
dependabot[bot] commented on behalf of github on Oct 1, 2025

Bumps oxsecurity/megalinter from 8 to 9.

Release notes

Sourced from oxsecurity/megalinter's releases.

v9.0.0

What's Changed

  • Core

    • Create your own MegaLinter Custom Flavors to dramatically improve your performance
      • See documentation for usage
      • Use npx mega-linter-runner@beta --custom-flavor-setup to initialize repo
      • Suggest new flavors in reporters with a mega-linter-runner including the list of linters
    • New LLM Advisor: call external LLMs to get hints to solve linter errors, available in:
      • Console Reporter
      • Text Reporter
      • Git platforms PR/MR comments Reporter
    • Use ghcr.io docker images by default because of rate limits on docker.io
    • Use uv to create the venv folder for pip-installed linters
    • Add copilot instructions for GitHub Copilot
    • Update base image to python:3.13-alpine3.21 (also embeds go 1.24)
  • Disabled linters

  • Removed linters

    • markdown-link-check has been removed because lychee can be used instead, and has much better performance
  • Linters enhancements

    • PHP-CS-Fixer is able to run on PHP 8.4 without error (change default configuration) by @​llaville
    • cspell: Filter output lines that do not contain found issues
    • hadolint: Extend DOCKERFILE_HADOLINT_FILE_NAMES_REGEX to include the purpose.Dockerfile convention, e.g. service.Dockerfile
    • sqlfluff: Handle fixing of issues
  • Fixes

    • When a linter is Docker based, force --platform=linux/amd64 so it works when running locally on a Mac
    • Added checking of *.pyi and *.ipynb files to the ruff and ruff-format linters
  • Reporters

    • New default display for Pull Request comments, with expandable sections containing the first 1000 lines of the output log. Former display remains available by defining REPORTERS_MARKDOWN_SUMMARY_TYPE=table
    • Markdown summary reporter:
      • Write a file for GitHub integration if GITHUB_STEP_SUMMARY is set
      • Truncate less linter output lines
    • Text reporter: Change the output file names to put the linter name first, then the status
    • Enhance display of markdown summary
  • Doc

    • Update documentation in all megalinter descriptor files to improve accuracy and consistency
    • Fix incorrect information in linters documentation and descriptors
    • Remove dead links
    • Add linter description (linter_text) in all linter descriptors, to generate more exhaustive documentation
    • Update contributing guide to explain how to manage python dependencies in the codebase
  • Flavors

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

[v8.4.1] - 2025-01-28

[v8.4.0] - 2025-01-26

... (truncated)

Commits
  • 0dcbedd Release MegaLinter v9.0.1
  • 9f48fcd Fix v9 release issue (#6197)
  • 139ebb5 chore(deps): update dependency uvicorn to v0.36.0 (#6189)
  • b23f125 [automation] Auto-update linters version, help and documentation (#6194)
  • 0214a3a Update README with v9 announcement (#6193)
  • e552e5c chore(deps): update tflint plugin terraform-linters/tflint-ruleset-aws to v0....
  • ecfbd88 chore(deps): update dependency sfdx-hardis to v6.5.1 (#6188)
  • 60af444 chore(deps): update dependency mega-linter-runner to v9 (#6191)
  • ff177bf Release MegaLinter v9.0.0
  • a6b6815 release changelog
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [oxsecurity/megalinter](https://github.com/oxsecurity/megalinter) from 8 to 9.
- [Release notes](https://github.com/oxsecurity/megalinter/releases)
- [Changelog](https://github.com/oxsecurity/megalinter/blob/main/CHANGELOG.md)
- [Commits](oxsecurity/megalinter@v8...v9)

