Skip to content

Environment variables security

MegaLinter runs on a docker image and calls the linters via command line to gather their results.

If you run it from your CI/CD pipelines, the docker image may have access to your environment variables, that can contain secrets defined in CI/CD variables.

As it can be complicated to trust the authors of all the open-source linters, MegaLinter removes variables from the environment used to call linters.

Thanks to this feature, you only need to trust MegaLinter and its internal python dependencies, but there is no need to trust all the linters that are used !

You can add secured variables to the default list using configuration property SECURED_ENV_VARIABLES in .mega-linter.yml or in an environment variable (priority is given to ENV variables above .mega-linter.yml property).

Values can be:

  • String (ex: MY_SECRET_VAR)
  • Regular Expression (ex: (MY.*VAR))

SECURED_ENV_VARIABLES_DEFAULT contains:

  • GITHUB_TOKEN
  • PAT
  • SYSTEM_ACCESSTOKEN
  • GIT_AUTHORIZATION_BEARER
  • CI_JOB_TOKEN
  • GITLAB_ACCESS_TOKEN_MEGALINTER
  • GITLAB_CUSTOM_CERTIFICATE
  • WEBHOOK_REPORTER_BEARER_TOKEN
  • NODE_TOKEN
  • NPM_TOKEN
  • DOCKER_USERNAME
  • DOCKER_PASSWORD
  • CODECOV_TOKEN
  • GCR_USERNAME
  • GCR_PASSWORD
  • SMTP_PASSWORD
  • CI_SFDX_HARDIS_GITLAB_TOKEN
  • (SFDX_CLIENT_ID_.*)
  • (SFDX_CLIENT_KEY_.*)

Example of adding extra secured variables .mega-linter.yml:

SECURED_ENV_VARIABLES:
  - MY_SECRET_TOKEN
  - ANOTHER_VAR_CONTAINING_SENSITIVE_DATA
  - OX_API_KEY
  - (MY.*VAR)  # Regex format

Example of adding extra secured variables in CI variables, so they can not be overridden in .mega-linter.yml:

SECURED_ENV_VARIABLES=MY_SECRET_TOKEN,ANOTHER_VAR_CONTAINING_SENSITIVE_DATA,OX_API_KEY

Notes:

  • If you override SECURED_ENV_VARIABLES_DEFAULT, it replaces the default list, so it's better to only define SECURED_ENV_VARIABLES to add them to the default list !
  • Environment variables are secured for each command line called (linters, plugins, sarif formatter...) except for PRE_COMMANDS , as you might need secured values within their code.