chore(deps): update dependency semgrep to v1.142.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
semgrep	1.116.0 -> 1.142.0

---

Release Notes

returntocorp/semgrep (semgrep)

v1.142.0

Added

• Pro: improved taint handling of match expressions in Scala. In examples like

  val x = taint match {
      case Some(t) => t
      case None => return "example"
  }

  dataflow should now track taint from taint to x. (code-9085)
• pro: scala: http4s-specific support for case $M -> ... :? ... +& test +& ... => ... patterns. (code-9131)

Fixed

• Supply Chain subproject resolution table is now shown even when no subprojects were successfully resolved (SC-2492)
• UV lockfiles that include editable and local dependencies without versions are now parsed correctly. The unversioned dependencies will be ignored. (SC-2888)
• Failures in parsing UV lockfiles are now correctly reported as "Failed" rather than "Unsupported" (SC-2895)
• build.gradle.kts files now resolve correctly when --allow-local-builds is passed. (SC-2899)
• Rule parsing in 1.139.0 was switched to happen solely in semgrep-core. This caused some users to exit with code 7, so this change has been reverted. (saf-2265)

v1.141.1

Fixed

• Rule parsing in 1.139.0 was switched to happen solely in semgrep-core. This caused some users to exit with code 7, so this change has been reverted. (saf-2265)

v1.141.0

Compare Source

Added

• pro: scala: http4s-specific support for $M -> ... / $X / ... patterns (code-9114)

Fixed

• Improved detection of implicitly returned expressions.
  Functions in some languages, such as Ruby and Scala, can return a value without an explicit return statement.
  More expressions, such as string interpolation, are now correctly identified as implicitly returned. (code-9101)
• Scala: Parser now accepts an $MVAR as a pattern alias (@), so
  e.g. case $X @​ ... => ... is now a valid pattern. (code-9130)
• fixed an issue where CamlinternalLazy.Undefined would occur while using eio multicore (saf-1877)

v1.140.0

Compare Source

Added

• scala: Allow partial case patterns such as case 1 => ... to easily match
  individual case clauses within a match-expression. (code-9118)
• Added python 3.14 support. (gh-11250)
• MCP: Slash command setup_semgrep_mcp now supports Claude Code. (saf-2261)

Changed

• Semgrep's Docker image base has been bumped from Alpine Linux 3.21 to 3.22 (docker-version)

Fixed

• Java and Rust: Fixed parsing of float and double literals with type suffixes so they can be used in metavariable-comparison and pattern matching. Previously, Java literals like 0.5f or 1.0d, and Rust literals like 0.5f32 or 1.0f64 would fail to parse and could not be compared. (gh-7968)
• Display an error instead of a malformed success message
  when the show subcommand fails due to an invalid CLI token. (grow-630)
• new semgrep/semgrep images should now contain golang v1.24 instead of v1.23 (saf-2240)
• Fixed an issue where temporary files, containing rules to be validated,
  persisted after a semgrep scan. (saf-2257)
• MCP: Fixed tool calls failing for some models (e.g., GPT-5). (saf-2262)
• MCP: Fixed a bug where resource closure errors would occur when trying to use
  the MCP with the streamable-http tranport method. (saf-2264)

v1.139.0

Compare Source

Added

• --pro-intrafile scans will now add built-in taint propagators, like --pro does,
  hence producing extra findings. For example, in Java, list.add(taint) will now
  make list tainted even if the rule does not explicitly request that. Scan times
  should not be generally affected in a significant way. (code-9103)
• Scala: Enable pattern { ... } to match partial functions like { case 1 => "1" }. (code-9106)
• Associate Containerfiles with the dockerfile language (gh-11091)

Changed

• Rule parsing now happens solely in OCaml. This should have no change in the behavior of whether a rule successfully parses or not, but will change the parse errors emitted (#​4346, #​4269, #​4379) (gh-4379)
• MCP: Removed the config parameter from the semgrep_scan tools, to prevent
  agents from inserting unwanted config files to scan with. (saf-2258)

Fixed

• scala: Fixed matching of { case ... => ... } patterns. (code-9111)
• Fixed a bug preventing metavariable-comparisons with more than two subsequent "and" or "or" conditions from producing findings. For example, the condition $X > 1 or $Y > 1 or $Z > 1 would previously always evaluate to false. Now, it will behave as expected. (gh-11209)
• MCP: Fixed an issue where the semgrep_scan tool, when invoking the RPC-based
  scanning approach, would return JSON output not consistent with the CLI tool. (saf-2250)
• MCP: The semgrep_findings tool now gives a suitable error message when erring due
  to insufficient permissions on standard semgrep login tokens. (saf-2254)
• MCP: Fixed a bug where if the user is already logged in when running the setup flow,
  the Semgrep Pro Engine installation step would be ignored. (saf-2259)

v1.138.0

Added

• pro: scala: Method dispatching through traits (code-9092)

Changed

• Pro: additionally improved prefiltering for taint rules, especially when using
  taint labels. This allows for the generation of more specific conditions than
  the previously released version (v1.133.0). (code-9097)

Fixed

• pro: python: Fix resolution of implicit namespace modules (code-9008)
• We now filter SEMGREP_APP_TOKEN from any request made to non semgrep URLs
  passed to -f/-c/--config during config/rules fetching. (gh-11016)
• Typescript: Made it so that the pattern var $X = $FUNC($REQ, $RES, ...) {...}
  no longer fails to parse. (saf-2159)
• pro: improved performance of tsconfig.json matching for Typescript projects
  that contain multiple tsconfig.jsons. (saf-2163)
• Semgrep no longer fails to validate a config when a rule lang is capitalized (Introduced 1.137.0) (saf-2247)

v1.137.1

Fixed

• Semgrep no longer fails to validate a config when a rule lang is capitalized (Introduced 1.137.0) (saf-2247)

v1.137.0

Compare Source

Added

• pro: typescript: Improved name resolution for destructuring parameters. (code-9088)
• Added a new semgrep mcp subcommand, which runs the Semgrep MCP server, which previously
  used to live at https://github.com/semgrep/mcp. That repository will be deprecated
  as of this release, and future MCP contributions / issues should go into this repo. (saf-2239)

Changed

• Update semgrep-interfaces to only accept valid lanugage keys for editor (PR-4600)
• The minimum Python version for Semgrep is now 3.10. We are dropping support for Python 3.9.

Fixed

• Fix incorrect interpretation of \# and \ in glob patterns found in
  Semgrepignore and included Gitignore files. (fix-glob-escape)
• Removed pkg_resources is deprecated warning by bumping opentelemetry-*
  packages (gh-11069)
• Fixes an issue in Dart language processing to return better results (gh-11173)

v1.136.0

Compare Source

No significant changes.

v1.135.0

Compare Source

No significant changes.

v1.134.0

Compare Source

Added

• pro: First version of inter-file (whole-program) analysis for Scala. (code-9029)

v1.133.0

Added

• Pro: improved prefiltering for interfile rules. This allows the engine to skip
  interfile rules earlier in the process when we determine they cannot match in a
  given scan, which should improve performance. (code-8524)
• Semgrep will now display emotional support ascii art and a backtrace, with function names and sometimes files/line #s, when it segfaults, or receives other similar critical signals (pretty-segv)

Fixed

• Pro: Fixed a bug that prevented taint tracking through new in some cases. (code-9047)
• We now substitute metavariables for their values in a deterministic order to
  ensure keys for match-based IDs are stable. (gh-4459)
• Fixed incorrect YAML parsing of strings like nan as well as some more
  obscure cases that were interpreted as a float instead of a string. This
  might affect any area of Semgrep that deals with YAML files containing
  the string nan. (yaml-float-parsing)

v1.132.1

No significant changes.

v1.132.0

Compare Source

Added

• PHP: When enabling option taint_assume_safe_booleans the return values of
  boolval, is_bool, and || will be considered safe.
  When enabling taint_assume_safe_numbers the return values of intval,
  floatval, +, -, *, / and % will also be considered safe. (php)
• When performing secrets validation, the amount of time that the HTTP request
  took to complete will now be visible in the debug logs. (#​2130)
• Introduces a timeout to internal HTTP requests, to prevent remote endpoints
  from indefinitely hanging the engine. (#​4295)

Changed

• Pro scans will no longer attempt to parse tsconfig files for non-typescript scans. (gh-4407)