---
updated-dependencies:
- dependency-name: oxsecurity/megalinter
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the "dependencies" label (Pull requests that update a dependency file) on Oct 1, 2025

dependabot[bot] (Author) commented on behalf of github on Oct 1, 2025

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

github-actions bot (Contributor) commented on Oct 1, 2025

MegaLinter analysis: Error

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 1 | | 0 | 0 | 0.24s |
| ❌ COPYPASTE | jscpd | yes | | 36 | no | 6.09s |
| ✅ EDITORCONFIG | editorconfig-checker | 1 | | 0 | 0 | 0.24s |
| ❌ REPOSITORY | gitleaks | yes | | 1 | no | 1.2s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.03s |
| ✅ REPOSITORY | grype | yes | | no | no | 25.6s |
| ❌ REPOSITORY | kics | yes | | 109 | no | 22.04s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 1.04s |
| ✅ REPOSITORY | syft | yes | | no | no | 0.92s |
| ❌ REPOSITORY | trivy | yes | | 1 | no | 45.19s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.14s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 2.79s |
| ❌ SPELL | cspell | 2 | | 1 | 0 | 3.57s |
| ✅ SPELL | lychee | 1 | | 0 | 0 | 0.35s |
| ✅ YAML | prettier | 1 | 0 | 0 | 0 | 0.48s |
| ✅ YAML | v8r | 1 | | 0 | 0 | 2.83s |
| ✅ YAML | yamllint | 1 | | 0 | 0 | 0.46s |

Detailed Issues

❌ SPELL / cspell - 1 error
.github/workflows/mega-linter.yml:175:15    - Unknown word (stefanzweifel) -- uses: stefanzweifel/git-auto-commit-action
	 Suggestions: []
CSpell: Files checked: 2, Issues found: 1 in 1 file.


You can skip these misspellings by defining the following .cspell.json file at the root of your repository.
Of course, please correct real typos first :)

{
    "version": "0.2",
    "language": "en",
    "ignorePaths": [
        "**/node_modules/**",
        "**/vscode-extension/**",
        "**/.git/**",
        "**/.pnpm-lock.json",
        ".vscode",
        "package-lock.json",
        "megalinter-reports"
    ],
    "words": [
        "stefanzweifel"
    ]
}


You can also copy-paste megalinter-reports/.cspell.json at the root of your repository
❌ REPOSITORY / gitleaks - 1 error

Finding:     s3_key_prefix  = REDACTED
Secret:      REDACTED
RuleID:      generic-api-key
Entropy:     3.734522
File:        modules/aws-cloudtrail/main.tf
Line:        286
Commit:      HIDDEN_BY_MEGALINTER
Author:      ulises-jeremias
Email:       ulisescf.24@gmail.com
Date:        2025-09-29T05:27:04Z
Fingerprint: 233e0157c447f2fb342f186eefafafb048485833:modules/aws-cloudtrail/main.tf:generic-api-key:286
Link:        https://github.com/nanlabs/terraform-aws-modules/blob/233e0157c447f2fb342f186eefafafb048485833/modules/aws-cloudtrail/main.tf#L286

12:27PM INF 89 commits scanned.
12:27PM INF scanned ~2405334 bytes (2.41 MB) in 1.15s
12:27PM WRN leaks found: 1
❌ COPYPASTE / jscpd - 36 errors
Clone found (markdown):
 - modules/aws-data-lake-encryption/examples/with-cloudtrail/docs/MODULE.md [3:1 - 21:28] (18 lines, 131 tokens)
   modules/aws-data-lake-infrastructure/examples/with-encryption/docs/MODULE.md [3:1 - 21:32]

Clone found (markdown):
 - modules/aws-transit-gateway-spoke/docs/MODULE.md [1:1 - 17:3] (16 lines, 107 tokens)
   modules/aws-github-oidc-provider/examples/multi-repository/docs/MODULE.md [3:1 - 19:2]

Clone found (markdown):
 - modules/aws-rds-aurora/docs/MODULE.md [1:1 - 19:10] (18 lines, 131 tokens)
   modules/aws-vpc/docs/MODULE.md [1:1 - 19:26]

