Bump oxsecurity/megalinter from 9.3.0 to 9.4.0

[dependabot]

Bumps oxsecurity/megalinter from 9.3.0 to 9.4.0.

Release notes

Sourced from oxsecurity/megalinter's releases.

v9.4.0

What's Changed

• Core

  • Improve files browsing performances (2 PRs)
  • Optimize parallel linter processing and improve grouping logic
  • Improve performance of listing .gitignored files by sending excluded directories to git ls-files
  • If there are more than 500 .gitignored files, advise to add more excluded directories using variable ADDITIONAL_EXCLUDED_DIRECTORIES, to improve performances
  • Reduce redundant config lookups, environment copies, and dict rebuilds across config, linter, and utils modules
  • Cache subprocess environment per linter run and excluded directories per request
  • Optimize parallel linter result update from O(n²) to O(n)
  • Add support in the build of Docker images for linux/arm64 in compatible linters

• New linters

  • Add PYTHON_NBQA_MYPY for type-checking Jupyter notebooks using nbqa + mypy

• Disabled linters

  • LUA_SELENE: Kampfkarren/selene#662

• Linters enhancements

  • Use the official checkmake image by @​bdovaz
  • Spectral: Add sarif support to spectral by @​bdovaz
  • Spectral: Change cli_lint_mode to list_of_files to improve performances

• Fixes

  • Add support for SSH remote origins when building custom flavors (fixes: #6511)
  • Fix issue with plugins ignored when FLAVOR_SUGGESTIONS=false
  • Fix wrong tagging apply_fixes=True when linter has no fix options configured
  • Python mypy: Remove .ipynb from file extensions (mypy doesn't support notebooks directly) - fixes #6904
  • Fix operator precedence bug in pre_post_factory pre/post command logic
  • Fix file handle leak in GitleaksLinter
  • Fix variable name bug in utils.get_git_context_info
  • Minor fixes in logger, SqlFluffLinter, PowershellLinter, TrivyLinter

• Reporters

  • Add a link inviting to star MegaLinter
  • Display in the console reporter the working directory from which the commands are executed by @​bdovaz
  • Update WebHook reporter so it can send more events for a better integration with UI
  • When truncating long comments in markdown reports, keep the end of the text instead of the beginning (which usually contains less useful information)
  • In case GitHub Api returns 500, do not make the whole MegaLinter fail, display a warning instead
  • Azure Reporter: Use Azure DevOps Services REST API instead of unmaintained python wrapper lib

• Flavors

  • Custom flavor builder:
    • Add support for SSH remotes
    • Allow selection of platforms to build the custom flavor on (ex: linux/amd64, linux/arm64) and build compatible linters on these platforms
    • Build & release custom flavor builder image for linux/arm64

• Doc

  • JSON Schema: Add default values for file extensions and file names variables + improve descriptions

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

[v9.4.0] - 2026-02-28

• Core

  • Improve files browsing performances (2 PRs)
  • Optimize parallel linter processing and improve grouping logic
  • Improve performance of listing .gitignored files by sending excluded directories to git ls-files
  • If there are more than 500 .gitignored files, advise to add more excluded directories using variable ADDITIONAL_EXCLUDED_DIRECTORIES, to improve performances
  • Reduce redundant config lookups, environment copies, and dict rebuilds across config, linter, and utils modules
  • Cache subprocess environment per linter run and excluded directories per request
  • Optimize parallel linter result update from O(n²) to O(n)
  • Add support in the build of Docker images for linux/arm64 in compatible linters

• New linters

  • Add PYTHON_NBQA_MYPY for type-checking Jupyter notebooks using nbqa + mypy

• Disabled linters

  • LUA_SELENE: Kampfkarren/selene#662

• Linters enhancements

  • Use the official checkmake image by @​bdovaz
  • Spectral: Add sarif support to spectral by @​bdovaz
  • Spectral: Change cli_lint_mode to list_of_files to improve performances

