Code Quality
Code linting, static security analysis, and secret detection
collabops/lint@v1
On-Premise: ❌ — recommended alternatives: sast-scan@v1, secret-detect@v1
Runs multi-language code linting based on MegaLinter. Supports 60+ languages.
| Input | Required | Default | Description |
|---|---|---|---|
| enable | NO | "" | Linters to enable (comma-separated) |
| disable | NO | "" | Linters to disable (comma-separated) |
| apply-fixes | NO | "false" | Apply automatic fixes |
| working-directory | NO | "/workspace/source" | Scan target directory |
Examples
All languages auto-detected
```yaml
jobs:
  lint:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
      # Detects changed files and picks the right linters automatically.
      - name: lint
        uses: "collabops/lint@v1"
```
Restrict to specific languages (enable / disable)
```yaml
jobs:
  lint:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
      - name: lint-typed
        uses: "collabops/lint@v1"
        with:
          # enable is an allowlist (only the listed ones). Comma-separated, uppercase.
          enable: "TYPESCRIPT,YAML,DOCKERFILE"
          # disable is a denylist. Combinable with enable.
          disable: "SPELL,COPYPASTE"
```
Auto-fix (apply-fixes)
```yaml
jobs:
  lint-fix:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
      - name: lint-with-autofix
        uses: "collabops/lint@v1"
        with:
          enable: "TYPESCRIPT,JAVASCRIPT"
          # Formatters / fixable linters write changes back to disk.
          apply-fixes: "true"
      # Hand the fixed tree off to another Job in the same workflow.
      - name: upload-fixes
        uses: "collabops/upload-artifact@v2"
        with:
          name: lint-fixes
          path: .
```
Key points — The simplest form (no with) auto-selects linters for the changed files. enable and disable combine; the 60+ language keywords are uppercase (TYPESCRIPT, DOCKERFILE, …). apply-fixes: "true" mutates the workspace, so pair it with downstream commit/PR automation carefully.
collabops/sast-scan@v1
On-Premise: ✅ airgapped compatible
Runs static application security testing (SAST) based on Semgrep. Detects OWASP Top 10 and other security vulnerabilities.
| Input | Required | Default | Description |
|---|---|---|---|
| config | NO | "auto" | Semgrep rules config (auto, p/python, p/javascript, or file path) |
| severity | NO | "ERROR" | Minimum severity filter (INFO, WARNING, ERROR) |
| output-format | NO | "text" | Output format (text, json, sarif) |
| working-directory | NO | "/workspace/source" | Scan target directory |
Examples
Basic — auto ruleset
```yaml
jobs:
  sast:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
      # Default config: "auto" — language detection picks a standard ruleset.
      - name: sast-scan
        uses: "collabops/sast-scan@v1"
```
OWASP Top 10 + fail on WARNING+
```yaml
jobs:
  sast:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
      - name: sast-owasp
        uses: "collabops/sast-scan@v1"
        with:
          # Standard ruleset. Accepts a Semgrep registry slug, local path, or URL.
          config: p/owasp-top-ten
          # Fail the Job when any finding meets or exceeds this severity.
          severity: WARNING
```
SARIF output + artifact upload
```yaml
# To preserve the report even on failure, split into a separate Job with if: "always()".
jobs:
  sast:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
      - name: sast-with-sarif
        uses: "collabops/sast-scan@v1"
        with:
          config: p/security-audit
          # Standard format consumable by security dashboards and review tools.
          output-format: sarif
  archive-sast-report:
    needs: [sast]
    # Always runs regardless of upstream success/failure — report is always collected.
    if: "always()"
    steps:
      - name: archive-sarif
        uses: "collabops/upload-artifact@v2"
        with:
          name: sast-report
          path: semgrep-results.sarif
```
Key points — config accepts a Semgrep registry slug (p/owasp-top-ten), local path, or URL. severity is INFO|WARNING|ERROR — make the failure threshold explicit. Pair the SARIF output with if: always() + upload-artifact so the report is collected even on failure.
collabops/secret-detect@v1
On-Premise: ✅ airgapped compatible
Detects secrets in source code using Gitleaks. Scans for API keys, passwords, and other sensitive credentials.
| Input | Required | Default | Description |
|---|---|---|---|
| config | NO | "" | Gitleaks config file path (.gitleaks.toml) |
| report-format | NO | "json" | Report format (json, csv, sarif, junit) |
| report-path | NO | "/workspace/source/gitleaks-report.json" | Report output path |
| working-directory | NO | "/workspace/source" | Scan target directory |
Examples
Default scan + JSON report
```yaml
jobs:
  secret-scan:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
          # Secret scanning should cover the full history.
          fetch-depth: "0"
      - name: secret-detect
        uses: "collabops/secret-detect@v1"
```
Custom rules + SARIF upload
```yaml
# Split archival into its own Job so the report survives a failed scan.
jobs:
  secret-scan:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
          fetch-depth: "0"
      - name: secret-detect-with-rules
        uses: "collabops/secret-detect@v1"
        with:
          # Use the in-repo ruleset when one exists.
          config: .gitleaks.toml
          report-format: sarif
          report-path: /workspace/source/gitleaks-report.sarif
  archive-secret-report:
    needs: [secret-scan]
    if: "always()"
    steps:
      - name: archive-report
        uses: "collabops/upload-artifact@v2"
        with:
          name: gitleaks-report
          path: gitleaks-report.sarif
```
Key points — Secret scanning is only meaningful over the full history — set fetch-depth: "0" (shallow clones miss historical leaks). config can point at an in-repo .gitleaks.toml; omit it for the default ruleset. The Job fails by default when a finding is reported, so use if: always() to ensure the report is always uploaded.
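Both sast-scan (output-format: sarif) and secret-detect (report-format: sarif) leave a SARIF file for the archive Job, and a small consumer there lets you summarise what was archived and apply the same INFO/WARNING/ERROR threshold that the sast-scan severity input describes. The Python script below is an added example and is not collabops, Semgrep or Gitleaks code; the SARIF sample embedded in it is constructed (tool names are the two scanners' names, but the rule ids, file paths and line numbers are illustrative), and the rule that a result without a level counts as "warning" follows the SARIF 2.1.0 specification.

```python
"""Summarise a SARIF report and gate on a minimum severity (added example)."""
import json
import sys
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# SARIF 2.1.0 result levels, ranked, with the page's INFO|WARNING|ERROR
# threshold names mapped onto them.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}
THRESHOLD_LEVEL = {"INFO": "note", "WARNING": "warning", "ERROR": "error"}

Finding = Tuple[str, str, str, str, int]  # (tool, rule_id, level, uri, line)


def iter_findings(sarif: dict) -> Iterator[Finding]:
    """Walk every run/result in a SARIF log and yield a flat finding tuple."""
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            # Per SARIF 2.1.0 a result without an explicit level is a "warning".
            level = result.get("level", "warning")
            phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
            line = phys.get("region", {}).get("startLine", 0)
            yield tool, result.get("ruleId", "<no-rule>"), level, uri, line


def summarize(sarif: dict) -> Dict[str, Counter]:
    """Count findings per tool, broken down by SARIF level."""
    summary: Dict[str, Counter] = {}
    for tool, _rule, level, _uri, _line in iter_findings(sarif):
        summary.setdefault(tool, Counter())[level] += 1
    return summary


def gate(sarif: dict, min_severity: str = "ERROR") -> List[str]:
    """Return one text line per finding at or above min_severity (INFO|WARNING|ERROR).

    An empty list means the gate passes at that threshold.
    """
    floor = LEVEL_RANK[THRESHOLD_LEVEL[min_severity.upper()]]
    return [
        f"{tool}: {rule} [{level}] {uri}:{line}"
        for tool, rule, level, uri, line in iter_findings(sarif)
        if LEVEL_RANK.get(level, 0) >= floor
    ]


# Constructed sample: one Semgrep-style run and one Gitleaks-style run. Rule ids,
# paths and line numbers are illustrative, not real scanner output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "semgrep"}},
         "results": [
             {"ruleId": "example.sqli", "level": "error",
              "message": {"text": "constructed: tainted SQL query"},
              "locations": [{"physicalLocation": {
                  "artifactLocation": {"uri": "src/db.py"},
                  "region": {"startLine": 42}}}]},
             {"ruleId": "example.weak-hash", "level": "warning",
              "message": {"text": "constructed: weak hash"},
              "locations": [{"physicalLocation": {
                  "artifactLocation": {"uri": "src/auth.py"},
                  "region": {"startLine": 7}}}]},
             {"ruleId": "example.todo", "level": "note",
              "message": {"text": "constructed: informational"},
              "locations": [{"physicalLocation": {
                  "artifactLocation": {"uri": "src/util.py"},
                  "region": {"startLine": 3}}}]}]},
        {"tool": {"driver": {"name": "gitleaks"}},
         "results": [
             {"ruleId": "example-api-key",  # no level: SARIF defaults to "warning"
              "message": {"text": "constructed: credential-like string"},
              "locations": [{"physicalLocation": {
                  "artifactLocation": {"uri": "config/settings.py"},
                  "region": {"startLine": 12}}}]}]},
    ],
}


def main(argv: List[str]) -> int:
    """Usage: sarif_gate.py <report.sarif> [INFO|WARNING|ERROR]; exit 1 on findings."""
    threshold = argv[2] if len(argv) > 2 else "ERROR"
    with open(argv[1], encoding="utf-8") as fh:
        report = json.load(fh)
    for tool, counts in summarize(report).items():
        print(f"{tool}: {dict(counts)}")
    failing = gate(report, threshold)
    print("\n".join(failing) or f"no findings at or above {threshold}")
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step in the archive Job against gitleaks-report.sarif or semgrep-results.sarif to print per-tool counts next to the uploaded artifact. The constructed Gitleaks-style result shows the caveat: a result that carries no level is only a "warning" in SARIF terms and would pass an ERROR gate, so for secret findings keep relying on the scanner Job failing on any finding (as the Key points above state) rather than on a level threshold.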
collabops/sonar-scan@v1
On-Premise: ✅ airgapped compatible (requires a SonarQube server reachable from the pipeline)
Static analysis that uploads code quality and security results to an external SonarQube server. The sonar-scanner CLI runs on the image's bundled JRE, so there is no runtime download.
| Input | Required | Default | Description |
|---|---|---|---|
| sonar-host-url | YES | — | SonarQube server URL (SONAR_HOST_URL) |
| sonar-token | YES | — | Auth token (inject via secrets) |
| project-key | YES | — | Project key (sonar.projectKey) |
| sources | NO | "." | Source path to analyze (sonar.sources) |
| working-directory | NO | "/workspace/source" | Scan working directory (sonar.projectBaseDir) |
| skip-jre-provisioning | NO | "true" | Use the image's bundled JRE (airgapped-safe, no runtime download) |
| extra-args | NO | "" | Pass extra sonar-scanner -D options through |
Examples
Basic scan
```yaml
jobs:
  quality:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
      # Uploads the analysis to an external SonarQube server. Server URL/token come from workspace settings.
      - name: sonar-scan
        uses: "collabops/sonar-scan@v1"
        with:
          # SonarQube server URL — register SONAR_HOST_URL in workspace variables and reference it.
          sonar-host-url: ${{ vars.SONAR_HOST_URL }}
          # Analysis token — store it in secrets (never inline plaintext).
          sonar-token: ${{ secrets.SONAR_TOKEN }}
          # Project key created on the SonarQube server.
          project-key: "<workspace>-<repository>"
```
Block change requests with a Quality Gate
```yaml
# To use it as a CR merge gate, combine the change_request trigger with qualitygate.wait.
jobs:
  quality:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
      - name: sonar-scan
        uses: "collabops/sonar-scan@v1"
        with:
          sonar-host-url: ${{ vars.SONAR_HOST_URL }}
          sonar-token: ${{ secrets.SONAR_TOKEN }}
          project-key: "<workspace>-<repository>"
          # Wait for the server-side Quality Gate result and fail the step on failure to block the merge.
          # (Only meaningful when a Quality Gate is configured for the project on the server.)
          extra-args: "-Dsonar.qualitygate.wait=true"
```
Per-server tuning with extra-args
```yaml
jobs:
  quality:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
      - name: sonar-scan
        uses: "collabops/sonar-scan@v1"
        with:
          sonar-host-url: ${{ vars.SONAR_HOST_URL }}
          sonar-token: ${{ secrets.SONAR_TOKEN }}
          project-key: "<workspace>-<repository>"
          # Source path to analyze (relative to working-directory).
          sources: "src"
          # Pass extra -D options through — multiple separated by spaces.
          extra-args: "-Dsonar.exclusions=**/*.test.ts -Dsonar.sourceEncoding=UTF-8"
```
Key points — sonar-host-url, sonar-token, and project-key are required. Always inject the token via secrets and the server URL via vars (never inline plaintext). Even in airgapped On-Premise, skip-jre-provisioning defaults to true so it runs without runtime downloads, but the pipeline pod still needs a reachable SonarQube server. To block CR merges, combine extra-args: "-Dsonar.qualitygate.wait=true" with a server-side Quality Gate.