Scan only the files modified in a PR with checkov by bdovaz · Pull Request #7119 · oxsecurity/megalinter

bdovaz · 2026-02-12T21:30:54Z

Note

Medium Risk
Changes how a security scanner is invoked and what scope it scans, which may reduce coverage if file selection/modes are misdetected, but the change is small and isolated to Checkov.

Overview
Adds a dedicated CheckovLinter implementation and wires the checkov descriptor to use it.

When running on PRs with VALIDATE_ALL_CODEBASE=false, Checkov now lints only the changed files by passing repeated --file <path> arguments; otherwise it falls back to --directory . for project-mode scans, removing the previous always-scan-directory behavior.

^{Written by Cursor Bugbot for commit ef95833. This will update automatically on new commits. Configure here.}

github-actions · 2026-02-12T21:32:21Z

✅⚠️MegaLinter analysis: Success with warnings

⚠️ PYTHON / bandit - 82 errors

rt os.path.isdir(config.get(request_id, "DEFAULT_WORKSPACE")), (
118	        "DEFAULT_WORKSPACE "
119	        + config.get(request_id, "DEFAULT_WORKSPACE")
120	        + " is not a valid folder"
121	    )
122	

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
   More Info: https://bandit.readthedocs.io/en/1.9.3/plugins/b101_assert_used.html
   Location: ./megalinter/utilstest.py:165:4
164	    tmp_report_folder = tempfile.gettempdir() + os.path.sep + str(uuid.uuid4())
165	    assert os.path.isdir(workspace), f"Test folder {workspace} is not existing"
166	    linter_name = linter.linter_name

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
   More Info: https://bandit.readthedocs.io/en/1.9.3/plugins/b101_assert_used.html
   Location: ./megalinter/utilstest.py:231:4
230	    tmp_report_folder = tempfile.gettempdir() + os.path.sep + str(uuid.uuid4())
231	    assert os.path.isdir(workspace), f"Test folder {workspace} is not existing"
232	    if os.path.isfile(workspace + os.path.sep + "no_test_failure"):

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
   More Info: https://bandit.readthedocs.io/en/1.9.3/plugins/b101_assert_used.html
   Location: ./megalinter/utilstest.py:466:4
465	    )
466	    assert os.path.isdir(workspace), f"Test folder {workspace} is not existing"
467	    expected_file_name = ""

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
   More Info: https://bandit.readthedocs.io/en/1.9.3/plugins/b101_assert_used.html
   Location: ./megalinter/utilstest.py:566:4
565	        workspace += os.path.sep + "bad"
566	    assert os.path.isdir(workspace), f"Test folder {workspace} is not existing"
567	    # Call linter

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
   More Info: https://bandit.readthedocs.io/en/1.9.3/plugins/b101_assert_used.html
   Location: ./megalinter/utilstest.py:670:4
669	    tmp_report_folder = tempfile.gettempdir() + os.path.sep + str(uuid.uuid4())
670	    assert os.path.isdir(workspace), f"Test folder {workspace} is not existing"
671	

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
   More Info: https://bandit.readthedocs.io/en/1.9.3/plugins/b101_assert_used.html
   Location: ./megalinter/utilstest.py:768:12
767	            ]
768	            assert (len(list(diffs))) > 0, f"No changes in the {file} file"
769	

--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
   Severity: Medium   Confidence: Medium
   CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
   More Info: https://bandit.readthedocs.io/en/1.9.3/plugins/b108_hardcoded_tmp_directory.html
   Location: ./server/server.py:81:42
80	    if item.fileUploadId:
81	        uploaded_file_path = os.path.join("/tmp/server-files", item.fileUploadId)
82	        if not os.path.isdir(uploaded_file_path):

--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
   Severity: Medium   Confidence: Medium
   CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
   More Info: https://bandit.readthedocs.io/en/1.9.3/plugins/b108_hardcoded_tmp_directory.html
   Location: ./server/server.py:103:38
102	    file_upload_id = "FILE_" + str(uuid1())
103	    uploaded_file_path = os.path.join("/tmp/server-files", file_upload_id)
104	    os.makedirs(uploaded_file_path)

--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
   Severity: Medium   Confidence: Medium
   CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
   More Info: https://bandit.readthedocs.io/en/1.9.3/plugins/b108_hardcoded_tmp_directory.html
   Location: ./server/server_worker.py:98:34
97	        temp_dir = self.create_temp_dir()
98	        upload_dir = os.path.join("/tmp/server-files", file_upload_id)
99	        if os.path.exists(upload_dir):

--------------------------------------------------

Code scanned:
	Total lines of code: 17866
	Total lines skipped (#nosec): 0
	Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 49
		Medium: 24
		High: 9
	Total issues (by confidence):
		Undefined: 0
		Low: 16
		Medium: 18
		High: 48
Files skipped (0):

(Truncated to last 5714 characters out of 56237)

