megalinter: customize config; a local run takes ~7min

```console
$ npx mega-linter-runner -r v8 -f cupcake
+----SUMMARY----+--------------------------+---------------+-------+-------+--------+----------+--------------+
| Descriptor    | Linter                   | Mode          | Files | Fixed | Errors | Warnings | Elapsed time |
+---------------+--------------------------+---------------+-------+-------+--------+----------+--------------+
|  ACTION     | actionlint               | list_of_files |     4 |       |      0 |        0 | 3.25s        |
|  BASH       | bash-exec                | file          |     1 |       |      0 |        0 | 2.77s        |
|  BASH       | shellcheck               | list_of_files |     1 |       |      0 |        0 | 1.16s        |
|  BASH       | shfmt                    | list_of_files |     1 |     0 |      0 |        0 | 0.6s         |
| ⚠️ COPYPASTE  | jscpd                    | project       |   n/a |       |      8 |        0 | 24.82s       |
| ⚠️ DOCKERFILE | hadolint                 | list_of_files |     1 |       |      4 |        0 | 6.74s        |
| ⚠️ JAVASCRIPT | eslint                   | list_of_files |    15 |     0 |      1 |        0 | 11.04s       |
|  JSON       | jsonlint                 | list_of_files |     7 |       |      0 |        0 | 4.76s        |
|  JSON       | npm-package-json-lint    | project       |   n/a |       |      0 |        0 | 3.26s        |
|  JSON       | prettier                 | list_of_files |     7 |     0 |      0 |        0 | 5.08s        |
|  JSON       | v8r                      | list_of_files |     7 |       |      0 |        0 | 47.96s       |
|  MARKDOWN   | markdownlint             | list_of_files |     2 |     0 |      0 |        0 | 12.16s       |
|  MARKDOWN   | markdown-table-formatter | list_of_files |     2 |     0 |      0 |        0 | 4.15s        |
| ⚠️ REPOSITORY | checkov                  | project       |   n/a |       |      3 |        0 | 112.11s      |
|  REPOSITORY | gitleaks                 | project       |   n/a |       |      0 |        0 | 3.09s        |
|  REPOSITORY | git_diff                 | project       |   n/a |       |      0 |        0 | 1.22s        |
|  REPOSITORY | grype                    | project       |   n/a |       |      0 |        0 | 159.7s       |
| ⚠️ REPOSITORY | kics                     | project       |   n/a |       |     24 |        0 | 14.82s       |
|  REPOSITORY | secretlint               | project       |   n/a |       |      0 |        0 | 7.24s        |
|  REPOSITORY | syft                     | project       |   n/a |       |      0 |        0 | 7.83s        |
| ⚠️ REPOSITORY | trivy                    | project       |   n/a |       |      2 |        0 | 28.16s       |
|  REPOSITORY | trufflehog               | project       |   n/a |       |      0 |        0 | 26.51s       |
| ⚠️ SPELL      | cspell                   | list_of_files |    40 |       |    224 |        0 | 82.25s       |
| ⚠️ SPELL      | lychee                   | list_of_files |    17 |       |      9 |        0 | 10.28s       |
|  YAML       | prettier                 | list_of_files |     8 |     1 |      0 |        0 | 9.12s        |
|  YAML       | v8r                      | list_of_files |     8 |       |      0 |        0 | 39.07s       |
|  YAML       | yamllint                 | list_of_files |     8 |       |      0 |        0 | 5.39s        |
+---------------+--------------------------+---------------+-------+-------+--------+----------+--------------+
```
Ralf Vogler 2025-05-24 19:41:20 +02:00
parent 76af81de56
commit 056494c9dc
10 changed files with 73 additions and 24 deletions


@ -3,6 +3,14 @@
# See all available variables at https://megalinter.io/latest/config-file/ and in
# linters documentation
# See .github/workflows/mega-linter.yml for GitHub config.
# Run this locally via Docker:
# npx mega-linter-runner -r v8 -f cupcake # run as configured here
# npx mega-linter-runner -r v8 -f cupcake -e "'ENABLE=MARKDOWN,YAML'" -e "APPLY_FIXES=none" # only enable certain groups and disable automatic fixes (note that the '' are required for multiple values)
# npx mega-linter-runner -r v8 -f cupcake -e "ENABLE_LINTERS=MARKDOWN_MARKDOWN_LINK_CHECK" # run a specific linter
# https://github.com/oxsecurity/megalinter#cli-lint-mode most linters will respect .gitignore, but the ones running in 'project' mode will not and may take forever if not configured right
# all, none, or list of linter keys
APPLY_FIXES: all
@ -26,17 +34,51 @@ SHOW_ELAPSED_TIME: true
# ---
# Custom config:
# PRINT_ALPACA: false
PRINT_ALPACA: false
JAVASCRIPT_DEFAULT_STYLE: prettier # disables JAVASCRIPT_STANDARD in favor of JAVASCRIPT_PRETTIER - disabled below since I prefer my local eslint
# DISABLE: # groups of linters/formatters
# - REPOSITORY # ignore this for now (at least locally) since all project-based and need extra config like .gitignore
# npx mega-linter-runner -r v8 -f cupcake -e "ENABLE_LINTERS=MARKDOWN_MARKDOWN_LINK_CHECK" # run a specific linter locally
DISABLE_LINTERS:
- MARKDOWN_MARKDOWN_LINK_CHECK # took 32s and only reported 0 (e.g. for localhost) or 403 (forbidden) for working links to settings or due to DDoS/bot protections
DISABLE_LINTERS: # times are for running locally with 30GB swap, 65% pressure and several GB in data/ (relevant for project-mode linters that don't respect .gitignore)
- MARKDOWN_MARKDOWN_LINK_CHECK # 30s, only reported 0 (e.g. for localhost) or 403 (forbidden) for working links to settings or due to DDoS/bot protections
- JAVASCRIPT_STANDARD # don't like standard format
- JAVASCRIPT_PRETTIER # prefer my local eslint config
- REPOSITORY_TRIVY_SBOM # 11s, don't need SBOM
# DISABLE_ERRORS_LINTERS: # error -> warning
# - MARKDOWN_MARKDOWN_LINK_CHECK
DISABLE_ERRORS_LINTERS: # error -> warning
- DOCKERFILE_HADOLINT # mostly wants to pin versions for apt and pip installs and merge consecutive RUN instructions
- COPYPASTE_JSCPD # default threshold is 0% duplicates -> can make this error once sep. scripts are refactored
- SPELL_CSPELL # needs config in .cspell.json, but looks annoying since it also flags apt packages
- SPELL_LYCHEE # dead link checking, 9/332 errors all false positives (Forbidden etc.)
- JAVASCRIPT_ES # this uses old eslint 8.57.1 instead of local 9.26.0 and complains about stuff that newer version has no problem with
- REPOSITORY_CHECKOV # docker healthcheck not needed for CLI
- REPOSITORY_KICS # wants to pin GitHub Actions to commit sha etc.
- REPOSITORY_TRIVY # docker healthcheck not needed for CLI
# DISABLE_LINTERS: JAVASCRIPT_STANDARD
# Customizations via CLI arguments:
# https://github.com/prantlf/jsonlint#command-line-interface
JSON_JSONLINT_ARGUMENTS: --comments --trailing-commas --no-duplicate-keys
# https://prettier.io/docs/options#trailing-commas
# JSON_PRETTIER_ARGUMENTS: --trailing-comma all --parser jsonc # need to change parser too since the default json parser still strips trailing commas
# -> let prettier remove trailing commas since e.g. npm will fail to JSON.parse package.json otherwise...
# megalinter still expects the old .eslintrc file... https://github.com/oxsecurity/megalinter/issues/3570#issuecomment-2138193684
JAVASCRIPT_ES_CONFIG_FILE: eslint.config.js
JAVASCRIPT_ES_COMMAND_REMOVE_ARGUMENTS: ["--no-eslintrc"] # not a valid option for eslint with flat config
# worked, but behaved differently than local `npm run lint` and complained about while(true) with break - probably due old version 8.57.1 (same with -r beta) instead of my local 9.26.0
# https://github.com/oxsecurity/megalinter#cli-lint-mode
REPOSITORY_SECRETLINT_ARGUMENTS: --secretlintignore .gitignore
# https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html
REPOSITORY_CHECKOV_ARGUMENTS: --skip-path node_modules --skip-path data
# CI will comment on PRs etc., but for running locally (or downloading the results), we want more than the default megalinter-reports/megalinter.log as an overview:
JSON_REPORTER: true # mega-linter-report.json
MARKDOWN_SUMMARY_REPORTER: true # megalinter-report.md
SARIF_REPORTER: true # mega-linter-report.sarif - results for supported lintes should be shown in GitHub Security tab - https://megalinter.io/latest/reporters/SarifReporter/
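Review bot: Listing `REPOSITORY_CHECKOV`, `REPOSITORY_KICS` and `REPOSITORY_TRIVY` under `DISABLE_ERRORS_LINTERS` demotes every finding from those scanners to a warning, not only the Docker healthcheck and action-pinning rules named in the comments. A later vulnerable-dependency or misconfiguration finding would then no longer fail the run. Suppressing the individual rules keeps the gate, e.g. `REPOSITORY_CHECKOV_ARGUMENTS: --skip-path node_modules --skip-path data --skip-check CKV_DOCKER_2` (checkov's HEALTHCHECK check; confirm it covers the 3 reported errors), with the matching rule ids in a `.trivyignore` file and in KICS `--exclude-queries`. The KICS request to pin GitHub Actions to a commit SHA is a supply-chain control, so if it is waived, a comment saying it is a deliberate trade-off would help the next reader.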