Updates base image to python:3.13-alpine3.22 (#6133)

* Updates base image to python:3.13-alpine3.22

Updates the base Docker image for the build and runtime environments to python:3.13-alpine3.22.

This ensures that the linter environment benefits from the latest security patches and updates available in the newer Alpine release.

Fixes #6065

* Updates clang version to 20

Updates the clang version used in multiple Dockerfiles and MegaLinter descriptors from 19 to 20.

This ensures that the latest clang tools are used for static analysis and formatting.

* Increases test timeout duration

Extends the test execution timeout to accommodate potentially longer test runs.
This prevents premature termination of tests due to time constraints, ensuring more reliable test results.

* Upgrade checkov

* disable puppet-lint

* [MegaLinter] Apply linters fixes

* Disable checkov

* [MegaLinter] Apply linters fixes

---------

Co-authored-by: nvuillam <[email protected]>

Author: nvuillam

.automation/generated/linters_matrix.json

@@ -63,7 +63,6 @@
   "powershell_powershell",
   "powershell_powershell_formatter",
   "protobuf_protolint",
-  "puppet_puppet_lint",
   "python_pylint",
   "python_black",
   "python_flake8",
@@ -75,7 +74,6 @@
   "python_ruff_format",
   "r_lintr",
   "raku_raku",
-  "repository_checkov",
   "repository_devskim",
   "repository_dustilock",
   "repository_git_diff",

.automation/test/Dockerfile-megalinter-custom

@@ -33,7 +33,7 @@ FROM hadolint/hadolint:${DOCKERFILE_HADOLINT_VERSION} AS hadolint
 # Build wheel for megalinter python package
 ##################
 FROM ghcr.io/astral-sh/uv:0.7.22 AS uv
-FROM python:3.13-alpine3.21 AS build-ml-core
+FROM python:3.13-alpine3.22 AS build-ml-core
 WORKDIR /
 COPY --from=uv /uv /uvx /bin/
 # Install dependencies
@@ -50,7 +50,7 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 ##################
 # Get base image #
 ##################
-FROM python:3.13-alpine3.21
+FROM python:3.13-alpine3.22
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

.github/workflows/deploy-DEV.yml

@@ -175,7 +175,7 @@ jobs:
           fi
           docker image ls
           docker run $CI_ENV -e TEST_CASE_RUN=true -e OUTPUT_FORMAT=text -e OUTPUT_FOLDER=${{ github.sha }} -e OUTPUT_DETAIL=detailed -e GITHUB_SHA=${{ github.sha }} -e GITHUB_REPOSITORY=${GITHUB_REPOSITORY} -e GITHUB_BRANCH=${GITHUB_BRANCH} -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" -e TEST_KEYWORDS="${TEST_KEYWORDS_TO_USE}" -e MEGALINTER_VOLUME_ROOT="${GITHUB_WORKSPACE}" -v "/var/run/docker.sock:/var/run/docker.sock:rw" -v ${GITHUB_WORKSPACE}:/tmp/lint ${{ fromJson(steps.meta.outputs.json).tags[0]}}
-        timeout-minutes: 90
+        timeout-minutes: 120
         env:
           COMMIT_MSG: ${{ github.event.head_commit.message }}
 

CHANGELOG.md

@@ -20,10 +20,13 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
   - Use ghcr.io docker images by default because of rate limits on docker.io
   - Use uv to create the venv folder for pip-installed linters
   - Add copilot instructions for GitHub Copilot
+  - Update base image to python:3.13-alpine3.21 (also embeds go 1.24)
 
 - New linters
 
 - Disabled linters
+  - [puppet-lint](https://megalinter.io/beta/descriptors/puppet_puppet_lint/): Disabled Until fix is provided for <https://github.com/puppetlabs/puppet-lint/issues/251>
+  - [checkov](https://megalinter.io/beta/descriptors/repository_checkov/): Disabled until fix is provided for <https://github.com/bridgecrewio/checkov/issues/7263>
 
 - Removed linters
   - **markdown-link-check** has been removed because [**lychee**](https://megalinter.io/latest/descriptors/spell_lychee/) can be used instead, and has much better performances

Dockerfile

@@ -87,7 +87,7 @@ FROM alpine/terragrunt:${TERRAFORM_TERRAGRUNT_VERSION} AS terragrunt
 # Build wheel for megalinter python package
 ##################
 FROM ghcr.io/astral-sh/uv:0.8.17 AS uv
-FROM python:3.13-alpine3.21 AS build-ml-core
+FROM python:3.13-alpine3.22 AS build-ml-core
 WORKDIR /
 COPY --from=uv /uv /uvx /bin/
 # Install dependencies
@@ -104,7 +104,7 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 ##################
 # Get base image #
 ##################
-FROM python:3.13-alpine3.21
+FROM python:3.13-alpine3.22
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -266,8 +266,6 @@ ARG PHP_FRIENDSOFPHP_PHP_CS_FIXER_VERSION=v3.87.2
 # renovate: datasource=nuget depName=PSScriptAnalyzer registryUrl=https://www.powershellgallery.com/api/v2/
 ARG PSSA_VERSION='1.24.0'
 