⚠️ BASH / bash-exec - 1 error

Results of bash-exec linter (version 5.3.3)
See documentation on https://megalinter.io/beta/descriptors/bash_bash_exec/
-----------------------------------------------

✅ [SUCCESS] .automation/build_schemas_doc.sh
✅ [SUCCESS] .automation/format-tables.sh
✅ [SUCCESS] .vscode/testlinter.sh
✅ [SUCCESS] build.sh
✅ [SUCCESS] entrypoint.sh
❌ [ERROR] sh/megalinter_exec
    Error: File:[sh/megalinter_exec] is not executable

⚠️ REPOSITORY / grype - 41 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME                           INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS           RISK   
ejs                            3.1.6      3.1.7     npm     GHSA-phwq-j96m-2c2q  Critical  93.5% (99th)   87.9   
ip                             1.1.5                npm     GHSA-2p57-rm9w-gvfp  High      88.0% (99th)   68.7   
tar                            6.0.1      6.1.1     npm     GHSA-3jfq-g458-7qm9  High      85.0% (99th)   66.7   
requests                       2.24.0     2.31.0    python  GHSA-j8r2-6x86-q33q  Medium    6.1% (90th)    3.4    
minimist                       1.2.5      1.2.6     npm     GHSA-xvch-5gv4-984h  Critical  0.9% (74th)    0.8    
ejs                            3.1.6      3.1.10    npm     GHSA-ghr5-ch3p-vcr6  Medium    1.3% (79th)    0.7    
node-fetch                     2.6.6      2.6.7     npm     GHSA-r683-j2x4-v87g  High      0.6% (70th)    0.5    
tar                            6.0.1      6.1.9     npm     GHSA-5955-9wpr-37jh  High      0.6% (69th)    0.5    
semver                         7.3.5      7.5.2     npm     GHSA-c2qf-rxjj-qqgw  High      0.6% (68th)    0.4    
minimatch                      3.0.4      3.0.5     npm     GHSA-f8q6-p94x-37v3  High      0.5% (63rd)    0.3    
@octokit/request               5.6.2      8.4.1     npm     GHSA-rmvr-2pp2-xj38  Medium    0.6% (67th)    0.3    
tar                            6.0.1      6.2.1     npm     GHSA-f5x3-32g6-xq36  Medium    0.5% (64th)    0.3    
tar                            6.1.11     6.2.1     npm     GHSA-f5x3-32g6-xq36  Medium    0.5% (64th)    0.3    
braces                         3.0.2      3.0.3     npm     GHSA-grv7-fg5c-xmjg  High      0.2% (44th)    0.2    
ip                             1.1.5      1.1.9     npm     GHSA-78xj-cgh5-2h22  Low       0.5% (67th)    0.2    
ansi-regex                     3.0.0      3.0.1     npm     GHSA-93q8-gq69-wqmw  High      0.2% (43rd)    0.2    
tar                            6.0.1      6.1.2     npm     GHSA-r628-mhmh-qjhw  High      0.2% (39th)    0.1    
http-cache-semantics           4.1.0      4.1.1     npm     GHSA-rc47-6667-2j5j  High      0.2% (38th)    0.1    
@octokit/plugin-paginate-rest  2.17.0     9.2.2     npm     GHSA-h5c3-5r3r-rr8q  Medium    0.2% (45th)    0.1    
@octokit/request-error         2.1.0      5.1.1     npm     GHSA-xx4v-prfh-6cgc  Medium    0.2% (43rd)    0.1    
micromatch                     4.0.4      4.0.8     npm     GHSA-952p-6rrq-rcjv  Medium    0.1% (32nd)    < 0.1  
requests                       2.24.0     2.32.4    python  GHSA-9hjg-9r4m-mvj7  Medium    0.1% (28th)    < 0.1  
cross-spawn                    7.0.3      7.0.5     npm     GHSA-3xgq-45jj-v275  High      < 0.1% (21st)  < 0.1  
lodash                         4.17.21    4.17.23   npm     GHSA-xxjr-mmjv-4gpg  Medium    < 0.1% (18th)  < 0.1  
lodash-es                      4.17.21    4.17.23   npm     GHSA-xxjr-mmjv-4gpg  Medium    < 0.1% (18th)  < 0.1  
debug                          4.2.0      4.3.1     npm     GHSA-gxpj-cx7g-858c  Low       < 0.1% (26th)  < 0.1  
requests                       2.24.0     2.32.0    python  GHSA-9wx4-h78v-vm56  Medium    < 0.1% (13th)  < 0.1  
tmp                            0.0.33     0.2.4     npm     GHSA-52f5-9888-hmc6  Low       < 0.1% (22nd)  < 0.1  
tar                            6.0.1      6.1.7     npm     GHSA-9r2w-394v-53qc  High      < 0.1% (6th)   < 0.1  
tar                            6.0.1      7.5.7     npm     GHSA-34x7-hfp2-rc4v  High      < 0.1% (6th)   < 0.1  
tar                            6.1.11     7.5.7     npm     GHSA-34x7-hfp2-rc4v  High      < 0.1% (6th)   < 0.1  
diff                           5.2.0      5.2.2     npm     GHSA-73rr-hh4g-fpgx  Low       < 0.1% (17th)  < 0.1  
diff                           7.0.0      8.0.3     npm     GHSA-73rr-hh4g-fpgx  Low       < 0.1% (17th)  < 0.1  
word-wrap                      1.2.3      1.2.4     npm     GHSA-j8xg-fqg3-53r7  Medium    < 0.1% (7th)   < 0.1  
tar                            6.0.1      6.1.9     npm     GHSA-qq89-hq3f-393p  High      < 0.1% (3rd)   < 0.1  
tar                            6.0.1      7.5.4     npm     GHSA-r6q2-hw4h-h46w  High      < 0.1% (2nd)   < 0.1  
tar                            6.1.11     7.5.4     npm     GHSA-r6q2-hw4h-h46w  High      < 0.1% (2nd)   < 0.1  
js-yaml                        3.14.0     3.14.2    npm     GHSA-mh29-5h37-fv8m  Medium    < 0.1% (4th)   < 0.1  
tar                            6.0.1      7.5.3     npm     GHSA-8qq5-rm4j-mr97  High      < 0.1% (0th)   < 0.1  
tar                            6.1.11     7.5.3     npm     GHSA-8qq5-rm4j-mr97  High      < 0.1% (0th)   < 0.1  
brace-expansion                1.1.11     1.1.12    npm     GHSA-v6h2-p8h4-qcjw  Low       < 0.1% (4th)   < 0.1
[0071] ERROR discovered vulnerabilities at or above the severity threshold