• Fixes

  • Add support for SSH remote origins when building custom flavors (fixes: #6511)
  • Fix issue with plugins ignored when FLAVOR_SUGGESTIONS=false
  • Fix wrong tagging apply_fixes=True when linter has no fix options configured
  • Python mypy: Remove .ipynb from file extensions (mypy doesn't support notebooks directly) - fixes #6904
  • Fix operator precedence bug in pre_post_factory pre/post command logic
  • Fix file handle leak in GitleaksLinter
  • Fix variable name bug in utils.get_git_context_info
  • Minor fixes in logger, SqlFluffLinter, PowershellLinter, TrivyLinter

• Reporters

  • Add a link inviting to star MegaLinter
  • Display in the console reporter the working directory from which the commands are executed by @​bdovaz
  • Update WebHook reporter so it can send more events for a better integration with UI
  • When truncating long comments in markdown reports, keep the end of the text instead of the beginning (which usually contains less useful information)
  • In case GitHub Api returns 500, do not make the whole MegaLinter fail, display a warning instead
  • Azure Reporter: Use Azure DevOps Services REST API instead of unmaintained python wrapper lib

• Flavors

  • Custom flavor builder:
    • Add support for SSH remotes
    • Allow selection of platforms to build the custom flavor on (ex: linux/amd64, linux/arm64) and build compatible linters on these platforms
    • Build & release custom flavor builder image for linux/arm64

• Doc

  • JSON Schema: Add default values for file extensions and file names variables + improve descriptions
  • Update default secured env variables documentation

... (truncated)

Commits

• 8fbdead Release MegaLinter v9.4.0
• 9f605c4 Fix custom flavor builder workflow (#7306)
• b7dcb60 Update changelog to prepare release (#7304)
• 3077b04 chore(deps): update dependency regex to v2026.2.28 (#7303)
• edba876 [automation] Auto-update linters version, help and documentation (#7299)
• 07fb84d chore(deps): update dependency python-gitlab to v8.1.0 (#7302)
• 4d42e33 chore(deps): update dependency fastapi to v0.134.0 (#7301)
• 649726c chore(deps): update dependency rumdl to v0.1.32 (#7300)
• 768b5a3 chore(deps): update dependency virtualenv to v21.1.0 (#7298)
• 7e73a76 chore(deps): update dependency eslint-plugin-jsonc to v3 (#7260)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	3		0	0	0.13s
❌ COPYPASTE	jscpd	yes		3	no	2.32s
✅ CSS	stylelint	1		0	0	1.87s
✅ HTML	htmlhint	4		0	0	0.2s
✅ JAVASCRIPT	standard	1		0	0	1.35s
✅ JSON	jsonlint	1		0	0	0.09s
✅ JSON	v8r	1		0	0	2.54s
⚠️ MARKDOWN	markdownlint	18		11	0	0.83s
✅ MARKDOWN	markdown-table-formatter	18		0	0	0.26s
❌ REPOSITORY	checkov	yes		1	no	22.05s
❌ REPOSITORY	devskim	yes		1	no	2.04s
✅ REPOSITORY	dustilock	yes		no	no	0.01s
✅ REPOSITORY	gitleaks	yes		no	no	0.25s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
❌ REPOSITORY	grype	yes		10	no	41.71s
❌ REPOSITORY	kics	yes		5	no	2.29s
❌ REPOSITORY	secretlint	yes		1	no	1.61s
✅ REPOSITORY	syft	yes		no	no	1.37s
❌ REPOSITORY	trivy	yes		1	no	10.44s
✅ REPOSITORY	trivy-sbom	yes		no	no	2.37s
✅ REPOSITORY	trufflehog	yes		no	no	4.96s
❌ SPELL	lychee	38		6	0	31.38s
✅ YAML	v8r	15		0	0	7.22s
❌ YAML	yamllint	15		2	0	0.6s

Detailed Issues

❌ REPOSITORY / checkov - 1 error

secrets scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_SECRET_4: "Basic Auth Credentials"
	FAILED for resource: HIDDEN_BY_MEGALINTER	File: /test/dummy/config/database.yml:80-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-4

