Update oxsecurity/megalinter action to v9

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
oxsecurity/megalinter	action	major	v7 -> v9

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

oxsecurity/megalinter (oxsecurity/megalinter)

v9

Compare Source

• New linters

  • Add Robocop linter, by @​bdovaz in #​6232

• Linters enhancements

  • Python Linting: Added more file type supports for various linters. Full description here

• Doc

  • Add OLLAMA_BASE_URL is MegaLinter config Json schema

• Flavors

  • Custom flavors: Add workflow to automate detection of new MegaLinter versions and generation of new Custom Flavor

• CI

  • Fix v9 release issue + mark hardcoded versions to upgrade at each new major release.

• Linter versions upgrades (22)

  • ansible-lint from 25.9.0 to 25.9.1
  • bicep_linter from 0.37.4 to 0.38.33
  • cfn-lint from 1.39.1 to 1.40.0
  • checkstyle from 11.0.1 to 11.1.0
  • clj-kondo from 2025.09.19 to 2025.09.22
  • golangci-lint from 2.4.0 to 2.5.0
  • hadolint from 2.13.1 to 2.14.0
  • isort from 6.0.1 to 6.1.0
  • kics from 2.1.13 to 2.1.14
  • npm-groovy-lint from 15.2.1 to 15.2.2
  • php-cs-fixer from 3.87.2 to 3.88.2
  • phpstan from 2.1.28 to 2.1.30
  • pylint from 3.3.8 to 3.3.9
  • pyright from 1.1.405 to 1.1.406
  • robocop from 6.7.0 to 6.7.2
  • rubocop from 1.80.2 to 1.81.1
  • ruff-format from 0.13.1 to 0.13.3
  • ruff from 0.13.1 to 0.13.3
  • snakemake from 9.11.4 to 9.11.9
  • terraform-fmt from 1.13.2 to 1.13.3
  • terragrunt from 0.87.2 to 0.88.1
  • trivy from 0.66.0 to 0.67.0

v8

Compare Source

• Core

  • Retrieve SARIF errors and warnings correctly, by @​bdovaz in #​4837

• Linters enhancements

  • More config file name checks for ansible-lint activation, by @​nvuillam in #​5590

• Fixes

  • Fix crash when the markdown table summary is empty, by @​nvuillam in #​5363
  • Downgrade click to make rstcheck work again, by @​nvuillam in #​5387

• Doc

  • Display hash as plain text in markdown, by @​johndutchover in #​5420

• Flavors

  • Add Gherkin descriptor in java flavor, by @​nvuillam in #​5592

• CI

  • Fix rust setup & disable codecov-cli, by @​nvuillam in #​5579

• Linter versions upgrades (50)

  • ansible-lint from 25.4.0 to 25.5.0
  • bicep_linter from 0.35.1 to 0.36.1
  • cfn-lint from 1.34.2 to 1.36.0
  • checkstyle from 10.23.1 to 10.25.0
  • clippy from 0.1.86 to 0.1.87
  • clj-kondo from 2025.04.07 to 2025.06.05
  • csharpier from 1.0.1 to 1.0.2
  • cspell from 8.19.4 to 9.1.1
  • dartanalyzer from 3.7.3 to 3.8.1
  • devskim from 1.0.56 to 1.0.59
  • dotnet-format from 9.0.105 to 9.0.106
  • editorconfig-checker from 3.2.1 to 3.3.0
  • gitleaks from 8.25.1 to 8.27.2
  • golangci-lint from 2.1.5 to 2.1.6
  • grype from 0.91.2 to 0.94.0
  • htmlhint from 1.1.4 to 1.5.1
  • kics from 2.1.7 to 2.1.10
  • ktlint from 1.5.0 to 1.6.0
  • kubeconform from 0.6.7 to 0.7.0
  • lightning-flow-scanner from 3.8.0 to 3.23.0
  • ls-lint from 2.3.0 to 2.3.1
  • markdownlint from 0.44.0 to 0.45.0
  • mypy from 1.15.0 to 1.16.0
  • npm-groovy-lint from 15.1.0 to 15.2.0
  • phpcs from 3.12.2 to 3.13.1
  • phpstan from 2.1.14 to 2.1.17
  • pmd from 7.13.0 to 7.14.0
  • protolint from 0.54.1 to 0.55.6
  • psalm from Psalm.6.10.2@​ to Psalm.6.12.0@​
  • pylint from 3.3.6 to 3.3.7
  • pyright from 1.1.400 to 1.1.402
  • revive from 1.9.0 to 1.10.0
  • rstcheck from 6.2.4 to 6.2.5
  • rubocop from 1.75.4 to 1.76.1
  • ruff from 0.11.8 to 0.11.13
  • ruff-format from 0.11.8 to 0.11.13
  • scalafix from 0.14.2 to 0.14.3
  • secretlint from 9.3.2 to 10.1.0
  • semgrep from 3.12 to 3.13
  • sfdx-scanner-apex from 4.11.0 to 4.12.0
  • sfdx-scanner-aura from 4.11.0 to 4.12.0
  • sfdx-scanner-lwc from 4.11.0 to 4.12.0
  • snakemake from 8.27.1 to 9.5.1
  • sqlfluff from 3.4.0 to 3.4.1
  • stylelint from 16.19.1 to 16.20.0
  • syft from 1.23.1 to 1.27.1
  • terraform-fmt from 1.11.4 to 1.12.2
  • terragrunt from 0.78.0 to 0.81.6
  • tflint from 0.57.0 to 0.58.0
  • trivy from 0.62.0 to 0.63.0
  • trivy-sbom from 0.62.0 to 0.63.0
  • trufflehog from 3.88.27 to 3.89.1
  • v8r from 4.4.0 to 5.0.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
❌ ACTION	actionlint	1		1	0	0.23s
✅ EDITORCONFIG	editorconfig-checker	1		0	0	0.21s
✅ REPOSITORY	gitleaks	yes		no	no	0.08s
✅ REPOSITORY	git_diff	yes		no	no	0.22s
✅ REPOSITORY	grype	yes		no	no	24.7s
❌ REPOSITORY	kics	yes		4	no	1.38s
✅ REPOSITORY	secretlint	yes		no	no	0.43s
✅ REPOSITORY	syft	yes		no	no	1.03s
✅ REPOSITORY	trivy	yes		no	no	4.73s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.1s
✅ REPOSITORY	trufflehog	yes		no	no	2.16s
✅ YAML	prettier	1	0	0	0	0.35s
✅ YAML	v8r	1		0	0	1.65s
✅ YAML	yamllint	1		0	0	0.28s

