] - 2026-06-28

  • Breaking changes

    • Linters can no longer be run via a sibling Docker image at runtime. The cli_docker_image, cli_docker_image_version and cli_docker_args descriptor properties (and the matching <LINTER>_DOCKER_IMAGE_VERSION variable) have been removed, and MegaLinter no longer mounts /var/run/docker.sock (in mega-linter-runner, the GitHub Action action.yml files, and the Docker daemon previously bundled in flavor images). This closes the host-privilege escalation surface that the mounted Docker socket exposed. The only linter that used this mechanism was SWIFT_SWIFTLINT, now installed natively (see below). (#8216)
    • SWIFT_SWIFTLINT is now installed from the static swiftlint-static binary instead of running the ghcr.io/realm/swiftlint container. It runs natively on the Alpine image with no Docker socket required. SourceKit-dependent rules are disabled in this build and reported to the console when encountered; pure-syntax style rules are unaffected. (#8216)
    • @eslint/eslintrc shim removed from JavaScript/TypeScript/JSX/TSX Docker images (was only needed for legacy FlatCompat); MegaLinter's bundled test fixtures use native flat config. (#7869)
    • ESLint linters now force migration off .eslintrc.*: JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT activate when they find any eslint.config.* or any deprecated .eslintrc.* / package.json#eslintConfig. In the legacy case the linter does not call ESLint at all — it emits a single hard failure with a migration message so the build stays red until the config is migrated to flat config. See the ESLint flat-config migration guide. To opt out, set DISABLE_LINTERS or DISABLE to exclude the affected linter/descriptor. (#7869)
    • JSON_ESLINT_PLUGIN_JSONC removed: upstream bug ota-meshi/eslint-plugin-jsonc#328 blocks ESLint v10 compatibility and will not be fixed. Use JSON_JSONLINT, JSON_PRETTIER, or JSON_V8R for JSON validation instead. (#7869)
  • Core

    • New linter descriptor property common_linter_errors: declare known non-lint failure patterns (config issue, remote service down, missing credentials…) and the guidance message shown to users, directly in YAML — no custom Python class needed. (#7907)
    • Skipped-linters summary now explains why a linter was skipped by an activation rule, including the variable to set to activate it (e.g. MARKDOWN_RUMDL: MARKDOWN_DEFAULT_STYLE=markdownlint (set MARKDOWN_DEFAULT_STYLE=rumdl to activate)), fixing #8017.
  • New linters

    • Add betterleaks linter for repository secrets scanning — successor to gitleaks with higher recall (98.6% vs 70.4%), lower false-positive rates, and 4–5× faster scanning via BPE-based detection and CEL filter expressions (#8186)
  • Disabled linters

    • SALESFORCE_SFDX_SCANNER_APEX, SALESFORCE_SFDX_SCANNER_AURA and SALESFORCE_SFDX_SCANNER_LWC — disabled because sfdx-scanner 4.12.0 crashes on Node.js 22+ (TypeError: Cannot read properties of undefined (reading 'prototype'), caused by the removal of SlowBuffer.prototype), which is shipped with Alpine 3.24. These linters were already deprecated; use the SALESFORCE_CODE_ANALYZER_APEX / SALESFORCE_CODE_ANALYZER_AURA / SALESFORCE_CODE_ANALYZER_LWC variants instead (#8080).
  • Deprecated linters

    • REPOSITORY_GITLEAKS — deprecated in favour of REPOSITORY_BETTERLEAKS (same author, fully compatible config, significantly better detection). Will be removed in the next major release. Disable it by adding REPOSITORY_GITLEAKS to DISABLE_LINTERS in your .mega-linter.yml. (#8186)
  • Removed linters

    • JSON_ESLINT_PLUGIN_JSONC — permanently broken by upstream bug (see Breaking changes) (#7869)
  • Linters enhancements

    • REPOSITORY_CHECKOV: in pull-request mode, scan only the files modified in the PR instead of the whole repository (#7119)
  • Fixes

    • REPOSITORY_BETTERLEAKS: default scan now runs in filesystem (dir) mode instead of auto-switching to git-history (git) mode when a git repository is detected. betterleaks does not read the global git safe.directory config, so git mode failed with fatal: detected dubious ownership in repository in CI environments (e.g. GitHub Actions /github/workspace). Git-history mode is still used for the opt-in REPOSITORY_BETTERLEAKS_PR_COMMITS_SCAN feature. (#8186)
    • REPOSITORY_BETTERLEAKS: added --verbose so detected findings (file, line and rule) are reported instead of only the leaks found: N summary, matching gitleaks behavior. Secret values stay redacted via --redact. (#8186)
    • REPOSITORY_OSV_SCANNER: exit code 128 ("No package sources found") is now treated as a clean pass instead of a failure — osv-scanner returns this code when the repo contains no lockfiles/manifests/SBOMs, which is not a vulnerability finding (#7917).
    • Fix intermittent ansible-lint load-failure[not-found] error on github_conf/branch_protection_rules.json caused by a race condition with checkov running in parallel. Checkov's transient GitHub-conf directory is now written to a hidden path (.megalinter_github_conf) that project-mode linters skip, eliminating the conflict (#8092).
    • Complete the Alpine 3.24 upgrade across the whole image and fix how alpine version is detected. Docker images now build on the python:3.14-alpine3.24 base image (#8080).
    • Avoid DeprecationWarning / future breakage on Python 3.14 by no longer passing count and flags as positional arguments to re.sub (#8211).
    • Exclude REPORT_OUTPUT_FOLDER from linting when configured as an absolute path inside the workspace (e.g. /tmp/lint/megalinter-reports), fixing #7845.
    • Fix command injection in Roslynator linter (DOTNET_ROSLYNATOR) where a crafted .csproj filename could break out of dotnet restore arguments and execute arbitrary shell commands. The command is now invoked via argv list instead of a shell string. Reported by Francesco Sabiu. (#7857)
    • Fix IndexError when building the single-linter Docker image for a linter whose activation depends on a file (e.g. SPELL_VALE requires .vale.ini): python -m megalinter.run --linterversion now bypasses activation filtering since the per-linter image is built for that linter unconditionally.
    • Fix make bootstrap appearing to hang because exported Make color variables re-evaluated tput during recursive make invocations. (#8090)
    • Allow MegaLinter containers to run in an opt-in non-root mode matching the host UID:GID on POSIX systems, avoiding root-owned generated files on the host (#1975).
    • Restore missing examples in the Dart descriptor that were dropped from the generated documentation (#7913).
  • Reporters

  • Doc

    • Add pnpm installation and usage documentation for JavaScript and TypeScript linters (#8177)
    • Update Docker pull counters in README badges and flavors-stats.json with latest ghcr.io stats
    • Bump peter-evans/create-pull-request to v8 in the documented workflow examples (#8089)

... (truncated)

Commits
  • ef3e84b Release MegaLinter v9.6.0
  • 8b9259b Skill prepare-release (#8245)
  • 5810155 chore(deps): bump pymdown-extensions from 10.21.3 to 11.0 in /.config/python/...
  • aca415c chore(deps): update dependency semver to v7.8.5 (#8198)
  • 2d8b274 Remove max-parallel for linters
  • e9ab3e9 chore(ci): manual run of deploy linters beta job (#8242)
  • a8a6368 Changelog (#8241)
  • 7f363c6 [automation] Auto-update linters version, help and documentation (#8215)
  • bce5232 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.11.25 (#8232)
  • 9d98266 chore(deps): update dependency realm/swiftlint to v0.65.0 (#8240)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [oxsecurity/megalinter](https://github.com/oxsecurity/megalinter) from 9.5.0 to 9.6.0.
- [Release notes](https://github.com/oxsecurity/megalinter/releases)
- [Changelog](https://github.com/oxsecurity/megalinter/blob/main/CHANGELOG.md)
- [Commits](oxsecurity/megalinter@v9.5.0...v9.6.0)

---
updated-dependencies:
- dependency-name: oxsecurity/megalinter
  dependency-version: 9.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
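The Roslynator fix listed in the release notes (#7857, "invoked via argv list instead of a shell string") is an instance of a general pattern worth seeing side by side. The following is an added illustration, not MegaLinter's own code: `echo` stands in for the real `dotnet restore` invocation, and the file name is a constructed sample carrying a shell metacharacter. The vulnerable variant interpolates the name into a string that `/bin/sh` parses; the hardened variant hands the name to the process as one argv element, so it is never parsed as shell syntax.

```python
import subprocess

# Constructed sample input (not from any real repository): a project file name
# that contains a shell command separator. This is the class of input the
# argv-list change guards against.
CRAFTED_NAME = "app.csproj; echo INJECTED"


def run_via_shell_string(filename: str) -> str:
    """Vulnerable pattern: build one command string and let /bin/sh parse it.
    The shell sees ';' as a separator and runs whatever follows it.
    'echo' is a hypothetical stand-in for the linter's real tool."""
    cmd = f"echo {filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_via_argv(filename: str) -> str:
    """Hardened pattern: pass an argv list and no shell. The operating system
    delivers the whole filename as a single argument, metacharacters included,
    so nothing in it can start a second command."""
    argv = ["echo", filename]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def was_injected(output: str) -> bool:
    """Check used to tell the two behaviours apart: a line consisting solely of
    INJECTED means the trailing 'echo INJECTED' was executed as a command
    rather than passed through as data."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    shell_out = run_via_shell_string(CRAFTED_NAME)
    argv_out = run_via_argv(CRAFTED_NAME)
    print("shell string output:", repr(shell_out), "injected:", was_injected(shell_out))
    print("argv list output:   ", repr(argv_out), "injected:", was_injected(argv_out))
```

Two points a reviewer of such a fix would still check: the argv form removes shell parsing only, so the invoked tool still parses its own options (a name beginning with `-` may be read as a flag and needs its own guard), and any remaining `shell=True` call sites in the code base deserve the same treatment.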
dependabot[bot] added labels on Jun 29, 2026: dependencies (Pull requests that update a dependency file), github_actions (Pull requests that update GitHub Actions code)
@github-actions

MegaLinter analysis: Error

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 3 | | 0 | 0 | 0.11s |
| ❌ COPYPASTE | jscpd | yes | | 5 | no | 0.64s |
| ✅ CSS | stylelint | 1 | | 0 | 0 | 1.19s |
| ✅ HTML | htmlhint | 4 | | 0 | 0 | 0.23s |
| ✅ JAVASCRIPT | standard | 1 | | 0 | 0 | 1.46s |
| ✅ JSON | jsonlint | 1 | | 0 | 0 | 0.08s |
| ✅ JSON | v8r | 1 | | 0 | 0 | 2.17s |
| ⚠️ MARKDOWN | markdownlint | 18 | | 11 | 0 | 2.8s |
| ✅ MARKDOWN | markdown-table-formatter | 18 | | 0 | 0 | 0.66s |
| ❌ REPOSITORY | checkov | yes | | 1 | no | 24.25s |
| ❌ REPOSITORY | devskim | yes | | 1 | no | 1.85s |
| ✅ REPOSITORY | dustilock | yes | | no | no | 0.04s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.35s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ❌ REPOSITORY | grype | yes | | 129 | no | 55.41s |
| ❌ REPOSITORY | secretlint | yes | | 1 | no | 1.21s |
| ✅ REPOSITORY | syft | yes | | no | no | 2.13s |
| ❌ REPOSITORY | trivy | yes | | 1 | no | 13.1s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 1.92s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 5.2s |
| ❌ SPELL | lychee | 38 | | 5 | 0 | 4.82s |
| ✅ YAML | v8r | 15 | | 0 | 0 | 6.44s |
| ❌ YAML | yamllint | 15 | | 2 | 0 | 0.93s |

Detailed Issues

❌ REPOSITORY / checkov - 1 error
secrets scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_SECRET_4: "Basic Auth Credentials"
	FAILED for resource: HIDDEN_BY_MEGALINTER	File: /test/dummy/config/database.yml:80-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-4

		80 | #   DATABASE_URL="postgres://myuser:m**********@localhost/somedatabase"

github_actions scan results:

Passed checks: 83, Failed checks: 0, Skipped checks: 0
❌ REPOSITORY / devskim - 1 error
{"$schema":"https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.6.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"devskim","fullName":"Microsoft DevSkim Command Line Interface","version":"1.0.70+d69541fde7","informationUri":"https://github.com/microsoft/DevSkim/","rules":[{"id":"DS176209","name":"SuspiciousComment","fullDescription":{"text":"Suspicious comment: A \"TODO\" or similar was left in source code, possibly indicating incomplete functionality"},"help":{"text":"A \"TODO\" or similar was left in source code, possibly indicating incomplete functionality","markdown":"Visit [https://github.com/Microsoft/DevSkim/blob/main/guidance/DS176209.md](https://github.com/Microsoft/DevSkim/blob/main/guidance/DS176209.md) for additional guidance on this issue."},"shortDescription":{"text":"A \"TODO\" or similar was left in source code, possibly indicating incomplete functionality"},"defaultConfiguration":{"level":"note"},"helpUri":"https://github.com/Microsoft/DevSkim/blob/main/guidance/DS176209.md","properties":{"precision":"high","problem.severity":"recommendation","DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"id":"DS162092","name":"DoNotLeaveDebugCodeInProduction","fullDescription":{"text":"Do not leave debug code in production: Accessing localhost could indicate debug code, or could hinder scaling."},"help":{"text":"Accessing localhost could indicate debug code, or could hinder scaling.","markdown":"Visit [https://github.com/Microsoft/DevSkim/blob/main/guidance/DS162092.md](https://github.com/Microsoft/DevSkim/blob/main/guidance/DS162092.md) for additional guidance on this issue."},"shortDescription":{"text":"Accessing localhost could indicate debug code, or could hinder scaling."},"defaultConfiguration":{"level":"note"},"helpUri":"https://github.com/Microsoft/DevSkim/blob/main/guidance/DS162092.md","properties":{"precision":"high","problem.severity":"recommendation","DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}}]}},"versionControlProvenance":[{"repositoryUri":"https://github.com/HealthDataInsight/structured_store","revisionId":"HIDDEN_BY_MEGALINTER","branch":"(no branch)"}],"results":[{"ruleId":"DS162092","level":"note","message":{"text":"Do not leave debug code in production"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"test/dummy/config/database.yml"},"region":{"startLine":69,"startColumn":8,"endLine":69,"endColumn":17,"charOffset":2208,"charLength":9,"snippet":{"text":"localhost","rendered":{"text":"localhost","markdown":"`localhost`"}},"sourceLanguage":"yaml"}}}],"properties":{"tags":["Hygiene.Network.AccessingLocalhost"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS162092","level":"note","message":{"text":"Do not leave debug code in production"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"test/dummy/config/database.yml"},"region":{"startLine":28,"startColumn":8,"endLine":28,"endColumn":17,"charOffset":798,"charLength":9,"snippet":{"text":"localhost","rendered":{"text":"localhost","markdown":"`localhost`"}},"sourceLanguage":"yaml"}}}],"properties":{"tags":["Hygiene.Network.AccessingLocalhost"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS162092","level":"note","message":{"text":"Do not leave debug code in production"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/ci.yml"},"region":{"startLine":51,"startColumn":47,"endLine":51,"endColumn":56,"charOffset":1077,"charLength":9,"snippet":{"text":"localhost","rendered":{"text":"localhost","markdown":"`localhost`"}},"sourceLanguage":"yaml"}}}],"properties":{"tags":["Hygiene.Network.AccessingLocalhost"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lib/structured_store/schema_inspector.rb"},"region":{"startLine":49,"startColumn":12,"endLine":49,"endColumn":16,"charOffset":1346,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"ruby"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}}],"columnKind":"utf16CodeUnits"}]}
❌ REPOSITORY / grype - 129 errors
x-gnu       1.19.4    gem   GHSA-p67v-3w7g-wjg7  Low       N/A          N/A    
nokogiri         1.18.10-arm-linux-gnu       1.19.4    gem   GHSA-phwj-rprq-35pp  Low       N/A          N/A    
nokogiri         1.18.10-arm-linux-gnu       1.19.4    gem   GHSA-wfpw-mmfh-qq69  Low       N/A          N/A    
nokogiri         1.18.10-arm-linux-gnu       1.19.4    gem   GHSA-wjv4-x9w8-wm3h  Low       N/A          N/A    
nokogiri         1.18.10-arm-linux-musl      1.19.4    gem   GHSA-5v8h-3h3q-446p  Low       N/A          N/A    
nokogiri         1.18.10-arm-linux-musl      1.19.4    gem   GHSA-8678-w3jw-xfc2  Low       N/A          N/A    
nokogiri         1.18.10-arm-linux-musl      1.19.4    gem   GHSA-9cv2-cfxc-v4v2  Low       N/A          N/A    
nokogiri         1.18.10-arm-linux-musl      1.19.4    gem   GHSA-p67v-3w7g-wjg7  Low       N/A          N/A    
nokogiri         1.18.10-arm-linux-musl      1.19.4    gem   GHSA-phwj-rprq-35pp  Low       N/A          N/A    
nokogiri         1.18.10-arm-linux-musl      1.19.4    gem   GHSA-wfpw-mmfh-qq69  Low       N/A          N/A    
nokogiri         1.18.10-arm-linux-musl      1.19.4    gem   GHSA-wjv4-x9w8-wm3h  Low       N/A          N/A    
nokogiri         1.18.10-arm64-darwin        1.19.4    gem   GHSA-5v8h-3h3q-446p  Low       N/A          N/A    
nokogiri         1.18.10-arm64-darwin        1.19.4    gem   GHSA-8678-w3jw-xfc2  Low       N/A          N/A    
nokogiri         1.18.10-arm64-darwin        1.19.4    gem   GHSA-9cv2-cfxc-v4v2  Low       N/A          N/A    
nokogiri         1.18.10-arm64-darwin        1.19.4    gem   GHSA-p67v-3w7g-wjg7  Low       N/A          N/A    
nokogiri         1.18.10-arm64-darwin        1.19.4    gem   GHSA-phwj-rprq-35pp  Low       N/A          N/A    
nokogiri         1.18.10-arm64-darwin        1.19.4    gem   GHSA-wfpw-mmfh-qq69  Low       N/A          N/A    
nokogiri         1.18.10-arm64-darwin        1.19.4    gem   GHSA-wjv4-x9w8-wm3h  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-darwin       1.19.4    gem   GHSA-5v8h-3h3q-446p  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-darwin       1.19.4    gem   GHSA-8678-w3jw-xfc2  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-darwin       1.19.4    gem   GHSA-9cv2-cfxc-v4v2  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-darwin       1.19.4    gem   GHSA-p67v-3w7g-wjg7  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-darwin       1.19.4    gem   GHSA-phwj-rprq-35pp  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-darwin       1.19.4    gem   GHSA-wfpw-mmfh-qq69  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-darwin       1.19.4    gem   GHSA-wjv4-x9w8-wm3h  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-gnu    1.19.4    gem   GHSA-5v8h-3h3q-446p  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-gnu    1.19.4    gem   GHSA-8678-w3jw-xfc2  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-gnu    1.19.4    gem   GHSA-9cv2-cfxc-v4v2  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-gnu    1.19.4    gem   GHSA-p67v-3w7g-wjg7  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-gnu    1.19.4    gem   GHSA-phwj-rprq-35pp  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-gnu    1.19.4    gem   GHSA-wfpw-mmfh-qq69  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-gnu    1.19.4    gem   GHSA-wjv4-x9w8-wm3h  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-musl   1.19.4    gem   GHSA-5v8h-3h3q-446p  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-musl   1.19.4    gem   GHSA-8678-w3jw-xfc2  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-musl   1.19.4    gem   GHSA-9cv2-cfxc-v4v2  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-musl   1.19.4    gem   GHSA-p67v-3w7g-wjg7  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-musl   1.19.4    gem   GHSA-phwj-rprq-35pp  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-musl   1.19.4    gem   GHSA-wfpw-mmfh-qq69  Low       N/A          N/A    
nokogiri         1.18.10-x86_64-linux-musl   1.19.4    gem   GHSA-wjv4-x9w8-wm3h  Low       N/A          N/A
[0055] ERROR discovered vulnerabilities at or above the severity threshold

(Truncated to last 4444 characters out of 14905)
❌ COPYPASTE / jscpd - 5 errors
Using config from /action/lib/.automation/.jscpd.json
Clone found (ruby)
 - bin/rake [8:1 - 27:19] (20 lines, 93 tokens)
   bin/rubocop [8:1 - 27:19]
Clone found (ruby)
 - test/dummy/test/models/example_record_test.rb [72:60 - 92:93] (21 lines, 111 tokens)
   test/dummy/test/models/example_record_test.rb [115:54 - 135:93]
Clone found (ruby)
 - test/dummy/test/models/example_record_test.rb [98:5 - 113:6] (16 lines, 80 tokens)
   test/dummy/test/models/example_record_test.rb [139:5 - 154:6]
Clone found (ruby)
 - test/dummy/test/models/warehouse_record_test.rb [41:60 - 53:14] (13 lines, 51 tokens)
   test/dummy/test/models/warehouse_record_test.rb [64:54 - 76:14]
Clone found (ruby)
 - test/dummy/test/ref_resolvers/blank_ref_resolver_test.rb [32:13 - 47:30] (16 lines, 53 tokens)
   test/dummy/test/ref_resolvers/definitions_resolver_test.rb [23:13 - 38:30]
┌────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ ruby   │ 47             │ 3726        │ 13392        │ 5            │ 81 (2.17%)       │ 388 (2.90%)       │
├────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total: │ 47             │ 3726        │ 13392        │ 5            │ 81 (2.17%)       │ 388 (2.90%)       │
└────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 5 clones.
HTML report saved to megalinter-reports/copy-paste/jscpd-report.html
ERROR: jscpd found too many duplicates (2.2%) over threshold (0.0%)
time: 59.144ms
❌ SPELL / lychee - 5 errors
📝 Summary
---------------------
🔍 Total..........158
🔗 Unique.........140
✅ Successful.....149
⏳ Timeouts.........0
🔀 Redirected......12
👻 Excluded.........1
❓ Unknown..........0
🚫 Errors...........5
⛔ Unsupported......5

Errors in .github/workflows/mega-linter.yml
[404] https://megalinter.io/configuration/ (at 48:13) | Rejected status code: 404 Not Found
[404] https://megalinter.io/flavors/ (at 44:24) | Rejected status code: 404 Not Found

Errors in .mega-linter.yml
[404] https://megalinter.io/configuration/ (at 3:34) | Rejected status code: 404 Not Found

Errors in docs/way_of_working/code-of-conduct.md
[ERROR] file://docs/way_of_working/CODE_OF_CONDUCT.md (at 6:1) | File not found. Check if file exists and path is correct

Errors in docs/way_of_working/decision-records.md
[ERROR] https://gds-way.cloudapps.digital/standards/architecture-decisions.html (at 14:71) | Connection failed. Check network connectivity and firewall settings

Hint: Followed 12 redirects. You might want to consider replacing redirecting URLs with the resolved URLs. Use verbose mode (`-v`/`-vv`) to see redirection details.
Hint: You can configure accepted/rejected response codes with `-a` or `--accept`
❌ REPOSITORY / secretlint - 1 error
test/dummy/config/database.yml
  80:18  error  [PostgreSQLConnection] found PostgreSQL connection string: ************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string

✖ 1 problem (1 error, 0 warnings, 0 infos)
❌ REPOSITORY / trivy - 1 error
│                 │                     │          │        │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2026-34826                   │
│                 ├─────────────────────┤          │        │                   │                                                        ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-34830      │          │        │                   │                                                        │ rack: Rack: Information disclosure via regular expression    │
│                 │                     │          │        │                   │                                                        │ injection in X-Accel-Mapping header                          │
│                 │                     │          │        │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2026-34830                   │
│                 ├─────────────────────┤          │        │                   │                                                        ├──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-34831      │          │        │                   │                                                        │ rack: Rack: HTTP response desynchronization via incorrect    │
│                 │                     │          │        │                   │                                                        │ Content-Length calculation with UTF-8 characters...          │
│                 │                     │          │        │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2026-34831                   │
│                 ├─────────────────────┤          │        │                   ├────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-34835      │          │        │                   │ ~> 3.1.21, >= 3.2.6                                    │ rack: Rack: Host header poisoning due to malformed Host      │
│                 │                     │          │        │                   │                                                        │ header bypasses validation...                                │
│                 │                     │          │        │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2026-34835                   │
│                 ├─────────────────────┼──────────┤        │                   ├────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2026-26961      │ LOW      │        │                   │ ~> 2.2.23, ~> 3.1.21, >= 3.2.6                         │ github.com/rack/rack: Rack: Content smuggling via multipart  │
│                 │                     │          │        │                   │                                                        │ boundary parsing mismatch                                    │
│                 │                     │          │        │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2026-26961                   │
├─────────────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ rack-session    │ CVE-2026-39324      │ CRITICAL │        │ 2.1.1             │ >= 2.1.2                                               │ Rack::Session is a session management implementation for     │
│                 │                     │          │        │                   │                                                        │ Rack. From 2. ...                                            │
│                 │                     │          │        │                   │                                                        │ https://avd.aquasec.com/nvd/cve-2026-39324                   │
└─────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

(Truncated to last 4444 characters out of 51896)
❌ YAML / yamllint - 2 errors
.github/workflows/mega-linter.yml
  53:7      warning  comment not indented like content  (comments-indentation)

test/dummy/config/database.yml
  62:1      error    syntax error: could not find expected ':' (syntax)
⚠️ MARKDOWN / markdownlint - 11 errors
.github/ISSUE_TEMPLATE/job-story.md:8 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Job Story"]
.github/pull_request_template.md:1 error MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## What?"]
.github/pull_request_template.md:29 error MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"]
CHANGELOG.md:18 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Fixed"]
CHANGELOG.md:24 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Fixed"]
CHANGELOG.md:36 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Fixed"]
CHANGELOG.md:42 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Added"]
CHANGELOG.md:57 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Added"]
docs/way_of_working/code-linting/index.md:25:288 error MD059/descriptive-link-text Link text should be descriptive [Context: "[here]"]
docs/way_of_working/pull-request-template-and-guidelines.md:7:401 error MD013/line-length Line length [Expected: 400; Actual: 497]
README.md:7:401 error MD013/line-length Line length [Expected: 400; Actual: 451]

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.6.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,COPYPASTE_JSCPD,CSS_STYLELINT,HTML_HTMLHINT,JAVASCRIPT_STANDARD,JSON_JSONLINT,JSON_V8R,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DEVSKIM,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

Labels

dependencies (Pull requests that update a dependency file), github_actions (Pull requests that update GitHub Actions code)