.trivyignore
247 lines (223 loc) · 8.55 KB
# .NET SDK
CVE-2024-0057
CVE-2024-30105
CVE-2024-38095
CVE-2024-38168
CVE-2024-43483
CVE-2024-43484
CVE-2024-43485
# https://avd.aquasec.com/nvd/2025/cve-2025-26646/ Not applicable in MegaLinter context
CVE-2025-26646
# https://avd.aquasec.com/nvd/cve-2024-25621 containerd, Not applicable in MegaLinter context
CVE-2024-25621
# https://avd.aquasec.com/nvd/cve-2025-52881 containerd, Not applicable in MegaLinter context
CVE-2025-52881
# Docker
CVE-2024-41110
# Devskim
CVE-2018-8292
CVE-2019-0820
# Go stdlib (all go based linters)
CVE-2024-6257
CVE-2023-45288
CVE-2024-24788
CVE-2024-24790
CVE-2024-45337
CVE-2024-45338
CVE-2025-22869
CVE-2025-22874
CVE-2025-30204
CVE-2025-47906
# https://avd.aquasec.com/nvd/2025/cve-2025-47907/, not a security issue in MegaLinter context
CVE-2025-47907
CVE-2025-58187
CVE-2025-47912
CVE-2025-58183
CVE-2025-58185
CVE-2025-58186
CVE-2025-58187
CVE-2025-58188
CVE-2025-61723
CVE-2025-61724
CVE-2025-61726
CVE-2025-61728
CVE-2025-61730
CVE-2025-68121
# go-git
CVE-2025-21613
CVE-2025-21614
# java PMD
CVE-2024-7254
# Kubescape
# https://github.com/oxsecurity/megalinter/issues/3519
GHSA-9763-4f94-gfch
GHSA-m425-mq94-257g
CVE-2023-39325
CVE-2023-45283
CVE-2023-49569
CVE-2023-49568
# node
# json-path
CVE-2024-21534
# python
CVE-2024-6232
CVE-2024-7592
# powershell
CVE-2024-21907
CVE-2021-24112
# Roslynator
CVE-2018-8292
CVE-2023-29331
CVE-2019-0820
# Lightning flow scanner
CVE-2020-26226
# sfdx
CVE-2025-24970
CVE-2025-59343
GHSA-xpw8-rcwv-8f8p
# sfdx-scanner
# https://avd.aquasec.com/nvd/cve-2025-48734 Not dangerous in MegaLinter context, and sfdx-scanner will soon be replaced by the code-analyzer plugin
CVE-2025-48734
CVE-2025-55163
# Remove when migrated to code-analyzer
CVE-2025-59419
CVE-2025-64756
# octokit
CVE-2025-25288
CVE-2025-25289
CVE-2025-25290
# spectral
CVE-2024-47068
CVE-2025-1302
# terraform
CVE-2025-0377
# terrascan
# https://github.com/tenable/terrascan/issues/1674
CVE-2024-23652
CVE-2024-23653
CVE-2024-23651
CVE-2024-26147
# tflint
CVE-2024-3817
# tsqllint
CVE-2023-36414
CVE-2024-0056
# vale
CVE-2025-29786
# Misc
# Not fixed yet https://avd.aquasec.com/nvd/2024/cve-2024-29415/
CVE-2024-29415
# axios
CVE-2024-39338
# mega-linter-runner
CVE-2024-4067
# libexpat
CVE-2024-45490
CVE-2024-45491
CVE-2024-45492
# stdlib
CVE-2024-34156
# mega-linter-runner cross-spawn
CVE-2024-21538
# other
CVE-2024-47535
CVE-2024-12797
# https://avd.aquasec.com/nvd/cve-2025-46569 : Linters in MegaLinter do not run servers.
CVE-2025-46569
# https://avd.aquasec.com/nvd/cve-2025-48387 : tar-fs, not applicable in MegaLinter context
CVE-2025-48387
# https://avd.aquasec.com/nvd/cve-2025-5889 : brace-expansion, DDoS attack, not applicable in MegaLinter context
CVE-2025-5889
# https://avd.aquasec.com/nvd/cve-2025-3730 : torch, not applicable in MegaLinter context
CVE-2025-3730
# https://avd.aquasec.com/nvd/cve-2025-53547 : helm, not applicable in MegaLinter context
CVE-2025-53547
# https://avd.aquasec.com/nvd/cve-2025-22868: golang.org/x/oauth2 unexpected memory consumption, not applicable in MegaLinter context
CVE-2025-22868
# Not applicable in MegaLinter context as it is not used as server
CVE-2025-7783
# https://avd.aquasec.com/nvd/cve-2025-8959: go-getter Arbitrary File Read. Not applicable in MegaLinter context
CVE-2025-8959
# https://avd.aquasec.com/nvd/cve-2025-9288 : sha.js: Missing type checks leading to hash rewind and passing on crafte. Harmless in MegaLinter because Salesforce linters do not connect to Salesforce orgs
CVE-2025-9288
# https://avd.aquasec.com/nvd/cve-2025-64118 : node-tar has a race condition leading to uninitialized memory exposure. Not applicable in MegaLinter context
CVE-2025-64118
# https://avd.aquasec.com/nvd/cve-2025-65106 : Langchain core vulnerable to prompt injection. As prompts are built only by MegaLinter or local overrides in the repo, this is harmless
CVE-2025-65106
# https://avd.aquasec.com/nvd/cve-2025-64756 : Glob command injection. Harmless in MegaLinter context as user inputs are not passed to glob patterns
CVE-2025-64756
# https://avd.aquasec.com/nvd/cve-2025-65965 : Credentials are hidden to linters logs, so not applicable in MegaLinter context
CVE-2025-65965
# https://avd.aquasec.com/nvd/cve-2025-61729 : stdlib crypto/x509: Excessive resource consumption when printing error string, not applicable in MegaLinter context
CVE-2025-61729
# https://avd.aquasec.com/nvd/cve-2025-65945 : auth0/node-jws Improperly Verifies HMAC Signatures. Not applicable in MegaLinter context as linters do not use auth0 nor jws
CVE-2025-65945
# https://avd.aquasec.com/nvd/cve-2025-66506 : github.com/sigstore/fulcio: Fulcio: Denial of Service, not applicable in MegaLinter context
CVE-2025-66506
# https://avd.aquasec.com/nvd/cve-2025-66564 : github.com/sigstore/timestamp-authority: Sigstore Timestamp Authority: Denial of Service via excessive OID, not applicable in MegaLinter context
CVE-2025-66564
# https://avd.aquasec.com/nvd/cve-2025-68156 : github.com/expr-lang/expr: Expr: Denial of Service via uncontrolled recursion in expression evaluation, not applicable in MegaLinter context
CVE-2025-68156
# https://avd.aquasec.com/nvd/cve-2026-22701 : filelock Time-of-Check-Time-of-Use (TOCTOU) race condition leading to privilege escalation, not applicable in MegaLinter context
CVE-2026-22701
# https://github.com/advisories/GHSA-58pv-8j8x-9vj2 : jaraco.context Has a Path Traversal Vulnerability. jaraco & setuptools are not used in MegaLinter context
GHSA-58pv-8j8x-9vj2
# https://avd.aquasec.com/nvd/cve-2026-23745 : Node tar, not applicable in MegaLinter context
CVE-2026-23745
# https://avd.aquasec.com/nvd/cve-2026-23950 : Node tar, not applicable in MegaLinter context
CVE-2026-23950
# https://avd.aquasec.com/nvd/cve-2026-25128: fast-xml-parser has RangeError DoS Numeric Entities Bug: Biggest risk is crashing the application when reading a malicious XML file, not applicable in MegaLinter context
CVE-2026-25128
# https://avd.aquasec.com/nvd/cve-2026-24842: Node tar, not applicable in MegaLinter context
CVE-2026-24842
# https://avd.aquasec.com/nvd/cve-2026-25547: @isaacs/brace-expansion , not risky in MegaLinter context
CVE-2026-25547
# https://avd.aquasec.com/nvd/cve-2026-25639: axios denial of service, not applicable in MegaLinter context
CVE-2026-25639
# https://avd.aquasec.com/nvd/cve-2026-26278 : fast-xml-parser, DDoS attack, not applicable in MegaLinter context
CVE-2026-26278
# https://avd.aquasec.com/nvd/cve-2026-26960 : node-tar, not applicable in MegaLinter context
CVE-2026-26960
# https://avd.aquasec.com/nvd/cve-2026-26996 : minimatch ReDoS risk, not applicable in MegaLinter context
CVE-2026-26996
# https://avd.aquasec.com/nvd/cve-2026-25896 : fast-xml-parser, not applicable in MegaLinter context as the XML files are Salesforce metadata
CVE-2026-25896
# https://avd.aquasec.com/nvd/cve-2025-12183 : lz4-java DDoS risk, not applicable in MegaLinter context
CVE-2025-12183
# https://avd.aquasec.com/nvd/cve-2026-27606 : node rollup , not applicable in MegaLinter context
CVE-2026-27606
# https://avd.aquasec.com/nvd/cve-2026-27699 : in Salesforce/cli, they will fix that soon, but as linters do not connect to Salesforce orgs, this is not applicable in MegaLinter context
CVE-2026-27699
# https://avd.aquasec.com/nvd/cve-2026-27903 : minimatch ReDoS vulnerability, not applicable in MegaLinter context
CVE-2026-27903
# https://avd.aquasec.com/nvd/cve-2026-27904 : minimatch ReDoS vulnerability, not applicable in MegaLinter context
CVE-2026-27904
# https://avd.aquasec.com/nvd/cve-2026-27601 : underscore ReDoS vulnerability, not applicable in MegaLinter context
CVE-2026-27601
# https://avd.aquasec.com/nvd/cve-2026-24051 : go telemetry PATH vulnerability, not applicable in MegaLinter context as we don't allow sending custom paths to this library
CVE-2026-24051
# https://github.com/advisories/GHSA-72hv-8253-57qq: com.fasterxml.jackson.core:jackson-core DDoS vulnerability, not applicable in MegaLinter context
GHSA-72hv-8253-57qq
# https://github.com/advisories/GHSA-qffp-2rhf-9h96: tar, not applicable in MegaLinter context as we don't use tar in a way that could be vulnerable to this issue
GHSA-qffp-2rhf-9h96
# https://avd.aquasec.com/nvd/cve-2026-29786 : tar, not applicable in MegaLinter context as we don't use tar in a way that could be vulnerable to this issue
CVE-2026-29786
# https://avd.aquasec.com/nvd/2026/cve-2026-29786/: Docker for windows, this issue does not impact non-Windows binaries
CVE-2025-15558
# https://avd.aquasec.com/nvd/cve-2026-30922 : pyasn1, DDoS attack risk, not applicable in MegaLinter context
CVE-2026-30922
# Dockerfile
DS001
DS-0001
DS002
DS-0002
DS003
DS-0003
DS004
DS-0004
DS013
DS-0013
DS014
DS-0014
DS026
DS-0026