Super-Linter
The super-linter finds issues and reports them to the console output. Fixes are suggested in the console output but not automatically fixed, and a status check will show up as failed on the pull request.
The design of the Super-Linter is currently to allow linting to occur in GitHub Actions as a part of continuous integration occurring on pull requests as the commits get pushed. It works best when commits are being pushed early and often to a branch with an open or draft pull request. There is some desire to move this closer to local development for faster feedback on linting errors but this is not yet supported.
The end goal of this tool:
- Prevent broken code from being uploaded to the default branch (Usually
masterormain) - Help establish coding best practices across multiple languages
- Build guidelines for code layout and format
- Automate the process to help streamline code reviews
How to use
To use this GitHub Action you will need to complete the following:
- Create a new file in your repository called
.github/workflows/linter.yml - Copy the example workflow from below into that new file, no extra configuration required
- Commit that file to a new branch
- Open up a pull request and observe the action working
- Enjoy your more stable, and cleaner codebase
- Check out the Wiki for customization options
If you pass the Environment variable
GITHUB_TOKEN: ${\{ secrets.GITHUB_TOKEN }}in your workflow, then the GitHub Super-Linter will mark the status of each individual linter run in the Checks section of a pull request. Without this you will only see the overall status of the full run. There is no need to set the GitHub Secret as it is automatically set by GitHub, it only needs to be passed to the action.
Example connecting GitHub Action Workflow
In your repository you should have a .github/workflows folder with GitHub Action similar to below:
.github/workflows/linter.yml
This file should have the following code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
---
name: Lint Code Base
on:
push:
branches-ignore: [master, main]
pull_request:
branches: [master, main]
jobs:
build:
name: Lint Code Base
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
statuses: write
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Lint Code Base
uses: super-linter/super-linter@v5
env:
VALIDATE_ALL_CODEBASE: false
DEFAULT_BRANCH: main
GITHUB_TOKEN: ${\{ secrets.GITHUB_TOKEN }}
After you copy this action remove
\symbols from secrets.
Use locally
1. Install and run Docker on your local machine.
2. Run the script that detects the user’s shell and sets up a linting alias:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# Detect the current shell
SHELL_TYPE="$(basename "$SHELL")"
# Set the lint alias based on the detected shell
if [ "$SHELL_TYPE" = "bash" ]; then
echo "alias lint='echo \"Linting \$(basename \"\$(pwd)\") repository\" \
&& docker run --rm --name Linterdocker \
-e LOG_FILE=super-linter.log \
-e CREATE_LOG_FILE=true \
-e RUN_LOCAL=true \
-e DEFAULT_WORKSPACE=/tmp/lint \
-v \$(pwd):/tmp/lint github/super-linter'" >> ~/.bashrc
source ~/.bashrc
elif [ "$SHELL_TYPE" = "zsh" ]; then
echo "alias lint='echo \"Linting \$(basename \"\$(pwd)\") repository\" \
&& docker run --rm --name Linterdocker \
-e LOG_FILE=super-linter.log \
-e CREATE_LOG_FILE=true \
-e RUN_LOCAL=true \
-e DEFAULT_WORKSPACE=/tmp/lint \
-v \$(pwd):/tmp/lint github/super-linter'" >> ~/.zshrc
source ~/.zshrc
else
echo "Unsupported shell: $SHELL_TYPE"
fi
3. To perform linting on a GitHub Repository directory, you need to run the lint command inside that directory.
4. To review the outcomes of Super-Linter, you can access the super-linter.log file.
Environment variables
The super-linter allows you to pass the following ENV variables to be able to trigger different functionality.
Note: All the VALIDATE_[LANGUAGE] variables behave in a very specific way:
- If none of them are passed, then they all default to true.
- If any one of the variables are set to true, we default to leaving any unset variable to false (only validate those languages).
- If any one of the variables are set to false, we default to leaving any unset variable to true (only exclude those languages).
- If there are
VALIDATE_[LANGUAGE]variables set to both true and false. It will fail.
