Update oxsecurity/megalinter action to v8

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
oxsecurity/megalinter	action	major	v7.13.0 -> v8.3.0

---

Release Notes

oxsecurity/megalinter (oxsecurity/megalinter)

v8.3.0

Compare Source

• Core

  • Display command log (truncated to 250 chars) even when LOG_LEVEL is not DEBUG
  • Allow to replace an ENV var value with the value of another ENV var before calling a PRE_COMMAND (helps for tflint run from GitHub Enterprise)
  • Fix handling of git submodule paths

• Fixes

  • trivy: retry in case of BLOB_UNKNOWN while downloading vulnerability list

• Reporters

  • Fix UpdatedSourcesReporter when APPLY_FIXES is list (array)
  • Fix AzureCommentReporter when the repo is not found: fallback using BUILD_REPOSITORY_ID. (+ disable space replacement in repo name with AZURE_COMMENT_REPORTER_REPLACE_WITH_SPACES: false)

• CI

  • Fix Docker mirroring job for release context
  • Remove max parallel jobs for release linters workflow

• Linter versions upgrades (13)

  • cfn-lint from 1.19.0 to 1.20.0
  • checkov from 3.2.298 to 3.2.311
  • csharpier from 0.29.2 to 0.30.2
  • markdownlint from 0.42.0 to 0.43.0
  • phpstan from 2.0.1 to 2.0.2
  • ruff from 0.7.4 to 0.8.0
  • spectral from 6.14.1 to 6.14.2
  • stylua from 0.20.0 to 2.0.0
  • syft from 1.16.0 to 1.17.0
  • trivy-sbom from 0.57.0 to 0.57.1
  • trivy from 0.57.0 to 0.57.1
  • trufflehog from 3.83.7 to 3.84.1
  • vale from 3.9.0 to 3.9.1

v8.2.0

Compare Source

• Media

  • 10 MegaLinter Tips and Tricks Unlock its Full Potential by Wes Dean
  • MegaLinter Performance Tuning for Maximum Efficiency by Wes Dean

• Linters enhancements

  • detekt Enable SARIF output + count errors
  • lintr: Support files in subdirectories, fix unit tests
  • phpcs: Activate APPLY_FIXES
  • Salesforce linters: Add SF_CLI_DISABLE_AUTOUPDATE for SF CLI JIT plugins
  • trivy: handle retry if failed to download Java DB is detected
  • tsqllint Re-enabled after .net 8 and security updates

• Fixes

  • Add message in PR comment if FAIL_IF_UPDATED_SOURCES is triggered
  • Fix linting errors in GitHub Actions template

• Reporters

  • UpdatedSourcesReporter will git commit & push fixed files to source branch if APPLY_FIXES is set
  • Fix AzureCommentReporter not adding comments to PR
  • Fix AzureCommentReporter fails when target repo contains spaces

• Doc

  • Updated documentation with Azure central pipeline use case
  • Update DevSkim documentation to show a valid exclusion config file
  • Note about risky rules and how to fix rule violations with PHP-CS-Fixer

• CI

  • Also prune volumes before pulling and pushing to docker hub
  • Externalize mirroring from ghcr.io to docker hub in another workflow to avoid memory issues
  • Squash docker images to have less layers and size
  • Comment jobs related to GitHub Worker images, as CodeTotal is not actively maintained
  • Make gitpod workflow not blocking until uv install is fixed
  • Update stale comment
  • Try several times to embed trivy db during Docker build, as a workaround to the random failures
  • Wait 10 secondes instead of 1 before retrying a failing test method, to avoid race conditions

• Linter versions upgrades (104)