Clone found (markdown):
 - modules/aws-rds/docs/MODULE.md [1:1 - 19:30] (18 lines, 142 tokens)
   modules/aws-vpc/docs/MODULE.md [1:1 - 19:37]

Clone found (markdown):
 - modules/aws-rds/docs/MODULE.md [50:2 - 56:28] (6 lines, 345 tokens)
   modules/aws-rds-aurora/docs/MODULE.md [55:2 - 61:33]

Clone found (markdown):
 - modules/aws-iam-role/docs/MODULE.md [1:1 - 13:3] (12 lines, 100 tokens)
   modules/aws-vpc/docs/MODULE.md [1:1 - 13:6]

Clone found (markdown):
 - modules/aws-glue-jobs/docs/MODULE.md [1:1 - 13:7] (12 lines, 100 tokens)
   modules/aws-glue-workflow/docs/MODULE.md [1:1 - 13:7]

Clone found (markdown):
 - modules/aws-glue-jobs/docs/MODULE.md [6:2 - 19:27] (13 lines, 92 tokens)
   modules/aws-github-oidc-provider/examples/multi-repository/docs/MODULE.md [8:2 - 21:25]

Clone found (markdown):
 - modules/aws-glue-data-lake-catalog/docs/MODULE.md [1:1 - 13:3] (12 lines, 100 tokens)
   modules/aws-transit-gateway/docs/MODULE.md [1:1 - 13:7]

Clone found (markdown):
 - modules/aws-glue-code-registry/docs/MODULE.md [1:1 - 19:29] (18 lines, 131 tokens)
   modules/aws-glue-workflow/docs/MODULE.md [1:1 - 21:25]

Clone found (markdown):
 - modules/aws-github-oidc-provider/docs/MODULE.md [1:1 - 23:4] (22 lines, 132 tokens)
   modules/aws-transit-gateway/docs/MODULE.md [1:1 - 23:5]

Clone found (markdown):
 - modules/aws-eks/docs/MODULE.md [1:1 - 17:2] (16 lines, 109 tokens)
   modules/aws-vpc/docs/MODULE.md [1:1 - 17:3]

Clone found (markdown):
 - modules/aws-eks/docs/MODULE.md [63:2 - 69:5] (6 lines, 107 tokens)
   modules/aws-msk/docs/MODULE.md [75:2 - 78:2]

Clone found (markdown):
 - modules/aws-data-lake-infrastructure/docs/MODULE.md [1:1 - 17:3] (16 lines, 107 tokens)
   modules/aws-transit-gateway/docs/MODULE.md [1:1 - 17:2]

Clone found (markdown):
 - modules/aws-data-lake-encryption/docs/MODULE.md [1:1 - 23:15] (22 lines, 130 tokens)
   modules/aws-transit-gateway/docs/MODULE.md [1:1 - 23:3]

Clone found (markdown):
 - modules/aws-data-lake-encryption/docs/MODULE.md [44:2 - 51:32] (7 lines, 88 tokens)
   modules/aws-data-lake-infrastructure/docs/MODULE.md [52:2 - 59:28]

Clone found (markdown):
 - modules/aws-config/docs/MODULE.md [1:1 - 13:3] (12 lines, 100 tokens)
   modules/aws-shared-networking/docs/MODULE.md [1:1 - 13:7]

Clone found (markdown):
 - modules/aws-cloudtrail/docs/MODULE.md [1:1 - 24:7] (23 lines, 130 tokens)
   modules/aws-shared-networking/docs/MODULE.md [1:1 - 23:4]

Clone found (markdown):
 - modules/aws-amplify-app/docs/MODULE.md [1:1 - 19:19] (18 lines, 133 tokens)
   modules/aws-vpc/docs/MODULE.md [1:1 - 19:19]

Clone found (markdown):
 - modules/__template__/docs/MODULE.md [1:1 - 23:3] (22 lines, 132 tokens)
   modules/aws-vpc/docs/MODULE.md [1:1 - 23:4]