-# renovate: datasource=rubygems depName=puppet-lint
-ARG GEM_PUPPET_LINT_VERSION=4.3.0
 # renovate: datasource=pypi depName=pylint
 ARG PIP_PYLINT_VERSION=3.3.8
 # renovate: datasource=pypi depName=typing-extensions
@@ -292,8 +290,6 @@ ARG PIP_RUFF_VERSION=0.13.0
 ARG RAKU_RAKU_VERSION=2024.12
 ARG RAKU_RAKU_ALPINE_VERSION=3.20
 
-# renovate: datasource=pypi depName=checkov
-ARG PIP_CHECKOV_VERSION=3.2.413
 # renovate: datasource=nuget depName=Microsoft.CST.DevSkim.CLI
 ARG REPOSITORY_DEVSKIM_VERSION=1.0.63
 # renovate: datasource=github-tags depName=anchore/grype
@@ -437,7 +433,7 @@ RUN apk -U --no-cache upgrade \
                 coreutils \
                 py3-pyflakes \
                 cppcheck \
-                clang19-extra-tools \
+                clang20-extra-tools \
                 openjdk17 \
                 helm \
                 gcompat \
@@ -508,7 +504,6 @@ RUN uv pip install --system --no-cache pip==${PIP_PIP_VERSION} virtualenv==${PIP
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/mypy" && VIRTUAL_ENV="/venvs/mypy" uv pip install --no-cache mypy==${PIP_MYPY_VERSION} \
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/ruff" && VIRTUAL_ENV="/venvs/ruff" uv pip install --no-cache ruff==${PIP_RUFF_VERSION} \
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/ruff-format" && VIRTUAL_ENV="/venvs/ruff-format" uv pip install --no-cache ruff==${PIP_RUFF_VERSION} \
-    && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/checkov" && VIRTUAL_ENV="/venvs/checkov" uv pip install --no-cache checkov==${PIP_CHECKOV_VERSION} \
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/semgrep" && VIRTUAL_ENV="/venvs/semgrep" uv pip install --no-cache semgrep==${PIP_SEMGREP_VERSION} \
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/rst-lint" && VIRTUAL_ENV="/venvs/rst-lint" uv pip install --no-cache Pygments==${PIP_PYGMENTS_VERSION} restructuredtext_lint==${PIP_RESTRUCTUREDTEXT_LINT_VERSION} \
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/rstcheck" && VIRTUAL_ENV="/venvs/rstcheck" uv pip install --no-cache click==${PIP_RSTCHECK_CLICK_VERSION} rstcheck[toml,sphinx]==${PIP_RSTCHECK_VERSION} \
@@ -520,7 +515,7 @@ RUN uv pip install --system --no-cache pip==${PIP_PIP_VERSION} virtualenv==${PIP
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/yamllint" && VIRTUAL_ENV="/venvs/yamllint" uv pip install --no-cache yamllint==${PIP_YAMLLINT_VERSION}  \
     && find /venvs \( -type f \( -iname \*.pyc -o -iname \*.pyo \) -o -type d -iname __pycache__ \) -delete \
     && rm -rf /root/.cache
-ENV PATH="${PATH}":/venvs/ansible-lint/bin:/venvs/cpplint/bin:/venvs/cfn-lint/bin:/venvs/stylelint/bin:/venvs/djlint/bin:/venvs/pylint/bin:/venvs/black/bin:/venvs/flake8/bin:/venvs/isort/bin:/venvs/bandit/bin:/venvs/mypy/bin:/venvs/ruff/bin:/venvs/ruff-format/bin:/venvs/checkov/bin:/venvs/semgrep/bin:/venvs/rst-lint/bin:/venvs/rstcheck/bin:/venvs/rstfmt/bin:/venvs/snakemake/bin:/venvs/snakefmt/bin:/venvs/proselint/bin:/venvs/sqlfluff/bin:/venvs/yamllint/bin
+ENV PATH="${PATH}":/venvs/ansible-lint/bin:/venvs/cpplint/bin:/venvs/cfn-lint/bin:/venvs/stylelint/bin:/venvs/djlint/bin:/venvs/pylint/bin:/venvs/black/bin:/venvs/flake8/bin:/venvs/isort/bin:/venvs/bandit/bin:/venvs/mypy/bin:/venvs/ruff/bin:/venvs/ruff-format/bin:/venvs/semgrep/bin:/venvs/rst-lint/bin:/venvs/rstcheck/bin:/venvs/rstfmt/bin:/venvs/snakemake/bin:/venvs/snakefmt/bin:/venvs/proselint/bin:/venvs/sqlfluff/bin:/venvs/yamllint/bin
 #PIPVENV__END
 
