MegaLinter Azure DevOps Extension

Note: This is not an official MegaLinter extension. However, it has been reviewed and approved by the MegaLinter project.

Run Ox Security MegaLinter in your Azure DevOps pipelines. Analyze 50+ languages, apply auto-fixes, and get PR comments—all with a simple task configuration.

Installation

Install from the Visual Studio Marketplace
Add the task to your pipeline

Quick Start

- task: MegaLinter@1
  displayName: Run MegaLinter
  inputs:
    flavor: all
    fix: true
    createFixPR: true
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)

Visual Configuration

Configure MegaLinter using the Azure DevOps task assistant:

Task Configuration

Task Inputs

Input	Description	Default
`flavor`	MegaLinter flavor (all, javascript, python, security, etc.)	`all`
`release`	Docker image tag (v9, latest, etc.)	`v9`
`fix`	Auto-fix issues	`false`
`enablePRComments`	Post results as PR comments (auto-enabled for PR builds)	`false`
`createFixPR`	Create PR with fixes (when fix=true)	`true`
`path`	Directory to lint	Pipeline workspace
`configFile`	Path to .mega-linter.yml	Auto-detected
`reportsPath`	Reports output directory	`megalinter-reports`
`disableLinters`	Comma-separated linters to disable	-
`lintChangedFilesOnly`	Only lint files changed in PR/commit	`false`

See all available inputs for the complete list.

Flavors

Flavor	Languages
`all`	Everything (largest image)
`javascript`	JS, TS, JSON, CSS, HTML
`python`	Python, YAML, JSON
`dotnet`	C#, VB.NET, PowerShell
`security`	Security-focused linters only
`terraform`	Terraform, HCL

View all flavors

Full Pipeline Example

This example shows all available options:

# .azuredevops/megalinter.yml
trigger: none
pr: none

pool:
  vmImage: ubuntu-latest

variables:
  MEGALINTER_IMAGE: oxsecurity/megalinter-security:v9

stages:
  - stage: Lint
    jobs:
      - job: MegaLinter
        steps:
          - checkout: self
            fetchDepth: 0

          # Run MegaLinter
          - task: MegaLinter@1
            displayName: Run MegaLinter
            inputs:
              path: $(Build.SourcesDirectory)
              flavor: security
              release: v9
              fix: true
              removeContainer: true
              enablePRComments: true
              createFixPR: true
            env:
              SYSTEM_ACCESSTOKEN: $(System.AccessToken)

          # Publish reports
          - task: PublishBuildArtifacts@1
            displayName: Publish MegaLinter Reports
            condition: succeededOrFailed()
            inputs:
              pathToPublish: $(Build.SourcesDirectory)/megalinter-reports
              artifactName: megalinter-reports

Permissions

For PR comments and auto-fix PRs, grant the build service:

Contribute to pull requests - For PR comments
Create branch - For auto-fix PR creation

Configuration

Create a .mega-linter.yml in your repository root:

APPLY_FIXES: all
DISABLE_LINTERS:
  - SPELL_CSPELL
SHOW_ELAPSED_TIME: true

Full configuration options

Resources

Development

Prerequisites

Node.js >= 20.0.0
npm >= 10.0.0

Setup

npm install
cd megalinter && npm install

Build & Test

# Build the Azure DevOps task (TypeScript → JavaScript)
cd megalinter
npm run build

# Run the Cucumber BDD tests and linting from the repo root
cd ..
npx cucumber-js
npm run lint

Contributing

See CONTRIBUTING.md for guidelines.

CI/CD Workflows

This repository includes the following GitHub Actions workflows:

PR Code Validation

The PR Code Validation and Publish Private Extension workflow (.github/workflows/pr-code-validation.yml) runs automatically on pull requests to the main or dev branches. It ensures code quality by:

Building and testing the code:
- Checking out the repository
- Setting up Node.js runtime
- Installing dependencies
- Running linters (npm run lint)
- Executing Cucumber BDD tests (npx --no-install cucumber-js, instead of npm test to avoid the posttest coverage loop in CI)
- Building the TypeScript code (npm run build)
Publishing a private extension:
- Checking PR mergeability
- Installing GitVersion for semantic versioning
- Replacing tokens in configuration files
- Installing tfx-cli for Azure DevOps extension management
- Authenticating with Azure DevOps
- Packaging and publishing the private extension to your organization

Required Secrets:

To use this workflow, configure the following GitHub secrets in your repository settings:

AZURE_DEVOPS_EXT_PAT - Azure DevOps Personal Access Token (PAT) with marketplace publish permissions
AZURE_DEVOPS_ORGS - Comma-separated list of Azure DevOps organizations to share the private extension with
TASK_AUTHOR, TASK_DESCRIPTION, TASK_FRIENDLYNAME, TASK_HELPMARKDOWN, TASK_NAME, TASK_ID - Task metadata
PRIVATE_EXTENSIONID, PRIVATE_EXTENSIONNAME, PUBLISHERID - Extension metadata

Branch Protection:

To enforce this workflow as a required check before merging:

Go to Settings → Branches in your GitHub repository
Add or edit a branch protection rule for main and/or dev
Enable Require status checks to pass before merging
Select Build and Test as a required status check

License

GPL-3.0

MegaLinter for Azure DevOps

Down At The Bottom Of The Mole Hole