Clone found (bash):
 - examples/hub-and-spoke-networking-architecture/scripts/hub-bastion-userdata.sh [9:1 - 34:21] (25 lines, 119 tokens)
   examples/hub-and-spoke-networking-architecture/scripts/staging-bastion-userdata.sh [9:1 - 34:37]

Clone found (bash):
 - examples/analytics-platform-with-document-store/scripts/bastion-userdata.sh [9:1 - 35:40] (26 lines, 123 tokens)
   examples/data-processing-pipeline/scripts/bastion-userdata.sh [9:1 - 35:22]

Clone found (bash):
 - scripts/easy-options/example.sh [1:1 - 34:5] (33 lines, 146 tokens)
   modules/aws-bastion/scripts/easy-options/example.sh [1:1 - 34:5]

Clone found (bash):
 - scripts/easy-options/easyoptions.sh [1:1 - 218:2] (217 lines, 1492 tokens)
   modules/aws-bastion/scripts/easy-options/easyoptions.sh [1:1 - 218:2]

Clone found (markdown):
 - scripts/easy-options/README.md [3:1 - 61:4] (58 lines, 843 tokens)
   modules/aws-bastion/scripts/easy-options/README.md [3:1 - 61:4]

Clone found (markdown):
 - modules/aws-vpc/README.md [88:1 - 101:2] (13 lines, 105 tokens)
   modules/aws-transit-gateway/docs/MODULE.md [4:1 - 17:3]

Clone found (markdown):
 - modules/aws-rds-aurora/README.md [121:1 - 134:2] (13 lines, 105 tokens)
   modules/aws-shared-networking/docs/MODULE.md [4:1 - 17:3]

Clone found (markdown):
 - modules/aws-rds/README.md [107:1 - 122:10] (15 lines, 129 tokens)
   modules/aws-shared-networking/docs/MODULE.md [4:1 - 136:14]

Clone found (markdown):
 - modules/aws-msk/README.md [50:1 - 70:13] (20 lines, 136 tokens)
   modules/aws-rds-aurora/README.md [116:1 - 136:14]

Clone found (markdown):
 - modules/aws-iam-role/README.md [69:1 - 87:5] (18 lines, 118 tokens)
   modules/aws-rds-aurora/README.md [116:1 - 134:7]

Clone found (markdown):
 - modules/aws-docdb/README.md [105:1 - 125:6] (20 lines, 128 tokens)
   modules/aws-rds-aurora/README.md [116:1 - 89:4]

Clone found (markdown):
 - modules/aws-data-lake-encryption/README.md [226:1 - 262:2] (36 lines, 336 tokens)
   modules/aws-data-lake-encryption/README.md [157:1 - 193:4]

Clone found (markdown):
 - modules/aws-bastion/README.md [290:1 - 305:15] (15 lines, 129 tokens)
   modules/aws-shared-networking/docs/MODULE.md [4:1 - 136:14]

Clone found (markdown):
 - modules/aws-amplify-app/README.md [142:3 - 163:19] (21 lines, 138 tokens)
   modules/aws-msk/README.md [49:3 - 136:14]

Clone found (markdown):
 - docs/MODULE_DEVELOPMENT_PATTERN.md [187:1 - 225:2] (38 lines, 191 tokens)
   modules/aws-vpc/README.md [29:1 - 67:35]

Clone found (markdown):
 - docs/DEV_SETUP.md [7:1 - 34:9] (27 lines, 211 tokens)
   docs/USAGE.md [101:1 - 128:9]