⚠️ SPELL / lychee - 28 errors

ttps://stackoverflow.com/a/73711302 | Error (cached)
[403] https://stackoverflow.com/a/73711302 | Network error: Forbidden
[403] https://cppcheck.sourceforge.io/ | Network error: Forbidden
[403] https://cppcheck.sourceforge.io/manual.html#configuration | Network error: Forbidden
[403] https://htmlhint.com/integrations/task-runner/ | Error (cached)
[403] https://cppcheck.sourceforge.io/ | Network error: Forbidden
[403] https://cppcheck.sourceforge.io/manual.html#configuration | Network error: Forbidden
[403] https://pmd.sourceforge.io/pmd-6.55.0/pmd_userdocs_tools_ci.html | Error (cached)
[403] https://htmlhint.com/ | Network error: Forbidden
[403] https://htmlhint.com/docs/user-guide/list-rules | Network error: Forbidden
[403] https://htmlhint.com/configuration/ | Network error: Forbidden
[404] https://htmlhint.com/_astro/htmlhint.DIRCoA_t_Z1czEXa.webp | Network error: Not Found
[ERROR] https://eslint.org/docs/latest/use/configure/ignore#the-eslintignore-file | Network error: error sending request for url (https://eslint.org/docs/latest/use/configure/ignore#the-eslintignore-file)
[403] https://www.npmjs.com/package/markdown-table-formatter | Network error: Forbidden
[403] https://stackoverflow.com/a/73711302 | Error (cached)
[403] https://docutils.sourceforge.io/docs/ref/rst/directives.html#raw-data-pass-through | Network error: Forbidden
[ERROR] https://eslint.org/docs/latest/use/configure/ignore#the-eslintignore-file | Error (cached)
[404] https://github.com/mongodb/kingfisher/tree/main/data/rules | Network error: Not Found
[ERROR] https://eslint.org/docs/latest/use/configure/ignore#the-eslintignore-file | Error (cached)
[404] https://github.com/gruntwork-io/terragrunt/blob/master/docs/assets/img/favicon/ms-icon-310x310.png | Network error: Not Found
[TIMEOUT] https://generated.at/ | Timeout
[TIMEOUT] https://generated.at/ | Timeout
📝 Summary
---------------------
🔍 Total.........2430
✅ Successful....1928
⏳ Timeouts.........2
🔀 Redirected.......0
👻 Excluded.......472
❓ Unknown..........0
🚫 Errors..........28

Errors in megalinter/descriptors/javascript.megalinter-descriptor.yml
[ERROR] https://eslint.org/docs/latest/use/configure/ignore#the-eslintignore-file | Network error: error sending request for url (https://eslint.org/docs/latest/use/configure/ignore#the-eslintignore-file)

Errors in megalinter/descriptors/clojure.megalinter-descriptor.yml
[403] https://stackoverflow.com/a/73711302 | Error (cached)

