Update oxsecurity/megalinter action to v9

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
oxsecurity/megalinter	action	major	v8 → v9

---

Release Notes

oxsecurity/megalinter (oxsecurity/megalinter)

v9

Compare Source

• Core

  • Improve files browsing performances (2 PRs)
  • Optimize parallel linter processing and improve grouping logic
  • Improve performance of listing .gitignored files by sending excluded directories to git ls-files
  • If there are more than 500 .gitignored files, advise to add more excluded directories using variable ADDITIONAL_EXCLUDED_DIRECTORIES, to improve performances
  • Reduce redundant config lookups, environment copies, and dict rebuilds across config, linter, and utils modules
  • Cache subprocess environment per linter run and excluded directories per request
  • Optimize parallel linter result update from O(n²) to O(n)
  • Add support in the build of Docker images for linux/arm64 in compatible linters

• New linters

  • Add PYTHON_NBQA_MYPY for type-checking Jupyter notebooks using nbqa + mypy

• Disabled linters

  • LUA_SELENE: Kampfkarren/selene#662

• Linters enhancements

  • Use the official checkmake image by @​bdovaz
  • Spectral: Add sarif support to spectral by @​bdovaz
  • Spectral: Change cli_lint_mode to list_of_files to improve performances

• Fixes

  • Add support for SSH remote origins when building custom flavors (fixes: #​6511)
  • Fix issue with plugins ignored when FLAVOR_SUGGESTIONS=false
  • Fix wrong tagging apply_fixes=True when linter has no fix options configured
  • Python mypy: Remove .ipynb from file extensions (mypy doesn't support notebooks directly) - fixes #​6904
  • Fix operator precedence bug in pre_post_factory pre/post command logic
  • Fix file handle leak in GitleaksLinter
  • Fix variable name bug in utils.get_git_context_info
  • Minor fixes in logger, SqlFluffLinter, PowershellLinter, TrivyLinter

• Reporters

  • Add a link inviting to star MegaLinter
  • Display in the console reporter the working directory from which the commands are executed by @​bdovaz
  • Update WebHook reporter so it can send more events for a better integration with UI
  • When truncating long comments in markdown reports, keep the end of the text instead of the beginning (which usually contains less useful information)
  • In case GitHub Api returns 500, do not make the whole MegaLinter fail, display a warning instead
  • Azure Reporter: Use Azure DevOps Services REST API instead of unmaintained python wrapper lib

• Flavors

  • Custom flavor builder:
    • Add support for SSH remotes
    • Allow selection of platforms to build the custom flavor on (ex: linux/amd64, linux/arm64) and build compatible linters on these platforms
    • Build & release custom flavor builder image for linux/arm64

• Doc

  • JSON Schema: Add default values for file extensions and file names variables + improve descriptions
  • Update default secured env variables documentation
  • Fix banner img in json_prettier and yaml_prettier docs
  • Explain better how to run tests locally
  • Vale: Mention community style packages in linter description

• CI

  • Free more space on GitHub Actions runners to avoid build failures
  • Ignore .isorted files in secretlint to avoid scanning transient files created by other linters
  • Avoid duplicate jobs "Mirror docker image"
  • Allow to skip linters build using skip linters in latest commit text
  • Allow to disable build & push of standalone linters docker images using variable BETA_LINTERS_ENABLED=false
  • Improve performances of formatting markdown tables during build
  • Improve test classes performances and fix race conditions
  • Fix plugin test to work with forks and feature branches
  • Update .devcontainer image to trixie

• mega-linter-runner

  • If variables are defined in a local .env file, send their values to docker/podman run command (can be useful for secret variables)
  • Never send .env file to the docker run for security reasons, instead create an empty one if needed
  • Use npm trusted publishers (OIDC) to publish mega-linter-runner

• Linter versions upgrades (59)