┌──────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format   │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ markdown │ 81             │ 10726       │ 136653       │ 32           │ 601 (5.6%)       │ 5116 (3.74%)      │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ bash     │ 13             │ 2611        │ 8732         │ 4            │ 301 (11.53%)     │ 1880 (21.53%)     │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ smarty   │ 2              │ 67          │ 487          │ 0            │ 0 (0%)           │ 0 (0%)            │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ json     │ 4              │ 80          │ 589          │ 0            │ 0 (0%)           │ 0 (0%)            │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ yaml     │ 1              │ 25          │ 54           │ 0            │ 0 (0%)           │ 0 (0%)            │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total:   │ 101            │ 13509       │ 146515       │ 36           │ 902 (6.68%)      │ 6996 (4.77%)      │
└──────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 36 clones.
HTML report saved to megalinter-reports/copy-paste/html/
ERROR: jscpd found too many duplicates (6.68%) over threshold (0%)
Error: ERROR: jscpd found too many duplicates (6.68%) over threshold (0%)
    at ThresholdReporter.report (/node-deps/node_modules/@jscpd/finder/dist/index.js:612:13)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:110:18
    a

(Truncated to 8000 characters out of 8158)
❌ REPOSITORY / kics - 109 errors

Scanning with Keeping Infrastructure as Code Secure v2.1.13

Security Group Without Description, Severity: INFO, Results: 4
Description: It's considered a best practice for AWS Security Group to have a description
Platform: Terraform
CWE: 710
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/cb3f5ed6-0d18-40de-a93d-b3538db31e8c

	[1]: modules/aws-rds-aurora/examples/complete/main.tf:34

		033: # Security group for Aurora
		034: resource "aws_security_group" "aurora" {
		035:   name_prefix = "${local.name}-aurora-"


	[2]: examples/complete-enterprise-setup/main.tf:235

		234: # Security Groups
		235: resource "aws_security_group" "aurora" {
		236:   name_prefix = "${local.cluster_name}-aurora-"


	[3]: examples/medium-complexity-infrastructure/main.tf:147

		146: # Security Groups
		147: resource "aws_security_group" "rds" {
		148:   name_prefix = "${local.cluster_name}-rds-"


	[4]: examples/analytics-platform-with-document-store/main.tf:322

		321: # Security group for Glue jobs
		322: resource "aws_security_group" "glue_jobs" {
		323:   name_prefix = "${local.name}-glue-jobs-"


Security Group Rule Without Description, Severity: INFO, Results: 4
Description: It's considered a best practice for all rules in AWS Security Group to have a description
Platform: Terraform
CWE: 710
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/68eb4bf3-f9bf-463d-b5cf-e029bb446d2e

	[1]: examples/complete-enterprise-setup/main.tf:239

		238: 
		239:   ingress {
		240:     from_port       = 5432


	[2]: examples/medium-complexity-infrastructure/main.tf:151

		150: 
		151:   ingress {
		152:     from_port       = 5432


	[3]: examples/complete-enterprise-setup/main.tf:246

		245: 
		246:   egress {
		247:     from_port   = 0


	[4]: examples/medium-complexity-infrastructure/main.tf:169

		168: 
		169:   egress {
		170:     from_port   = 0


Security Group Not Used, Severity: INFO, Results: 1
Description: Security group must be used or not declared
Platform: Terraform
CWE: 284
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24

	[1]: examples/hub-and-spoke-networking-architecture/bastion-hosts.tf:115

		114: # Additional security group for database access from bastions
		115: resource "aws_security_group" "bastion_database_access" {
		116:   name_prefix = "${local.resource_prefix}-bastion-db-access"


Output Without Description, Severity: INFO, Results: 3
Description: All outputs should contain a valid description.
Platform: Terraform
CWE: 710
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/59312e8a-a64e-41e7-a252-618533dd1ea8

	[1]: modules/aws-eks/outputs.tf:20

		019: 
		020: output "eks_cluster_identity_oidc_issuer_arn" {
		021:   value = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn


	[2]: modules/aws-eks/outputs.tf:16

		015: 
		016: output "eks_cluster_managed_security_group_id" {
		017:   value = module.eks_cluster.eks_cluster_managed_security_group_id