Errors in README.md
[TIMEOUT] https://generated.at/ | Timeout
[403] https://htmlhint.com/integrations/task-runner/ | Network error: Forbidden
[403] https://cloudtuned.hashnode.dev/ | Network error: Forbidden
[403] https://npmjs.org/package/mega-linter-runner | Network error: Forbidden
[403] https://pmd.sourceforge.io/pmd-6.55.0/pmd_userdocs_tools_ci.html | Network error: Forbidden
[403] https://cloudtuned.hashnode.dev/introducing-megalinter-streamlining-code-quality-checks-across-multiple-languages | Network error: Forbidden

Errors in megalinter/descriptors/tsx.megalinter-descriptor.yml
[ERROR] https://eslint.org/docs/latest/use/configure/ignore#the-eslintignore-file | Error (cached)

Errors in mega-linter-runner/README.md
[403] https://npmjs.org/package/mega-linter-runner | Error (cached)

Errors in megalinter/descriptors/typescript.megalinter-descriptor.yml
[ERROR] https://eslint.org/docs/latest/use/configure/ignore#the-eslintignore-file | Error (cached)

Errors in mega-linter-runner/generators/mega-linter-custom-flavor/templates/check-new-megalinter-version.yml
[404] https://github.com/$ | Network error: Not Found

Errors in megalinter/descriptors/rst.megalinter-descriptor.yml
[403] https://docutils.sourceforge.io/docs/ref/rst/directives.html#raw-data-pass-through | Network error: Forbidden

Errors in megalinter/descriptors/terraform.megalinter-descriptor.yml
[404] https://github.com/gruntwork-io/terragrunt/blob/master/docs/assets/img/favicon/ms-icon-310x310.png | Network error: Not Found

Errors in megalinter/descriptors/cpp.megalinter-descriptor.yml
[403] https://cppcheck.sourceforge.io/ | Network error: Forbidden
[403] https://cppcheck.sourceforge.io/manual.html#configuration | Network error: Forbidden

Errors in megalinter/descriptors/bicep.megalinter-descriptor.yml
[403] https://stackoverflow.com/a/73711302 | Network error: Forbidden

Errors in megalinter/descriptors/arm.megalinter-descriptor.yml
[403] https://stackoverflow.com/a/73711302 | Network error: Forbidden

Errors in megalinter/descriptors/html.megalinter-descriptor.yml
[404] https://htmlhint.com/_astro/htmlhint.DIRCoA_t_Z1czEXa.webp | Network error: Not Found
[403] https://htmlhint.com/integrations/task-runner/ | Error (cached)
[403] https://htmlhint.com/docs/user-guide/list-rules | Network error: Forbidden
[403] https://htmlhint.com/configuration/ | Network error: Forbidden
[403] https://htmlhint.com/ | Network error: Forbidden

Errors in megalinter/descriptors/java.megalinter-descriptor.yml
[403] https://pmd.sourceforge.io/pmd-6.55.0/pmd_userdocs_tools_ci.html | Error (cached)

Errors in megalinter/descriptors/markdown.megalinter-descriptor.yml
[403] https://www.npmjs.com/package/markdown-table-formatter | Network error: Forbidden

Errors in megalinter/descriptors/repository.megalinter-descriptor.yml
[404] https://github.com/mongodb/kingfisher/tree/main/data/rules | Network error: Not Found

Errors in megalinter/descriptors/c.megalinter-descriptor.yml
[403] https://cppcheck.sourceforge.io/manual.html#configuration | Network error: Forbidden
[403] https://cppcheck.sourceforge.io/ | Network error: Forbidden

Errors in megalinter/descriptors/powershell.megalinter-descriptor.yml
[403] https://stackoverflow.com/a/73711302 | Error (cached)

(Truncated to last 5714 characters out of 6544)