Fixed

• Language server: Made it so that errors which occur no longer pop up in while using the
  IDE. They still log, but will no longer be displayed via UX. (saf-2193)
• When validating the results of a secrets scan, do not have more than 256
  outstanding validators executing at a given time. (#​2130)

v1.131.0

Compare Source

Fixed

• Semgrep diff scans can now query the app for which merge base to use. This fixes the issue where some diff scans on shallow clones would use the wrong merge base, and do a diff scan on commits not in a PR. (better-merge-base)
• Fix a possibility that an empty file be created in place of a missing input file. This bug had been introduced with Semgrep 1.115.0. (dont-create-missing-input-files)
• When processing a target with debug logging enabled, we now only log the target
  path rather than the entire internal structure representation. This allows for
  more succinct log files and no longer introduces mid-entry newlines, which can
  break log-parsing tooling. (gh-4315)
• Language server: Fixed a bug which broke the Sign in command (saf-2151)
• CiScanComplete.dependencies is now populated with parsed dependencies (sc-2468)
• Print error details when a SemgrepError exception is raised and causes semgrep to fail. (silent-semgrep-error)

v1.130.0

Fixed

• Fix the Python parser to correctly handle and parse valid structural dictionary patterns. (gh-11100)

v1.128.1

No significant changes.

v1.128.0

Added

• HTTP{,S}_PROXY=... now accepts URIs without a scheme (e.g HTTP_PROXY=domain.com:port) (saf-2082)

Fixed

• Java: Deprecated class $A partial class pattern, in favor of

  class $A { ... }
  ``` (safe-2104)
  

1.127.1 - 2025-06-25

Fixed

• Fixed an issue where Semgrep would segfault if --trace was passed and the
  number of jobs was greater than 1

1.127.0 - 2025-06-24

Fixed

• pro: typescript: Prevent stack overflows and out-of-memory issues when reading
  TS configs. (code-8678)

1.126.0 - 2025-06-18

Fixed

• Missing version constraints in yarn.lock descriptors no longer raise parsing errors (sc-2293)

1.125.0 - 2025-06-11

Added

• Dependency resolution errors that result from local builds are now reported in the scan log by default. (SC-2442)
• Adds reporting of SSC subproject dependency resolution to the output when using --json. (SC-2458)
• Semgrep's JSON output now will always include some basic profiling data (WIP). (code-8529)
• C# Dependency Parsing can now handle dependencies with "Project" & "CentralTransitive" transitivities. (sc-2376)

Fixed

• Fixed an issue present since v1.117.0 that led .semgrepignore excludes to be applied to Secrets product scans. Now, Semgrep will once again scan files that have been excluded from Code and SSC scans for possible leaked secrets. (SAF-2067)
• Added support for npm aliasing in package-lock.json, fixing a bug where packages would rarely be misidentified. (SC-2387)
• Fixed scenario where case statements with ellipsis did not match patterns correctly. (gh-10086)
• Nosemgrep ignore comments no longer require exactly one space before, allowing for more commenting styles. (gh-11041)
• Fixed bug where Javascript autofix breaks syntax for if statements by consuming parentheses. (gh-9522)
• Fix: the Semgrep findings returned by the Semgrep language server (LSP)
  are now sorted correctly based on their location within files.
  This benefits all the Semgrep IDE extensions (VSCode, IntelliJ). (ide-findings-order)
• fixed an issue where semgrep ci logs in GitLab would return an incorrect URL
  with the wrong &ref=... argument. (saf-959)

1.124.1 - 2025-06-10

Fixed

• Fixed an issue present since v1.117.0 that led .semgrepignore excludes to be applied to Secrets product scans. Now, Semgrep will once again scan files that have been excluded from Code and SSC scans for possible leaked secrets. (SAF-2067)

1.124.0 - 2025-06-04

Added

• Parallelizes rule validation to improve performance when scanning with many rule files. (SAF-2061)
• Semgrep should now respect ALL_PROXY, HTTP_PROXY, HTTPS_PROXY,
  NO_PROXY, PROXY_USERNAME and PROXY_PASSWORD for all networking (including
  that done via the OCaml components). Moreover, the environment variable
  OCAML_EXTRA_CA_CERTS should now allow additional CA certs to be used for
  network operations done by OCaml components. (code-8157)

Fixed

• Stop attempting to parse build.gradle.kts files as build.gradle. (SC-2209)
• Taint rules using the experimental feature labels, and specifying sinks
  with a requires: of the form not A, could produce findings with an empty
  list of traces, potentially causing a crash. We now recognize the issue and
  prevent the crash from happening. (code-8531)
• Fixed inconsistency where the empty Python fstring f"" was not matched by the pattern "...". (gh-10047)
• Fixed bug where dev depenencies (and their dependencies, and so on) were incorrectly marked as "transitivity: unknown" when parsing package-lock.json projects, specifically v3 lockfiles. (gh-4003)
• Fixed scenario where a multiplication expression of ints was not considered an int. This will help with metavariable-type. Concretely, "2 * groups" was not considered an int, where groups is an int. Additionally adds type inference for mod, floor division, and pow. (gh-9855)
• pro: python: Fixed a regression that could (in rare cases) cause naming to take a
  disproportionate amount of time significantly slowing down scans. (saf-1978)

1.123.0 - 2025-05-28

Fixed

• Fixed bug where supply chain reachability rules which match multiple dependencies could produce reachable findings on transitive dependencies even when the actually used direct dependency was not vulnerable. (SC-2088)
• Fixed documentation to reflect that, for --metrics="auto", pseudoanonymous metrics are sent when the user is logged in. (gh-11028)

1.122.0 - 2025-05-14

Added

• Adds support for the UV package manager in Supply Chain scans. (SC-1900)

Fixed

• pro: Fixed inter-file naming bug affecting Go's struct-methods that could result
  in false negatives.

  Previously, adding a pattern-inside like

  func ($THING $TYPE) $FUNC(...) $R { ... }
  

  to a taint rule could cause some findings to incorrectly stop being reported. (code-7767)

• PRO: Fixed the issue with type matching when a type has a type parameter, e.g., matching the pattern std::vector<$T> with the code std::vector<int> v in C++. (code-8443)

• Make Nuget dependency child parsing case insensitive (sc-2355)

• Fixed bug where direct dev depenencies were not marked as direct when parsing package-lock.json projects. (sc-dev)

1.121.0 - 2025-05-06

Added

• pro: Improved handling of tsconfig.json in instances where multiple
  typescript "projects" (i.e., separately rooted source directories with their
  own configurations not joined by a single tsconfig.json with project
  references) are being scanned as one project under semgrep. This should result
  in better name/module resolution in TypeScript. (code-7798)
• pro: Improved handling of include, exclude and files properties in
  tsconfig.json. Projects which use more than one tsconfig in a given directory
  which apply to different sets of files under that directory should see
  improvements in name/module resolution. (code-7798-a)
• Improved Supply Chain scan output and logging. (sc-2356)

Changed

• Upgrade the Julia parser to the tree-sitter-julia 0.22.0 (gh-10820)

Fixed

• Fixed CI output so it shows per-product links depending on what product is enabled in a scan. (pr-3776)
• CLI: Fixed a bug where --disable-nosem was not properly causing nosemgrep'd findings
  to be uploaded to the App. (saf-1982)
• Exempt large manifests & lockfiles from being ignored by semgrep's file size filtering.
  This fixes a regression introduced in 1.117.0 (sca-1705). (sc-1705)

1.120.1 - 2025-04-25

Fixed

• Fix bug introduced in Semgrep 1.120.0 causing interfile analyses to run out of memory due to too many parallel jobs. The default setting had been accidentally set to the number of available CPUs which is often too much in interfile mode. It's now back to -j1 and it can be overridden by the user. (interfile-num-jobs)

1.120.0 - 2025-04-22

Added

• Added a few new entries in the .semgrepignore default file
  (e.g., _cargo, _opam, .svn) (semgrepignore)
• Add an experimental option --x-semgrepignore-filename to change the name of .semgrepignore files to something else. This can be used to scan a subproject in a separate semgrep invocation as the rest of the containing project. (semgrepignore-filename)

Fixed

• Fixed bug in pro package-lock.json parsing where dependencies with no specified version would cause an exception (SC-2150)
• Fixed the default -j setting so as to take into account the cgroup
  CPU quota on Linux. This will affect Docker and other containerized
  environments that share resources on the same host. Use the new command
  semgrep show resources --experimental to show the default setting. (saf-1950)

1.119.0 - 2025-04-16

Added

• python: Semgrep will now perform dataflow analysis within and through comprehensions. (saf-1560)
• A new subcommand semgrep show project-root is now provided to display
  the project root path associated with a scan root. This is useful for
  troubleshooting Semgrepignore (v2) issues. (saf-1936)

Fixed

• tainting: Apply taint_assume_safe_numbers and taint_assume_safe_booleans
  earlier when considering to track taint through class fields and function
  parameters. If the field/parameter has a number/Boolean type and the
  corresponding option is set, it will just not be tracked. In some cases this
  can help with performance.

  Also added short/Short to the list of integer types recognized by
  taint_assume_safe_numbers. (code-8345)

• IDE: The Semgrep VS Code Extension will no longer hang on Getting code actions from Semgrep...
  on saving a file, when updating rules. (saf-1954)

1.118.0 - 2025-04-09

Fixed

• Pro: Failure to parse a package.json file when analysing JavaScript or
  TypeScript is no longer a fatal error. (code-8227)

• taint-mode: Fixed bug in taint "auto-cleaning" where we automatically clean the
  LHS of an assigmnet if the RHS is clean, provided that the LHS is not subject to
  any "side-effects". In some cases, this could cause the taint analysis to timeout.
  Some combinations of rules and repos will see a major perf improvement, in other
  cases it may not be noticeable. (code-8288)

• In a Semgrep rule's metadata section, two fields may provide URLs:

  • source: populated dynamically by the Semgrep registry serving the rule, it's a URL that
    offers information about the rule.
  • source-rule-url: optional string, a URL for the source of inspiration for the rule.

  The SARIF format supports only one URL under the field helpUri.
  Previously, Semgrep populated the SARIF helpUri field only with metadata.source.
  This fix is to use metadata.source if available, otherwise falling back to metadata.source-rule-url.

  Contributed by @​candrews. (gh-10891)

1.117.0 - 2025-04-02

Added

• Add temporary backward compatibility in Semgrepignore v2 for patterns
  that start with ./. For example, the pattern ./*.py should be written as
  /*.py to have the desired effect of excluding the .py files
  located in the same directory as the .semgrepignore file containing
  the pattern.
  To minimize surprises for users switching to Semgrepignore v2,
  we'll be interpreting automatically ./*.py as /*.py for the time
  being so as to match the legacy Semgrepignore v1 behavior. Users should not
  rely on this since it doesn't comply with the Gitignore/Semgrepignore
  standard and will be removed in the future. (tolerate-semgrepignore-v1-dotslash)
• Target file selection now uses
  Semgrepignore v2 by default. This brings the behavior of the Semgrepignore file
  exclusions closer to Git and .gitignore files. There can now
  be multiple .semgrepignore files in the project. The .semgrepignore file
  in the current folder is no longer consulted unless it in the project.
  Negated patterns are now supported such as !scanme.py as with Gitignore.
  Some bugs were fixed. (use-semgrepignore-v2)

Changed

• Upgrade Semgrep from OCaml 5.2.1 to 5.3.0 (#​3)

Fixed

• In Semgrepignore v2, allow wildcards * and ? to match file names with a leading period. This matches the behavior of Gitignore and Semgrepignore v1. (semgrepignore-dotfiles)

1.116.0 - 2025-03-28

Fixed

• Use value of $XDG_CACHE_HOME before hardcoded ~/.cache for semgrep_version file (gh-4465)

1.115.0 - 2025-03-26

Added

• pro: Extended the requires: key for taint sinks to specify multiple conditions
  associated with different metavariables.

  For example:

  pattern-sinks:
  - patterns:
    - pattern: $OBJ.foo($SINK, $ARG1)
    - focus-metavariable: $SINK
    requires:
    - $SINK: TAINT
    - $OBJ: OBJ
    - $ARG1: ARG1
  

  With a regular requires: the condition can only apply to whatever the sink is
  matching, in this case, $SINK. With a "multi-requires" we are able to restrict
  $SINK, $OBJ and $ARG1 independently, each one having its own condition.

  Note that requires: is part of the experimental taint labels feature. (code-7912)

• In the text output of semgrep scan and semgrep ci, a warning message
  announcing the upcoming Semgrepignore v2 is now displayed. Differences in
  target selection are shown. (semgrepignore-v2-warning)

1.114.0 - 2025-03-19

Fixed

• Pro Engine now more accurately tracks the scope of Python local variables. For
  example, the following code defines two z variables that should be tracked
  separately.

  z = 1
  
  def foo():
      z = 2
      a = z
  

  The Pro engine now correctly recognizes that the z assigned to a is the one
  defined in the local scope, not the global scope. (code-8114)

1.113.0 - 2025-03-17

Fixed

• Semgrep will no longer fail a diff scan if there is a relative safe directory (saf-1851)

1.112.0 - 2025-03-13

Added

• TypeScript parser now allows ellipses in class bodies. For example, you can
  write the pattern like:

  class $C {
    ...
    $FUNC() { ... }
    ...
  }
  ``` (code-8242)
  