	[3]: modules/aws-eks/outputs.tf:24

		023: 
		024: output "eks_cluster_identity_oidc_issuer" {
		025:   value = module.eks_cluster.eks_cluster_identity_oidc_issuer


Unpinned Actions Full Length Commit SHA, Severity: LOW, Results: 7
Description: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Platform: CICD
CWE: 829
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9

	[1]: .github/workflows/mega-linter.yml:69

		068:         # More info at https://megalinter.io/latest/flavors/
		069:         uses: oxsecurity/megalinter/flavors/terraform@v9
		070: 


	[2]: .github/workflows/mega-linter.yml:175

		174:       - name: Commit and push applied linter fixes
		175:         uses: stefanzweifel/git-auto-commit-action@v5
		176:         if: >-


	[3]: .github/workflows/mega-linter.yml:119

		118:       - name: Create Pull Request with applied fixes
		119:         uses: peter-evans/create-pull-request@v6
		120:         id: cpr


	[4]: .github/workflows/tf-docs.yml:29

		028:       - name: Render terraform docs inside modules
		029:         uses: terraform-docs/gh-actions@v1.2.0
		030:         with:


	[5]: .github/workflows/terraform-validation.yml:102

		101:       - name: Setup Terraform
		102:         uses: hashicorp/setup-terraform@v3
		103:         with:


	[6]: .github/workflows/terraform-validation.yml:200

		199:       - name: Setup Terraform
		200:         uses: hashicorp/setup-terraform@v3
		201:         with:


	[7]: .github/workflows/terraform-validation.yml:131

		130:       - name: Setup Terraform
		131:         uses: hashicorp/setup-terraform@v3
		132:         with:


S3 Bucket Without Enabled MFA Delete, Severity: LOW, Results: 2
Description: S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket=<BUCKET_NAME> --mfa=<MFA_SERIAL_NUMBER>'. Please, also notice that MFA delete can not be used with lifecycle configurations
Platform: Terraform
CWE: 710
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/c5b31ab9-0f26-4a49-b8aa-4cc064392f4d

	[1]: examples/secure-multi-environment-data-platform/main.tf:404

		403: 
		404:   versioning_configuration {
		405:    

