The goal of super-linter is to help you establish best practices and consistent
formatting across multiple programming languages, and ensure developers are
adhering to those conventions.
Super-linter analyzes source code files using several tools, and reports the
issues that those tools find as console output, and as
[GitHub Actions status checks](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks).
| **ANSIBLE_DIRECTORY** | `/ansible` | Flag to set the root directory for Ansible file location(s), relative to `DEFAULT_WORKSPACE`. Set to `.` to use the top-level of the `DEFAULT_WORKSPACE`. |
| **BASH_EXEC_IGNORE_LIBRARIES** | `false` | If set to `true`, shell files with a file extension and no shebang line are ignored when checking if the executable bit is set. |
| **BASH_FILE_NAME** | `.shellcheckrc` | Filename for [Shellcheck](https://github.com/koalaman/shellcheck/blob/master/shellcheck.1.md#rc-files) |
| **BASH_SEVERITY** | Shellcheck default severity | Specify the minimum severity of errors to consider in shellcheck. Valid values in order of severity are error, warning, info and style. |
| **CHECKOV_FILE_NAME** | `.checkov.yaml` | Configuration filename for Checkov. |
| **CLANG_FORMAT_FILE_NAME** | `.clang-format` | Configuration filename for [clang-format](https://clang.llvm.org/docs/ClangFormatStyleOptions.html). |
| **CREATE_LOG_FILE** | `false` | If set to `true`, it creates the log file. You can set the log filename using the `LOG_FILE` environment variable. This overrides any existing log files. |
| **DEFAULT_BRANCH** | Default repository branch when running on GitHub Actions, `master` otherwise | The name of the repository default branch. There's no need to configure this variable when running on GitHub Actions |
| **DEFAULT_WORKSPACE** | `/tmp/lint` | The location containing files to lint if you are running locally. Defaults to `GITHUB_WORKSPACE` when running in GitHub Actions. There's no need to configure this variable when running on GitHub Actions. |
| **DISABLE_ERRORS** | `false` | Flag to have the linter complete with exit code 0 even if errors were detected. |
| **ENABLE_GITHUB_ACTIONS_GROUP_TITLE** | `false` if `RUN_LOCAL=true`, `true` otherwise | Flag to enable [GitHub Actions log grouping](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#grouping-log-lines). |
| **ENABLE_GITHUB_ACTIONS_STEP_SUMMARY** | `false` if `RUN_LOCAL=true`, `true` otherwise | Flag to enable [GitHub Actions job summary](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-job-summary) for the Super-linter action. For more information, see [Summary outputs](#summary-outputs). |
| **ENFORCE_COMMITLINT_CONFIGURATION_CHECK** | `false` | If set to `true` and `VALIDATE_GIT_COMMITLINT` is set to `true`, Super-linter exits with an error if there's no commitlint configuration file. Otherwise, Super-linter emits a warning and forcefully sets `VALIDATE_GIT_COMMITLINT` to `false`. |
| **FILTER_REGEX_EXCLUDE** | not set | Regular expression defining which files will be excluded from linting (ex: `.*src/test.*`). Not setting this variable means to process all files. Jscpd and Checkov ignore this variable. Use their include and ignore features to select or ignore the files to lint. |
| **FILTER_REGEX_INCLUDE** | not set | Regular expression defining which files will be processed by linters (ex: `.*src/.*`). Not setting this variable means to process all files. `FILTER_REGEX_INCLUDE` is evaluated before `FILTER_REGEX_EXCLUDE`. Jscpd and Checkov ignore this variable. Use their include and ignore features to select or ignore the files to lint. |
| **FIX_ANSIBLE** | `false` | Option to enable fix mode for `ANSIBLE`. |
| **FIX_CLANG_FORMAT** | `false` | Option to enable fix mode for `CLANG_FORMAT`. |
| **FIX_CSHARP** | `false` | Option to enable fix mode for `CSHARP`. |
| **FIX_CSS_PRETTIER** | `true` | Flag to enable or disable the formatting of CSS, Sass, and SCSS files with Prettier. |
| **FIX_CSS** | `false` | Option to enable fix mode for `CSS`. |
| **FIX_DOTNET_SLN_FORMAT_ANALYZERS** | `false` | Option to enable or disable fix mode for Dotnet solutions. |
| **FIX_DOTNET_SLN_FORMAT_STYLE** | `false` | Option to enable or disable fix mode for Dotnet solutions. |
| **FIX_DOTNET_SLN_FORMAT_WHITESPACE** | `true` | Option to enable or disable fix mode for Dotnet solutions. |