• Semgrep will now present more detailed info when a scan is complete, such as what percent of lines were scanned. It is also formatted in a new manner (saf-details)
• Verbose output will now print additional info about parsing and internal semgrep errors, such as what % of lines were skipped, and the lines they occured on (saf-verbose)

Fixed

• pro: Fixed bug in (experimental) "at-exit" sinks feature that would prevent
  the identification of a statement like return foo() as one such sink. (code-8199)
• FIX: --gitlab-secrets output has been updated to conform to GitLab JSON schema (scrt-849)
• The behavior of --semgrepignore-v2 changed to be closer to the legacy
  Semgrepignore v1. .gitignore files are no longer loaded automatically
  as part of the Semgrepignore v2 exclusion mechanism.
  Loading a .gitignore file must be done
  by placing :include .gitignore in the .semgrepignore file
  as was the case with Semgrepignore v1. (semgrepignore-v1-compat)

1.111.0 - 2025-03-04

Changed

• Removed .semgrepignore file lookup using the SEMGREP_R2C_INTERNAL_EXPLICIT_SEMGREPIGNORE environment variable. This was used by semgrep-action which
  has been deprecated. (semgrep-action)

Fixed

• pro: Fixed bug that could prevent taint tracking from following a virtual call
  in JS/TS. (code-8065)
• PRO: Restricted heuristic search of the Python module path to paths only under
  the project root to reduce inaccuracies in module resolution. This change
  mitigates the risk of resolving module specifiers to incorrect paths,
  particularly in cases involving common library names (e.g., django). (code-8146)
• Fix the incorrect schema and analysis type in the JSON output of the secret
  findings when using the --gitlab-secrets flag. (scrt-833)

1.110.0 - 2025-02-26

Added

• pro: Inter-file analysis will now process Javascript and Typescript files
  together, so that taint can be tracked across both languages. (code-8076)

• Pro: new metavariable-name operator which allows for expressing a constraint
  against the fully qualified name or nearest equivalent of a metavariable
  (useful mainly in JavaScript and TypeScript, where there is no first-class
  syntax for this, or where such names or pseudo-names containt symbols which
  cannot appear in identifiers). Requires pro naming passes and works best with
  interfile naming.

  Additional documentation forthcoming. (code-8121)

Changed

• Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our PyPI and Homebrew distributions. Our Docker images have been built with OCaml 5.2.1 since Semgrep 1.107.0. (ocaml5)

Fixed

• Fixed a regression in pro interfile mode where type inference for the var
  keyword in Java was not functioning correctly. (code-7991)

• PRO: Fix the range not found error when using a metavariable pattern match on
  a typed metavariable. For example, the following metavariable pattern rule will
  no longer trigger the error:

  patterns:
    - pattern: ($FOO $VAR).bar()
    - metavariable-pattern:
        metavariable: $FOO
        pattern-either:
          - pattern: org.foo.Foo
  ``` (code-8007)
  

• lsp will no longer send diagnostics where the message is MarkupContent since
  our current implementation does not discriminate on the client capability for
  recieiving such diagnostics (to-be-added in 3.18). (code-8120)

• Yarn.lock parser now correctly denotes NPM organization scope. (sc-2107)

• Packages in Package.resolved without a version are now ignored. (sc-2116)

• Updated Package.swift parser to support:

  • The url value in a .package entry doesn't have to end with .git
  • You can have an exact field that looks like exact: "1.0.0" instead of .exact("1.0.0")
  • The exact version can be an object like Version(1,2,3) instead of a string
  • You can have .package values with no url, like this: .package(name: "package", path: "foo/bar") (sc-2117)

1.109.0 - 2025-02-19

Changed

• Pyproject.toml files are now parsed using a toml parser (tomli). (sc-2054)

Fixed

• pro: taint-mode: Fixed limitation in custom taint propagators.
  See https://semgrep.dev/playground/s/ReJQO (code-7967)
• taint-mode: Disable symbolic-propagation when matching taint propagators
  to prevent unintended interactions. See https://semgrep.dev/playground/s/7KE0k. (code-8054)
• Fixed pattern match deduplication to avoid an O(n^2) worst-case complexity, and
  optimized the matching of ordered ..., PAT, ... patterns. (saf-682)

1.108.0 - 2025-02-12

Added

• pro: Semgrep can now dynamically resolve dependencies for Python projects using pip, allowing it to determine transitive dependencies automatically. (sc-2069)

Changed

• Bump base Alpine docker image from 3.19 to 3.21. (alpine-version)
• The semgrep-appsec-platform specific metadata fields "semgrep.dev:" and
  "semgrep.policy:" are now filtered from the JSON output unless you
  are logged in with the Semgrep appsec platform.
  See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json for more information. (metadata-filter)
• The Semgrep Docker image now uses Python 3.12 (bumped from 3.11). (python-version)

Fixed

• This PR changes the way we handle failures in git worktree remove more gracefully.
  Instead of erroring, we continue to scan so that the user can still get results, but
  log the error. It also adds a guard so that this failure is less likely to happen
  and will include more debugging information when it does. (sms-521)

1.107.0 - 2025-02-04

Added

• More testing of pnpm-lock.yaml dependency parsing. (gh-2999)
• Added a progress indicator during dependency resolution for supply chain scans. (sc-2045)

Fixed

• The pro engine now respects the correct order of field resolution in Scala's
  multiple inheritance. The type that appears later takes precedence when
  resolving fields. For example, in class A extends B with C with D, the order
  of precedence is D, C, B, and A. (code-7891)
• pro: taint: Fixed bug in callback support, see https://semgrep.dev/playground/s/oqobX (code-7976)
• pro: python: Fixed resolution of calls to the implementation of abstract methods.
  See https://semgrep.dev/playground/s/X5kZ4. (code-7987)
• Fixed the semgrep ci --help to not include experimental options
  like --semgrep-branch (saf-1746)
• Peer dependency relationships in package-lock.json files are tracked when parsing a dependency graph (sc-2032)
• Peer dependency relationships in pnpm-lock.yaml files are tracked when parsing a dependency graph (sc-2033)

Infra/Release Changes

• Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our Docker images (ocaml5-docker)

1.106.0 - 2025-01-29

No significant changes.

1.105.0 - 2025-01-29

Added

• Semgrep can dynamically resolve dependencies for C# Solutions denoted by *.csproj (sc-2015)

Changed

• Added extra defensive try/catch around lockfile parsing (parsing)

Fixed

• LSP shortlinks in diagnostics should no longer drop anchors or query parameters
  in URIs. (gh-10687)
• Some bug fixes to pnpm lockfile parsing. (gh-2955)
• Fix npm aliasing bug in yarn parser. (sc-2052)
• Fixed bug where supply chain diff scans of package-lock.json v2 projects incorrectly produced non-new findings (sc-2060)

1.104.0 - 2025-01-22

Changed

• Supply chain diff scans now skip resolving dependencies for subprojects without changes. (SC-2026)

Fixed

• pro: Fixed bug in inter-file matching of subtypes. When looking to match some
  type A, Semgrep will match any type B that is a subtype of A, but in certain
  situations this did not work. (code-7963)

• taint-mode: Make traces record assignments that transfer taint via shapes.

  For example, in code like:

  B b = new B(taint);
  B b1 = b;
  sink(b1.getTaintedData());
  

  The assignment b1 = b should be recorded in the trace but previously it was not. (code-7966)

• Python: Parser updated to the most recent tree-sitter grammar.
  Parse rate from 99.8% -> 99.998%. (saf-1810)

1.103.0 - 2025-01-15

Added

• pro: taint: Support for lambdas as callbacks.

  var tainted = source();
  
  function withCallback1(val, callback) {
      if (val) {
          callback(val);
      }
  }
  
  withCallback1(tainted, function (val) {
      sink(val); // finding !
  }); (code-7626)
  

• pro: python: Semgrep will now consider top-level lambdas like x below for
  inter-procedural analysis:

  x = lambda s: sink(s) # now we get a finding !
  
  x(taint) (gh-10731)
  

Changed

• Removed pip from the Semgrep Docker image. If you need it, you may install it by running apk add py3-pip. (saf-1774)

Fixed

• Python: Now correctly parsing files with parenthesized withs, like this:

  with (
    f() as a,
    g() as b,
  ):
    pass
  ``` (saf-1802)
  

• Semgrep will now truncate error messages that are produced when they are very long (saf-333)

1.102.0 - 2025-01-08

Added

• Added pro-only support for parsing a dependency graph from package-lock.json v1 files (SC-1858)
• Added pro-only support for parsing a dependency graph from package-lock.json v2 and v3 files (SC-1991)
• The poetry.lock parser can now parse dependency relationships (ssc-1970)
• The Yarn.lock V1 and V2 parsers can parse dependency relationships. (ssc-1988)

Fixed

• The semgrep test and semgrep validate commands have been
  correctly documented as EXPERIMENTAL (in semgrep --help).
  Those commands are not GA yet and people should still
  use the semgrep scan --test and semgrep scan --validate (or
  the variants without the implicit "scan") commands (unless
  they want to experiment with getting results faster and are ok
  with incomplete coverage of the legacy semgrep --test
  and semgrep --validate). (experimental)
• Improve error handling for functionality ancillary to a scan (such as looking for nosemgrep comments and rendering autofixes) to reduce the likelihood of an unexpected error in such a component bringing down the entire scan. (saf-1737)
• Fix the behavior of semgrep when running into broken symlinks.
  If such a path is passed explicitly as a scanning root on the
  command line, it results in an error. Otherwise if it's a file discovered
  while scanning the file system, it's a warning. (saf-1776)
• Fixed another crash due to exception in lines_of_file. The code
  should now be more robust and not abort the whole scan when
  an out of bound line access happens during the nosemgrep analysis
  or when outputing the lines of a match. (saf-1778)
• Direct dev dependencies in yarn/npm lockfiles are now correctly marked as direct (sc-1996)

1.101.0 - 2024-12-18

Added

• Improved pnpm-lock.yaml parsing. (gh-2663)

Changed

• Re-ordered some terminal output of semgrep ci to allow semgrep-app to block scans based on specific findings (SECW-2740)
• A few fields in the JSON output (e.g., "fingerprint", "metavars") require now
  the user to be logged in to see them.
  See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json
  for more information. (json)
• We're renaming semgrep OSS to Semgrep Community Edition.
  See https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/
  for more information. (rename)
• A few fields in the SARIF output (e.g., "fingerprints") require now
  the user to be logged in to see them.
  See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif
  for more information. (sarif)

Fixed

• pro: Improved inter-file tracking of tainted global variables. (code-7054)

• Python (pro-only): Taint now correctly tracks through calls to class methods
  within a class, via the cls parameter.

  So for instance, we would be able to determine a source-to-sink
  vulnerability in the following code snippet:

  class A:
    def foo(self, x):
      sink(x)
  
    @​classmethod
    def bar(cls):
      cls.foo(source)
  ``` (saf-1765)
  

• pro: Fixed bug when generating inter-procedural taint traces, that it could
  cause a call-step to be missing in the trace. (saf-1783)

• Restored the "rules" field in the SARIF output, even when logged out. (saf-1794)

1.100.0 - 2024-12-12

Added

• Pro engine now correctly distinguishes overloaded Scala methods based on their
  arity and parameter types, e.g., foo(x: Int, y: String) vs. foo(x: String, y: Int). (code-7870)

Changed

• The minimum Python version for semgrep is now 3.9.
  We are dropping support for Python 3.8 (python)

Fixed

• pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused
  false negatives when a function updated an arbitrary index, e.g.:

  var x = {};
  
  function foo(k) {
      x[k] = source();
  }
  
  function test(k) {
      foo(k);
      sink(x); // finding here!
  } (CODE-7838)
  

• Fixed bug affecting taint tracking through static fields when mixing accesses
  using the class name and using an instance object, e.g.:

  class C {
      static String s;
  }
  
  ...
  
          C o = new C();
          C.s = taint;
          sink(o.s); // finding ! (CODE-7871)
  

• No more RPC error when using --sarif with some join-mode rules.
  Moreover, regular rules without the 'languages:' field will be skipped
  instead of aborting the whole scan. (gh-10723)

1.99.0 - 2024-12-05

Fixed

• Fix the date format used in --gitlab-sast option to match
  the spec and not use the RFC 3339.
  Thanks to Elias Haeussler for the fix. (saf-1755)

1.98.0 - 2024-12-04

Added

• taint-mode: Semgrep will now track invididual fields/keys in record/dict
  expressions.

  For example, in Semgrep Pro:

  def foo():
      return { 0: "safe", 1: taint }
  
  def test():
      t = foo()
      sink(t[0]) # safe thus NO finding
      sink(t[1]) # finding (code-7781)
  

• The TypeScript parser now supports ellipses in function parameters. For
  example, the following code is TypeScript (as opposed to pure JavaScript)
  because it uses decorators on function parameters:

  foo(x, @​Bar() y, z): string { return ''; }
  

  You can match this method using the following pattern:

  function $FN(..., @​Bar(...) $X, ...) { ... }
  ``` (code-7800)
  

