oxsecurity / megalinter

🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.
https://megalinter.io
GNU Affero General Public License v3.0

Devskim config ignored instead crawl-archives enabled by default #3611

Closed raphaelzoellner closed 1 week ago

raphaelzoellner commented 1 month ago

Describe the bug

For the devskim linter, the -c flag seems to be passed by default to the validate command. This enables the crawl of archives, which is disabled by default for devskim. I suspect the --options-json should be passed instead to specify the devskim configuration file.

To Reproduce

Steps to reproduce the behavior:

  1. Try to specify --crawl-archives as REPOSITORY_DEVSKIM_ARGUMENTS arguments in the megalinter configuration.
  2. Run the megalinter security flavor or any flavor containing devskim.
  3. Observe the following error:

    ERROR(S):
    Option 'c, crawl-archives' is defined multiple times.

Expected behavior

The --options-json flag is used to specify the devskim configuration file by megalinter.

Additional context

cli_config_arg_name is not specified in the descriptor for the devskim linter: https://github.com/oxsecurity/megalinter/blob/v7.12.0/megalinter/descriptors/repository.megalinter-descriptor.yml#L83

If cli_config_arg_name is not specified, the default flag seems to be -c which is interpreted by devskim as crawl-archives instead of the path to the configuration file. https://github.com/oxsecurity/megalinter/blob/v7.12.0/megalinter/Linter.py#L107
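The collision the report describes can be modelled with a few lines. The following is an added illustration, not MegaLinter's Linter.py: it assumes only what the issue states (a missing cli_config_arg_name falls back to -c, which devskim treats as an alias of --crawl-archives) and checks whether the resulting command line defines an option twice.

```python
"""Constructed model of descriptor -> devskim argv, mirroring the issue's description.

Not MegaLinter's own code. The only behaviour reproduced is: when a descriptor
has no cli_config_arg_name, the config file path is passed with "-c", and devskim
reads "-c" as an alias of "--crawl-archives".
"""

# Alias pair taken from the error text: "Option 'c, crawl-archives'".
DEVSKIM_ALIASES = {"-c": "crawl-archives", "--crawl-archives": "crawl-archives"}

DEFAULT_CONFIG_ARG = "-c"  # fallback the issue attributes to Linter.py


def build_command(descriptor: dict, config_file: str, user_args: list[str]) -> list[str]:
    """Assemble argv: linter name, config flag + path, then user-supplied arguments."""
    config_flag = descriptor.get("cli_config_arg_name", DEFAULT_CONFIG_ARG)
    return [descriptor["linter_name"], config_flag, config_file, *user_args]


def duplicate_options(argv: list[str]) -> set[str]:
    """Canonical option names that occur more than once (what devskim rejects)."""
    seen: dict[str, int] = {}
    for token in argv:
        if token in DEVSKIM_ALIASES:
            name = DEVSKIM_ALIASES[token]
        elif token.startswith("-"):
            name = token
        else:
            continue  # positional value such as the config path
        seen[name] = seen.get(name, 0) + 1
    return {name for name, count in seen.items() if count > 1}


if __name__ == "__main__":
    # Hypothetical descriptors: one without cli_config_arg_name, one with the fix.
    broken = {"linter_name": "devskim"}
    fixed = {"linter_name": "devskim", "cli_config_arg_name": "--options-json"}
    for name, desc in (("broken", broken), ("fixed", fixed)):
        argv = build_command(desc, ".devskim.json", ["--crawl-archives"])
        print(name, argv, "duplicates:", duplicate_options(argv) or "none")
```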

echoix commented 1 month ago

In that case, does defining the cli_config_arg_name solve the issue? If so, we'd love to have a PR for this!