MegaLinter Azure DevOps Extension

Note: This is not an official MegaLinter extension. However, it has been reviewed and approved by the MegaLinter project.

Run Ox Security MegaLinter in your Azure DevOps pipelines. Analyze 50+ languages, apply auto-fixes, and get PR comments—all with a simple task configuration.

Installation

1. Install from the Visual Studio Marketplace
2. Add the task to your pipeline

Quick Start

- task: MegaLinter@1
  displayName: Run MegaLinter
  inputs:
    flavor: all
    fix: true
    createFixPR: true
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)

Visual Configuration

Configure MegaLinter using the Azure DevOps task assistant:

Task Inputs

Input	Description	Default
flavor	MegaLinter flavor (all, javascript, python, security, etc.)	all
release	Docker image tag (v9, latest, etc.)	v9
fix	Auto-fix issues	false
enablePRComments	Post results as PR comments (auto-enabled for PR builds)	false
createFixPR	Create PR with fixes (when fix=true)	true
path	Directory to lint	Pipeline workspace
configFile	Path to .mega-linter.yml	Auto-detected
reportsPath	Reports output directory	megalinter-reports
disableLinters	Comma-separated linters to disable	-
lintChangedFilesOnly	Only lint files changed in PR/commit	false

See all available inputs for the complete list.

Flavors

Flavor	Languages
all	Everything (largest image)
javascript	JS, TS, JSON, CSS, HTML
python	Python, YAML, JSON
dotnet	C#, VB.NET, PowerShell
security	Security-focused linters only
terraform	Terraform, HCL

View all flavors

Full Pipeline Example

This example shows all available options:

# .azuredevops/megalinter.yml
trigger: none
pr: none

pool:
  vmImage: ubuntu-latest

variables:
  MEGALINTER_IMAGE: oxsecurity/megalinter-security:v9

stages:
  - stage: Lint
    jobs:
      - job: MegaLinter
        steps:
          - checkout: self
            fetchDepth: 0

          # Run MegaLinter
          - task: MegaLinter@1
            displayName: Run MegaLinter
            inputs:
              path: $(Build.SourcesDirectory)
              flavor: security
              release: v9
              fix: true
              removeContainer: true
              enablePRComments: true
              createFixPR: true
            env:
              SYSTEM_ACCESSTOKEN: $(System.AccessToken)

          # Publish reports
          - task: PublishBuildArtifacts@1
            displayName: Publish MegaLinter Reports
            condition: succeededOrFailed()
            inputs:
              pathToPublish: $(Build.SourcesDirectory)/megalinter-reports
              artifactName: megalinter-reports

Permissions

For PR comments and auto-fix PRs, grant the build service:

1. Contribute to pull requests - For PR comments
2. Create branch - For auto-fix PR creation

Configuration

Create a .mega-linter.yml in your repository root:

APPLY_FIXES: all
DISABLE_LINTERS:
  - SPELL_CSPELL
SHOW_ELAPSED_TIME: true

Full configuration options

Resources

• MegaLinter Documentation
• Configuration Guide
• Available Flavors
• GitHub Repository
• Extension Versioning Strategy

Development

Prerequisites

• Node.js >= 20.0.0
• npm >= 10.0.0

Setup

npm install
cd megalinter && npm install

Build & Test

# Build the Azure DevOps task (TypeScript → JavaScript)
cd megalinter
npm run build

# Run the Cucumber BDD tests and linting from the repo root
cd ..
npx cucumber-js
npm run lint

Contributing

See CONTRIBUTING.md for guidelines.

CI/CD Workflows

This repository includes the following GitHub Actions workflows:

PR Code Validation

The PR Code Validation and Publish Private Extension workflow (.github/workflows/pr-code-validation.yml) runs automatically on pull requests to the main or dev branches. It ensures code quality by:

1. Building and testing the code:

   • Checking out the repository
   • Setting up Node.js runtime
   • Installing dependencies
   • Running linters (npm run lint)
   • Executing Cucumber BDD tests (npx --no-install cucumber-js, instead of npm test to avoid the posttest coverage loop in CI)
   • Building the TypeScript code (npm run build)

2. Publishing a private extension:

   • Checking PR mergeability
   • Installing GitVersion for semantic versioning
   • Replacing tokens in configuration files
   • Installing tfx-cli for Azure DevOps extension management
   • Authenticating with Azure DevOps
   • Packaging and publishing the private extension to your organization

Required Secrets:

To use this workflow, configure the following GitHub secrets in your repository settings:

• AZURE_DEVOPS_EXT_PAT - Azure DevOps Personal Access Token (PAT) with marketplace publish permissions
• AZURE_DEVOPS_ORGS - Comma-separated list of Azure DevOps organizations to share the private extension with
• TASK_AUTHOR, TASK_DESCRIPTION, TASK_FRIENDLYNAME, TASK_HELPMARKDOWN, TASK_NAME, TASK_ID - Task metadata
• PRIVATE_EXTENSIONID, PRIVATE_EXTENSIONNAME, PUBLISHERID - Extension metadata

Branch Protection:

To enforce this workflow as a required check before merging:

1. Go to Settings → Branches in your GitHub repository
2. Add or edit a branch protection rule for main and/or dev
3. Enable Require status checks to pass before merging
4. Select Build and Test as a required status check

License

GPL-3.0