⚠️ MARKDOWN / markdownlint - 335 errors

ngle-h1 Multiple top-level headings in the same document [Context: "IDE Configuration Reporter"]
docs/reporters/ConsoleReporter.md:5 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Console Reporter"]
docs/reporters/EmailReporter.md:5 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "E-mail Reporter"]
docs/reporters/FileIoReporter.md:5 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "File.io Reporter"]
docs/reporters/GitHubCommentReporter.md:6 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "GitHub Comment Reporter"]
docs/reporters/GitHubCommentReporter.md:27:196 error MD056/table-column-count Table column count [Expected: 4; Actual: 3; Too few cells, row will be missing data]
docs/reporters/GitHubCommentReporter.md:27:46 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
docs/reporters/GitHubCommentReporter.md:27:174 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
docs/reporters/GitHubCommentReporter.md:27:196 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
docs/reporters/GitHubCommentReporter.md:28:179 error MD056/table-column-count Table column count [Expected: 4; Actual: 3; Too few cells, row will be missing data]
docs/reporters/GitHubCommentReporter.md:28:46 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
docs/reporters/GitHubCommentReporter.md:28:160 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
docs/reporters/GitHubCommentReporter.md:28:179 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
docs/reporters/GitHubCommentReporter.md:29:159 error MD056/table-column-count Table column count [Expected: 4; Actual: 3; Too few cells, row will be missing data]
docs/reporters/GitHubCommentReporter.md:29:48 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
docs/reporters/GitHubCommentReporter.md:29:143 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
docs/reporters/GitHubCommentReporter.md:29:159 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
docs/reporters/GitHubCommentReporter.md:30:171 error MD056/table-column-count Table column count [Expected: 4; Actual: 3; Too few cells, row will be missing data]
docs/reporters/GitHubCommentReporter.md:30:46 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
docs/reporters/GitHubCommentReporter.md:30:152 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
docs/reporters/GitHubCommentReporter.md:30:171 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
docs/reporters/GitHubStatusReporter.md:6 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "GitHub Status Reporter"]
docs/reporters/GitlabCommentReporter.md:6 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Gitlab Comment Reporter"]
docs/reporters/JsonReporter.md:5 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "JSON Reporter"]
docs/reporters/MarkdownSummaryReporter.md:6 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Markdown Summary Reporter"]
docs/reporters/SarifReporter.md:6 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "SARIF Reporter (beta)"]
docs/reporters/TapReporter.md:5 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "TAP Reporter"]
docs/reporters/TextReporter.md:5 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Text Reporter"]
docs/reporters/UpdatedSourcesReporter.md:5 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Updated Sources Reporter"]
docs/special-thanks.md:9 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Special thanks"]
docs/special-thanks.md:23:3 error MD045/no-alt-text Images should have alternate text (alt text)
docs/sponsor.md:5 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Sponsoring"]
docs/supported-linters.md:9 error MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Supported Linters"]
mega-linter-runner/generators/mega-linter-custom-flavor/templates/README.md:63 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "How to use the custom flavor"]
mega-linter-runner/README.md:27:274 error MD051/link-fragments Link fragments should be valid [Context: "[**apply formatting and auto-fixes**](#apply-fixes)"]
mega-linter-runner/README.md:27:217 error MD051/link-fragments Link fragments should be valid [Context: "[**reports in several formats**](#reports)"]
README.md:190:127 error MD051/link-fragments Link fragments should be valid [Context: "[many additional features](#mega-linter-vs-super-linter)"]
README.md:1768:3 error MD045/no-alt-text Images should have alternate text (alt text)

(Truncated to last 5714 characters out of 43922)

