title	description
Configure environment variables security with MegaLinter	Hide from linter executables the environment variables that can contain secrets

Environment variables security

Secured env variables

MegaLinter runs on a docker image and calls the linters via command line to gather their results.

If you run it from your CI/CD pipelines, the docker image may have access to your environment variables, that can contain secrets defined in CI/CD variables.

As it can be complicated to trust the authors of all the open-source linters, MegaLinter removes variables from the environment used to call linters.

Thanks to this feature, you only need to trust MegaLinter and its internal python dependencies, but there is no need to trust all the linters that are used !

You can add secured variables to the default list using configuration property SECURED_ENV_VARIABLES in .mega-linter.yml or in an environment variable (priority is given to ENV variables above .mega-linter.yml property).

Values can be:

String (ex: MY_SECRET_VAR)
Regular Expression (ex: (MY.*VAR))

Environment variables are secured for each command line called (linters, plugins, sarif formatter...) except for PRE_COMMANDS , ONLY if you define secured_env: false in the command.

Secured configuration examples

Example of adding extra secured variables .mega-linter.yml:

SECURED_ENV_VARIABLES:
  - MY_SECRET_TOKEN
  - ANOTHER_VAR_CONTAINING_SENSITIVE_DATA
  - OX_API_KEY
  - (MY.*VAR)  # Regex format

Example of adding extra secured variables in CI variables, so they can not be overridden in .mega-linter.yml:

SECURED_ENV_VARIABLES=MY_SECRET_TOKEN,ANOTHER_VAR_CONTAINING_SENSITIVE_DATA,OX_API_KEY

Default secured variables

If you override SECURED_ENV_VARIABLES_DEFAULT, it replaces the default list, so it's better to only define SECURED_ENV_VARIABLES to add them to the default list !

SECURED_ENV_VARIABLES_DEFAULT contains:

GITHUB_TOKEN
PAT
SYSTEM_ACCESSTOKEN
GIT_AUTHORIZATION_BEARER
CI_JOB_TOKEN
GITLAB_ACCESS_TOKEN_MEGALINTER
GITLAB_CUSTOM_CERTIFICATE
WEBHOOK_REPORTER_BEARER_TOKEN
NODE_TOKEN
NPM_TOKEN
DOCKER_USERNAME
DOCKER_PASSWORD
CODECOV_TOKEN
GCR_USERNAME
GCR_PASSWORD
SMTP_PASSWORD
CI_SFDX_HARDIS_GITLAB_TOKEN
(SFDX_CLIENT_ID_.*)
(SFDX_CLIENT_KEY_.*)

Unhide variables for linters

You can configure exceptions for a specific linter by defining (linter-key)_UNSECURED_ENV_VARIABLES.

Variable names in this list won't be hidden to the linter commands.

TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN # Can contain string only, not regex

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!