• [Pro only] Patterns such as new $T(...) will now match C# target-typed new expressions such as new (). (csharp-new)

• Symbolic propagation will now propagate record expressions. (flow-86)

• Adds support for SwiftPM Package.resolved version 3 to Supply Chain (sc-1964)

Changed

• Optimize matching performance of dot access ellipsis (x. ... .foo) on very long strings of dot accesses in source files. (match-perf)
• Renames the flag to enable experimental lockfileless scanning from --allow-dynamic-dependency-resolution to --allow-local-builds to reflect the security risk that enabling the feature introduces. Also removes the opt-out flag, since we do not plan to make the feature enabled by default. (sc-2006)

Fixed

• taint-mode: Fixed what is considered a sink when a sink formula matches a
  lambda expression: it is the lambda itself that is the sink, not the
  individual statements in the lambda.

  Example:

  function test() {
    // no longer generates finding
    // note that `log(taint)` is *not* a sink
    sink(() => { log(taint); return "ok" });
  } (code-7758)
  

• taint-mode: Semgrep will no longer report an unexpected finding in cases like:

  var x = [taint];
  x = ["ok"];
  sink(x); // no finding, x is ok
  

  Variable x will be correctly cleaned after x = ["ok"]. (flow-87)

• Removed the experimental --use-osemgrep-sarif flag. (saf-1703)

• A single carriage return (CR) is not recognized anymore as a
  newline. This avoids out of bound error when reporting findings
  on old windows files using this old format. (saf-1743)

1.97.0 - 2024-11-19

Added

• Improved logic for interfile analysis in TypeScript projects using
  project references. (code-7677)
• Semgrep Pro engine now resolves method invocations on abstract classes. In
  addition to the existing resolution for interface method invocations, this
  change further enhances dataflow tracking accuracy for dynamic method
  invocations. (code-7750)
• Added the ability to validate temporary AWS tokens in the secrets product. (gh-2554)
• Poetry.lock & Pyproject.toml parsers can now handle multiline strings. (ssc-1942)

Fixed

• Improved error handling for some networking errors (e.g., premature server
  disconnection). In some cases this would previously cause a fatal error, but we
  should instead be able to recover in most instances (and now can). (code-7715)
• Target file selection in git projects: files containing special characters
  (according to git) are now scanned correctly instead of being ignored. (saf-1687)
• Swift: Ellipses and metavariable ellipses can now be used as function parameters in patterns. (saf-1721)
• Semgrep will no longer freeze when tracing is enabled and it has a low memory limit (saf-1722)
• osemgrep-pro: Autofix and nosemgrep now work properly (saf-1724)

1.96.0 - 2024-11-07

Added

• The pro engine now handles duplicate function names in C. When duplicate
  functions are found, we assume that any of the duplicated functions could be
  called. For example, if the function foo is defined in two different files,
  taint errors will be reported for both instances:

  // "a/test.h"
  void foo(int x) {
      //deepruleid: dup-symbols
      sink(x);
  }
  
  // "b/test.h"
  void foo(int x) {
      //deepruleid: dup-symbols
      sink(x);
  }
  
  // "main.c"
  #ifdef HEADER_A
      #include "a/test.h"
  #else
      #include "b/test.h"
  #endif
  