⚠️ YAML / prettier - 6 errors

ov.yml 2ms (unchanged)
mega-linter-runner/.eslintrc.yml 3ms (unchanged)
mega-linter-runner/.mega-linter.yml 11ms (unchanged)
mega-linter-runner/generators/mega-linter-custom-flavor/templates/action.yml 7ms (unchanged)
mega-linter-runner/generators/mega-linter-custom-flavor/templates/check-new-megalinter-version.yml 37ms (unchanged)
mega-linter-runner/generators/mega-linter-custom-flavor/templates/megalinter-custom-flavor-builder.yml 34ms (unchanged)
[error] mega-linter-runner/generators/mega-linter-custom-flavor/templates/megalinter-custom-flavor.yml: SyntaxError: Implicit map keys need to be followed by map values (6:1)
[error]   4 | label: <%= CUSTOM_FLAVOR_LABEL %>
[error]   5 | linters:
[error] > 6 | <%= CUSTOM_FLAVOR_LINTERS %>
[error]     | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[error]   7 |
mega-linter-runner/generators/mega-linter/templates/.drone.yml 5ms (unchanged)
mega-linter-runner/generators/mega-linter/templates/.gitlab-ci.yml 10ms (unchanged)
mega-linter-runner/generators/mega-linter/templates/azure-pipelines.yml 8ms (unchanged)
mega-linter-runner/generators/mega-linter/templates/bitbucket-pipelines.yml 5ms (unchanged)
mega-linter-runner/generators/mega-linter/templates/concourse-task.yml 3ms (unchanged)
mega-linter-runner/generators/mega-linter/templates/mega-linter.yml 24ms (unchanged)
megalinter/descriptors/action.megalinter-descriptor.yml 12ms (unchanged)
megalinter/descriptors/ansible.megalinter-descriptor.yml 18ms (unchanged)
megalinter/descriptors/api.megalinter-descriptor.yml 32ms (unchanged)
megalinter/descriptors/arm.megalinter-descriptor.yml 11ms (unchanged)
megalinter/descriptors/bash.megalinter-descriptor.yml 25ms (unchanged)
megalinter/descriptors/bicep.megalinter-descriptor.yml 8ms (unchanged)
megalinter/descriptors/c.megalinter-descriptor.yml 13ms (unchanged)
megalinter/descriptors/clojure.megalinter-descriptor.yml 12ms (unchanged)
megalinter/descriptors/cloudformation.megalinter-descriptor.yml 5ms (unchanged)
megalinter/descriptors/coffee.megalinter-descriptor.yml 3ms (unchanged)
megalinter/descriptors/copypaste.megalinter-descriptor.yml 5ms (unchanged)
megalinter/descriptors/cpp.megalinter-descriptor.yml 14ms (unchanged)
megalinter/descriptors/csharp.megalinter-descriptor.yml 17ms (unchanged)
megalinter/descriptors/css.megalinter-descriptor.yml 7ms (unchanged)
megalinter/descriptors/dart.megalinter-descriptor.yml 7ms (unchanged)
megalinter/descriptors/dockerfile.megalinter-descriptor.yml 7ms (unchanged)
megalinter/descriptors/editorconfig.megalinter-descriptor.yml 6ms (unchanged)
megalinter/descriptors/env.megalinter-descriptor.yml 6ms (unchanged)
megalinter/descriptors/gherkin.megalinter-descriptor.yml 12ms (unchanged)
megalinter/descriptors/go.megalinter-descriptor.yml 10ms (unchanged)
megalinter/descriptors/graphql.megalinter-descriptor.yml 8ms (unchanged)
megalinter/descriptors/groovy.megalinter-descriptor.yml 7ms (unchanged)
megalinter/descriptors/html.megalinter-descriptor.yml 9ms (unchanged)
megalinter/descriptors/java.megalinter-descriptor.yml 9ms (unchanged)
megalinter/descriptors/javascript.megalinter-descriptor.yml 33ms (unchanged)
megalinter/descriptors/json.megalinter-descriptor.yml 45ms (unchanged)
megalinter/descriptors/jsx.megalinter-descriptor.yml 10ms (unchanged)
megalinter/descriptors/kotlin.megalinter-descriptor.yml 18ms (unchanged)
megalinter/descriptors/kubernetes.megalinter-descriptor.yml 11ms (unchanged)
megalinter/descriptors/latex.megalinter-descriptor.yml 8ms (unchanged)
megalinter/descriptors/lua.megalinter-descriptor.yml 20ms (unchanged)
megalinter/descriptors/makefile.megalinter-descriptor.yml 6ms (unchanged)
megalinter/descriptors/markdown.megalinter-descriptor.yml 20ms (unchanged)
megalinter/descriptors/perl.megalinter-descriptor.yml 3ms (unchanged)
megalinter/descriptors/php.megalinter-descriptor.yml 45ms (unchanged)
megalinter/descriptors/powershell.megalinter-descriptor.yml 16ms (unchanged)
megalinter/descriptors/protobuf.megalinter-descriptor.yml 8ms (unchanged)
megalinter/descriptors/puppet.megalinter-descriptor.yml 8ms (unchanged)
megalinter/descriptors/python.megalinter-descriptor.yml 60ms (unchanged)
megalinter/descriptors/r.megalinter-descriptor.yml 10ms (unchanged)
megalinter/descriptors/raku.megalinter-descriptor.yml 4ms (unchanged)
megalinter/descriptors/repository.megalinter-descriptor.yml 54ms (unchanged)
megalinter/descriptors/robotframework.megalinter-descriptor.yml 7ms (unchanged)
megalinter/descriptors/rst.megalinter-descriptor.yml 18ms (unchanged)
megalinter/descriptors/ruby.megalinter-descriptor.yml 11ms (unchanged)
megalinter/descriptors/rust.megalinter-descriptor.yml 8ms (unchanged)
megalinter/descriptors/salesforce.megalinter-descriptor.yml 90ms (unchanged)
megalinter/descriptors/scala.megalinter-descriptor.yml 5ms (unchanged)
megalinter/descriptors/snakemake.megalinter-descriptor.yml 11ms (unchanged)
megalinter/descriptors/spell.megalinter-descriptor.yml 31ms (unchanged)
megalinter/descriptors/sql.megalinter-descriptor.yml 9ms (unchanged)
megalinter/descriptors/swift.megalinter-descriptor.yml 6ms (unchanged)
megalinter/descriptors/tekton.megalinter-descriptor.yml 5ms (unchanged)
megalinter/descriptors/terraform.megalinter-descriptor.yml 13ms (unchanged)
megalinter/descriptors/tsx.megalinter-descriptor.yml 14ms (unchanged)
megalinter/descriptors/typescript.megalinter-descriptor.yml 38ms (unchanged)
megalinter/descriptors/vbdotnet.megalinter-descriptor.yml 9ms (unchanged)
megalinter/descriptors/xml.megalinter-descriptor.yml 6ms (unchanged)
megalinter/descriptors/yaml.megalinter-descriptor.yml 29ms (unchanged)
server/docker-compose-dev.yml 10ms (unchanged)
server/docker-compose.yml 10ms (unchanged)
trivy-secret.yaml 1ms (unchanged)

(Truncated to last 5714 characters out of 11511)

