
Environment variables security

Secured env variables

MegaLinter runs in a Docker image and calls each linter through a command line to gather its results.

If you run it from your CI/CD pipelines, the Docker container inherits your environment variables, which may contain secrets defined as CI/CD variables.

Because it is hard to vet the authors of every open-source linter, MegaLinter removes secured variables from the environment it uses to call linters.

Thanks to this feature, you only need to trust MegaLinter and its own Python dependencies, not every linter it runs.

You can add secured variables to the default list with the configuration property SECURED_ENV_VARIABLES, set either in .mega-linter.yml or as an environment variable (an environment variable takes priority over the .mega-linter.yml property).

Values can be:

  • String (ex: MY_SECRET_VAR)
  • Regular Expression (ex: (MY.*VAR))

Environment variables are secured for every command line MegaLinter runs (linters, plugins, SARIF formatter, ...). The only exception is a PRE_COMMANDS entry in which you explicitly set secured_env: false; such a command receives the full environment, secrets included, so reserve that setting for commands you trust as much as MegaLinter itself.

Secured configuration examples

  • Example of adding extra secured variables in .mega-linter.yml:

```yaml
SECURED_ENV_VARIABLES:
  - MY_SECRET_TOKEN
  - ANOTHER_VAR_CONTAINING_SENSITIVE_DATA
  - OX_API_KEY
  - (MY.*VAR)  # Regex format
```

  • Example of adding extra secured variables as CI variables, so they cannot be overridden from .mega-linter.yml:

```shell
SECURED_ENV_VARIABLES=MY_SECRET_TOKEN,ANOTHER_VAR_CONTAINING_SENSITIVE_DATA,OX_API_KEY
```

Default secured variables

If you override SECURED_ENV_VARIABLES_DEFAULT, your value replaces the whole default list (so names such as GITHUB_TOKEN are no longer hidden unless you repeat them). Prefer defining SECURED_ENV_VARIABLES, which is added on top of the default list.

SECURED_ENV_VARIABLES_DEFAULT contains:

  • GITHUB_TOKEN
  • PAT
  • SYSTEM_ACCESSTOKEN
  • GIT_AUTHORIZATION_BEARER
  • CI_JOB_TOKEN
  • GITLAB_ACCESS_TOKEN_MEGALINTER
  • GITLAB_CUSTOM_CERTIFICATE
  • WEBHOOK_REPORTER_BEARER_TOKEN
  • NODE_TOKEN
  • NPM_TOKEN
  • DOCKER_USERNAME
  • DOCKER_PASSWORD
  • CODECOV_TOKEN
  • GCR_USERNAME
  • GCR_PASSWORD
  • SMTP_PASSWORD
  • CI_SFDX_HARDIS_GITLAB_TOKEN
  • (SFDX_CLIENT_ID_.*)
  • (SFDX_CLIENT_KEY_.*)

Unhide variables for linters

You can configure exceptions for a specific linter by defining (linter-key)_UNSECURED_ENV_VARIABLES.

Variable names in this list are passed through to that linter's commands. Entries must be plain variable names; regular expressions are not supported here. Only unhide a variable for a linter that genuinely needs it, since that linter's code then receives the secret.

```yaml
TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN # Can contain string only, not regex
```
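To make the filtering rules on this page concrete (the default list plus SECURED_ENV_VARIABLES, literal names versus regex entries, an environment variable taking priority over .mega-linter.yml, the effect of overriding SECURED_ENV_VARIABLES_DEFAULT, and per-linter (linter-key)_UNSECURED_ENV_VARIABLES exceptions), here is an added example in Python. It is not MegaLinter's own code: the function names, the convention of treating parenthesised entries as regexes, the use of re.fullmatch, the secured_env flag as a function parameter, and the sample environment are all assumptions made for illustration.

```python
import re
from typing import Dict, Iterable, List, Mapping, Optional, Union

# The default list documented for SECURED_ENV_VARIABLES_DEFAULT; entries in
# parentheses are regular expressions, the rest are literal variable names.
SECURED_ENV_VARIABLES_DEFAULT: List[str] = [
    "GITHUB_TOKEN", "PAT", "SYSTEM_ACCESSTOKEN", "GIT_AUTHORIZATION_BEARER",
    "CI_JOB_TOKEN", "GITLAB_ACCESS_TOKEN_MEGALINTER", "GITLAB_CUSTOM_CERTIFICATE",
    "WEBHOOK_REPORTER_BEARER_TOKEN", "NODE_TOKEN", "NPM_TOKEN",
    "DOCKER_USERNAME", "DOCKER_PASSWORD", "CODECOV_TOKEN",
    "GCR_USERNAME", "GCR_PASSWORD", "SMTP_PASSWORD",
    "CI_SFDX_HARDIS_GITLAB_TOKEN", "(SFDX_CLIENT_ID_.*)", "(SFDX_CLIENT_KEY_.*)",
]

ListValue = Union[None, str, Iterable[str]]


def parse_list(value: ListValue) -> List[str]:
    """Accept either a YAML list or the comma-separated form used for CI variables."""
    if value is None:
        return []
    if isinstance(value, str):
        return [item.strip() for item in value.split(",") if item.strip()]
    return [str(item).strip() for item in value if str(item).strip()]


def resolve_secured_list(process_env: Mapping[str, str],
                         yml_config: Mapping[str, ListValue]) -> List[str]:
    """SECURED_ENV_VARIABLES from the process environment wins over .mega-linter.yml."""
    if "SECURED_ENV_VARIABLES" in process_env:
        return parse_list(process_env["SECURED_ENV_VARIABLES"])
    return parse_list(yml_config.get("SECURED_ENV_VARIABLES"))


def is_secured(name: str, patterns: Iterable[str]) -> bool:
    """Literal entries must equal the name; parenthesised entries are regexes.

    Assumption: a regex must match the whole variable name (re.fullmatch),
    which is the reading consistent with the documented examples.
    """
    for pattern in patterns:
        if pattern == name:
            return True
        if pattern.startswith("(") and pattern.endswith(")"):
            try:
                if re.fullmatch(pattern, name):
                    return True
            except re.error:
                # Malformed regex: it was already compared as a literal above.
                continue
    return False


def build_env_for_command(
    env: Mapping[str, str],
    extra_secured: ListValue = None,    # SECURED_ENV_VARIABLES
    default_secured: ListValue = None,  # SECURED_ENV_VARIABLES_DEFAULT override
    unsecured: ListValue = None,        # <LINTER_KEY>_UNSECURED_ENV_VARIABLES
    secured_env: bool = True,           # secured_env: false on a PRE_COMMAND
) -> Dict[str, str]:
    """Return the environment a linter or command should receive."""
    if not secured_env:
        return dict(env)
    defaults = SECURED_ENV_VARIABLES_DEFAULT if default_secured is None else default_secured
    patterns = parse_list(defaults) + parse_list(extra_secured)
    passthrough = set(parse_list(unsecured))  # literal names only, no regex
    return {k: v for k, v in env.items() if k in passthrough or not is_secured(k, patterns)}


def hidden_names(env: Mapping[str, str], **kwargs) -> List[str]:
    """Names removed from env by build_env_for_command, for a quick audit."""
    visible = build_env_for_command(env, **kwargs)
    return sorted(k for k in env if k not in visible)


# Constructed sample environment (values are placeholders, not real secrets).
CONSTRUCTED_ENV: Dict[str, str] = {
    "GITHUB_TOKEN": "ghp_placeholder",
    "MY_SECRET_TOKEN": "placeholder",
    "MY_OTHER_VAR": "placeholder",
    "SFDX_CLIENT_ID_PROD": "placeholder",
    "PATH": "/usr/local/bin:/usr/bin",
    "HOME": "/root",
}

if __name__ == "__main__":
    extra = resolve_secured_list({}, {"SECURED_ENV_VARIABLES": ["MY_SECRET_TOKEN", "(MY.*VAR)"]})
    print("hidden from linters:", hidden_names(CONSTRUCTED_ENV, extra_secured=extra))
    print("hidden from tflint with GITHUB_TOKEN unhidden:",
          hidden_names(CONSTRUCTED_ENV, extra_secured=extra, unsecured=["GITHUB_TOKEN"]))
    print("hidden with DEFAULT overridden to an empty list:",
          hidden_names(CONSTRUCTED_ENV, extra_secured=extra, default_secured=[]))
```

Running it lists which names each command would still see. The last line shows why overriding SECURED_ENV_VARIABLES_DEFAULT is risky: with the default list replaced by an empty one, GITHUB_TOKEN and SFDX_CLIENT_ID_PROD become visible to every linter, while MY_SECRET_TOKEN and MY_OTHER_VAR are still hidden by the extra entries.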