[automation] Auto-update linters version, help and documentation

nvuillam · github-actions[bot] · commit 2dbe74060dad · 2025-11-18T22:21:37.000Z
diff --git a/.automation/generated/linter-helps.json b/.automation/generated/linter-helps.json
diff --git a/.automation/generated/linter-versions.json b/.automation/generated/linter-versions.json
@@ -2,7 +2,7 @@
     "actionlint": "1.7.8",
     "ansible-lint": "25.11.0",
     "arm-ttk": "0.0.0",
-    "bandit": "1.8.6",
+    "bandit": "1.9.1",
     "bash-exec": "5.2.37",
     "bicep_linter": "0.38.33",
     "black": "25.11.0",
@@ -38,7 +38,7 @@
     "golangci-lint": "2.6.2",
     "goodcheck": "3.1.0",
     "graphql-schema-linter": "3.0.1",
-    "grype": "0.103.0",
+    "grype": "0.104.0",
     "hadolint": "2.14.0",
     "helm": "3.18.4",
     "htmlhint": "1.7.1",
@@ -109,7 +109,7 @@
     "stylelint": "16.25.0",
     "stylua": "2.0.0",
     "swiftlint": "0.62.2",
-    "syft": "1.37.0",
+    "syft": "1.38.0",
     "tekton-lint": "1.1.0",
     "terraform-fmt": "1.13.5",
     "terragrunt": "0.93.8",
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -137,6 +137,9 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
   - [robocop](https://github.com/MarketSquare/robotframework-robocop) from 6.9.2 to **6.10.0** on 2025-11-17
   - [tflint](https://github.com/terraform-linters/tflint) from 0.59.1 to **0.60.0** on 2025-11-17
   - [robocop](https://github.com/MarketSquare/robotframework-robocop) from 6.10.0 to **6.10.1** on 2025-11-17
+  - [bandit](https://bandit.readthedocs.io/en/latest/) from 1.8.6 to **1.9.1** on 2025-11-18
+  - [grype](https://github.com/anchore/grype) from 0.103.0 to **0.104.0** on 2025-11-18
+  - [syft](https://github.com/anchore/syft) from 1.37.0 to **1.38.0** on 2025-11-18
 <!-- linter-versions-end -->
 
 ## [v9.1.0] - 2025-10-07
diff --git a/docs/all_linters.md b/docs/all_linters.md
diff --git a/docs/descriptors/python_bandit.md b/docs/descriptors/python_bandit.md
@@ -45,7 +45,7 @@ Bandit is essential for maintaining secure Python codebases and is widely used i
 
 ## bandit documentation
 
-- Version in MegaLinter: **1.8.6**
+- Version in MegaLinter: **1.9.1**
 - Visit [Official Web Site](https://bandit.readthedocs.io/en/latest/){target=_blank}
 - See [How to configure bandit rules](https://bandit.readthedocs.io/en/latest/config.html#){target=_blank}
   - If custom `.bandit.yml` config file isn't found, [.bandit.yml](https://github.com/oxsecurity/megalinter/tree/main/TEMPLATES/.bandit.yml){target=_blank} will be used
@@ -302,12 +302,12 @@ The following tests were discovered and loaded:
 - Dockerfile commands :
 ```dockerfile
 # renovate: datasource=pypi depName=bandit
-ARG PIP_BANDIT_VERSION=1.8.6
+ARG PIP_BANDIT_VERSION=1.9.1
 # renovate: datasource=pypi depName=bandit_sarif_formatter
 ARG PIP_BANDIT_SARIF_FORMATTER_VERSION=1.1.1
 ```
 
 - PIP packages (Python):
-  - [bandit==1.8.6](https://pypi.org/project/bandit/1.8.6)
+  - [bandit==1.9.1](https://pypi.org/project/bandit/1.9.1)
   - [bandit_sarif_formatter==1.1.1](https://pypi.org/project/bandit_sarif_formatter/1.1.1)
-  - [bandit[toml]==1.8.6](https://pypi.org/project/bandit[toml]/1.8.6)
+  - [bandit[toml]==1.9.1](https://pypi.org/project/bandit[toml]/1.9.1)
diff --git a/docs/descriptors/repository_gitleaks.md b/docs/descriptors/repository_gitleaks.md
@@ -34,18 +34,18 @@ If MegaLinter with gitleaks runs against a PR on a platform not listed above, an
 