⚠️ YAML / yamllint - 30 errors

mega-linter-runner/.eslintrc.yml
  11:9      warning  too few spaces inside empty braces  (braces)

mega-linter-runner/generators/mega-linter-custom-flavor/templates/megalinter-custom-flavor.yml
  7:1       error    syntax error: could not find expected ':' (syntax)

megalinter/descriptors/copypaste.megalinter-descriptor.yml
  18:301    warning  line too long (313 > 300 characters)  (line-length)

megalinter/descriptors/javascript.megalinter-descriptor.yml
  234:301   warning  line too long (307 > 300 characters)  (line-length)

megalinter/descriptors/markdown.megalinter-descriptor.yml
  74:301    warning  line too long (366 > 300 characters)  (line-length)

megalinter/descriptors/perl.megalinter-descriptor.yml
  26:301    warning  line too long (310 > 300 characters)  (line-length)

megalinter/descriptors/php.megalinter-descriptor.yml
  149:301   warning  line too long (389 > 300 characters)  (line-length)
  163:301   warning  line too long (302 > 300 characters)  (line-length)

megalinter/descriptors/repository.megalinter-descriptor.yml
  153:301   warning  line too long (408 > 300 characters)  (line-length)
  266:301   warning  line too long (306 > 300 characters)  (line-length)
  271:301   warning  line too long (321 > 300 characters)  (line-length)
  448:301   warning  line too long (338 > 300 characters)  (line-length)
  516:301   warning  line too long (306 > 300 characters)  (line-length)
  566:301   warning  line too long (316 > 300 characters)  (line-length)
  816:301   warning  line too long (1263 > 300 characters)  (line-length)
  881:301   warning  line too long (879 > 300 characters)  (line-length)
  895:301   warning  line too long (358 > 300 characters)  (line-length)
  951:301   warning  line too long (346 > 300 characters)  (line-length)
  958:301   warning  line too long (307 > 300 characters)  (line-length)

megalinter/descriptors/salesforce.megalinter-descriptor.yml
  51:301    warning  line too long (359 > 300 characters)  (line-length)
  295:301   warning  line too long (359 > 300 characters)  (line-length)

megalinter/descriptors/sql.megalinter-descriptor.yml
  64:301    warning  line too long (319 > 300 characters)  (line-length)

megalinter/descriptors/terraform.megalinter-descriptor.yml
  27:301    warning  line too long (330 > 300 characters)  (line-length)
  86:301    warning  line too long (391 > 300 characters)  (line-length)
  142:301   warning  line too long (346 > 300 characters)  (line-length)
  199:301   warning  line too long (328 > 300 characters)  (line-length)

megalinter/descriptors/typescript.megalinter-descriptor.yml
  225:301   warning  line too long (314 > 300 characters)  (line-length)

mkdocs.yml
  8:301     warning  line too long (552 > 300 characters)  (line-length)
  66:5      warning  wrong indentation: expected 6 but found 4  (indentation)
  78:5      warning  wrong indentation: expected 6 but found 4  (indentation)

✅ Linters with no issues

black, checkov, cspell, flake8, git_diff, hadolint, isort, jscpd, jsonlint, markdown-table-formatter, mypy, npm-groovy-lint, pylint, ruff, secretlint, shellcheck, shfmt, spectral, syft, trivy, trivy-sbom, trufflehog, v8r, v8r, xmllint

See detailed reports in MegaLinter artifacts

Show us your support by starring ⭐ the repository

cursor · 2026-02-12T21:40:51Z

megalinter/linters/CheckovLinter.py

+                self.cli_lint_extra_args_after.append("--directory")
+                self.cli_lint_extra_args_after.append(".")
+
+        return super().build_lint_command(file)


Mutating shared state causes argument accumulation across calls

Medium Severity

build_lint_command appends to self.cli_lint_extra_args_after (a persistent instance attribute) on every invocation. The code explicitly handles cli_lint_mode == "file", but in file mode the parent Linter.run() calls build_lint_command(file) once per file in a loop, causing "--file" (or "--directory" + ".") to be appended repeatedly. The second file's command would contain duplicate --file flags, the third would have three, etc., producing broken checkov invocations. Similarly, in the PR branch, --file plus all file paths would be re-appended on each call. Unlike CSpellLinter, which guards against duplicates, no idempotency check is present here.

@nvuillam does that make sense?

cursor · 2026-02-12T21:40:51Z

megalinter/linters/CheckovLinter.py

+            self.cli_lint_extra_args_after.append("--file")
+
+            for file_to_lint in self.files:
+                self.cli_lint_extra_args_after.append(file_to_lint)


PR file scanning broken: self.files always empty by default

High Severity

The checkov descriptor defines no file_extensions and no file_names_regex, so the filter_files utility rejects all files, leaving self.files always empty in the default configuration. When the PR-mode branch appends --file followed by iterating the empty self.files, the resulting command is checkov ... --file with no file arguments — an invalid invocation. The pre_test method masks this by explicitly setting REPOSITORY_CHECKOV_FILE_EXTENSIONS and REPOSITORY_CHECKOV_FILE_NAMES_REGEX, so tests pass, but in production the feature silently produces an error.