Detailed Issues

❌ ACTION / actionlint - 1 error

.github/workflows/lint.yaml:57:15: the runner of "peter-evans/create-pull-request@v5" action is too old to run on GitHub Actions. update the action's version to fix this issue [action]
   |
57 |         uses: peter-evans/create-pull-request@v5
   |               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

❌ REPOSITORY / kics - 4 errors

MLLLLLM             MLLLLLLLLL   LLLLLLL             KLLLLLLLLLLLLLLLL       LLLLLLLLLLLLLLLLLLLLLLL 
   MMMMMMM           MMMMMMMMMML    MMMMMMMK       LMMMMMMMMMMMMMMMMMMMML   KLMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM         MMMMMMMMML       MMMMMMMK     LMMMMMMMMMMMMMMMMMMMMMML  LMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM      MMMMMMMMMML         MMMMMMMK   LMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM    LMMMMMMMMML           MMMMMMMK  LMMMMMMMMMLLMLLLLLLLLLLLLLL LMMMMMMMLLLLLLLLLLLLLLLLLLLLM 
   MMMMMMM  MMMMMMMMMLM             MMMMMMMK LMMMMMMMM                    LMMMMMML                      
   MMMMMMMLMMMMMMMML                MMMMMMMK MMMMMMML                     LMMMMMMMMLLLLLLLLLLLLLMLL     
   MMMMMMMMMMMMMMMM                 MMMMMMMK MMMMMML                       LMMMMMMMMMMMMMMMMMMMMMMMMML  
   MMMMMMMMMMMMMMMMMM               MMMMMMMK MMMMMMM                         LMMMMMMMMMMMMMMMMMMMMMMMML 
   MMMMMMM KLMMMMMMMMML             MMMMMMMK LMMMMMMM                                          MMMMMMMML
   MMMMMMM    LMMMMMMMMMM           MMMMMMMK LMMMMMMMMLL                                        MMMMMMML
   MMMMMMM      LMMMMMMMMMLL        MMMMMMMK  LMMMMMMMMMMMMMMMMMMMMMMMMML LLLLLLLLLLLLLLLLLLLLMMMMMMMMMM
   MMMMMMM        MMMMMMMMMMML      MMMMMMMK   MMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM          LLMMMMMMMMML    MMMMMMMK     LLMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMML  
   MMMMMMM             MMMMMMMMMML  MMMMMMMK         KLMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMLK    
                                                                                                            
                                                                                                                                                                                                                                                                                                                        


Scanning with Keeping Infrastructure as Code Secure v2.1.13





Unpinned Actions Full Length Commit SHA, Severity: LOW, Results: 4
Description: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Platform: CICD
CWE: 829
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9

	[1]: .github/workflows/lint.yaml:45

		044:         # More info at https://megalinter.io/flavors/
		045:         uses: oxsecurity/megalinter/flavors/cupcake@v9
		046:         env:


	[2]: .github/workflows/lint.yaml:57

		056:         if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_n
		057:         uses: peter-evans/create-pull-request@v5
		058:         with:


	[3]: .github/workflows/lint.yaml:87

		086:         if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.
		087:         uses: stefanzweifel/git-auto-commit-action@v5
		088:         with:


	[4]: .github/workflows/update-formulae.yaml:42

		041:       - name: Update Homebrew formula
		042:         uses: nsheaps/action-homebrew-bump-formula@master
		043:         with:



Results Summary:
CRITICAL: 0
HIGH: 0
MEDIUM: 0
LOW: 4
INFO: 0
TOTAL: 4

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff