/super-linter

Combination of multiple linters to install as a GitHub Action

Primary LanguageShellMIT LicenseMIT

Super-Linter

Super-linter is a ready-to-run collection of linters and code analyzers, to help validate your source code.

The goal of super-linter is to help you establish best practices and consistent formatting across multiple programming languages, and ensure developers are adhering to those conventions.

Super-linter analyzes source code files using several tools, and reports the issues that those tools find as console output, and as GitHub Actions status checks. You can also run super-linter outside GitHub Actions.

Super-linter is licensed under a MIT License.

Super-Linter

Supported linters and code analyzers

Super-linter supports the following tools:

Language Linter
Ansible ansible-lint
AWS CloudFormation templates cfn-lint
Azure Resource Manager (ARM) arm-ttk
C++ cpp-lint / clang-format
C# dotnet format / clang-format
CSS stylelint
Clojure clj-kondo
CoffeeScript coffeelint
Copy/paste detection jscpd
Dart dartanalyzer
Dockerfile hadolint
EditorConfig editorconfig-checker
ENV dotenv-linter
Gherkin gherkin-lint
GitHub Actions actionlint
Golang golangci-lint
Groovy npm-groovy-lint
HTML HTMLHint
Java checkstyle / google-java-format
JavaScript ESLint / standard js
JSON eslint-plugin-json
JSONC eslint-plugin-jsonc
Infrastructure as code Checkov
Kubernetes kubeconform
Kotlin ktlint
LaTeX ChkTex
Lua luacheck
Markdown markdownlint
Natural language textlint
OpenAPI spectral
Perl perlcritic
PHP PHP built-in linter / PHP CodeSniffer / PHPStan / Psalm
PowerShell PSScriptAnalyzer
Protocol Buffers protolint
Python3 pylint / flake8 / black / isort
R lintr
Raku Raku
Renovate renovate-config-validator
Ruby RuboCop
Rust Rustfmt / Clippy
Scala scalafmt
Secrets GitLeaks
Shell ShellCheck / executable bit check / shfmt
Snakemake snakefmt / snakemake --lint
SQL sql-lint / sqlfluff
Tekton tekton-lint
Terraform fmt / tflint / terrascan
Terragrunt terragrunt
TypeScript ESLint / standard js
XML LibXML
YAML YamlLint

Get started

More in-depth tutorial available

To run super-linter as a GitHub Action, you do the following:

  1. Create a new GitHub Actions workflow in your repository with the following content:

    ---
    name: Lint
    
    on:  # yamllint disable-line rule:truthy
      push: null
      pull_request: null
    
    jobs:
      build:
        name: Lint
        runs-on: ubuntu-latest
    
        permissions:
          contents: read
          packages: read
          # To report GitHub Actions status checks
          statuses: write
    
        steps:
          - name: Checkout code
            uses: actions/checkout@v4
    
          - name: Super-linter
            uses: super-linter/super-linter@v5.7.2  # x-release-please-version
            env:
              DEFAULT_BRANCH: main
              # To report GitHub Actions status checks
              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    ...
  2. Commit that file to a new branch.

  3. Push the new commit to the remote repository.

  4. Create a new pull request to observe the results.

Upgrade to newer super-linter versions

For more information about upgrading super-linter to a new major version, see the upgrade guide.

Add Super-Linter badge in your repository README

You can show Super-Linter status with a badge in your repository README:

Example:

[![Super-Linter](https://github.com/<OWNER>/<REPOSITORY>/actions/workflows/<WORKFLOW_FILE_NAME>/badge.svg)](https://github.com/marketplace/actions/super-linter)

For more information, see Adding a workflow status badge.

Super-linter variants

Super-Linter provides several variants:

  • standard: super-linter/super-linter:[VERSION]: includes all supported linters.

  • slim: super-linter/super-linter:slim-[VERSION]: includes all supported linters except:

    • rust linters
    • dotenv linters
    • armttk linters
    • pwsh linters
    • c# linters

Configure super-linter

You can configure super-linter using the following environment variables:

Environment variable Default Value Description
ACTIONS_RUNNER_DEBUG false Flag to enable additional information about the linter, versions, and additional output.
ANSIBLE_CONFIG_FILE .ansible-lint.yml Filename for Ansible-lint configuration (ex: .ansible-lint, .ansible-lint.yml)
ANSIBLE_DIRECTORY /ansible Flag to set the root directory for Ansible file location(s), relative to DEFAULT_WORKSPACE. Set to . to use the top-level of the DEFAULT_WORKSPACE.
BASH_SEVERITY style Specify the minimum severity of errors to consider in shellcheck. Valid values in order of severity are error, warning, info and style.
CHECKOV_FILE_NAME .checkov.yaml Configuration filename for Checkov.
CREATE_LOG_FILE false If set to true, it creates the log file. You can set the log filename using the LOG_FILE environment variable. This overrides any existing log files.
CSS_FILE_NAME .stylelintrc.json Filename for Stylelint configuration (ex: .stylelintrc.yml, .stylelintrc.yaml)
DEFAULT_BRANCH master The name of the repository default branch.
DEFAULT_WORKSPACE /tmp/lint The location containing files to lint if you are running locally. Defaults to GITHUB_WORKSPACE when running in GitHub Actions. There's no need to configure this variable when running in GitHub Actions.
DISABLE_ERRORS false Flag to have the linter complete with exit code 0 even if errors were detected.
DOCKERFILE_HADOLINT_FILE_NAME .hadolint.yaml Filename for hadolint configuration (ex: .hadolintlintrc.yaml)
EDITORCONFIG_FILE_NAME .ecrc Filename for editorconfig-checker configuration
ENABLE_GITHUB_ACTIONS_GROUP_TITLE false if RUN_LOCAL=true, true otherwise Flag to enable GitHub Actions log grouping.
ERROR_ON_MISSING_EXEC_BIT false If set to false, the bash-exec linter will report a warning if a shell script is not executable. If set to true, the bash-exec linter will report an error instead.
FILTER_REGEX_EXCLUDE none Regular expression defining which files will be excluded from linting (ex: .*src/test.*)
FILTER_REGEX_INCLUDE all Regular expression defining which files will be processed by linters (ex: .*src/.*)
GITHUB_ACTIONS_CONFIG_FILE actionlint.yml Filename for Actionlint configuration (ex: actionlint.yml)
GITHUB_ACTIONS_COMMAND_ARGS null Additional arguments passed to actionlint command. Useful to ignore some errors
GITHUB_CUSTOM_API_URL https://api.github.com Specify a custom GitHub API URL in case GitHub Enterprise is used: e.g. https://github.myenterprise.com/api/v3
GITHUB_DOMAIN github.com Specify a custom GitHub domain in case GitHub Enterprise is used: e.g. github.myenterprise.com
GITLEAKS_CONFIG_FILE .gitleaks.toml Filename for GitLeaks configuration (ex: .gitleaks.toml)
IGNORE_GENERATED_FILES false If set to true, super-linter will ignore all the files with @generated marker but without @not-generated marker.
IGNORE_GITIGNORED_FILES false If set to true, super-linter will ignore all the files that are ignored by Git.
JAVA_FILE_NAME sun_checks.xml Filename for Checkstyle configuration (ex: checkstyle.xml)
JAVASCRIPT_DEFAULT_STYLE standard Flag to set the default style of JavaScript. Available options: standard/prettier
JAVASCRIPT_ES_CONFIG_FILE .eslintrc.yml Filename for ESLint configuration (ex: .eslintrc.yml, .eslintrc.json)
JSCPD_CONFIG_FILE .jscpd.json Filename for JSCPD configuration
KUBERNETES_KUBECONFORM_OPTIONS null Additional arguments to pass to the command-line when running Kubernetes Kubeconform (Example: --ignore-missing-schemas)
LINTER_RULES_PATH .github/linters Directory for all linter configuration rules.
LOG_FILE super-linter.log The filename for outputting logs. All output is sent to the log file regardless of LOG_LEVEL.
LOG_LEVEL VERBOSE How much output the script will generate to the console. One of ERROR, WARN, NOTICE, VERBOSE, DEBUG or TRACE.
MARKDOWN_CONFIG_FILE .markdown-lint.yml Filename for Markdownlint configuration (ex: .markdown-lint.yml, .markdownlint.json, .markdownlint.yaml)
MARKDOWN_CUSTOM_RULE_GLOBS .markdown-lint/rules,rules/** Comma-separated list of file globs matching custom Markdownlint rule files.
MULTI_STATUS true A status API is made for each language that is linted to make visual parsing easier.
NATURAL_LANGUAGE_CONFIG_FILE .textlintrc Filename for textlint configuration (ex: .textlintrc)
PERL_PERLCRITIC_OPTIONS null Additional arguments to pass to the command-line when running perlcritic (Example: --theme community)
PHP_CONFIG_FILE php.ini Filename for PHP Configuration (ex: php.ini)
PHP_PHPCS_FILE_NAME phpcs.xml Filename for PHP CodeSniffer (ex: .phpcs.xml, .phpcs.xml.dist)
PROTOBUF_CONFIG_FILE .protolintrc.yml Filename for protolint configuration (ex: .protolintrc.yml)
PYTHON_BLACK_CONFIG_FILE .python-black Filename for black configuration (ex: .isort.cfg, pyproject.toml)
PYTHON_FLAKE8_CONFIG_FILE .flake8 Filename for flake8 configuration (ex: .flake8, tox.ini)
PYTHON_ISORT_CONFIG_FILE .isort.cfg Filename for isort configuration (ex: .isort.cfg, pyproject.toml)
PYTHON_MYPY_CONFIG_FILE .mypy.ini Filename for mypy configuration (ex: .mypy.ini, setup.config)
PYTHON_PYLINT_CONFIG_FILE .python-lint Filename for pylint configuration (ex: .python-lint, .pylintrc)
RENOVATE_SHAREABLE_CONFIG_PRESET_FILE_NAMES not set Comma-separated filenames for renovate shareable config preset (ex: default.json)
RUBY_CONFIG_FILE .ruby-lint.yml Filename for rubocop configuration (ex: .ruby-lint.yml, .rubocop.yml)
SCALAFMT_CONFIG_FILE .scalafmt.conf Filename for scalafmt configuration (ex: .scalafmt.conf)
SNAKEMAKE_SNAKEFMT_CONFIG_FILE .snakefmt.toml Filename for Snakemake configuration (ex: pyproject.toml, .snakefmt.toml)
SSL_CERT_SECRET none SSL cert to add to the Super-Linter trust store. This is needed for users on self-hosted runners or need to inject the cert for security standards (ex. ${{ secrets.SSL_CERT }})
SSH_KEY none SSH key that has access to your private repositories
SSH_SETUP_GITHUB false If set to true, adds the github.com SSH key to known_hosts. This is ignored if SSH_KEY is provided - i.e. the github.com SSH key is always added if SSH_KEY is provided
SSH_INSECURE_NO_VERIFY_GITHUB_KEY false INSECURE - If set to true, does not verify the fingerprint of the github.com SSH key before adding this. This is not recommended!
SQL_CONFIG_FILE .sql-config.json Filename for SQL-Lint configuration (ex: sql-config.json , .config.json)
SQLFLUFF_CONFIG_FILE /.sqlfluff Filename for SQLFLUFF configuration (ex: /.sqlfluff, pyproject.toml)
SUPPRESS_FILE_TYPE_WARN false If set to true, will hide warning messages about files without their proper extensions. Default is false
SUPPRESS_POSSUM false If set to true, will hide the ASCII possum at top of log output. Default is false
TERRAFORM_TERRASCAN_CONFIG_FILE terrascan.toml Filename for terrascan configuration (ex: terrascan.toml)
TERRAFORM_TFLINT_CONFIG_FILE .tflint.hcl Filename for tfLint configuration (ex: .tflint.hcl)
TYPESCRIPT_DEFAULT_STYLE ts-standard Flag to set the default style of TypeScript. Available options: ts-standard/prettier
TYPESCRIPT_ES_CONFIG_FILE .eslintrc.yml Filename for ESLint configuration (ex: .eslintrc.yml, .eslintrc.json)
TYPESCRIPT_STANDARD_TSCONFIG_FILE ${DEFAULT_WORKSPACE}/tsconfig.json Path to the TypeScript project configuration in ts-standard. The path is relative to DEFAULT_WORKSPACE
USE_FIND_ALGORITHM false By default, we use git diff to find all files in the workspace and what has been updated, this would enable the Linux find method instead to find all files to lint
VALIDATE_ALL_CODEBASE true Will parse the entire repository and find all files to validate across all types. NOTE: When set to false, only new or edited files will be parsed for validation.
VALIDATE_ANSIBLE true Flag to enable or disable the linting process of the Ansible language.
VALIDATE_ARM true Flag to enable or disable the linting process of the ARM language.
VALIDATE_BASH true Flag to enable or disable the linting process of the Bash language.
VALIDATE_BASH_EXEC true Flag to enable or disable the linting process of the Bash language to validate if file is stored as executable.
VALIDATE_CPP true Flag to enable or disable the linting process of the C++ language.
VALIDATE_CHECKOV true Flag to enable or disable the linting process with Checkov
VALIDATE_CLANG_FORMAT true Flag to enable or disable the linting process of the C++/C language with clang-format.
VALIDATE_CLOJURE true Flag to enable or disable the linting process of the Clojure language.
VALIDATE_CLOUDFORMATION true Flag to enable or disable the linting process of the AWS Cloud Formation language.
VALIDATE_COFFEESCRIPT true Flag to enable or disable the linting process of the Coffeescript language.
VALIDATE_CSHARP true Flag to enable or disable the linting process of the C# language.
VALIDATE_CSS true Flag to enable or disable the linting process of the CSS language.
VALIDATE_DART true Flag to enable or disable the linting process of the Dart language.
VALIDATE_DOCKERFILE_HADOLINT true Flag to enable or disable the linting process of the Docker language.
VALIDATE_EDITORCONFIG true Flag to enable or disable the linting process with the EditorConfig.
VALIDATE_ENV true Flag to enable or disable the linting process of the ENV language.
VALIDATE_GHERKIN true Flag to enable or disable the linting process of the Gherkin language.
VALIDATE_GITHUB_ACTIONS true Flag to enable or disable the linting process of the GitHub Actions.
VALIDATE_GITLEAKS true Flag to enable or disable the linting process of the secrets.
VALIDATE_GO true Flag to enable or disable the linting process of the individual Golang files. Set this to false if you want to lint Go modules. See the VALIDATE_GO_MODULES variable.
VALIDATE_GO_MODULES true Flag to enable or disable the linting process of Go modules. Super-linter considers a directory to be a Go module if it contains a file named go.mod.
VALIDATE_GOOGLE_JAVA_FORMAT true Flag to enable or disable the linting process of the Java language. (Utilizing: google-java-format)
VALIDATE_GROOVY true Flag to enable or disable the linting process of the language.
VALIDATE_HTML true Flag to enable or disable the linting process of the HTML language.
VALIDATE_JAVA true Flag to enable or disable the linting process of the Java language. (Utilizing: checkstyle)
VALIDATE_JAVASCRIPT_ES true Flag to enable or disable the linting process of the JavaScript language. (Utilizing: ESLint)
VALIDATE_JAVASCRIPT_STANDARD true Flag to enable or disable the linting process of the JavaScript language. (Utilizing: standard)
VALIDATE_JSCPD true Flag to enable or disable the JSCPD.
VALIDATE_JSON true Flag to enable or disable the linting process of the JSON language.
VALIDATE_JSX true Flag to enable or disable the linting process for jsx files (Utilizing: ESLint)
VALIDATE_KOTLIN true Flag to enable or disable the linting process of the Kotlin language.
VALIDATE_KUBERNETES_KUBECONFORM true Flag to enable or disable the linting process of Kubernetes descriptors with Kubeconform
VALIDATE_LATEX true Flag to enable or disable the linting process of the LaTeX language.
VALIDATE_LUA true Flag to enable or disable the linting process of the language.
VALIDATE_MARKDOWN true Flag to enable or disable the linting process of the Markdown language.
VALIDATE_NATURAL_LANGUAGE true Flag to enable or disable the linting process of the natural language.
VALIDATE_OPENAPI true Flag to enable or disable the linting process of the OpenAPI language.
VALIDATE_PERL true Flag to enable or disable the linting process of the Perl language.
VALIDATE_PHP true Flag to enable or disable the linting process of the PHP language. (Utilizing: PHP built-in linter) (keep for backward compatibility)
VALIDATE_PHP_BUILTIN true Flag to enable or disable the linting process of the PHP language. (Utilizing: PHP built-in linter)
VALIDATE_PHP_PHPCS true Flag to enable or disable the linting process of the PHP language. (Utilizing: PHP CodeSniffer)
VALIDATE_PHP_PHPSTAN true Flag to enable or disable the linting process of the PHP language. (Utilizing: PHPStan)
VALIDATE_PHP_PSALM true Flag to enable or disable the linting process of the PHP language. (Utilizing: PSalm)
VALIDATE_POWERSHELL true Flag to enable or disable the linting process of the Powershell language.
VALIDATE_PROTOBUF true Flag to enable or disable the linting process of the Protobuf language.
VALIDATE_PYTHON true Flag to enable or disable the linting process of the Python language. (Utilizing: pylint) (keep for backward compatibility)
VALIDATE_PYTHON_BLACK true Flag to enable or disable the linting process of the Python language. (Utilizing: black)
VALIDATE_PYTHON_FLAKE8 true Flag to enable or disable the linting process of the Python language. (Utilizing: flake8)
VALIDATE_PYTHON_ISORT true Flag to enable or disable the linting process of the Python language. (Utilizing: isort)
VALIDATE_PYTHON_MYPY true Flag to enable or disable the linting process of the Python language. (Utilizing: mypy)
VALIDATE_PYTHON_PYLINT true Flag to enable or disable the linting process of the Python language. (Utilizing: pylint)
VALIDATE_R true Flag to enable or disable the linting process of the R language.
VALIDATE_RAKU true Flag to enable or disable the linting process of the Raku language.
VALIDATE_RENOVATE true Flag to enable or disable the linting process of the Renovate configuration files.
VALIDATE_RUBY true Flag to enable or disable the linting process of the Ruby language.
VALIDATE_RUST_2015 true Flag to enable or disable the linting process of the Rust language. (edition: 2015)
VALIDATE_RUST_2018 true Flag to enable or disable the linting process of Rust language. (edition: 2018)
VALIDATE_RUST_2021 true Flag to enable or disable the linting process of Rust language. (edition: 2021)
VALIDATE_RUST_CLIPPY true Flag to enable or disable the clippy linting process of Rust language.
VALIDATE_SCALAFMT true Flag to enable or disable the linting process of Scala language. (Utilizing: scalafmt --test)
VALIDATE_SHELL_SHFMT true Flag to enable or disable the linting process of Shell scripts. (Utilizing: shfmt)
VALIDATE_SNAKEMAKE_LINT true Flag to enable or disable the linting process of Snakefiles. (Utilizing: snakemake --lint)
VALIDATE_SNAKEMAKE_SNAKEFMT true Flag to enable or disable the linting process of Snakefiles. (Utilizing: snakefmt)
VALIDATE_STATES true Flag to enable or disable the linting process for AWS States Language.
VALIDATE_SQL true Flag to enable or disable the linting process of the SQL language.
VALIDATE_SQLFLUFF true Flag to enable or disable the linting process of the SQL language. (Utilizing: sqlfuff)
VALIDATE_TEKTON true Flag to enable or disable the linting process of the Tekton language.
VALIDATE_TERRAFORM_FMT true Flag to enable or disable the formatting process of the Terraform files.
VALIDATE_TERRAFORM_TERRASCAN true Flag to enable or disable the linting process of the Terraform language for security related issues.
VALIDATE_TERRAFORM_TFLINT true Flag to enable or disable the linting process of the Terraform language. (Utilizing tflint)
VALIDATE_TERRAGRUNT true Flag to enable or disable the linting process for Terragrunt files.
VALIDATE_TSX true Flag to enable or disable the linting process for tsx files (Utilizing: ESLint)
VALIDATE_TYPESCRIPT_ES true Flag to enable or disable the linting process of the TypeScript language. (Utilizing: ESLint)
VALIDATE_TYPESCRIPT_STANDARD true Flag to enable or disable the linting process of the TypeScript language. (Utilizing: ts-standard)
VALIDATE_XML true Flag to enable or disable the linting process of the XML language.
VALIDATE_YAML true Flag to enable or disable the linting process of the YAML language.
YAML_CONFIG_FILE .yaml-lint.yml Filename for Yamllint configuration (ex: .yaml-lint.yml, .yamllint.yml)
YAML_ERROR_ON_WARNING false Flag to enable or disable the error on warning for Yamllint.

The VALIDATE_[LANGUAGE] variables work as follows:

  • super-linter runs all supported linters by default.
  • If you set any of the VALIDATE_[LANGUAGE] variables to true, super-linter defaults to leaving any unset variable to false (only validate those languages).
  • If you set any of the VALIDATE_[LANGUAGE] variables to false, super-linter defaults to leaving any unset variable to true (only exclude those languages).
  • If you set any of the VALIDATE_[LANGUAGE] variables to both true and false, super-linter fails reporting an error.

For more information about reusing super-linter configuration across environments, see Share Environment variables between environments.

Configure linters

Super-linter provides default configurations for some linters in the TEMPLATES/ directory. You can customize the configuration for the linters that support this by placing your own configuration files in the LINTER_RULES_PATH directory. LINTER_RULES_PATH is relative to the DEFAULT_WORKSPACE directory.

Super-linter supports customizing the name of these configuration files. For more information, refer to Configure super-linter.

For example, you can configure super-linter to load configuration files from the config/lint directory in your repository:

  env:
    LINTER_RULES_PATH: `config/lint`

Some of the linters that super-linter provides can be configured to disable certain rules or checks, and to ignore certain files or part of them.

For more information about how to configure each linter, review their own documentation.

Include or exclude files from checks

If you need to include or exclude directories from being checked, you can use two environment variables: FILTER_REGEX_INCLUDE and FILTER_REGEX_EXCLUDE.

For example:

  • Lint only the src folder: FILTER_REGEX_INCLUDE: .*src/.*
  • Do not lint files inside test folder: FILTER_REGEX_EXCLUDE: .*test/.*
  • Do not lint JavaScript files inside test folder: FILTER_REGEX_EXCLUDE: .*test/.*.js

Additionally, if you set IGNORE_GENERATED_FILES to true, super-linter ignores any file with @generated string in it, unless the file also has @not-generated marker. For example, super-linter considers a file with the following contents as generated:

#!/bin/sh
echo "@generated"

while considers this file as not generated:

#!/bin/sh
echo "@generated" # @not-generated

Finally, you can set IGNORE_GITIGNORED_FILES to true to ignore a file if Git ignores it too.

Run Super-Linter outside GitHub Actions

You don't need GitHub Actions to run super-linter. It supports several runtime environments.

Run using a container runtime engine

You can run super-linter outside GitHub Actions. For example, you can run super-linter from a shell:

docker run \
  -e ACTIONS_RUNNER_DEBUG=true \
  -e RUN_LOCAL=true \
  -v /path/to/local/codebase:/tmp/lint \
  ghcr.io/super-linter/super-linter:latest

For more information, see Run super-linter outside GitHub Actions.

Use your own SSH key and certificate

If you need to use your own SSH key to authenticate against private repositories, you can use the SSH_KEY environment variable. The value of that environment variable is expected to be be the private key of an SSH keypair that has access to your private repositories.

For example, you can configure this private key as an Encrypted Secret and access it with the secrets parameter from your GitHub Actions workflow:

  env:
    SSH_KEY: ${{ secrets.SSH_PRIVATE_KEY }}

If you need to inject a SSL certificate into the trust store, you can use the SSL_CERT_SECRET variable. The value of that variable is expected to be the path to the files that contains a CA that can be used to valide the certificate:

  env:
    SSL_CERT_SECRET: ${{ secrets.ROOT_CA }}

How to contribute

If you would like to help contribute to super-linter, see CONTRIBUTING.