| **FIX_ENV** | `false` | Option to enable fix mode for `ENV`. |
| **FIX_GO_MODULES** | `false` | Option to enable fix mode for `GO_MODULES`. |
| **FIX_GO** | `false` | Option to enable fix mode for `GO`. |
| **FIX_GOOGLE_JAVA_FORMAT** | `false` | Option to enable fix mode for `GOOGLE_JAVA_FORMAT`. |
| **FIX_GRAPHQL_PRETTIER** | `true` | Flag to enable or disable the formatting of GraphQL files with Prettier. |
| **FIX_GROOVY** | `false` | Option to enable fix mode for `GROOVY`. |
| **FIX_HTML_PRETTIER** | `true` | Flag to enable or disable the formatting of HTML files with Prettier. |
| **FIX_JAVASCRIPT_ES** | `false` | Option to enable fix mode for `JAVASCRIPT_ES`. |
| **FIX_JAVASCRIPT_PRETTIER** | `false` | Flag to enable or disable the formatting of JavaScript files with Prettier. |
| **FIX_JAVASCRIPT_STANDARD** | `false` | Option to enable fix mode for `JAVASCRIPT_STANDARD`. |
| **FIX_JSON_PRETTIER** | `true` | Flag to enable or disable the formatting of JSON files with Prettier. |
| **FIX_JSON** | `false` | Option to enable fix mode for `JSON`. |
| **FIX_JSONC** | `false` | Option to enable fix mode for `JSONC`. |
| **FIX_JSONC_PRETTIER** | `true` | Flag to enable or disable the formatting of JSONC and JSON5 files with Prettier. |
| **FIX_JSX_PRETTIER** | `true` | Flag to enable or disable the formatting of JSX files with Prettier. |
| **FIX_JSX** | `false` | Option to enable fix mode for `JSX`. |
| **FIX_PYTHON_RUFF** | `false` | Option to enable fix mode for `PYTHON_RUFF`. |
| **FIX_RUBY** | `false` | Option to enable fix mode for `RUBY`. |
| **FIX_RUST_2015** | `false` | Option to enable fix mode for `RUST_2015`. |
| **FIX_RUST_2018** | `false` | Option to enable fix mode for `RUST_2018`. |
| **FIX_RUST_2021** | `false` | Option to enable fix mode for `RUST_2021`. |
| **FIX_RUST_CLIPPY** | `false` | Option to enable fix mode for `RUST_CLIPPY`. When `FIX_RUST_CLIPPY` is `true`, Clippy is allowed to fix issues in the workspace even if there are unstaged and staged changes in the workspace. |
| **FIX_SCALAFMT** | `false` | Option to enable fix mode for `SCALAFMT`. |
| **FIX_SHELL_SHFMT** | `false` | Option to enable fix mode for `SHELL_SHFMT`. |
| **FIX_SNAKEMAKE_SNAKEFMT** | `false` | Option to enable fix mode for `SNAKEMAKE_SNAKEFMT`. |
| **FIX_SQLFLUFF** | `false` | Option to enable fix mode for `SQLFLUFF`. |
| **FIX_TERRAFORM_FMT** | `false` | Option to enable fix mode for `TERRAFORM_FMT`. |
| **FIX_TSX** | `false` | Option to enable fix mode for `TSX`. |
| **FIX_TYPESCRIPT_ES** | `false` | Option to enable fix mode for `TYPESCRIPT_ES`. |
| **FIX_TYPESCRIPT_PRETTIER** | `false` | Flag to enable or disable the formatting of TypeScript files with Prettier. |
| **FIX_TYPESCRIPT_STANDARD** | `false` | Option to enable fix mode for `TYPESCRIPT_STANDARD`. |
| **FIX_VUE_PRETTIER** | `true` | Flag to enable or disable the formatting of Vue files with Prettier. |
| **FIX_YAML_PRETTIER** | `true` | Flag to enable or disable the formatting of YAML files with Prettier. |
| **GITHUB_ACTIONS_COMMAND_ARGS** | `null` | Additional arguments passed to `actionlint` command. Useful to [ignore some errors](https://github.com/rhysd/actionlint/blob/main/docs/usage.md#ignore-some-errors) |
| **GITHUB_CUSTOM_API_URL** | `https://api.${GITHUB_DOMAIN}` | Specify a custom GitHub API URL in case GitHub Enterprise is used: e.g. `https://github.myenterprise.com/api/v3` |
| **GITHUB_CUSTOM_SERVER_URL** | `https://${GITHUB_DOMAIN}"` | Specify a custom GitHub server URL. Useful for GitHub Enterprise instances. |
| **GITHUB_DOMAIN** | `github.com` | Specify a custom GitHub domain in case GitHub Enterprise is used: e.g. `github.myenterprise.com`. `GITHUB_DOMAIN` is a convenience configuration variable to automatically build `GITHUB_CUSTOM_API_URL` and `GITHUB_CUSTOM_SERVER_URL`. |
| **GITLEAKS_LOG_LEVEL** | Gitleaks default log level | Gitleaks log level. Defaults to the Gitleaks default log level. |
| **IGNORE_GENERATED_FILES** | `false` | If set to `true`, super-linter will ignore all the files with `@generated` marker but without `@not-generated` marker. Jscpd and Checkov ignore this variable. Use their include and ignore features to select or ignore the files to lint. |
| **IGNORE_GITIGNORED_FILES** | `false` | If set to `true`, super-linter will ignore all the files that are ignored by Git. Checkov ignores this variable. Use its include and ignore features to select or ignore the files to lint. |
| **JAVA_FILE_NAME** | `sun_checks.xml` | Filename for [Checkstyle configuration](https://checkstyle.sourceforge.io/config.html). Checkstyle embeds several configuration files, such as `sun_checks.xml`, `google_checks.xml` that you can use without providing your own configuration file. |
| **KUBERNETES_KUBECONFORM_OPTIONS** | `null` | Additional arguments to pass to the command-line when running **Kubernetes Kubeconform** (Example: --ignore-missing-schemas) |
| **LINTER_RULES_PATH** | `.github/linters` | Directory for all linter configuration rules. |
| **LOG_FILE** | `super-linter.log` | The filename for outputting logs. Super-linter saves the log file to `${DEFAULT_WORKSPACE}/${LOG_FILE}`. |
| **LOG_LEVEL** | `INFO` | How much output the script will generate to the console. One of `ERROR`, `WARN`, `NOTICE`, `INFO`, or `DEBUG`. |
| **MARKDOWN_CUSTOM_RULE_GLOBS** | not set | Comma-separated list of [file globs](https://github.com/igorshubovych/markdownlint-cli#globbing) matching [custom Markdownlint rule files](https://github.com/DavidAnson/markdownlint/blob/main/doc/CustomRules.md). |
| **MULTI_STATUS** | `true` | A status API is made for each language that is linted to make visual parsing easier. |
| **REMOVE_ANSI_COLOR_CODES_FROM_OUTPUT** | `false` | If set to `true`, Super-linter removes ANSI color codes from linters stdout and stderr files, and from the Super-linter log file. |
| **SAVE_SUPER_LINTER_OUTPUT** | `false` | If set to `true`, Super-linter will save its output in the workspace. For more information, see [Super-linter outputs](#super-linter-outputs). |
| **SAVE_SUPER_LINTER_SUMMARY** | `false` | If set to `true`, Super-linter will save a summary. For more information, see [Summary outputs](#summary-outputs). |
| **SSL_CERT_SECRET** | `none` | SSL cert to add to the **Super-Linter** trust store. This is needed for users on `self-hosted` runners or need to inject the cert for security standards (ex. ${{ secrets.SSL_CERT }}) |
| **SSH_KEY** | `none` | SSH key that has access to your private repositories |
| **SSH_SETUP_GITHUB** | `false` | If set to `true`, adds the `github.com` SSH key to `known_hosts`. This is ignored if `SSH_KEY` is provided - i.e. the `github.com` SSH key is always added if `SSH_KEY` is provided |
| **SSH_INSECURE_NO_VERIFY_GITHUB_KEY** | `false` | **INSECURE -** If set to `true`, does not verify the fingerprint of the github.com SSH key before adding this. This is not recommended! |
| **SUPER_LINTER_OUTPUT_DIRECTORY_NAME** | `super-linter-output` | Name of the directory where super-linter saves its output. |
| **SUPER_LINTER_SUMMARY_FILE_NAME** | `super-linter-summary.md` | Name of the file where to save the summary output. For more information, see [Summary outputs](#summary-outputs). |
| **SUPPRESS_FILE_TYPE_WARN** | `false` | If set to `true`, will hide warning messages about files without their proper extensions. Default is `false` |
| **SUPPRESS_POSSUM** | `false` | If set to `true`, will hide the ASCII possum at top of log output. Default is `false` |
| **TYPESCRIPT_STANDARD_TSCONFIG_FILE** | `${DEFAULT_WORKSPACE}/tsconfig.json` | Path to the [TypeScript project configuration](https://www.typescriptlang.org/docs/handbook/tsconfig-json.html) in [ts-standard](https://github.com/standard/ts-standard). The path is relative to `DEFAULT_WORKSPACE` |
| **USE_FIND_ALGORITHM** | `false` | By default, we use `git diff` to find all files in the workspace and what has been updated, this would enable the Linux `find` method instead to find all files to lint |
| **VALIDATE_ALL_CODEBASE** | `true` | Will parse the entire repository and find all files to validate across all types. **NOTE:** When set to`false`, only **new** or **edited** files will be parsed for validation. |
| **VALIDATE_GIT_COMMITLINT** | `true` | Option to enable or disable the linting process of Git commits with commitlint. commitlint needs a configuration file to work. Also, see the `ENFORCE_COMMITLINT_CONFIGURATION_CHECK` and the `ENABLE_COMMITLINT_STRICT_MODE` variables. |
| **VALIDATE_GITHUB_ACTIONS** | `true` | Flag to enable or disable the linting process of the GitHub Actions. |
| **VALIDATE_GITLEAKS** | `true` | Flag to enable or disable the linting process of the secrets. |
| **VALIDATE_GO** | `true` | Flag to enable or disable the linting process of the individual Golang files. Set this to `false` if you want to lint Go modules. See the `VALIDATE_GO_MODULES` variable. |
| **VALIDATE_GO_MODULES** | `true` | Flag to enable or disable the linting process of Go modules. Super-linter considers a directory to be a Go module if it contains a file named`go.mod`. |
| **VALIDATE_KOTLIN** | `true` | Flag to enable or disable the linting process of the Kotlin language. |
| **VALIDATE_KUBERNETES_KUBECONFORM** | `true` | Flag to enable or disable the linting process of Kubernetes descriptors with Kubeconform |
| **VALIDATE_LATEX** | `true` | Flag to enable or disable the linting process of the LaTeX language. |
| **VALIDATE_LUA** | `true` | Flag to enable or disable the linting process of the language. |
| **VALIDATE_MARKDOWN** | `true` | Flag to enable or disable the linting process of the Markdown language. |
| **VALIDATE_MARKDOWN_PRETTIER** | `true` | Flag to enable or disable checking the formatting of Markdown files with Prettier. |
| **VALIDATE_NATURAL_LANGUAGE** | `true` | Flag to enable or disable the linting process of the natural language. |
| **VALIDATE_OPENAPI** | `true` | Flag to enable or disable the linting process of the OpenAPI language. |
| **VALIDATE_PERL** | `true` | Flag to enable or disable the linting process of the Perl language. |
| **VALIDATE_PHP** | `true` | Flag to enable or disable the linting process of the PHP language. (Utilizing: PHP built-in linter) (keep for backward compatibility) |
| **VALIDATE_PHP_BUILTIN** | `true` | Flag to enable or disable the linting process of the PHP language. (Utilizing: PHP built-in linter) |
| **VALIDATE_PHP_PHPCS** | `true` | Flag to enable or disable the linting process of the PHP language. (Utilizing: PHP CodeSniffer) |
| **VALIDATE_PHP_PHPSTAN** | `true` | Flag to enable or disable the linting process of the PHP language. (Utilizing: PHPStan) |
| **VALIDATE_PHP_PSALM** | `true` | Flag to enable or disable the linting process of the PHP language. (Utilizing: PSalm) |
| **VALIDATE_POWERSHELL** | `true` | Flag to enable or disable the linting process of the Powershell language. |
| **VALIDATE_PROTOBUF** | `true` | Flag to enable or disable the linting process of the Protobuf language. |
| **VALIDATE_PYTHON** | `true` | Flag to enable or disable the linting process of the Python language. (Utilizing: pylint) (keep for backward compatibility) |
| **VALIDATE_PYTHON_BLACK** | `true` | Flag to enable or disable the linting process of the Python language. (Utilizing: black) |
| **VALIDATE_PYTHON_FLAKE8** | `true` | Flag to enable or disable the linting process of the Python language. (Utilizing: flake8) |
| **VALIDATE_PYTHON_ISORT** | `true` | Flag to enable or disable the linting process of the Python language. (Utilizing: isort) |
| **VALIDATE_PYTHON_MYPY** | `true` | Flag to enable or disable the linting process of the Python language. (Utilizing: mypy) |
that automatically greates a unique `GITHUB_TOKEN` secret for the workflow.
GitHub Actions imposes the following limitations on workflows:
- To avoid accidentally creating recursive workflow runs, the commit that
contains linting and formatting fixes
[doesn't create new workflow runs](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow).
- It restrict edits to GitHub Actions workflows files (in `.github/workflows`).
- It may fail pushing commits to protected branches.
To work around these limitations, you do the following:
1. [Create an authentication token with additional permissions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#granting-additional-permissions).
1. Grant the authentication token the
[`repo` and `workflow` permissions](https://docs.github.com/en/rest/authentication/permissions-required-for-fine-grained-personal-access-tokens).
1. Use the authentication token in the `actions/checkout` step:
```yaml
- uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.SUPER_LINTER_TOKEN }}
```
This example assumes that you saved the authentication token in a secret
called `SUPER_LINTER_TOKEN`, but you can choose whatever name you prefer for