Environment variables security

Secured env variables

MegaLinter runs in a Docker image and calls the linters via the command line to gather their results.

If you run it from your CI/CD pipelines, the Docker image may have access to your environment variables, which can contain secrets defined in CI/CD variables.

As it can be complicated to fully trust the authors of all open-source linters, MegaLinter removes variables from the environment used to call linters.

Thanks to this feature, you only need to trust MegaLinter and its internal Python dependencies; there is no need to trust all the linters that are used.

You can add secured variables to the default list using the configuration property SECURED_ENV_VARIABLES in .mega-linter.yml or as an environment variable (priority is given to ENV variables over the .mega-linter.yml property).

Values can be:

  • String (ex: MY_SECRET_VAR)
  • Regular Expression (ex: (MY.*VAR))

Environment variables are secured for every command line MegaLinter calls (linters, plugins, SARIF formatter, etc.). The only exception is PRE_COMMANDS, and only for a command in which you explicitly define secured_env: false.

Secured configuration examples

  • Example of adding extra secured variables in .mega-linter.yml:

        SECURED_ENV_VARIABLES:
          - MY_SECRET_TOKEN
          - ANOTHER_VAR_CONTAINING_SENSITIVE_DATA
          - OX_API_KEY
          - (MY.*VAR)  # Regex format

  • Example of adding extra secured variables in CI variables, so they cannot be overridden in .mega-linter.yml:

        SECURED_ENV_VARIABLES=MY_SECRET_TOKEN,ANOTHER_VAR_CONTAINING_SENSITIVE_DATA,OX_API_KEY

Default secured variables

If you override SECURED_ENV_VARIABLES_DEFAULT, it replaces the default list, so it's better to only define SECURED_ENV_VARIABLES to add items to the default list.

SECURED_ENV_VARIABLES_DEFAULT contains:

  • GITHUB_TOKEN
  • PAT
  • SYSTEM_ACCESSTOKEN
  • GIT_AUTHORIZATION_BEARER
  • CI_JOB_TOKEN
  • GITLAB_ACCESS_TOKEN_MEGALINTER
  • GITLAB_CUSTOM_CERTIFICATE
  • WEBHOOK_REPORTER_BEARER_TOKEN
  • NODE_TOKEN
  • NPM_TOKEN
  • DOCKER_USERNAME
  • DOCKER_PASSWORD
  • CODECOV_TOKEN
  • GCR_USERNAME
  • GCR_PASSWORD
  • SMTP_PASSWORD
  • CI_SFDX_HARDIS_GITLAB_TOKEN
  • (SFDX_CLIENT_ID_.*)
  • (SFDX_CLIENT_KEY_.*)

Unhide variables for linters

You can configure exceptions for a specific linter by defining (linter-key)_UNSECURED_ENV_VARIABLES.

Variable names in this list won't be hidden from the linter commands.

Example in .mega-linter.yml:

    TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES:
      - GITHUB_TOKEN # Can contain string only, not regex
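The following is an added illustration of the rules described on this page (string or regex entries, ENV taking priority over .mega-linter.yml, SECURED_ENV_VARIABLES_DEFAULT replacing the defaults, and per-linter _UNSECURED_ENV_VARIABLES exceptions); it is not MegaLinter's own code. It assumes that every entry is compiled as a regex that must match the whole variable name, and the sample environment and config are constructed.

```python
import re

# Default list copied from SECURED_ENV_VARIABLES_DEFAULT above.
SECURED_ENV_VARIABLES_DEFAULT = [
    "GITHUB_TOKEN", "PAT", "SYSTEM_ACCESSTOKEN", "GIT_AUTHORIZATION_BEARER",
    "CI_JOB_TOKEN", "GITLAB_ACCESS_TOKEN_MEGALINTER", "GITLAB_CUSTOM_CERTIFICATE",
    "WEBHOOK_REPORTER_BEARER_TOKEN", "NODE_TOKEN", "NPM_TOKEN", "DOCKER_USERNAME",
    "DOCKER_PASSWORD", "CODECOV_TOKEN", "GCR_USERNAME", "GCR_PASSWORD",
    "SMTP_PASSWORD", "CI_SFDX_HARDIS_GITLAB_TOKEN",
    "(SFDX_CLIENT_ID_.*)", "(SFDX_CLIENT_KEY_.*)",
]


def resolve_list(env, yml_config, key):
    """Read a list setting: a comma-separated env var wins over the yml property."""
    if key in env:
        return [v.strip() for v in env[key].split(",") if v.strip()]
    return list(yml_config.get(key, []))


def build_linter_env(env, yml_config, linter_key):
    """Return a copy of `env` with secured variables removed for one linter.

    Assumption (hypothetical, not MegaLinter's implementation): each entry is a
    regex that must match the whole name, so the plain entry PAT does not hide
    PATH, and "(MY.*VAR)" hides MY_SECRET_VAR but not MY_SECRET_VARIABLE_NAME.
    """
    # An overridden SECURED_ENV_VARIABLES_DEFAULT replaces the defaults;
    # SECURED_ENV_VARIABLES is appended to them.
    defaults = resolve_list(env, yml_config, "SECURED_ENV_VARIABLES_DEFAULT")
    entries = (defaults or SECURED_ENV_VARIABLES_DEFAULT) + resolve_list(env, yml_config, "SECURED_ENV_VARIABLES")
    patterns = [re.compile(p) for p in entries]
    # Per-linter exceptions hold plain names only and are never hidden from that linter.
    unsecured = set(resolve_list(env, yml_config, f"{linter_key}_UNSECURED_ENV_VARIABLES"))
    return {name: value for name, value in env.items()
            if name in unsecured or not any(p.fullmatch(name) for p in patterns)}


# Constructed sample: a CI job environment plus a .mega-linter.yml config.
SAMPLE_ENV = {
    "GITHUB_TOKEN": "ghp_constructed", "SFDX_CLIENT_ID_PROD": "id-constructed",
    "MY_SECRET_VAR": "s3cret", "MY_SECRET_VARIABLE_NAME": "kept", "PATH": "/usr/bin",
    "SECURED_ENV_VARIABLES": "OX_API_KEY,(MY.*VAR)",  # ENV wins over the yml list
    "OX_API_KEY": "ox-constructed", "TEAM_TOKEN": "kept-too",
}
SAMPLE_YML = {
    "SECURED_ENV_VARIABLES": ["TEAM_TOKEN"],  # ignored: the env var above takes priority
    "TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES": ["GITHUB_TOKEN"],
}

if __name__ == "__main__":
    for linter in ("TERRAFORM_TFLINT", "PYTHON_RUFF"):
        print(linter, sorted(build_linter_env(SAMPLE_ENV, SAMPLE_YML, linter)))
```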