  • actionlint from 1.7.3 to 1.7.4
  • ansible-lint from 24.9.2 to 24.10.0
  • bicep_linter from 0.30.23 to 0.31.92
  • cfn-lint from 1.16.1 to 1.19.0
  • checkov from 3.2.257 to 3.2.298
  • checkstyle from 10.18.2 to 10.20.1
  • clippy from 0.1.81 to 0.1.82
  • clj-kondo from 2024.09.27 to 2024.11.14
  • cspell from 8.15.1 to 8.16.0
  • devskim from 1.0.33 to 1.0.44
  • djlint from 1.35.2 to 1.36.1
  • dotnet-format from 8.0.110 to 8.0.111
  • gitleaks from 8.20.1 to 8.21.2
  • golangci-lint from 1.61.0 to 1.62.0
  • ktlint from 1.3.1 to 1.4.1
  • lightning-flow-scanner from 2.34.0 to 2.36.0
  • lychee from 0.16.1 to 0.17.0
  • mypy from 1.11.2 to 1.13.0
  • perlcritic from 1.152 to 1.156
  • phpcs from 3.10.3 to 3.11.1
  • phplint from 9.5.3 to 9.5.4
  • phpstan from 1.12.6 to 2.0.1
  • pmd from 7.6.0 to 7.7.0
  • pyright from 1.1.384 to 1.1.389
  • revive from 1.4.0 to 1.5.1
  • roslynator from 0.9.1.0 to 0.9.3.0
  • rubocop from 1.66.1 to 1.68.0
  • ruff from 0.6.9 to 0.7.4
  • secretlint from 8.4.0 to 9.0.0
  • sfdx-scanner-apex from 4.6.0 to 4.7.0
  • sfdx-scanner-aura from 4.6.0 to 4.7.0
  • sfdx-scanner-lwc from 4.6.0 to 4.7.0
  • shfmt from 3.9.0 to 3.10.0
  • snakemake from 8.21.0 to 8.25.3
  • spectral from 6.13.1 to 6.14.1
  • sqlfluff from 3.2.3 to 3.2.5
  • syft from 1.14.0 to 1.16.0
  • terraform-fmt from 1.9.5 to 1.9.8
  • terragrunt from 0.67.5 to 0.68.14
  • tflint from 0.53.0 to 0.54.0
  • trivy-sbom from 0.56.2 to 0.57.0
  • trivy from 0.56.2 to 0.57.0
  • trufflehog from 3.82.11 to 3.83.7
  • tsqllint from 1.15.3.0 to 1.16.0.0
  • v8r from 4.1.0 to 4.2.0
  • vale from 3.7.1 to 3.9.0

v8.1.0

Compare Source

• Core

  • Allow to tag PRE_COMMANDS to run them before loading plugins, by @​nvuillam in #​3944
  • Replace usage of setup.py with a pyproject.toml package install, by @​echoix in #​3893
  • Allow to add custom messages at the end of PR / MR MegaLinter Summary using variable JOB_SUMMARY_ADDITIONAL_MARKDOWN

• New linters

  • New LUA linter: selene, by @​AlejandroSuero in #​3978
  • New LUA formatter: stylua, by @​AlejandroSuero in #​3985

• Linters enhancements

  • Trivy
    • Embed vulnerability database in Docker Image for running trivy on internet-free network
    • Retry 5 times after 3 seconds in case of TooManyRequests when downloading vulnerability database
    • If the retries did not succeed, call trivy with --skip-db-update --skip-check-update (not ideal but better than nothing)
  • Bash/Perl: Support shell scripts with no extension and only support perl shebangs at the beginning of a file in #​4076

• Fixes

  • Add debug traces to investigate reporters activation
  • Add more traces for ApiReporter
  • Activate ApiReporter by default

• Reporters

  • Fix ApiReporter not called in MegaLinter flavors

• Doc

  • Fix Grafana Home Dashboard to add missing criteria
  • Update PRE_COMMANDS documentation to describe all properties
  • Update Grafana documentation to fix secrets typo

• CI

  • Free space in release job to avoid no space left on device, by @​nvuillam in #​3914
  • Add pytest-rerunfailures to improve CI control jobs success, by @​AlejandroSuero in #​3993
  • Send GITHUB_TOKEN to trivy-action
  • Workaround to avoid to reach Docker Hub rate limits: Build & push first on ghcr.io, then login to docker hub, then push to docker hub