  int main() {
      int x = source();
      foo(x);
  }
  ``` (code-7654)
  

Changed

• Reduced memory allocations while processing nosemgrep comments, improving memory use and time for scans with a large number of findings. (nosem-mem)

Fixed

• Optimized taint-mode (only in Pro) to scale better when there is a large number
  of matches of sources/propagators/sanitizers/sinks within a function. (flow-83)
• Fixed a bug in the supply chain scanner's gradle lockfile parser. Previously, semgrep would fail to parse
  any gradle lockfile which did not start with a specific block comment. Now, semgrep will parse gradle
  lockfiles correctly by ignoring the comment (allowing any or no comment at all to exist). (gh-10508)
• Exceptions thrown during the processing of a target should not fail
  the whole scan anymore (regression introduced in 1.94.0). The scan will
  have an exit code of 0 instead of 2 (unless the user passed --strict in which
  case it will exit with code 2). (incid-110)
• Fix exponential parsing time with generic mode on input containing many
  unclosed braces on the same line. (saf-1667)
• Fix regexp parsing error occurring during ReDoS analysis when encountering
  a character class starting with [: such as [:a-z]. (saf-1693)
• Fix in semgrep scan: anchored semgrepignore patterns for folders such
  as /tests are now honored properly. Such patterns had previously no
  effect of target file filtering. (semgrepignore-anchored-dirs)

1.95.0 - 2024-10-31

Changed

• Remove deprecated --enable-experimental-requirements flag. Functionality has
  been always enabled since Semgrep 1.93.0. (ssc-1903)

Fixed

• osemgrep: Running osemgrep with the Pro Engine now correctly runs rules with proprietary languages (saf-1686)
• Fixed bug where semgrep would crash if --trace was passed (saf-tracing)

1.94.0 - 2024-10-30

Fixed

• pro: taint-mode: Semgrep should no longer confuse a return in a lambda with
  a return in its enclosing function.

  E.g. In the example below the return value of foo is NOT tainted:

  function foo() {
      bar(() => taint);
      return ok;
  } (code-7657)
  

• OCaml: matching will now recognized "local open" so that a pattern like
  Foo.bar ... will now correctly match code such as let open Foo in bar 1
  or Foo.(bar 1) in addition to the classic Foo.bar 1. (local_open)

• Project files lacking sufficient read permissions are now skipped gracefully
  by semgrep. (saf-1598)

• Semgrep will now print stderr and additional debugging info when semgrep-core
  exits with a fatal error code but still returns a json repsonse (finishes
  scanning) (saf-1672)

• semgrep ci should parse correctly git logs to compute the set of contributors
  even if some authors have special characters in their names. (saf-1681)

1.93.0 - 2024-10-23

Added

• Improved naming for Common JS module imports (require) in arbitrary
  expression contexts. Notably, in-line use of require should now be linked to
  the correct module. For instance, the pattern foo.bar should now match
  against require('foo').bar and taint is likewise similarily tracked. (code-7485)
• Secrets: semgrep ci output now includes a list of all secrets rules which
  generated at least one blocking finding (similar to Code) (code-7663)
• Added experimental support via --allow-dynamic-dependency-resolution for dynamic resolution of Maven and Gradle dependencies for projects that do not have lockfiles (in Semgrep Pro only). (gh-2389)
• Expanded support for pip requirement lockfiles is now available by default. Semgrep will now
  find any requirement.txt file and lockfiles in a requirements folder (**/requirements/*.txt).
  The existing experimental flag --enable-experimental-requirements is now deprecated and
  will be removed in a future release. (gh-2441)

Changed

• Removed support for Vue. The tree-sitter grammar has not been updated in 3 years,
  there was no community rules added and semgrep-vue is causing linking conflicts
  when compiling semgrep under Windows so just simpler to remove support for Vue.
  In theory, extract mode could be a good substitute to parse Vue files. (vue)

Fixed

• semgrep will now print exit codes if a segfault/OOM/other terminating signal happens in semgrep-core, or any of semgrep-core's child processes (saf-1646)

1.92.0 - 2024-10-17

Added

• Pro: taint-mode: Semgrep has now basic support to track taint through callbacks,
  when they lead to a sink, e.g.:

  function unsafe_callback(x) {
    sink(x); // finding here now !
  }
  
  function withCallback(val, callback) {
    callback(val);
  }
  
  withCallback(taint, unsafe_callback); (code-7476)
  

• New subcommand dump-cst for tree-sitter languages available via semgrep show. This shows the concrete syntax tree for a given file. (code-7653)

• Pro only: Updated C# parser supporting all versions of the language up to 13.0 (.NET 9) (saf-1610)

• Added support for the Move-on-sui language! (sui)

• Pro-only: semgrep test now supports the --pro flag to not only use pro languages
  but also run the tests with the --pro-intrafile engine flag. If a finding
  is detected only by the pro engine, please use proruleid: instead of ruleid:
  and if an OSS finding is actually a false positive for the pro engine, please
  add the prook: to your test annotation. (test_pro)

Fixed

• pro: dataflow: Fixed a bug that could cause a class constructor to not be analyzed
  in the correct dependency order, potentially leading to FNs. (code-7649)

• Display an ✘ instead of a ✔ in the scan status print out when scanning with Semgrep OSS code
  is not enabled. (grow-422)

• semgrep will no longer randomly segfault when --trace is on with -j > 2 (saf-1590)

• Previously, semgrep fails when --trace-endpoint is specified, but --trace is not.

  Now, we relax this requirement a bit. In this case, we disable tracing, print out a warning, and continue to scan. (sms-550)

1.91.0 - 2024-10-10

Added

• Type inference in the Pro engine has been improved for class fields in
  TypeScript that are assigned a new instance but lack an explicit type
  definition. When no explicit type is provided for a class field, its type is
  inferred from the type of the expression assigned to it. For example, in the
  class definition class Foo { private readonly bar = new Bar(); }, the type of
  bar is inferred to be Bar. (code-7635)
• Cargo.lock parser can now associate dependencies with lockfile line numbers (sc-1140)

Fixed

• Address python rich.errors.LiveError where attempting to display multiple progress bars
  raises an exception as flagged in #​10562. (grow-414)
• C: Fix a regression causing pattern -n to sometimes not match code -n. (saf-1592)
• When a scan runs into an exception, the app is appropriately notified
  about the failure. Previously, in the app, it would seem to the user
  that the scan is still in progress. (sms-502)

1.90.0 - 2024-09-25

Added

• Expanded support for requirement

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

⚠️ PYTHON / bandit - 69 errors

Run started:2025-11-05 13:40:43.675974

Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: ./.automation/build.py:11:0
10	import shutil
11	import subprocess
12	import sys

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: ''
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b105_hardcoded_password_string.html
   Location: ./.automation/build.py:3050:35
3049	                api_github_headers = {"content-type": "application/json"}
3050	                use_github_token = ""
3051	                if "GITHUB_TOKEN" in os.environ:

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: ' (with GITHUB_TOKEN)'
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b105_hardcoded_password_string.html
   Location: ./.automation/build.py:3054:39
3053	                    api_github_headers["authorization"] = f"Bearer {github_token}"
3054	                    use_github_token = " (with GITHUB_TOKEN)"
3055	                logging.info(

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./.automation/build.py:3432:14
3431	        cwd=cwd,
3432	        shell=True,
3433	        executable=None if sys.platform == "win32" else which("bash"),
3434	    )
3435	    stdout = utils.clean_string(process.stdout)
3436	    logging.info(f"Format table results: ({process.returncode})\n" + stdout)
3437	
3438	
3439	def generate_json_schema_docs():
3440	    logging.info("Generating json schema html docs…")
3441	    if sys.platform == "win32":

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./.automation/build.py:3455:14
3454	        cwd=cwd,
3455	        shell=True,
3456	        executable=None if sys.platform == "win32" else which("bash"),
3457	    )
3458	    stdout = utils.clean_string(process.stdout)
3459	    logging.info(
3460	        f"Generate json schema docs results: ({process.returncode})\n" + stdout
3461	    )
3462	
3463	
3464	def generate_version():

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b607_start_process_with_partial_path.html
   Location: ./.automation/build.py:3468:14
3467	    cwd_to_use = os.getcwd() + "/mega-linter-runner"
3468	    process = subprocess.run(
3469	        [
3470	            "npm",
3471	            "version",
3472	            "--newversion",
3473	            RELEASE_TAG,
3474	            "-no-git-tag-version",
3475	            "--no-commit-hooks",
3476	        ],
3477	        stdout=subprocess.PIPE,
3478	        universal_newlines=True,
3479	        cwd=cwd_to_use,
3480	        shell=True,
3481	    )
3482	    print(process.stdout)

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./.automation/build.py:3480:14
3479	        cwd=cwd_to_use,
3480	        shell=True,
3481	    )
3482	    print(process.stdout)
3483	    print(process.stderr)
3484	    # Update python project version:
3485	    process = subprocess.run(
3486	        ["hatch", "version", RELEASE_TAG],
3487	        stdout=subprocess.PIPE,
3488	        text=True,
3489	        shell=True,
3490	        check=True,
3491	    )
3492	    # Update changelog
3493	    if UPDATE_CHANGELOG is True:
3494	        changelog_file = f"{REPO_HOME}/CHANGELOG.md"

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b607_start_process_with_partial_path.html
   Location: ./.automation/build.py:3485:14
3484	    # Update python project version:
3485	    process = subprocess.run(
3486	        ["hatch", "version", RELEASE_TAG],
3487	        stdout=subprocess.PIPE,
3488	        text=True,
3489	        shell=True,
3490	        check=True,
3491	    )
3492	    # Update changelog

--------------------------

(Truncated to 5714 characters out of 43891)

⚠️ BASH / bash-exec - 1 error

Results of bash-exec linter (version 5.2.37)
See documentation on https://megalinter.io/beta/descriptors/bash_bash_exec/
-----------------------------------------------

✅ [SUCCESS] .automation/build_schemas_doc.sh
✅ [SUCCESS] .automation/format-tables.sh
✅ [SUCCESS] .vscode/testlinter.sh
✅ [SUCCESS] build.sh
✅ [SUCCESS] entrypoint.sh