		80 | #   DATABASE_URL="postgres://myuser:m**********@localhost/somedatabase"

github_actions scan results:

Passed checks: 83, Failed checks: 0, Skipped checks: 0

❌ REPOSITORY / devskim - 1 error

"rules":[{"id":"DS176209","name":"SuspiciousComment","fullDescription":{"text":"Suspicious comment: A \"TODO\" or similar was left in source code, possibly indicating incomplete functionality"},"help":{"text":"A \"TODO\" or similar was left in source code, possibly indicating incomplete functionality","markdown":"Visit [https://github.com/Microsoft/DevSkim/blob/main/guidance/DS176209.md](https://github.com/Microsoft/DevSkim/blob/main/guidance/DS176209.md) for additional guidance on this issue."},"shortDescription":{"text":"A \"TODO\" or similar was left in source code, possibly indicating incomplete functionality"},"defaultConfiguration":{"level":"note"},"helpUri":"https://github.com/Microsoft/DevSkim/blob/main/guidance/DS176209.md","properties":{"precision":"high","problem.severity":"recommendation","DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"id":"DS162092","name":"DoNotLeaveDebugCodeInProduction","fullDescription":{"text":"Do not leave debug code in production: Accessing localhost could indicate debug code, or could hinder scaling."},"help":{"text":"Accessing localhost could indicate debug code, or could hinder scaling.","markdown":"Visit [https://github.com/Microsoft/DevSkim/blob/main/guidance/DS162092.md](https://github.com/Microsoft/DevSkim/blob/main/guidance/DS162092.md) for additional guidance on this issue."},"shortDescription":{"text":"Accessing localhost could indicate debug code, or could hinder scaling."},"defaultConfiguration":{"level":"note"},"helpUri":"https://github.com/Microsoft/DevSkim/blob/main/guidance/DS162092.md","properties":{"precision":"high","problem.severity":"recommendation","DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}}]}},"versionControlProvenance":[{"repositoryUri":"https://github.com/HealthDataInsight/structured_store","revisionId":"HIDDEN_BY_MEGALINTER","branch":"(no branch)"}],"results":[{"ruleId":"DS162092","level":"note","message":{"text":"Do not leave debug code in production"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/ci.yml"},"region":{"startLine":51,"startColumn":47,"endLine":51,"endColumn":56,"charOffset":1077,"charLength":9,"snippet":{"text":"localhost","rendered":{"text":"localhost","markdown":"`localhost`"}},"sourceLanguage":"yaml"}}}],"properties":{"tags":["Hygiene.Network.AccessingLocalhost"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS162092","level":"note","message":{"text":"Do not leave debug code in production"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"test/dummy/config/database.yml"},"region":{"startLine":69,"startColumn":8,"endLine":69,"endColumn":17,"charOffset":2208,"charLength":9,"snippet":{"text":"localhost","rendered":{"text":"localhost","markdown":"`localhost`"}},"sourceLanguage":"yaml"}}}],"properties":{"tags":["Hygiene.Network.AccessingLocalhost"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS162092","level":"note","message":{"text":"Do not leave debug code in production"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"test/dummy/config/database.yml"},"region":{"startLine":28,"startColumn":8,"endLine":28,"endColumn":17,"charOffset":798,"charLength":9,"snippet":{"text":"localhost","rendered":{"text":"localhost","markdown":"`localhost`"}},"sourceLanguage":"yaml"}}}],"properties":{"tags":["Hygiene.Network.AccessingLocalhost"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"lib/structured_store/schema_inspector.rb"},"region":{"startLine":49,"startColumn":12,"endLine":49,"endColumn":16,"charOffset":1346,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"ruby"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}}],"columnKind":"utf16CodeUnits"}]}

(Truncated to last 4000 characters out of 4290)