• Linter versions upgrades

  • actionlint from 1.7.1 to 1.7.3 on 2024-09-29
  • ansible-lint from 24.7.0 to 24.9.2 on 2024-09-20
  • bandit from 1.7.9 to 1.7.10 on 2024-09-23
  • bicep_linter from 0.29.47 to 0.30.23 on 2024-09-24
  • black from 24.8.0 to 24.10.0 on 2024-10-07
  • cfn-lint from 1.10.3 to 1.16.1 on 2024-10-11
  • checkov from 3.2.232 to 3.2.257 on 2024-10-06
  • checkstyle from 10.17.0 to 10.18.2 on 2024-09-29
  • clippy from 0.1.80 to 0.1.81 on 2024-09-06
  • clj-kondo from 2024.08.01 to 2024.09.27 on 2024-09-26
  • cpplint from 1.6.1 to 2.0.0 on 2024-10-06
  • csharpier from 0.29.0 to 0.29.2 on 2024-09-16
  • cspell from 8.14.1 to 8.15.1 on 2024-10-11
  • detekt from 1.23.6 to 1.23.7 on 2024-09-08
  • djlint from 1.34.1 to 1.35.2 on 2024-08-29
  • dotnet-format from 8.0.108 to 8.0.110 on 2024-10-11
  • eslint from 8.57.0 to 8.57.1 on 2024-09-16
  • gitleaks from 8.18.4 to 8.20.1 on 2024-10-08
  • golangci-lint from 1.60.1 to 1.61.0 on 2024-09-09
  • kics from 2.1.2 to 2.1.3 on 2024-10-04
  • lightning-flow-scanner from 2.33.0 to 2.34.0 on 2024-08-25
  • lychee from 0.15.1 to 0.16.1 on 2024-10-07
  • markdownlint from 0.41.0 to 0.42.0 on 2024-09-24
  • mypy from 1.11.1 to 1.11.2 on 2024-08-25
  • npm-groovy-lint from 14.6.0 to 15.0.2 on 2024-08-29
  • php-cs-fixer from 3.62.0 to 3.64.0 on 2024-08-31
  • phpcs from 3.10.2 to 3.10.3 on 2024-09-20
  • phplint from 9.4.1 to 9.5.3 on 2024-10-11
  • phpstan from 1.11.11 to 1.12.6 on 2024-10-06
  • pmd from 7.4.0 to 7.6.0 on 2024-09-27
  • psalm from Psalm.5.25.0@​ to Psalm.5.26.1@​ on 2024-09-09
  • pylint from 3.2.6 to 3.3.1 on 2024-09-24
  • pyright from 1.1.376 to 1.1.384 on 2024-10-11
  • revive from 1.3.9 to 1.4.0 on 2024-09-23
  • roslynator from 0.8.9.0 to 0.9.1.0 on 2024-10-11
  • rubocop from 1.65.1 to 1.66.1 on 2024-09-06
  • ruff from 0.6.1 to 0.6.9 on 2024-10-04
  • scalafix from 0.12.1 to 0.13.0 on 2024-09-27
  • secretlint from 8.2.4 to 8.4.0 on 2024-10-06
  • sfdx-scanner-apex from 4.4.0 to 4.6.0 on 2024-09-26
  • sfdx-scanner-aura from 4.4.0 to 4.6.0 on 2024-09-26
  • sfdx-scanner-lwc from 4.4.0 to 4.6.0 on 2024-09-26
  • shfmt from 3.8.0 to 3.9.0 on 2024-09-03
  • snakemake from 8.18.1 to 8.21.0 on 2024-10-13
  • spectral from 6.11.1 to 6.13.1 on 2024-09-21
  • sqlfluff from 3.1.0 to 3.2.3 on 2024-10-11
  • standard from 17.1.0 to 17.1.2 on 2024-09-13
  • stylelint from 16.8.2 to 16.10.0 on 2024-10-11
  • swiftlint from 0.56.1 to 0.57.0 on 2024-09-09
  • syft from 1.11.0 to 1.14.0 on 2024-10-07
  • terraform-fmt from 1.9.4 to 1.9.5 on 2024-08-28
  • terragrunt from 0.66.8 to 0.67.5 on 2024-09-16
  • terrascan from 1.18.11 to 1.19.9 on 2024-09-21
  • trivy-sbom from 0.54.1 to 0.56.2 on 2024-10-11
  • trivy from 0.54.1 to 0.56.2 on 2024-10-11
  • trufflehog from 3.81.10 to 3.82.8 on 2024-10-13
  • v8r from 4.0.1 to 4.1.0 on 2024-08-25
  • vale from 3.7.0 to 3.7.1 on 2024-09-26