❌ [ERROR] sh/megalinter_exec
    Error: File:[sh/megalinter_exec] is not executable

⚠️ REPOSITORY / grype - 31 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME                           INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS           RISK   
ejs                            3.1.6      3.1.7     npm     GHSA-phwq-j96m-2c2q  Critical  93.5% (99th)   87.9   
tar                            6.0.1      6.1.1     npm     GHSA-3jfq-g458-7qm9  High      85.5% (99th)   67.1   
requests                       2.24.0     2.31.0    python  GHSA-j8r2-6x86-q33q  Medium    6.1% (90th)    3.4    
ip                             1.1.5                npm     GHSA-2p57-rm9w-gvfp  High      3.8% (87th)    3.0    
minimist                       1.2.5      1.2.6     npm     GHSA-xvch-5gv4-984h  Critical  0.9% (74th)    0.8    
ejs                            3.1.6      3.1.10    npm     GHSA-ghr5-ch3p-vcr6  Medium    1.3% (78th)    0.6    
tar                            6.0.1      6.1.9     npm     GHSA-5955-9wpr-37jh  High      0.6% (68th)    0.5    
node-fetch                     2.6.6      2.6.7     npm     GHSA-r683-j2x4-v87g  High      0.5% (65th)    0.4    
minimatch                      3.0.4      3.0.5     npm     GHSA-f8q6-p94x-37v3  High      0.5% (66th)    0.4    
semver                         7.3.5      7.5.2     npm     GHSA-c2qf-rxjj-qqgw  High      0.3% (54th)    0.2    
braces                         3.0.2      3.0.3     npm     GHSA-grv7-fg5c-xmjg  High      0.2% (45th)    0.2    
ansi-regex                     3.0.0      3.0.1     npm     GHSA-93q8-gq69-wqmw  High      0.2% (44th)    0.2    
tar                            6.0.1      6.1.2     npm     GHSA-r628-mhmh-qjhw  High      0.2% (39th)    0.1    
@octokit/request-error         2.1.0      5.1.1     npm     GHSA-xx4v-prfh-6cgc  Medium    0.3% (48th)    0.1    
@octokit/request               5.6.2      8.4.1     npm     GHSA-rmvr-2pp2-xj38  Medium    0.2% (46th)    0.1    
http-cache-semantics           4.1.0      4.1.1     npm     GHSA-rc47-6667-2j5j  High      0.2% (37th)    0.1    
ip                             1.1.5      1.1.9     npm     GHSA-78xj-cgh5-2h22  Low       0.4% (59th)    0.1    
tar                            6.0.1      6.2.1     npm     GHSA-f5x3-32g6-xq36  Medium    0.2% (42nd)    0.1    
tar                            6.1.11     6.2.1     npm     GHSA-f5x3-32g6-xq36  Medium    0.2% (42nd)    0.1    
cross-spawn                    7.0.3      7.0.5     npm     GHSA-3xgq-45jj-v275  High      0.1% (33rd)    < 0.1  
@octokit/plugin-paginate-rest  2.17.0     9.2.2     npm     GHSA-h5c3-5r3r-rr8q  Medium    0.2% (37th)    < 0.1  
micromatch                     4.0.4      4.0.8     npm     GHSA-952p-6rrq-rcjv  Medium    0.1% (32nd)    < 0.1  
debug                          4.2.0      4.3.1     npm     GHSA-gxpj-cx7g-858c  Low       < 0.1% (27th)  < 0.1  
requests                       2.24.0     2.32.0    python  GHSA-9wx4-h78v-vm56  Medium    < 0.1% (13th)  < 0.1  
requests                       2.24.0     2.32.4    python  GHSA-9hjg-9r4m-mvj7  Medium    < 0.1% (13th)  < 0.1  
word-wrap                      1.2.3      1.2.4     npm     GHSA-j8xg-fqg3-53r7  Medium    < 0.1% (12th)  < 0.1  
tar                            6.0.1      6.1.7     npm     GHSA-9r2w-394v-53qc  High      < 0.1% (6th)   < 0.1  
tmp                            0.0.33     0.2.4     npm     GHSA-52f5-9888-hmc6  Low       < 0.1% (22nd)  < 0.1  
tar                            6.0.1      6.1.9     npm     GHSA-qq89-hq3f-393p  High      < 0.1% (4th)   < 0.1  
brace-expansion                1.1.11     1.1.12    npm     GHSA-v6h2-p8h4-qcjw  Low       < 0.1% (5th)   < 0.1  
brace-expansion                2.0.1      2.0.2     npm     GHSA-v6h2-p8h4-qcjw  Low       < 0.1% (5th)   < 0.1
[0032] ERROR discovered vulnerabilities at or above the severity threshold

⚠️ SPELL / lychee - 17 errors

[WARN ] WARNING: `--exclude-mail` is deprecated and will soon be removed; E-Mail is no longer checked by default. Use `--include-mail` to enable E-Mail checking.
[403] https://npmjs.org/package/mega-linter-runner | Network error: Forbidden
[403] https://cloudtuned.hashnode.dev/ | Network error: Forbidden
[403] https://cloudtuned.hashnode.dev/introducing-megalinter-streamlining-code-quality-checks-across-multiple-languages | Network error: Forbidden
[403] https://htmlhint.com/integrations/task-runner/ | Network error: Forbidden
[404] https://github.com/$ | Network error: Not Found
[403] https://npmjs.org/package/mega-linter-runner | Error (cached)
[403] https://htmlhint.com/integrations/task-runner/ | Error (cached)
[403] https://htmlhint.com/ | Network error: Forbidden
[403] https://htmlhint.com/docs/user-guide/list-rules | Network error: Forbidden
[403] https://htmlhint.com/configuration/ | Network error: Forbidden
[403] https://www.npmjs.com/package/markdown-table-formatter | Network error: Forbidden
[404] https://plugins.jetbrains.com/plugin/11563-flake8-support | Network error: Not Found
[404] https://github.com/Lightning-Flow-Scanner | Network error: Not Found
[404] https://lychee.cli.rs/usage/config/ | Network error: Not Found
[404] https://lychee.cli.rs/usage/cli/ | Network error: Not Found
[404] https://github.com/pderichs/sublime_rubocop | Network error: Not Found
[404] https://raku.org/camelia-logo.png | Network error: Not Found
[TIMEOUT] https://www.gnu.org/software/bash/ | Timeout
[TIMEOUT] https://www.gnu.org/software/bash/manual/bash.html | Timeout
[TIMEOUT] https://www.nongnu.org/chktex/ | Timeout
[TIMEOUT] https://www.nongnu.org/chktex | Timeout
📝 Summary
---------------------
🔍 Total.........2373
✅ Successful....1888
⏳ Timeouts.........4
🔀 Redirected.......0
👻 Excluded.......464
❓ Unknown..........0
🚫 Errors..........17

Errors in mega-linter-runner/README.md
[403] https://npmjs.org/package/mega-linter-runner | Error (cached)

Errors in megalinter/descriptors/spell.megalinter-descriptor.yml
[404] https://lychee.cli.rs/usage/cli/ | Network error: Not Found
[404] https://lychee.cli.rs/usage/config/ | Network error: Not Found

Errors in megalinter/descriptors/python.megalinter-descriptor.yml
[404] https://plugins.jetbrains.com/plugin/11563-flake8-support | Network error: Not Found

Errors in megalinter/descriptors/html.megalinter-descriptor.yml
[403] https://htmlhint.com/configuration/ | Network error: Forbidden
[403] https://htmlhint.com/integrations/task-runner/ | Error (cached)
[403] https://htmlhint.com/docs/user-guide/list-rules | Network error: Forbidden
[403] https://htmlhint.com/ | Network error: Forbidden

Errors in megalinter/descriptors/markdown.megalinter-descriptor.yml
[403] https://www.npmjs.com/package/markdown-table-formatter | Network error: Forbidden

Errors in megalinter/descriptors/salesforce.megalinter-descriptor.yml
[404] https://github.com/Lightning-Flow-Scanner | Network error: Not Found

Errors in megalinter/descriptors/raku.megalinter-descriptor.yml
[404] https://raku.org/camelia-logo.png | Network error: Not Found

Errors in README.md
[403] https://htmlhint.com/integrations/task-runner/ | Network error: Forbidden
[403] https://npmjs.org/package/mega-linter-runner | Network error: Forbidden
[403] https://cloudtuned.hashnode.dev/ | Network error: Forbidden
[403] https://cloudtuned.hashnode.dev/introducing-megalinter-streamlining-code-quality-checks-across-multiple-languages | Network error: Forbidden

Errors in megalinter/descriptors/ruby.megalinter-descriptor.yml
[404] https://github.com/pderichs/sublime_rubocop | Network error: Not Found

Errors in mega-linter-runner/generators/mega-linter-custom-flavor/templates/check-new-megalinter-version.yml
[404] https://github.com/$ | Network error: Not Found

Errors in megalinter/descriptors/bash.megalinter-descriptor.yml
[TIMEOUT] https://www.gnu.org/software/bash/ | Timeout
[TIMEOUT] https://www.gnu.org/software/bash/manual/bash.html | Timeout

Errors in megalinter/descriptors/latex.megalinter-descriptor.yml
[TIMEOUT] https://www.nongnu.org/chktex | Timeout
[TIMEOUT] https://www.nongnu.org/chktex/ | Timeout

⚠️ MARKDOWN / markdownlint - 306 errors

.github/copilot-instructions.md:9 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"]
.github/copilot-instructions.md:156 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"]
.github/linters/valestyles/proselint/README.md:12:601 MD013/line-length Line length [Expected: 600; Actual: 755]
CHANGELOG.md:120:90 MD059/descriptive-link-text Link text should be descriptive [Context: "[here]"]
CHANGELOG.md:2141:87 MD059/descriptive-link-text Link text should be descriptive [Context: "[here]"]
docs/articles.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "They talk about MegaLinter"]
docs/badge.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Badge"]
docs/config-activation.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Activation and deactivation"]
docs/config-apply-fixes.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Apply fixes"]
docs/config-cli-lint-mode.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "CLI lint mode"]
docs/config-file.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: ".mega-linter.yml file"]
docs/config-filtering.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Filter linted files"]
docs/config-linters.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Linter specific variables"]
docs/config-postcommands.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Post-commands"]
docs/config-precommands.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Pre-commands"]
docs/config-variables-security.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Environment variables security"]
docs/config-variables.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Common variables"]
docs/configuration.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Configuration"]
docs/descriptors/action_actionlint.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "actionlint"]
docs/descriptors/action.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "ACTION"]
docs/descriptors/ansible_ansible_lint.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "ansible-lint"]
docs/descriptors/ansible_ansible_lint.md:8:601 MD013/line-length Line length [Expected: 600; Actual: 795]
docs/descriptors/ansible.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "ANSIBLE"]
docs/descriptors/api_spectral.md:14:601 MD013/line-length Line length [Expected: 600; Actual: 746]
docs/descriptors/api.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "API"]
docs/descriptors/arm_arm_ttk.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "arm-ttk"]
docs/descriptors/arm.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "ARM"]
docs/descriptors/bash_bash_exec.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "bash-exec"]
docs/descriptors/bash_shellcheck.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "shellcheck"]