❌ REPOSITORY / grype - 10 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME      INSTALLED                   FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS           RISK   
rack      3.2.3                       3.2.5     gem   GHSA-mxw3-3hh2-x2mh  High      < 0.1% (20th)  < 0.1  
rack      3.2.3                       3.2.5     gem   GHSA-whrj-4476-wvmp  Medium    < 0.1% (10th)  < 0.1  
nokogiri  1.18.10-aarch64-linux-gnu   1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri  1.18.10-aarch64-linux-musl  1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri  1.18.10-arm-linux-gnu       1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri  1.18.10-arm-linux-musl      1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri  1.18.10-arm64-darwin        1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri  1.18.10-x86_64-darwin       1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri  1.18.10-x86_64-linux-gnu    1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A    
nokogiri  1.18.10-x86_64-linux-musl   1.19.1    gem   GHSA-wx95-c6cv-8532  Medium    N/A            N/A
[0041] ERROR discovered vulnerabilities at or above the severity threshold

❌ COPYPASTE / jscpd - 3 errors

Clone found (ruby):
 - test/dummy/test/ref_resolvers/blank_ref_resolver_test.rb [32:13 - 48:13] (16 lines, 99 tokens)
   test/dummy/test/ref_resolvers/definitions_resolver_test.rb [23:13 - 39:14]

Clone found (ruby):
 - test/dummy/test/models/example_record_test.rb [115:2 - 136:35] (21 lines, 178 tokens)
   test/dummy/test/models/example_record_test.rb [72:2 - 93:52]

Clone found (ruby):
 - test/dummy/test/models/example_record_test.rb [139:5 - 155:4] (16 lines, 133 tokens)
   test/dummy/test/models/example_record_test.rb [98:5 - 115:5]

┌────────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format     │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ javascript │ 1              │ 25          │ 50           │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ ruby       │ 72             │ 3846        │ 23689        │ 3            │ 53 (1.38%)       │ 410 (1.73%)       │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total:     │ 73             │ 3871        │ 23739        │ 3            │ 53 (1.37%)       │ 410 (1.73%)       │
└────────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 3 clones.
HTML report saved to megalinter-reports/copy-paste/html/
ERROR: jscpd found too many duplicates (1.37%) over threshold (0%)
Error: ERROR: jscpd found too many duplicates (1.37%) over threshold (0%)
    at ThresholdReporter.report (/node-deps/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node-deps/node_modules/jscpd/dist/bin/jscpd.js:9:5

❌ REPOSITORY / kics - 5 errors

MMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM         MMMMMMMMML       MMMMMMMK     LMMMMMMMMMMMMMMMMMMMMMML  LMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM      MMMMMMMMMML         MMMMMMMK   LMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM    LMMMMMMMMML           MMMMMMMK  LMMMMMMMMMLLMLLLLLLLLLLLLLL LMMMMMMMLLLLLLLLLLLLLLLLLLLLM 
   MMMMMMM  MMMMMMMMMLM             MMMMMMMK LMMMMMMMM                    LMMMMMML                      
   MMMMMMMLMMMMMMMML                MMMMMMMK MMMMMMML                     LMMMMMMMMLLLLLLLLLLLLLMLL     
   MMMMMMMMMMMMMMMM                 MMMMMMMK MMMMMML                       LMMMMMMMMMMMMMMMMMMMMMMMMML  
   MMMMMMMMMMMMMMMMMM               MMMMMMMK MMMMMMM                         LMMMMMMMMMMMMMMMMMMMMMMMML 
   MMMMMMM KLMMMMMMMMML             MMMMMMMK LMMMMMMM                                          MMMMMMMML
   MMMMMMM    LMMMMMMMMMM           MMMMMMMK LMMMMMMMMLL                                        MMMMMMML
   MMMMMMM      LMMMMMMMMMLL        MMMMMMMK  LMMMMMMMMMMMMMMMMMMMMMMMMML LLLLLLLLLLLLLLLLLLLLMMMMMMMMMM
   MMMMMMM        MMMMMMMMMMML      MMMMMMMK   MMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM          LLMMMMMMMMML    MMMMMMMK     LLMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMML  
   MMMMMMM             MMMMMMMMMML  MMMMMMMK         KLMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMLK    
                                                                                                            