  • actionlint from 1.7.10 to 1.7.11
  • ansible-lint from 25.12.2 to 26.2.0
  • bandit from 1.9.2 to 1.9.4
  • bicep_linter from 0.39.26 to 0.41.2
  • black from 25.12.0 to 26.1.0
  • cfn-lint from 1.43.1 to 1.45.0
  • checkov from 3.2.497 to 3.2.506
  • clippy from 0.1.92 to 0.1.93
  • clj-kondo from 2025.12.23 to 2026.01.19
  • code-analyzer-apex from 5.7.1 to 5.10.0
  • code-analyzer-aura from 5.7.1 to 5.10.0
  • code-analyzer-lwc from 5.7.1 to 5.10.0
  • csharpier from 1.2.5 to 1.2.6
  • cspell from 9.4.0 to 9.7.0
  • dartanalyzer from 3.10.7 to 3.11.1
  • devskim from 1.0.67 to 1.0.70
  • dotnet-format from 9.0.112 to 9.0.114
  • editorconfig-checker from 3.6.0 to 3.6.1
  • golangci-lint from 2.7.2 to 2.10.1
  • grype from 0.104.3 to 0.109.0
  • htmlhint from 1.8.0 to 1.9.1
  • isort from 7.0.0 to 8.0.0
  • jscpd from 4.0.5 to 4.0.8
  • jsonlint from 16.0.0 to 17.0.1
  • kics from 2.1.18 to 2.1.19
  • kingfisher from 1.73.0 to 1.84.0
  • kubescape from 3.0.47 to 4.0.2
  • npm-groovy-lint from 16.1.1 to 16.2.0
  • php-cs-fixer from 3.92.4 to 3.94.2
  • phpstan from 2.1.33 to 2.1.40
  • pmd from 7.20.0 to 7.22.0
  • prettier from 3.7.4 to 3.8.1
  • psalm from Psalm.6.14.3@​ to Psalm.6.15.1@​
  • pylint from 4.0.4 to 4.0.5
  • pyright from 1.1.407 to 1.1.408
  • revive from 1.13.0 to 1.14.0
  • robocop from 7.2.0 to 8.2.2
  • rubocop from 1.82.1 to 1.85.0
  • ruff-format from 0.14.10 to 0.15.4
  • ruff from 0.14.10 to 0.15.4
  • rumdl from 0.0.208 to 0.1.32
  • scalafix from 0.14.5 to 0.14.6
  • secretlint from 11.2.5 to 11.3.1
  • semgrep from 1.151.0 to 1.153.1
  • snakefmt from 0.11.2 to 0.11.4
  • snakemake from 9.14.5 to 9.16.3
  • sqlfluff from 3.5.0 to 4.0.4
  • swiftlint from 0.63.0 to 0.63.2
  • syft from 1.39.0 to 1.42.1
  • terraform-fmt from 1.14.1 to 1.14.5
  • terragrunt from 0.93.13 to 0.99.4
  • tflint from 0.60.0 to 0.61.0
  • trivy-sbom from 0.68.2 to 0.69.1
  • trivy from 0.68.2 to 0.69.1
  • trufflehog from 3.92.4 to 3.93.6
  • v8r from 5.1.0 to 6.0.0
  • vale from 3.13.0 to 3.13.1
  • yamllint from 1.37.1 to 1.38.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.92%. Comparing base (ab831f2) to head (597cfcb).

Additional details and impacted files

@@           Coverage Diff           @@
##           master      #31   +/-   ##
=======================================
  Coverage   69.92%   69.92%           
=======================================
  Files           2        2           
  Lines         256      256           
=======================================
  Hits          179      179           
  Misses         58       58           
  Partials       19       19           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	1		0	0	0.02s
✅ COPYPASTE	jscpd	yes		no	no	1.51s
✅ EDITORCONFIG	editorconfig-checker	22		0	0	0.03s
✅ GO	golangci-lint	yes		no	no	13.78s
✅ GO	revive	yes		no	no	7.21s
✅ JSON	jsonlint	1		0	0	0.19s
✅ JSON	prettier	1		0	0	1.39s
✅ JSON	v8r	1		0	0	2.54s
✅ MARKDOWN	markdownlint	2		0	0	0.84s
✅ MARKDOWN	markdown-table-formatter	2		0	0	0.35s
✅ REPOSITORY	gitleaks	yes		no	no	0.14s
✅ REPOSITORY	git_diff	yes		no	no	0.0s
✅ REPOSITORY	grype	yes		no	no	34.17s
✅ REPOSITORY	secretlint	yes		no	no	1.16s
✅ REPOSITORY	syft	yes		no	no	2.17s
✅ REPOSITORY	trivy	yes		no	no	11.86s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.22s
✅ REPOSITORY	trufflehog	yes		no	no	4.68s
✅ YAML	prettier	4		0	0	0.44s
✅ YAML	v8r	4		0	0	5.69s
✅ YAML	yamllint	4		0	0	0.55s

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.0.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,COPYPASTE_JSCPD,EDITORCONFIG_EDITORCONFIG_CHECKER,GO_GOLANGCI_LINT,GO_REVIVE,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R