docs/descriptors/bash_shellcheck.md:8:601 MD013/line-length Line length [Expected: 600; Actual: 785]
docs/descriptors/bash_shfmt.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "shfmt"]
docs/descriptors/bash.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "BASH"]
docs/descriptors/bicep_bicep_linter.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "bicep_linter"]
docs/descriptors/bicep.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "BICEP"]
docs/descriptors/c_clang_format.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "clang-format"]
docs/descriptors/c_clang_format.md:8:601 MD013/line-length Line length [Expected: 600; Actual: 768]
docs/descriptors/c_cppcheck.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "cppcheck"]
docs/descriptors/c_cpplint.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "cpplint"]
docs/descriptors/c.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "C"]
docs/descriptors/clojure_cljstyle.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "cljstyle"]
docs/descriptors/clojure_cljstyle.md:8:601 MD013/line-length Line length [Expected: 600; Actual: 768]
docs/descriptors/clojure.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "CLOJURE"]
docs/descriptors/cloudformation_cfn_lint.md:14:601 MD013/line-length Line length [Expected: 600; Actual: 865]
docs/descriptors/cloudformation.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "CLOUDFORMATION"]
docs/descriptors/coffee_coffeelint.md:7 MD025/single-title/single-h1 Multiple top-level headings

(Truncated to 5714 characters out of 37912)

⚠️ YAML / prettier - 6 errors

.automation/plugins.yml 81ms (unchanged)
.github/FUNDING.yml 5ms (unchanged)
.github/dependabot.yml 37ms (unchanged)
.github/linters/.cfnlintrc.yml 3ms (unchanged)
.github/linters/.checkov.yml 4ms (unchanged)
.github/linters/.golangci.yml 7ms (unchanged)
.github/linters/.hadolint.yml 2ms (unchanged)
.github/linters/.openapirc.yml 2ms (unchanged)
.github/linters/.protolintrc.yml 9ms (unchanged)
.github/linters/.ruby-lint.yml 2ms (unchanged)
.github/linters/.yamllint.yml 17ms (unchanged)
.github/linters/analysis_options.yml 12ms (unchanged)
.github/linters/valestyles/Microsoft/AMPM.yml 5ms (unchanged)
.github/linters/valestyles/Microsoft/Accessibility.yml 4ms (unchanged)
.github/linters/valestyles/Microsoft/Acronyms.yml 12ms (unchanged)
.github/linters/valestyles/Microsoft/Adverbs.yml 38ms (unchanged)
.github/linters/valestyles/Microsoft/Auto.yml 5ms (unchanged)
.github/linters/valestyles/Microsoft/Avoid.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/ComplexWords.yml 43ms (unchanged)
.github/linters/valestyles/Microsoft/Contractions.yml 5ms (unchanged)
.github/linters/valestyles/Microsoft/Dashes.yml 11ms (unchanged)
.github/linters/valestyles/Microsoft/DateFormat.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/DateNumbers.yml 3ms (unchanged)
.github/linters/valestyles/Microsoft/DateOrder.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/Ellipses.yml 3ms (unchanged)
.github/linters/valestyles/Microsoft/FirstPerson.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/Foreign.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/Gender.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/GenderBias.yml 8ms (unchanged)
.github/linters/valestyles/Microsoft/GeneralURL.yml 5ms (unchanged)
.github/linters/valestyles/Microsoft/HeadingAcronyms.yml 5ms (unchanged)
.github/linters/valestyles/Microsoft/HeadingColons.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/HeadingPunctuation.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/Headings.yml 3ms (unchanged)
.github/linters/valestyles/Microsoft/Hyphens.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/Negative.yml 3ms (unchanged)
.github/linters/valestyles/Microsoft/Ordinal.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/OxfordComma.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/Passive.yml 9ms (unchanged)
.github/linters/valestyles/Microsoft/Percentages.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/Quotes.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/RangeFormat.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/RangeTime.yml 5ms (unchanged)
.github/linters/valestyles/Microsoft/Ranges.yml 3ms (unchanged)
.github/linters/valestyles/Microsoft/Semicolon.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/SentenceLength.yml 3ms (unchanged)
.github/linters/valestyles/Microsoft/Spacing.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/Suspended.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/Terms.yml 9ms (unchanged)
.github/linters/valestyles/Microsoft/URLFormat.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/Units.yml 3ms (unchanged)
.github/linters/valestyles/Microsoft/Vocab.yml 12ms (unchanged)
.github/linters/valestyles/Microsoft/We.yml 2ms (unchanged)
.github/linters/valestyles/Microsoft/Wordiness.yml 22ms (unchanged)
.github/linters/valestyles/proselint/Airlinese.yml 3ms (unchanged)
.github/linters/valestyles/proselint/AnimalLabels.yml 12ms (unchanged)
.github/linters/valestyles/proselint/Annotations.yml 3ms (unchanged)
.github/linters/valestyles/proselint/Apologizing.yml 2ms (unchanged)
.github/linters/valestyles/proselint/Archaisms.yml 4ms (unchanged)
.github/linters/valestyles/proselint/But.yml 2ms (unchanged)
.github/linters/valestyles/proselint/Cliches.yml 90ms (unchanged)
.github/linters/valestyles/proselint/CorporateSpeak.yml 4ms (unchanged)
.github/linters/valestyles/proselint/Currency.yml 4ms (unchanged)
.github/linters/valestyles/proselint/Cursing.yml 2ms (unchanged)
.github/linters/valestyles/proselint/DateCase.yml 2ms (unchanged)
.github/linters/valestyles/proselint/DateMidnight.yml 1ms (unchanged)
.github/linters/valestyles/proselint/DateRedundancy.yml 2ms (unchanged)
.github/linters/valestyles/proselint/DateSpacing.yml 3ms (unchanged)
.github/linters/valestyles/proselint/DenizenLabels.yml 13ms (unchanged)
.github/linters/valestyles/proselint/Diacritical.yml 14ms (unchanged)
.github/linters/valestyles/proselint/GenderBias.yml 15ms (unchanged)
.github/linters/valestyles/proselint/GroupTerms.yml 3ms (unchanged)
.github/linters/valestyles/proselint/Hedging.yml 2ms (unchanged)
.github/linters/valestyles/proselint/Hyperbole.yml 2ms (unchanged)
.github/linters/valestyles/proselint/Jargon.yml 1ms (unchanged)
.github/linters/valestyles/proselint/LGBTOffensive.yml 2ms (unchanged)
.github/linters/valestyles/proselint/LGBTTerms.yml 5ms (unchanged)
.github/linters/valestyles/proselint/Malapropisms.yml 2ms (unchanged)
.github/linters/valestyles/proselint/Needless.yml 52ms (unchanged)
.github/linters/valestyles/proselint/Nonwords.yml 7ms (unchanged)
.github/linters/valestyles/proselint/Oxymorons.yml 2ms (unchanged)
.github/linters/valestyles/proselint/P-Value.yml 2ms (unchanged)
.github/linters/valestyles/proselint/RASSyndrome.yml 2ms (unchanged)
.github/linters/valestyles/proselint/Skunked.yml 2ms (unchanged)
.github/linters/valestyles/proselint/Spelling.yml 3ms (unchanged)
.github/linters/valestyles/proselint/Typography.yml 3ms (unchanged)
.github/linters/valestyles/proselint/Uncomparables.yml 8ms (unchanged)
.github/linters/valestyles/proselint/Very.yml 3ms (unchanged)
.github/release-drafter.yml 9ms (unchanged)
.gitpod.yml 4ms (unc

(Truncated to 5714 characters out of 11537)

⚠️ YAML / yamllint - 188 errors

.automation/plugins.yml
  1:1       warning  missing document start "---"  (document-start)

.github/FUNDING.yml
  3:1       warning  missing document start "---"  (document-start)

.github/dependabot.yml
  4:1       warning  missing document start "---"  (document-start)

.github/linters/.cfnlintrc.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/.checkov.yml
  2:1       warning  missing document start "---"  (document-start)

.github/linters/.golangci.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/.hadolint.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/.protolintrc.yml
  2:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/AMPM.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Accessibility.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Acronyms.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Adverbs.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Auto.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Avoid.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/ComplexWords.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Contractions.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Dashes.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/DateFormat.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/DateNumbers.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/DateOrder.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Ellipses.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/FirstPerson.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Foreign.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Gender.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/GenderBias.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/GeneralURL.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/HeadingAcronyms.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/HeadingColons.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/HeadingPunctuation.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Headings.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Hyphens.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Negative.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Ordinal.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/OxfordComma.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Passive.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Percentages.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Quotes.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/RangeFormat.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/RangeTime.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Ranges.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Semicolon.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/SentenceLength.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Spacing.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Suspended.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Terms.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/URLFormat.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Units.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/Vocab.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft/We.yml
  1:1       warning  missing document start "---"  (document-start)

.github/linters/valestyles/Microsoft

(Truncated to 5714 characters out of 21376)

✅ Linters with no issues

black, checkov, cspell, flake8, git_diff, hadolint, isort, jscpd, jsonlint, markdown-table-formatter, mypy, npm-groovy-lint, pylint, ruff, secretlint, shellcheck, shfmt, spectral, syft, trivy, trivy-sbom, trufflehog, v8r, v8r, xmllint

See detailed reports in MegaLinter artifacts