Additional Locations (1)

megalinter/linters/CheckovLinter.py#L29-L36

@nvuillam how can I fix this, which I guess makes sense?

bdovaz · 2026-02-12T21:55:10Z

/build

Command run output
Build command workflow started.
Installing dependencies
Running script ./build.sh
Build command workflow completed without updating files.

bdovaz · 2026-02-12T23:01:12Z

@nvuillam @echoix do you know why all the linters fail with the following error?

https://github.com/oxsecurity/megalinter/actions/runs/21965017245/job/63452459680?pr=7119

bdovaz · 2026-02-14T06:49:54Z

I see that this problem is not my PR's fault, it was driving me crazy: #7115

echoix · 2026-02-14T12:06:41Z

I see that this problem is not my PR's fault, it was driving me crazy: #7115

So it's the azure DevOps warning that finally becomes an
error (it's been a while)

cursor

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

cursor · 2026-02-17T13:25:05Z

megalinter/linters/CheckovLinter.py

+            self.cli_lint_extra_args_after.append("--file")
+
+            for file_to_lint in self.files:
+                self.cli_lint_extra_args_after.append(file_to_lint)


PR mode passes multiple files after single --file flag

High Severity

In PR mode, the code appends a single --file flag followed by all file paths as separate arguments, producing checkov ... --file file1 file2 file3. Checkov's CLI documentation defines --file as -f FILE, --file FILE (singular), meaning it accepts a single file path — not multiple space-separated files. This likely causes checkov to only scan the first file (or error), silently skipping all other PR-modified files. Each file likely needs its own --file prefix.

bdovaz added 2 commits February 12, 2026 21:01

Scan only the files modified in a PR with checkov

bea5304

wip

4f8ee50

bdovaz requested review from Kurt-von-Laven, echoix and nvuillam as code owners February 12, 2026 21:30

bdovaz temporarily deployed to dev February 12, 2026 21:31 — with GitHub Actions Inactive

bdovaz had a problem deploying to dev February 12, 2026 21:31 — with GitHub Actions Failure

cursor bot reviewed Feb 12, 2026

View reviewed changes

Merge branch 'main' into checkov-pr

0bba5e1

echoix temporarily deployed to dev February 17, 2026 13:14 — with GitHub Actions Inactive

cursor bot reviewed Feb 17, 2026

View reviewed changes

[MegaLinter] Apply linters fixes

ef95833

nvuillam temporarily deployed to dev February 17, 2026 13:34 — with GitHub Actions Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Scan only the files modified in a PR with checkov#7119

Scan only the files modified in a PR with checkov#7119
bdovaz wants to merge 4 commits intomainfrom
checkov-pr

bdovaz commented Feb 12, 2026 •

edited by cursor bot

Loading

Uh oh!

github-actions bot commented Feb 12, 2026 •

edited

Loading

Uh oh!

cursor bot Feb 12, 2026

Uh oh!

bdovaz Feb 12, 2026

Uh oh!

cursor bot Feb 12, 2026

Uh oh!

bdovaz Feb 12, 2026 •

edited

Loading

Uh oh!

bdovaz commented Feb 12, 2026 •

edited by github-actions bot

Loading

Uh oh!

bdovaz commented Feb 12, 2026

Uh oh!

bdovaz commented Feb 14, 2026

Uh oh!

echoix commented Feb 14, 2026

Uh oh!

cursor bot left a comment

Uh oh!

cursor bot Feb 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

bdovaz commented Feb 12, 2026 • edited by cursor bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Feb 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅⚠️MegaLinter analysis: Success with warnings

✅ Linters with no issues

Uh oh!

cursor bot Feb 12, 2026

Choose a reason for hiding this comment

Mutating shared state causes argument accumulation across calls

Uh oh!

bdovaz Feb 12, 2026

Choose a reason for hiding this comment

Uh oh!

cursor bot Feb 12, 2026

Choose a reason for hiding this comment

PR file scanning broken: self.files always empty by default

Uh oh!

bdovaz Feb 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

bdovaz commented Feb 12, 2026 • edited by github-actions bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bdovaz commented Feb 12, 2026

Uh oh!

bdovaz commented Feb 14, 2026

Uh oh!

echoix commented Feb 14, 2026

Uh oh!

cursor bot left a comment

Choose a reason for hiding this comment

Uh oh!

cursor bot Feb 17, 2026

Choose a reason for hiding this comment

PR mode passes multiple files after single --file flag

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

bdovaz commented Feb 12, 2026 •

edited by cursor bot

Loading

github-actions bot commented Feb 12, 2026 •

edited

Loading

PR file scanning broken: `self.files` always empty by default

bdovaz Feb 12, 2026 •

edited

Loading

bdovaz commented Feb 12, 2026 •

edited by github-actions bot

Loading

PR mode passes multiple files after single `--file` flag