                                                                                                                                                                                                                                                                                                                        


Scanning with Keeping Infrastructure as Code Secure v2.1.19





Unpinned Actions Full Length Commit SHA, Severity: LOW, Results: 3
Description: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Platform: CICD
CWE: 829
Risk Score: 4.1
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9

	[1]: .github/workflows/ci.yml:63

		062:       - name: Set up Ruby
		063:         uses: ruby/setup-ruby@v1.288.0
		064:         with:


	[2]: .github/workflows/mega-linter.yml:45

		044:         # More info at https://megalinter.io/flavors/
		045:         uses: oxsecurity/megalinter@v9.4.0
		046:         env:


	[3]: .github/workflows/ci.yml:25

		024:       - name: Set up Ruby
		025:         uses: ruby/setup-ruby@v1.288.0
		026:         with:


Passwords And Secrets - Password in URL, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .github/workflows/ci.yml:51

		050:       CI: true
		051:       DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:5432/rails_test"
		052:       RAILS_ENV: test


Passwords And Secrets - Generic Password, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .github/workflows/ci.yml:41

		040:           POSTGRES_USER: rails
		041:           POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		042:         options: >-



Results Summary:
CRITICAL: 0
HIGH: 2
MEDIUM: 0
LOW: 3
INFO: 0
TOTAL: 5

(Truncated to last 4000 characters out of 4180)

❌ SPELL / lychee - 6 errors

[IGNORED] redis://localhost:6379/0 | Unsupported: Error creating request client: builder error for url (redis://localhost:6379/0)
[IGNORED] postgres://rails:password@localhost:5432/rails_test | Unsupported: Error creating request client: builder error for url (postgres://localhost:5432/rails_test)
[404] https://megalinter.io/configuration/ | Network error: Not Found
[404] https://megalinter.io/configuration/ | Error (cached)
[404] https://megalinter.io/flavors/ | Network error: Not Found
[IGNORED] postgres://myuser:mypass@localhost/somedatabase | Unsupported: Error creating request client: builder error for url (postgres://localhost/somedatabase)
[ERROR] file://docs/way_of_working/CODE_OF_CONDUCT.md | Cannot find file
[ERROR] https://gds-way.cloudapps.digital/standards/architecture-decisions.html | Network error: error sending request for url (https://gds-way.cloudapps.digital/standards/architecture-decisions.html) Maybe a certificate error?
[ERROR] https://www.contributor-covenant.org/ | Network error: error sending request for url (https://www.contributor-covenant.org/)
📝 Summary
---------------------
🔍 Total..........152
✅ Successful.....142
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........1
❓ Unknown..........0
🚫 Errors...........6

Errors in .mega-linter.yml
[404] https://megalinter.io/configuration/ | Network error: Not Found

Errors in docs/way_of_working/decision-records.md
[ERROR] https://gds-way.cloudapps.digital/standards/architecture-decisions.html | Network error: error sending request for url (https://gds-way.cloudapps.digital/standards/architecture-decisions.html) Maybe a certificate error?

Errors in CODE_OF_CONDUCT.md
[ERROR] https://www.contributor-covenant.org/ | Network error: error sending request for url (https://www.contributor-covenant.org/)

Errors in .github/workflows/mega-linter.yml
[404] https://megalinter.io/flavors/ | Network error: Not Found
[404] https://megalinter.io/configuration/ | Error (cached)

Errors in docs/way_of_working/code-of-conduct.md
[ERROR] file://docs/way_of_working/CODE_OF_CONDUCT.md | Cannot find file

❌ REPOSITORY / secretlint - 1 error

test/dummy/config/database.yml
  80:18  error  [PostgreSQLConnection] found PostgreSQL connection string: ************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string

✖ 1 problem (1 error, 0 warnings, 0 infos)