(Truncated to 8000 characters out of 33566)
❌ REPOSITORY / trivy - 1 error
2025-10-01T12:28:17Z	INFO	[vulndb] Need to update DB
2025-10-01T12:28:17Z	INFO	[vulndb] Downloading vulnerability DB...
2025-10-01T12:28:17Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-10-01T12:28:21Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-10-01T12:28:21Z	INFO	[vuln] Vulnerability scanning is enabled
2025-10-01T12:28:21Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-10-01T12:28:21Z	INFO	[misconfig] Need to update the checks bundle
2025-10-01T12:28:21Z	INFO	[misconfig] Downloading the checks bundle...
2025-10-01T12:28:24Z	INFO	[terraform scanner] Scanning root module	file_path="examples/analytics-platform-with-document-store"
2025-10-01T12:28:33Z	INFO	[terraform scanner] Scanning root module	file_path="examples/complete-enterprise-setup"
2025-10-01T12:28:40Z	INFO	[terraform scanner] Scanning root module	file_path="examples/data-processing-pipeline"
2025-10-01T12:28:43Z	INFO	[terraform scanner] Scanning root module	file_path="examples/hub-and-spoke-networking-architecture"
2025-10-01T12:28:46Z	INFO	[terraform scanner] Scanning root module	file_path="examples/medium-complexity-infrastructure"
2025-10-01T12:28:50Z	INFO	[terraform scanner] Scanning root module	file_path="examples/multi-account-data-platform"
2025-10-01T12:28:51Z	INFO	[terraform scanner] Scanning root module	file_path="examples/secure-multi-environment-data-platform"
2025-10-01T12:28:53Z	INFO	[terraform scanner] Scanning root module	file_path="examples/simple-web-app"
2025-10-01T12:28:55Z	INFO	[terraform scanner] Scanning root module	file_path="modules/__template__"
2025-10-01T12:28:55Z	WARN	[terraform parser] Variable values were not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="bucket_name, name"
2025-10-01T12:28:55Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-bastion/examples/basic"
2025-10-01T12:28:56Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-cloudtrail"
2025-10-01T12:28:56Z	WARN	[terraform parser] Variable values were not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="name"
2025-10-01T12:28:56Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-config"
2025-10-01T12:28:56Z	WARN	[terraform parser] Variable values were not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="name, s3_bucket_name"
2025-10-01T12:28:56Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-data-lake-encryption/examples"
2025-10-01T12:28:56Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-data-lake-encryption/examples/basic"
2025-10-01T12:28:56Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-data-lake-encryption/examples/with-cloudtrail"
2025-10-01T12:28:56Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-data-lake-infrastructure/examples/basic"
2025-10-01T12:28:56Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-data-lake-infrastructure/examples/with-encryption"
2025-10-01T12:28:56Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-github-oidc-provider/examples/multi-repository"
2025-10-01T12:28:56Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-glue-code-registry"
2025-10-01T12:28:56Z	WARN	[terraform parser] Variable values were not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="name"
2025-10-01T12:28:56Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-rds-aurora/examples/complete"
2025-10-01T12:28:57Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-shared-networking"
2025-10-01T12:28:57Z	WARN	[terraform parser] Variable values were not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="egress_nat_gateway_ids, egress_vpc_cidr, egress_vpc_id, name_prefix, shared_services_private_route_table_ids, shared_services_private_subnets, shared_services_public_route_table_ids, shared_services_public_subnets, shared_services_vpc_cidr, shared_services_vpc_id, transit_gateway_id, transit_gateway_route_table_id"
2025-10-01T12:28:57Z	INFO	[terraform scanner] Scanning root module	file_path="modules/aws-tfstate-backend"
2025-10-01T12:28:58Z	INFO	[terraform scanner] Scanning root module	file_path="modules/mongodb-atlas-cluster/examples/basic"
2025-10-01T12:28:58Z	WARN	[terraform parser] Variable values were not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="org_id"
2025-10-01T12:28:58Z	INFO	Number of language-specific files	num=0
2025-10-01T12:28:58Z	INFO	Detected config files	num=49

Report Summary

┌───────────────────────────────────────────────────────────────────────────────┬───────────┬─────────────────┬───────────────────┐
│                                    Target                                     │   Type    │ Vulnerabilities │ Misconfigurations │
├───────────────────────────────────────────────────────────────────────────────┼───────────┼─────────────────┼───────────────────┤
│ cloudposse/eks-cluster/aws/main.tf                                            │ terraform │        -        │         4         │
├───────────────────────────────────────────────────────────────────────────────┼───────────┼─────────────────┼───────────────────┤
│ cloudposse/msk-apache-kafka-cluster/aws/cloudposse/security-group/aws/main.tf │ terraform │        -        │         2         │
├───────────────────────────────────────────────────────────────────────────────┼───────────┼─────────────────┼───────────────────┤
│ examples/analytics-platform-with-document-store                               │ terraform │        -        │         0         │
├───────────────────────────────────────────────────────────────────────────────┼───────────┼─────────────────┼───────────────────┤
│ examples/analytics-platform-with-document-store/main.tf                       │ terraform │        -        │         3         │
├───────────────────────────────────────────────────────────────────────────────┼───────────┼─────────────────┼───────────────────┤
│ examples/complete-enterprise-setup                                            │ terraform │        -        │         0         │
├───────────────────────────────────────────────────────────────────────────────┼───────────┼─────────────────┼───────────────────┤
│ examples/complete-enterprise-setup/main.tf                                    │ terra

(Truncated to 8000 characters out of 183232)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security
