Jenkins
Add the following stage to your Jenkinsfile.
You may activate the File.io reporter or Email reporter to access detailed logs and fixed sources.
```groovy
// Lint with MegaLinter: https://megalinter.io/
stage('MegaLinter') {
    agent {
        docker {
            image 'ghcr.io/oxsecurity/megalinter:v9'
            args "-u root -e VALIDATE_ALL_CODEBASE=true -v ${WORKSPACE}:/tmp/lint --entrypoint=''"
            reuseNode true
        }
    }
    steps {
        sh '/entrypoint.sh'
    }
    post {
        always {
            archiveArtifacts allowEmptyArchive: true, artifacts: 'mega-linter.log,megalinter-reports/**/*', defaultExcludes: false, followSymlinks: false
        }
    }
}
```
CloudBees has a helpful tutorial about how to use MegaLinter with Jenkins!
PR Comment Reporting from Jenkins
When MegaLinter runs from a Jenkins Multibranch Pipeline, it can automatically post results as comments on pull requests / merge requests hosted on GitHub, GitLab, Azure DevOps, or Bitbucket.
MegaLinter auto-detects the git hosting platform by inspecting the GIT_URL environment variable (provided by the Jenkins Git plugin). It then maps Jenkins environment variables (CHANGE_ID, GIT_COMMIT, BUILD_URL, etc.) to the native CI variables each comment reporter expects.
Requirements
- Jenkins Multibranch Pipeline with the appropriate Branch Source plugin (GitHub Branch Source, GitLab Branch Source, or Bitbucket Branch Source)
- The pipeline must be triggered by a pull request / merge request (so CHANGE_ID is set by Jenkins)
- An authentication token for the target platform, stored as a Jenkins credential
Platform Configuration
| Platform | Required Token Variable | Notes |
|---|---|---|
| GitHub | GITHUB_TOKEN (recommended) — PAT only if strictly required | Prefer GITHUB_TOKEN. Personal Access Tokens (PAT) are not recommended due to recent supply-chain attacks on open-source projects; a leaked PAT can give attackers broad write access to your repository. Token needs repo scope (or issues:write + pull-requests:write for fine-grained tokens). |
| GitLab | GITLAB_ACCESS_TOKEN_MEGALINTER | Personal access token with api scope |
| Azure DevOps | SYSTEM_ACCESSTOKEN | Personal access token with Code (Read & Write) permission |
| Bitbucket | BITBUCKET_REPO_ACCESS_TOKEN | Repository access token with Pull-requests: Write scope |
Jenkinsfile Example with GitHub PR Comments
```groovy
// Lint with MegaLinter: https://megalinter.io/
stage('MegaLinter') {
    agent {
        docker {
            image 'ghcr.io/oxsecurity/megalinter:v9'
            args "-u root -e VALIDATE_ALL_CODEBASE=true -v ${WORKSPACE}:/tmp/lint --entrypoint=''"
            reuseNode true
        }
    }
    environment {
        GITHUB_TOKEN = credentials('github-token')
    }
    steps {
        sh '/entrypoint.sh'
    }
    post {
        always {
            archiveArtifacts allowEmptyArchive: true, artifacts: 'mega-linter.log,megalinter-reports/**/*', defaultExcludes: false, followSymlinks: false
        }
    }
}
```
Self-hosted / On-premise Platforms
MegaLinter detects the platform by looking for keywords in the GIT_URL hostname (e.g., gitlab.mycompany.com is detected as GitLab, github.internal.corp.com as GitHub).
If your self-hosted instance uses a hostname without the platform name (e.g., git.mycompany.com), set the JENKINS_REPO_PLATFORM environment variable to explicitly tell MegaLinter which platform to use:
```groovy
environment {
    JENKINS_REPO_PLATFORM = 'gitlab' // or 'github', 'azure', 'bitbucket'
    GITLAB_ACCESS_TOKEN_MEGALINTER = credentials('gitlab-token')
}
```
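A pre-flight check for the rules above, written as an added example and not MegaLinter's own code: it applies the hostname-keyword detection and the `JENKINS_REPO_PLATFORM` override as this page describes them, then checks `CHANGE_ID` and the token variable from the platform table. The keyword lists, the function names `git_host` and `preflight`, and the sample environment are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Token variable each comment reporter needs, per the platform table on this page.
TOKEN_VAR = {
    "github": "GITHUB_TOKEN",
    "gitlab": "GITLAB_ACCESS_TOKEN_MEGALINTER",
    "azure": "SYSTEM_ACCESSTOKEN",
    "bitbucket": "BITBUCKET_REPO_ACCESS_TOKEN",
}
# Assumed hostname keywords; MegaLinter's real list may differ.
KEYWORDS = {"github": ("github",), "gitlab": ("gitlab",),
            "azure": ("azure", "visualstudio"), "bitbucket": ("bitbucket",)}


def git_host(git_url):
    """Return the lowercase hostname of an https://, ssh:// or scp-style git URL."""
    if "://" in git_url:
        return (urlparse(git_url).hostname or "").lower()
    m = re.match(r"^(?:[^@/]+@)?([^:/]+):", git_url)  # git@host:group/repo.git
    return m.group(1).lower() if m else ""


def preflight(env):
    """Return (platform, problems) for a dict of Jenkins build environment variables."""
    problems = []
    platform = env.get("JENKINS_REPO_PLATFORM", "").lower() or None
    if platform and platform not in TOKEN_VAR:
        problems.append(f"unknown JENKINS_REPO_PLATFORM {platform!r}")
        platform = None
    elif not platform:
        host = git_host(env.get("GIT_URL", ""))
        hits = [p for p, kws in KEYWORDS.items() if any(k in host for k in kws)]
        if len(hits) == 1:
            platform = hits[0]
        else:
            problems.append(f"cannot infer platform from host {host!r}; set JENKINS_REPO_PLATFORM")
    if not env.get("CHANGE_ID"):
        problems.append("CHANGE_ID unset: not a pull/merge request build")
    if platform and not env.get(TOKEN_VAR[platform]):
        problems.append(f"{TOKEN_VAR[platform]} is not set")
    return platform, problems


if __name__ == "__main__":
    # Constructed sample: self-hosted GitLab behind a neutral hostname, no override set.
    sample = {"GIT_URL": "git@git.mycompany.com:team/app.git", "CHANGE_ID": "12"}
    print(preflight(sample))
```

Only the names of missing variables are reported, never their values, so the output is safe to leave in a build log.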
Additional Variables
For most setups, MegaLinter derives all needed variables automatically. In rare cases, you may need to set additional platform-specific variables:
- GitLab: Set CI_PROJECT_ID if the project path cannot be parsed from GIT_URL
- Azure DevOps: Set SYSTEM_ACCESSTOKEN as a Jenkins credential