❌ REPOSITORY / trivy - 1 error

ully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-03-02T18:12:24Z	INFO	[vuln] Vulnerability scanning is enabled
2026-03-02T18:12:24Z	INFO	[misconfig] Misconfiguration scanning is enabled
2026-03-02T18:12:24Z	INFO	[checks-client] Need to update the checks bundle
2026-03-02T18:12:24Z	INFO	[checks-client] Downloading the checks bundle...
235.65 KiB / 235.65 KiB [------------------------------------------------------] 100.00% ? p/s 200ms2026-03-02T18:12:28Z	INFO	Number of language-specific files	num=1
2026-03-02T18:12:28Z	INFO	[bundler] Detecting vulnerabilities...
2026-03-02T18:12:28Z	INFO	Detected config files	num=0

Report Summary

┌──────────────┬─────────┬─────────────────┬───────────────────┐
│    Target    │  Type   │ Vulnerabilities │ Misconfigurations │
├──────────────┼─────────┼─────────────────┼───────────────────┤
│ Gemfile.lock │ bundler │        3        │         -         │
└──────────────┴─────────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


Gemfile.lock (bundler)
======================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌──────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library  │    Vulnerability    │ Severity │ Status │ Installed Version │         Fixed Version          │                            Title                             │
├──────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ nokogiri │ GHSA-wx95-c6cv-8532 │ MEDIUM   │ fixed  │ 1.18.10           │ >= 1.19.1                      │ Nokogiri does not check the return value from xmlC14NExecute │
│          │                     │          │        │                   │                                │ https://github.com/advisories/GHSA-wx95-c6cv-8532            │
├──────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ rack     │ CVE-2026-22860      │ HIGH     │        │ 3.2.3             │ ~> 2.2.22, ~> 3.1.20, >= 3.2.5 │ rubygem-rack: Rack Directory Traversal via Rack:Directory    │
│          │                     │          │        │                   │                                │ https://avd.aquasec.com/nvd/cve-2026-22860                   │
│          ├─────────────────────┼──────────┤        │                   │                                ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2026-25500      │ MEDIUM   │        │                   │                                │ rubygem-rack: Rack stored XSS in Rack::Directory             │
│          │                     │          │        │                   │                                │ https://avd.aquasec.com/nvd/cve-2026-25500                   │
└──────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────────────┴──────────────────────────────────────────────────────────────┘

📣 Notices:
  - Version 0.69.2 of Trivy is now available, current version is 0.69.1

To suppress version checks, run Trivy scans with the --skip-version-check flag

(Truncated to last 4000 characters out of 7171)

❌ YAML / yamllint - 2 errors

.github/workflows/mega-linter.yml
  53:7      warning  comment not indented like content  (comments-indentation)

test/dummy/config/database.yml
  62:1      error    syntax error: could not find expected ':' (syntax)

⚠️ MARKDOWN / markdownlint - 11 errors

.github/ISSUE_TEMPLATE/job-story.md:8 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Job Story"]
.github/pull_request_template.md:1 error MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## What?"]
.github/pull_request_template.md:29 error MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"]
CHANGELOG.md:18 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Fixed"]
CHANGELOG.md:24 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Fixed"]
CHANGELOG.md:36 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Fixed"]
CHANGELOG.md:42 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Added"]
CHANGELOG.md:57 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Added"]
docs/way_of_working/code-linting/index.md:25:288 error MD059/descriptive-link-text Link text should be descriptive [Context: "[here]"]
docs/way_of_working/pull-request-template-and-guidelines.md:7:401 error MD013/line-length Line length [Expected: 400; Actual: 497]
README.md:7:401 error MD013/line-length Line length [Expected: 400; Actual: 451]

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

• oxsecurity/megalinter/flavors/cupcake@v9.4.0 (91 linters)

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,COPYPASTE_JSCPD,CSS_STYLELINT,HTML_HTMLHINT,JAVASCRIPT_STANDARD,JSON_JSONLINT,JSON_V8R,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DEVSKIM,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository