Update oxsecurity/megalinter action to v9

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
oxsecurity/megalinter	action	major	v8 -> v9

---

Release Notes

oxsecurity/megalinter (oxsecurity/megalinter)

v9

Compare Source

• New linters

  • Add Robocop linter, by @​bdovaz in #​6232

• Linters enhancements

  • Python Linting: Added more file type supports for various linters. Full description here

• Doc

  • Add OLLAMA_BASE_URL is MegaLinter config Json schema

• Flavors

  • Custom flavors: Add workflow to automate detection of new MegaLinter versions and generation of new Custom Flavor

• CI

  • Fix v9 release issue + mark hardcoded versions to upgrade at each new major release.

• Linter versions upgrades (22)

  • ansible-lint from 25.9.0 to 25.9.1
  • bicep_linter from 0.37.4 to 0.38.33
  • cfn-lint from 1.39.1 to 1.40.0
  • checkstyle from 11.0.1 to 11.1.0
  • clj-kondo from 2025.09.19 to 2025.09.22
  • golangci-lint from 2.4.0 to 2.5.0
  • hadolint from 2.13.1 to 2.14.0
  • isort from 6.0.1 to 6.1.0
  • kics from 2.1.13 to 2.1.14
  • npm-groovy-lint from 15.2.1 to 15.2.2
  • php-cs-fixer from 3.87.2 to 3.88.2
  • phpstan from 2.1.28 to 2.1.30
  • pylint from 3.3.8 to 3.3.9
  • pyright from 1.1.405 to 1.1.406
  • robocop from 6.7.0 to 6.7.2
  • rubocop from 1.80.2 to 1.81.1
  • ruff-format from 0.13.1 to 0.13.3
  • ruff from 0.13.1 to 0.13.3
  • snakemake from 9.11.4 to 9.11.9
  • terraform-fmt from 1.13.2 to 1.13.3
  • terragrunt from 0.87.2 to 0.88.1
  • trivy from 0.66.0 to 0.67.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
⚠️ ACTION	actionlint	6		2	0	0.08s
✅ COPYPASTE	jscpd	yes		no	no	1.91s
✅ JSON	jsonlint	5		0	0	0.19s
✅ JSON	npm-package-json-lint	yes		no	no	0.4s
✅ JSON	prettier	9	0	0	0	0.32s
✅ JSON	v8r	9		0	0	8.32s
⚠️ MARKDOWN	markdownlint	5	0	2	0	0.77s
✅ MARKDOWN	markdown-table-formatter	5	0	0	0	0.29s
✅ REPOSITORY	gitleaks	yes		no	no	1.37s
✅ REPOSITORY	git_diff	yes		no	no	0.0s
❌ REPOSITORY	grype	yes		6	no	26.02s
✅ REPOSITORY	secretlint	yes		no	no	0.46s
✅ REPOSITORY	syft	yes		no	no	1.98s
✅ REPOSITORY	trivy	yes		no	no	7.14s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.2s
✅ REPOSITORY	trufflehog	yes		no	no	7.81s
✅ SPELL	cspell	35		0	0	4.08s
⚠️ SPELL	lychee	21		1	0	0.86s
✅ TYPESCRIPT	eslint	9	0	0	0	4.31s
✅ TYPESCRIPT	prettier	9	0	0	0	0.66s
✅ YAML	prettier	8	0	0	0	0.68s
✅ YAML	v8r	8		0	0	6.32s
✅ YAML	yamllint	8		0	0	0.7s

Detailed Issues

❌ REPOSITORY / grype - 6 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME                INSTALLED  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS           RISK   
cross-spawn         7.0.3      7.0.5     npm   GHSA-3xgq-45jj-v275  High      0.1% (33rd)    < 0.1  
@eslint/plugin-kit  0.2.2      0.2.3     npm   GHSA-7q7g-4xm8-89cq  Low       0.2% (46th)    < 0.1  
@babel/helpers      7.25.6     7.26.10   npm   GHSA-968p-4wvh-cqc8  Medium    < 0.1% (15th)  < 0.1  
brace-expansion     1.1.11     1.1.12    npm   GHSA-v6h2-p8h4-qcjw  Low       < 0.1% (4th)   < 0.1  
brace-expansion     2.0.1      2.0.2     npm   GHSA-v6h2-p8h4-qcjw  Low       < 0.1% (4th)   < 0.1  
@eslint/plugin-kit  0.2.2      0.3.4     npm   GHSA-xffm-g5w8-qvg7  Low       N/A            N/A
[0025] ERROR discovered vulnerabilities at or above the severity threshold

⚠️ ACTION / actionlint - 2 errors

.github/workflows/github-dependents-info.yml:53:9: shellcheck reported issue in this script: SC2086:info:1:15: Double quote to prevent globbing and word splitting [shellcheck]
   |
53 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/github-dependents-info.yml:53:9: shellcheck reported issue in this script: SC2086:info:1:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
53 |         run: sudo chown -R $USER:$USER .
   |         ^~~~

⚠️ SPELL / lychee - 1 error

[403] https://npmjs.org/package/node-sarif-builder | Network error: Forbidden
📝 Summary
---------------------
🔍 Total...........49
✅ Successful......35
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded........13
❓ Unknown..........0
🚫 Errors...........1

Errors in README.md
[403] https://npmjs.org/package/node-sarif-builder | Network error: Forbidden

⚠️ MARKDOWN / markdownlint - 2 errors

.github/ISSUE_TEMPLATE.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "- **I'm submitting a ...**"]
.github/PULL_REQUEST_TEMPLATE.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "- **What kind of change does t..."]

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.0.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,COPYPASTE_JSCPD,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL,SPELL_LYCHEE,TYPESCRIPT_ES,TYPESCRIPT_PRETTIER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R