This means that if you run the linter “out of the box”, all languages will be checked. But if you wish to select or exclude specific linters, we give you full control to choose which linters are run, and won’t run anything unexpected.
| ENV VAR | Default Value | Notes |
|---|---|---|
| ACTIONS_RUNNER_DEBUG | false | Flag to enable additional information about the linter, versions, and additional output. |
| ANSIBLE_CONFIG_FILE | .ansible-lint.yml | Filename for Ansible-lint configuration (ex: .ansible-lint, .ansible-lint.yml) |
| ANSIBLE_DIRECTORY | /ansible | Flag to set the root directory for Ansible file location(s), relative to DEFAULT_WORKSPACE. Set to . to use the top-level of the DEFAULT_WORKSPACE. |
| BASH_SEVERITY | style | Specify the minimum severity of errors to consider in shellcheck. Valid values in order of severity are error, warning, info and style. |
| CREATE_LOG_FILE | false | If set to true, it creates the log file. You can set the log filename using the LOG_FILE environment variable. |
| CSS_FILE_NAME | .stylelintrc.json | Filename for Stylelint configuration (ex: .stylelintrc.yml, .stylelintrc.yaml) |
| DEFAULT_BRANCH | master | The name of the repository default branch. |
| DEFAULT_WORKSPACE | /tmp/lint | The location containing files to lint if you are running locally. |
| DISABLE_ERRORS | false | Flag to have the linter complete with exit code 0 even if errors were detected. |
| DOCKERFILE_HADOLINT_FILE_NAME | .hadolint.yaml | Filename for hadolint configuration (ex: .hadolintlintrc.yaml) |
| EDITORCONFIG_FILE_NAME | .ecrc | Filename for editorconfig-checker configuration |
| ERROR_ON_MISSING_EXEC_BIT | false | If set to false, the bash-exec linter will report a warning if a shell script is not executable. If set to true, the bash-exec linter will report an error instead. |
| EXPERIMENTAL_BATCH_WORKER | false | Flag to enable experimental parallel and batched worker. As of current only eslint and cfn-lint are supported, if there is no support, original version is used as fallback |
| FILTER_REGEX_EXCLUDE | none | Regular expression defining which files will be excluded from linting (ex: .*src/test.*) |
| FILTER_REGEX_INCLUDE | all | Regular expression defining which files will be processed by linters (ex: .*src/.*) |
| GITHUB_ACTIONS_CONFIG_FILE | actionlint.yml | Filename for Actionlint configuration (ex: actionlint.yml) |
| GITHUB_ACTIONS_COMMAND_ARGS | null | Additional arguments passed to actionlint command. Useful to ignore some errors |
| GITHUB_CUSTOM_API_URL | https://api.github.com | Specify a custom GitHub API URL in case GitHub Enterprise is used: e.g. https://github.myenterprise.com/api/v3 |
| GITHUB_DOMAIN | github.com | Specify a custom GitHub domain in case GitHub Enterprise is used: e.g. github.myenterprise.com |
| GITLEAKS_CONFIG_FILE | .gitleaks.toml | Filename for GitLeaks configuration (ex: .gitleaks.toml) |
| IGNORE_GENERATED_FILES | false | If set to true, super-linter will ignore all the files with @generated marker but without @not-generated marker. |
| IGNORE_GITIGNORED_FILES | false | If set to true, super-linter will ignore all the files that are ignored by Git. |
| JAVA_FILE_NAME | sun_checks.xml | Filename for Checkstyle configuration (ex: checkstyle.xml) |
| JAVASCRIPT_DEFAULT_STYLE | standard | Flag to set the default style of JavaScript. Available options: standard/prettier |
| JAVASCRIPT_ES_CONFIG_FILE | .eslintrc.yml | Filename for ESLint configuration (ex: .eslintrc.yml, .eslintrc.json) |
| JSCPD_CONFIG_FILE | .jscpd.json | Filename for JSCPD configuration |
| KUBERNETES_KUBECONFORM_OPTIONS | null | Additional arguments to pass to the command-line when running Kubernetes Kubeconform (Example: –ignore-missing-schemas) |
| LINTER_RULES_PATH | .github/linters | Directory for all linter configuration rules. |
| LOG_FILE | super-linter.log | The filename for outputting logs. All output is sent to the log file regardless of LOG_LEVEL. |
| LOG_LEVEL | VERBOSE | How much output the script will generate to the console. One of ERROR, WARN, NOTICE, VERBOSE, DEBUG or TRACE. |
| MARKDOWN_CONFIG_FILE | .markdown-lint.yml | Filename for Markdownlint configuration (ex: .markdown-lint.yml, .markdownlint.json, .markdownlint.yaml) |
| MARKDOWN_CUSTOM_RULE_GLOBS | .markdown-lint/rules,rules/** | Comma-separated list of file globs matching custom Markdownlint rule files. |
| MULTI_STATUS | true | A status API is made for each language that is linted to make visual parsing easier. |
| NATURAL_LANGUAGE_CONFIG_FILE | .textlintrc | Filename for textlint configuration (ex: .textlintrc) |
| PERL_PERLCRITIC_OPTIONS | null | Additional arguments to pass to the command-line when running perlcritic (Example: –theme community) |
| PHP_CONFIG_FILE | php.ini | Filename for PHP Configuration (ex: php.ini) |
| PROTOBUF_CONFIG_FILE | .protolintrc.yml | Filename for protolint configuration (ex: .protolintrc.yml) |
| PYTHON_BLACK_CONFIG_FILE | .python-black | Filename for black configuration (ex: .isort.cfg, pyproject.toml) |
| PYTHON_FLAKE8_CONFIG_FILE | .flake8 | Filename for flake8 configuration (ex: .flake8, tox.ini) |
| PYTHON_ISORT_CONFIG_FILE | .isort.cfg | Filename for isort configuration (ex: .isort.cfg, pyproject.toml) |
| PYTHON_MYPY_CONFIG_FILE | .mypy.ini | Filename for mypy configuration (ex: .mypy.ini, setup.config) |
| PYTHON_PYLINT_CONFIG_FILE | .python-lint | Filename for pylint configuration (ex: .python-lint, .pylintrc) |
| RENOVATE_SHAREABLE_CONFIG_PRESET_FILE_NAMES | `` | Comma-separated filenames for renovate shareable config preset (ex: default.json) |
| RUBY_CONFIG_FILE | .ruby-lint.yml | Filename for rubocop configuration (ex: .ruby-lint.yml, .rubocop.yml) |
| SCALAFMT_CONFIG_FILE | .scalafmt.conf | Filename for scalafmt configuration (ex: .scalafmt.conf) |
| SNAKEMAKE_SNAKEFMT_CONFIG_FILE | .snakefmt.toml | Filename for Snakemake configuration (ex: pyproject.toml, .snakefmt.toml) |
| SSL_CERT_SECRET | none | SSL cert to add to the Super-Linter trust store. This is needed for users on self-hosted runners or need to inject the cert for security standards (ex. $) |
| SSH_KEY | none | SSH key that has access to your private repositories |
| SSH_SETUP_GITHUB | false | If set to true, adds the github.com SSH key to known_hosts. This is ignored if SSH_KEY is provided - i.e. the github.com SSH key is always added if SSH_KEY is provided |
| SSH_INSECURE_NO_VERIFY_GITHUB_KEY | false | INSECURE - If set to true, does not verify the fingerprint of the github.com SSH key before adding this. This is not recommended! |
| SQL_CONFIG_FILE | .sql-config.json | Filename for SQL-Lint configuration (ex: sql-config.json , .config.json) |
| SQLFLUFF_CONFIG_FILE | /.sqlfluff | Filename for SQLFLUFF configuration (ex: /.sqlfluff, pyproject.toml) |
| SUPPRESS_FILE_TYPE_WARN | false | If set to true, will hide warning messages about files without their proper extensions. Default is false |
| SUPPRESS_POSSUM | false | If set to true, will hide the ASCII possum at top of log output. Default is false |
| TERRAFORM_TERRASCAN_CONFIG_FILE | terrascan.toml | Filename for terrascan configuration (ex: terrascan.toml) |
| TERRAFORM_TFLINT_CONFIG_FILE | .tflint.hcl | Filename for tfLint configuration (ex: .tflint.hcl) |
| TYPESCRIPT_DEFAULT_STYLE | ts-standard | Flag to set the default style of TypeScript. Available options: ts-standard/prettier |
| TYPESCRIPT_ES_CONFIG_FILE | .eslintrc.yml | Filename for ESLint configuration (ex: .eslintrc.yml, .eslintrc.json) |
| TYPESCRIPT_STANDARD_TSCONFIG_FILE | tsconfig.json | Filename for TypeScript configuration in ts-standard (ex: tsconfig.json, tsconfig.eslint.json) |
| USE_FIND_ALGORITHM | false | By default, we use git diff to find all files in the workspace and what has been updated, this would enable the Linux find method instead to find all files to lint |
| VALIDATE_ALL_CODEBASE | true | Will parse the entire repository and find all files to validate across all types. NOTE: When set to false, only new or edited files will be parsed for validation. |
| VALIDATE_JSCPD_ALL_CODEBASE | false | If set to true, will lint the whole codebase with JSCPD. If set to false, JSCPD will only lint files one by one. |
| VALIDATE_ANSIBLE | true | Flag to enable or disable the linting process of the Ansible language. |
| VALIDATE_ARM | true | Flag to enable or disable the linting process of the ARM language. |
| VALIDATE_BASH | true | Flag to enable or disable the linting process of the Bash language. |
| VALIDATE_BASH_EXEC | true | Flag to enable or disable the linting process of the Bash language to validate if file is stored as executable. |
| VALIDATE_CPP | true | Flag to enable or disable the linting process of the C++ language. |
| VALIDATE_CLANG_FORMAT | true | Flag to enable or disable the linting process of the C++/C language with clang-format. |
| VALIDATE_CLOJURE | true | Flag to enable or disable the linting process of the Clojure language. |
| VALIDATE_CLOUDFORMATION | true | Flag to enable or disable the linting process of the AWS Cloud Formation language. |
| VALIDATE_COFFEESCRIPT | true | Flag to enable or disable the linting process of the Coffeescript language. |
| VALIDATE_CSHARP | true | Flag to enable or disable the linting process of the C# language. |
| VALIDATE_CSS | true | Flag to enable or disable the linting process of the CSS language. |
| VALIDATE_DART | true | Flag to enable or disable the linting process of the Dart language. |
| VALIDATE_DOCKERFILE_HADOLINT | true | Flag to enable or disable the linting process of the Docker language. |
| VALIDATE_EDITORCONFIG | true | Flag to enable or disable the linting process with the EditorConfig. |
| VALIDATE_ENV | true | Flag to enable or disable the linting process of the ENV language. |
| VALIDATE_GHERKIN | true | Flag to enable or disable the linting process of the Gherkin language. |
| VALIDATE_GITHUB_ACTIONS | true | Flag to enable or disable the linting process of the GitHub Actions. |
| VALIDATE_GITLEAKS | true | Flag to enable or disable the linting process of the secrets. |
| VALIDATE_GO | true | Flag to enable or disable the linting process of the Golang language. |
| VALIDATE_GOOGLE_JAVA_FORMAT | true | Flag to enable or disable the linting process of the Java language. (Utilizing: google-java-format) |
| VALIDATE_GROOVY | true | Flag to enable or disable the linting process of the language. |
| VALIDATE_HTML | true | Flag to enable or disable the linting process of the HTML language. |
| VALIDATE_JAVA | true | Flag to enable or disable the linting process of the Java language. (Utilizing: checkstyle) |
| VALIDATE_JAVASCRIPT_ES | true | Flag to enable or disable the linting process of the JavaScript language. (Utilizing: ESLint) |
| VALIDATE_JAVASCRIPT_STANDARD | true | Flag to enable or disable the linting process of the JavaScript language. (Utilizing: standard) |
| VALIDATE_JSCPD | true | Flag to enable or disable the JSCPD. |
| VALIDATE_JSON | true | Flag to enable or disable the linting process of the JSON language. |
| VALIDATE_JSX | true | Flag to enable or disable the linting process for jsx files (Utilizing: ESLint) |
| VALIDATE_KOTLIN | true | Flag to enable or disable the linting process of the Kotlin language. |
| VALIDATE_KOTLIN_ANDROID | true | Flag to enable or disable the linting process of the Kotlin language. (Utilizing: ktlint --android) |
| VALIDATE_KUBERNETES_KUBECONFORM | true | Flag to enable or disable the linting process of Kubernetes descriptors with Kubeconform |
| VALIDATE_LATEX | true | Flag to enable or disable the linting process of the LaTeX language. |
| VALIDATE_LUA | true | Flag to enable or disable the linting process of the language. |
| VALIDATE_MARKDOWN | true | Flag to enable or disable the linting process of the Markdown language. |
| VALIDATE_NATURAL_LANGUAGE | true | Flag to enable or disable the linting process of the natural language. |
| VALIDATE_OPENAPI | true | Flag to enable or disable the linting process of the OpenAPI language. |
| VALIDATE_PERL | true | Flag to enable or disable the linting process of the Perl language. |
| VALIDATE_PHP | true | Flag to enable or disable the linting process of the PHP language. (Utilizing: PHP built-in linter) (keep for backward compatibility) |
| VALIDATE_PHP_BUILTIN | true | Flag to enable or disable the linting process of the PHP language. (Utilizing: PHP built-in linter) |
| VALIDATE_PHP_PHPCS | true | Flag to enable or disable the linting process of the PHP language. (Utilizing: PHP CodeSniffer) |
| VALIDATE_PHP_PHPSTAN | true | Flag to enable or disable the linting process of the PHP language. (Utilizing: PHPStan) |
| VALIDATE_PHP_PSALM | true | Flag to enable or disable the linting process of the PHP language. (Utilizing: PSalm) |
| VALIDATE_POWERSHELL | true | Flag to enable or disable the linting process of the Powershell language. |
| VALIDATE_PROTOBUF | true | Flag to enable or disable the linting process of the Protobuf language. |
| VALIDATE_PYTHON | true | Flag to enable or disable the linting process of the Python language. (Utilizing: pylint) (keep for backward compatibility) |
| VALIDATE_PYTHON_BLACK | true | Flag to enable or disable the linting process of the Python language. (Utilizing: black) |
| VALIDATE_PYTHON_FLAKE8 | true | Flag to enable or disable the linting process of the Python language. (Utilizing: flake8) |
| VALIDATE_PYTHON_ISORT | true | Flag to enable or disable the linting process of the Python language. (Utilizing: isort) |
| VALIDATE_PYTHON_MYPY | true | Flag to enable or disable the linting process of the Python language. (Utilizing: mypy) |
| VALIDATE_PYTHON_PYLINT | true | Flag to enable or disable the linting process of the Python language. (Utilizing: pylint) |
| VALIDATE_R | true | Flag to enable or disable the linting process of the R language. |
| VALIDATE_RAKU | true | Flag to enable or disable the linting process of the Raku language. |
| VALIDATE_RENOVATE | true | Flag to enable or disable the linting process of the Renovate configuration files. |
| VALIDATE_RUBY | true | Flag to enable or disable the linting process of the Ruby language. |
| VALIDATE_RUST_2015 | true | Flag to enable or disable the linting process of the Rust language. (edition: 2015) |
| VALIDATE_RUST_2018 | true | Flag to enable or disable the linting process of Rust language. (edition: 2018) |
| VALIDATE_RUST_2021 | true | Flag to enable or disable the linting process of Rust language. (edition: 2021) |
| VALIDATE_RUST_CLIPPY | true | Flag to enable or disable the clippy linting process of Rust language. |
| VALIDATE_SCALAFMT | true | Flag to enable or disable the linting process of Scala language. (Utilizing: scalafmt –test) |
| VALIDATE_SHELL_SHFMT | true | Flag to enable or disable the linting process of Shell scripts. (Utilizing: shfmt) |
| VALIDATE_SNAKEMAKE_LINT | true | Flag to enable or disable the linting process of Snakefiles. (Utilizing: snakemake –lint) |
| VALIDATE_SNAKEMAKE_SNAKEFMT | true | Flag to enable or disable the linting process of Snakefiles. (Utilizing: snakefmt) |
| VALIDATE_STATES | true | Flag to enable or disable the linting process for AWS States Language. |
| VALIDATE_SQL | true | Flag to enable or disable the linting process of the SQL language. |
| VALIDATE_SQLFLUFF | true | Flag to enable or disable the linting process of the SQL language. (Utilizing: sqlfuff) |
| VALIDATE_TEKTON | true | Flag to enable or disable the linting process of the Tekton language. |
| VALIDATE_TERRAFORM_FMT | true | Flag to enable or disable the formatting process of the Terraform files. |
| VALIDATE_TERRAFORM_TERRASCAN | true | Flag to enable or disable the linting process of the Terraform language for security related issues. |
| VALIDATE_TERRAFORM_TFLINT | true | Flag to enable or disable the linting process of the Terraform language. (Utilizing tflint) |
| VALIDATE_TERRAGRUNT | true | Flag to enable or disable the linting process for Terragrunt files. |
| VALIDATE_TSX | true | Flag to enable or disable the linting process for tsx files (Utilizing: ESLint) |
| VALIDATE_TYPESCRIPT_ES | true | Flag to enable or disable the linting process of the TypeScript language. (Utilizing: ESLint) |
| VALIDATE_TYPESCRIPT_STANDARD | true | Flag to enable or disable the linting process of the TypeScript language. (Utilizing: ts-standard) |
| VALIDATE_XML | true | Flag to enable or disable the linting process of the XML language. |
| VALIDATE_YAML | true | Flag to enable or disable the linting process of the YAML language. |
| YAML_CONFIG_FILE | .yaml-lint.yml | Filename for Yamllint configuration (ex: .yaml-lint.yml, .yamllint.yml) |
| YAML_ERROR_ON_WARNING | false | Flag to enable or disable the error on warning for Yamllint. |
Limitations
Below are a list of the known limitations for the GitHub Super-Linter:
- Due to being completely packaged at runtime, you will not be able to update dependencies or change versions of the enclosed linters and binaries
- Additional details from
package.jsonare not read by the GitHub Super-Linter - Downloading additional codebases as dependencies from private repositories will fail due to lack of permissions
Documentation
This post is licensed under CC BY 4.0 by the author.
Comments powered by Disqus.