 You can still choose to scan only PR commits in your CI/CD platform by setting the following MegaLinter environment variables:
 
-- `PULL_REQUEST=true`\*
-- `REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: true`
-- `REPOSITORY_GITLEAKS_PR_SOURCE_SHA` with last commit sha from your PR and `REPOSITORY_GITLEAKS_PR_TARGET_SHA` commit sha from your target branch (for example, `main` if you do PR to main branch)
+  - `PULL_REQUEST=true`\*
+  - `REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: true`
+  - `REPOSITORY_GITLEAKS_PR_SOURCE_SHA` with last commit sha from your PR and `REPOSITORY_GITLEAKS_PR_TARGET_SHA` commit sha from your target branch (for example, `main` if you do PR to main branch)
 
     Example commands:
 
-  - Source commit SHA:
+      - Source commit SHA:
         ```bash
         git rev-list -n 1 refs/remotes/origin/<source_branch>
         ```
 
-  - Target commit SHA:
+      - Target commit SHA:
         ```bash
         git rev-parse refs/remotes/origin/<target_branch>
         ```
diff --git a/docs/descriptors/repository_grype.md b/docs/descriptors/repository_grype.md
@@ -30,7 +30,7 @@ description: How to use grype (configure, ignore files, ignore errors, help & ve
 
 ## grype documentation
 
-- Version in MegaLinter: **0.103.0**
+- Version in MegaLinter: **0.104.0**
 - Visit [Official Web Site](https://github.com/anchore/grype#readme){target=_blank}
 - See [How to configure grype rules](https://github.com/anchore/grype#configuration){target=_blank}
   - If custom `.grype.yaml` config file isn't found, [.grype.yaml](https://github.com/oxsecurity/megalinter/tree/main/TEMPLATES/.grype.yaml){target=_blank} will be used
@@ -151,6 +151,7 @@ Flags:
       --exclude stringArray    exclude paths from being scanned using a glob expression
   -f, --fail-on string         set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]
       --file string            file to write the default report output to (default is STDOUT)
+      --from stringArray       specify the source behavior to use (e.g. docker, registry, podman, oci-dir, ...)
   -h, --help                   help for grype
       --ignore-states string   ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix]
       --name string            set the name of the target being analyzed
diff --git a/docs/descriptors/repository_syft.md b/docs/descriptors/repository_syft.md
@@ -29,7 +29,7 @@ description: How to use syft (configure, ignore files, ignore errors, help & ver
 
 ## syft documentation
 
-- Version in MegaLinter: **1.37.0**
+- Version in MegaLinter: **1.38.0**
 - Visit [Official Web Site](https://github.com/anchore/syft#readme){target=_blank}
 
 [![syft - GitHub](https://gh-card.dev/repos/anchore/syft.svg?fullname=)](https://github.com/anchore/syft){target=_blank}
@@ -151,7 +151,7 @@ Available Commands:
 Flags:
       --base-path string                          base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
   -c, --config stringArray                        syft configuration file(s) to use
-      --enrich stringArray                        enable package data enrichment from local and online sources (options: all, golang, java, javascript)
+      --enrich stringArray                        enable package data enrichment from local and online sources (options: all, golang, java, javascript, python)
       --exclude stringArray                       exclude paths from being scanned using a glob expression
       --file string                               file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
       --from stringArray                          specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
@@ -179,7 +179,7 @@ Use "syft [command] --help" for more information about a command.
 - Dockerfile commands :
 ```dockerfile
 # renovate: datasource=github-tags depName=anchore/syft
-ARG REPOSITORY_SYFT_VERSION=1.37.0
+ARG REPOSITORY_SYFT_VERSION=1.38.0
 RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/refs/tags/v${REPOSITORY_SYFT_VERSION}/install.sh | sh -s -- -b /usr/local/bin
 ```
 
diff --git a/docs/descriptors/salesforce.md b/docs/descriptors/salesforce.md
@@ -39,7 +39,7 @@ ARG NPM_SALESFORCE_CLI_VERSION=2.108.6
 # renovate: datasource=npm depName=@salesforce/plugin-packaging
 ARG NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION=2.20.5
 # renovate: datasource=npm depName=sfdx-hardis
-ARG SFDX_HARDIS_VERSION=6.12.2
+ARG SFDX_HARDIS_VERSION=6.12.3
 ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk
 ENV PATH="$JAVA_HOME/bin:${PATH}"
 RUN sf plugins install @salesforce/plugin-packaging@${NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION} \
diff --git a/docs/descriptors/salesforce_lightning_flow_scanner.md b/docs/descriptors/salesforce_lightning_flow_scanner.md
@@ -141,7 +141,7 @@ ARG NPM_SALESFORCE_CLI_VERSION=2.108.6
 # renovate: datasource=npm depName=@salesforce/plugin-packaging
 ARG NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION=2.20.5
 # renovate: datasource=npm depName=sfdx-hardis
-ARG SFDX_HARDIS_VERSION=6.12.2
+ARG SFDX_HARDIS_VERSION=6.12.3
 ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk
 ENV PATH="$JAVA_HOME/bin:${PATH}"
 RUN sf plugins install @salesforce/plugin-packaging@${NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION} \
diff --git a/docs/descriptors/salesforce_sfdx_scanner_apex.md b/docs/descriptors/salesforce_sfdx_scanner_apex.md
@@ -391,7 +391,7 @@ ARG NPM_SALESFORCE_CLI_VERSION=2.108.6
 # renovate: datasource=npm depName=@salesforce/plugin-packaging
 ARG NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION=2.20.5
 # renovate: datasource=npm depName=sfdx-hardis
-ARG SFDX_HARDIS_VERSION=6.12.2
+ARG SFDX_HARDIS_VERSION=6.12.3
 ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk
 ENV PATH="$JAVA_HOME/bin:${PATH}"
 RUN sf plugins install @salesforce/plugin-packaging@${NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION} \
diff --git a/docs/descriptors/salesforce_sfdx_scanner_aura.md b/docs/descriptors/salesforce_sfdx_scanner_aura.md
@@ -388,7 +388,7 @@ ARG NPM_SALESFORCE_CLI_VERSION=2.108.6
 # renovate: datasource=npm depName=@salesforce/plugin-packaging
 ARG NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION=2.20.5
 # renovate: datasource=npm depName=sfdx-hardis
-ARG SFDX_HARDIS_VERSION=6.12.2
+ARG SFDX_HARDIS_VERSION=6.12.3
 ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk
 ENV PATH="$JAVA_HOME/bin:${PATH}"
 RUN sf plugins install @salesforce/plugin-packaging@${NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION} \
diff --git a/docs/descriptors/salesforce_sfdx_scanner_lwc.md b/docs/descriptors/salesforce_sfdx_scanner_lwc.md
@@ -389,7 +389,7 @@ ARG NPM_SALESFORCE_CLI_VERSION=2.108.6
 # renovate: datasource=npm depName=@salesforce/plugin-packaging
 ARG NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION=2.20.5
 # renovate: datasource=npm depName=sfdx-hardis
-ARG SFDX_HARDIS_VERSION=6.12.2
+ARG SFDX_HARDIS_VERSION=6.12.3
 ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk
 ENV PATH="$JAVA_HOME/bin:${PATH}"
 RUN sf plugins install @salesforce/plugin-packaging@${NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION} \
diff --git a/docs/descriptors/snakemake_snakemake.md b/docs/descriptors/snakemake_snakemake.md
@@ -149,7 +149,7 @@ usage: snakemake [-h] [--dry-run] [--profile PROFILE]
                  [--summary] [--detailed-summary] [--archive FILE]
                  [--cleanup-metadata FILE [FILE ...]] [--cleanup-shadow]
                  [--skip-script-cleanup] [--unlock]
-                 [--list-changes {params,input,code}] [--list-input-changes]
+                 [--list-changes {code,params,input}] [--list-input-changes]
                  [--list-params-changes] [--list-untracked]
                  [--delete-all-output | --delete-temp-output]
                  [--keep-incomplete] [--drop-metadata] [--version]
@@ -683,7 +683,7 @@ UTILITIES:
                         (default: False)
   --unlock              Remove a lock on the working directory. (default:
                         False)
-  --list-changes, --lc {params,input,code}
+  --list-changes, --lc {code,params,input}
                         List all output files for which the given items (code,
                         input, params) have changed since creation.
   --list-input-changes, --li