v8.0.0

Compare Source

• Reporters
  • New ApiReporter (can be used to build Grafana dashboards), by @​nvuillam in #​3540

• Removed deprecated linters, by @​nvuillam in #​3854

  • CSS_SCSSLINT: Project discontinued and advising to use stylelint
  • OPENAPI_SPECTRAL: Replaced by API_SPECTRAL (same linter but more formats handled)
  • SQL_SQL_LINT: Project no longer maintained

• Core

  • Hide to linters by default all environment variables that contain TOKEN, USERNAME or PASSWORD, by @​nvuillam in #​3881
  • Allow to override CLI_LINT_MODE when defined as project, by @​nvuillam in #​3772
  • Allow to use absolute paths for LINTER_RULES_PATH, by @​nvuillam in #​3775
  • Allow to update variables from PRE/POST Commands using output_variables property, by @​nvuillam in #​3861

• Media

  • MegaLinter: un linter pour les gouverner tous (FR), by Guillaume Arnaud from WeScale
  • MegaLinter, by Stéphane Robert, from 3DS OutScale
  • 30 Seconds to Setup MegaLinter: Your Go-To Tool for Automated Code Quality, by Peng Cao |

• Linters enhancements

  • bandit Call bandit with quiet mode to generate less logs, by @​nvuillam in #​3892
  • grype Count number of errors returned by Grype, by @​nvuillam in #​3906
  • yamllint Fix yamllint default format to avoid special characters or GitHub sections in text logs, by @​nvuillam in #​3898

• Fixes

  • terrascan fixed errors and removed redundant code, by @​TommyE123 in #​3767
  • dotnet-format various performance improvements and ability to specify sln or proj paths, by @​TommyE123 in #​3741
  • swiftlint Remove deprecated argument --path
  • Salesforce linters: Disable SF CLI auto update warning, by @​nvuillam in #​3883

• Doc

  • Add images and links to Git, CI/CD & other tools integrations at the beginning of the README, by @​nvuillam in #​3885
  • Create README animated GIF presentation of MegaLinter, by @​nvuillam in #​3910
  • Format mkdocs search index in place, by @​echoix in #​3890
  • Use consistent spelling of 'flavor', by @​InputUsername in #​3789

• CI

  • Fix docker warnings, by @​nvuillam in #​3853
    • FromAsCasing: 'as' and 'FROM' keywords' casing do not match
    • NoEmptyContinuation: Empty continuation line
    • SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data
  • Port Beta workflows to use docker/metadata-action, by @​echoix in #​3860
  • AutoUpdate linters: Always create a PR if the job has been started manually, by @​nvuillam in #​3863
  • Add skip_checkout: true to default MegaLinter GitHub Action template
  • Remove path filters in deploy-DEV workflow as it is a required check by @​echoix in #​3894

• mega-linter-runner

  • Add new rules to upgrade to MegaLinter v8, by @​nvuillam in #​3896
  • Replace glob-promise by glob library, by @​nvuillam in #​3902
    • Minimum NodeJs version is now 20.x

• Linter versions upgrades

  • ansible-lint from 24.6.1 to 24.7.0
  • bicep_linter from 0.28.1 to 0.29.47
  • black from 24.4.2 to 24.8.0
  • cfn-lint from 1.5.0 to 1.10.3
  • checkov from 3.2.174 to 3.2.232
  • clippy from 0.1.79 to 0.1.80
  • clj-kondo from 2024.05.24 to 2024.08.01
  • csharpier from 0.28.2 to 0.29.0
  • cspell from 8.10.4 to 8.14.1
  • dotnet-format from 8.0.106 to 8.0.108
  • flake8 from 7.1.0 to 7.1.1
  • golangci-lint from 1.59.1 to 1.60.1
  • grype from 0.79.2 to 0.79.5
  • jsonlint from 14.0.3 to 16.0.0
  • kics from 2.1.1 to 2.1.2
  • kubeconform from 0.6.6 to 0.6.7
  • lightning-flow-scanner from 2.28.0 to 2.33.0
  • mypy from 1.10.1 to 1.11.1
  • php-cs-fixer from 3.59.3 to 3.62.0
  • phpcs from 3.10.1 to 3.10.2
  • phpstan from 1.11.9 to 1.11.11
  • pmd from 7.3.0 to 7.4.0
  • prettier from 3.3.2 to 3.3.3
  • protolint from 0.50.2 to 0.50.5
  • pylint from 3.2.5 to 3.2.6
  • pyright from 1.1.370 to 1.1.376
  • revive from 1.3.7 to 1.3.9
  • rstcheck from 6.2.1 to 6.2.4
  • rubocop from 1.64.1 to 1.65.1
  • ruff from 0.5.1 to 0.6.1
  • sfdx-scanner-apex from 4.3.2 to 4.4.0
  • sfdx-scanner-aura from 4.3.2 to 4.4.0
  • sfdx-scanner-lwc from 4.3.2 to 4.4.0
  • snakemake from 8.15.2 to 8.18.1
  • stylelint from 16.6.1 to 16.8.2
  • swiftlint from 0.55.1 to 0.56.1
  • syft from 1.8.0 to 1.11.0
  • terraform-fmt from 1.9.0 to 1.9.4
  • terragrunt from 0.59.6 to 0.66.8
  • tflint from 0.52.0 to 0.53.0
  • trivy-sbom from 0.53.0 to 0.54.1
  • trivy from 0.53.0 to 0.54.1
  • trufflehog from 3.79.0 to 3.81.9
  • v8r from 3.1.0 to 4.0.1
  • vale from 3.6.0 to 3.7.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🦙 MegaLinter status: ⚠️ WARNING

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
✅ ACTION	actionlint	3		0	0.02s
✅ COPYPASTE	jscpd	yes		no	0.89s
✅ JSON	jsonlint	1		0	0.13s
⚠️ JSON	prettier	1		1	0.26s
✅ JSON	v8r	1		0	2.56s
✅ MARKDOWN	markdownlint	1		0	0.19s
✅ MARKDOWN	markdown-link-check	1		0	0.7s
✅ MARKDOWN	markdown-table-formatter	1		0	0.17s
⚠️ REPOSITORY	checkov	yes		3	14.13s
✅ REPOSITORY	gitleaks	yes		no	0.07s
✅ REPOSITORY	git_diff	yes		no	0.0s
✅ REPOSITORY	grype	yes		no	12.52s
✅ REPOSITORY	kics	yes		no	2.48s
✅ REPOSITORY	secretlint	yes		no	0.8s
✅ REPOSITORY	trivy	yes		no	12.69s
✅ REPOSITORY	trivy-sbom	yes		no	0.19s
✅ REPOSITORY	trufflehog	yes		no	3.14s
⚠️ SPELL	cspell	8		16	3.78s
✅ SPELL	lychee	5		0	0.09s
⚠️ YAML	prettier	3		1	0.61s
✅ YAML	v8r	3		0	2.71s
✅ YAML	yamllint	3		0	0.27s

See detailed report in MegaLinter reports

MegaLinter is graciously provided by