 ############################
@@ -605,7 +600,6 @@ ENV PATH="/node-deps/node_modules/.bin:${PATH}" \
 #GEM__START
 RUN echo 'gem: --no-document' >> ~/.gemrc && \
     gem install \
-          puppet-lint:${GEM_PUPPET_LINT_VERSION} \
           rubocop:${GEM_RUBOCOP_VERSION} \
           rubocop-github:${GEM_RUBOCOP_GITHUB_VERSION} \
           rubocop-performance:${GEM_RUBOCOP_PERFORMANCE_VERSION} \
@@ -1015,8 +1009,6 @@ RUN pwsh -c 'Install-Module -Name PSScriptAnalyzer -RequiredVersion ${PSSA_VERSI
 # protolint installation
 # Managed with COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/
 #
-# puppet-lint installation
-#
 # pylint installation
 #
 # black installation
@@ -1049,8 +1041,6 @@ RUN mkdir -p /home/r-library \
 
 ENV PATH="~/.raku/bin:/opt/rakudo-pkg/bin:/opt/rakudo-pkg/share/perl6/site/bin:$PATH"
 #
-# checkov installation
-#
 # devskim installation
 # Next line commented because already managed by another linter
 # RUN apk add --no-cache dotnet9-sdk

Dockerfile-custom-flavor

@@ -10,7 +10,7 @@ FROM ghcr.io/astral-sh/uv:0.8.17 AS uv
 ##################
 # Get base image #
 ##################
-FROM python:3.13-alpine3.21
+FROM python:3.13-alpine3.22
 
 RUN apk -U --no-cache upgrade \
     && apk add --no-cache \

Dockerfile-quick

@@ -16,7 +16,7 @@ FROM $MEGALINTER_BASE_IMAGE as base
 # Build wheel for megalinter python package
 ##################
 FROM ghcr.io/astral-sh/uv:0.8.17 AS uv
-FROM python:3.13-alpine3.21 AS build-ml-core
+FROM python:3.13-alpine3.22 AS build-ml-core
 WORKDIR /
 COPY pyproject.toml .
 COPY --from=uv /uv /bin/uv

flavors/c_cpp/Dockerfile

@@ -60,7 +60,7 @@ FROM lycheeverse/lychee:${SPELL_LYCHEE_VERSION} AS lychee
 # Build wheel for megalinter python package
 ##################
 FROM ghcr.io/astral-sh/uv:0.8.17 AS uv
-FROM python:3.13-alpine3.21 AS build-ml-core
+FROM python:3.13-alpine3.22 AS build-ml-core
 WORKDIR /
 COPY --from=uv /uv /uvx /bin/
 # Install dependencies
@@ -77,7 +77,7 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 ##################
 # Get base image #
 ##################
-FROM python:3.13-alpine3.21
+FROM python:3.13-alpine3.22
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -133,8 +133,6 @@ ARG KUBERNETES_KUBESCAPE_VERSION=3.0.40
 ARG NPM_MARKDOWNLINT_CLI_VERSION=0.45.0
 # renovate: datasource=npm depName=markdown-table-formatter
 ARG NPM_MARKDOWN_TABLE_FORMATTER_VERSION=1.6.1
-# renovate: datasource=pypi depName=checkov
-ARG PIP_CHECKOV_VERSION=3.2.413
 # renovate: datasource=github-tags depName=anchore/grype
 ARG REPOSITORY_GRYPE_VERSION=0.99.1
 # renovate: datasource=npm depName=@ls-lint/ls-lint
@@ -213,7 +211,7 @@ RUN apk -U --no-cache upgrade \
                 openjdk21 \
                 py3-pyflakes \
                 cppcheck \
-                clang19-extra-tools \
+                clang20-extra-tools \
                 openjdk17 \
                 helm \
                 gcompat \
@@ -264,7 +262,6 @@ RUN uv pip install --system --no-cache pip==${PIP_PIP_VERSION} virtualenv==${PIP
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/cpplint" && VIRTUAL_ENV="/venvs/cpplint" uv pip install --no-cache cpplint==${PIP_CPPLINT_VERSION} \
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/stylelint" && VIRTUAL_ENV="/venvs/stylelint" uv pip install --no-cache cpplint==${PIP_CPPLINT_VERSION} \
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/djlint" && VIRTUAL_ENV="/venvs/djlint" uv pip install --no-cache djlint==${PIP_DJLINT_VERSION} \
-    && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/checkov" && VIRTUAL_ENV="/venvs/checkov" uv pip install --no-cache checkov==${PIP_CHECKOV_VERSION} \
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/semgrep" && VIRTUAL_ENV="/venvs/semgrep" uv pip install --no-cache semgrep==${PIP_SEMGREP_VERSION} \
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/snakemake" && VIRTUAL_ENV="/venvs/snakemake" uv pip install --no-cache snakemake==${PIP_SNAKEMAKE_VERSION} \
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/snakefmt" && VIRTUAL_ENV="/venvs/snakefmt" uv pip install --no-cache snakefmt==${PIP_SNAKEFMT_VERSION} \
@@ -273,7 +270,7 @@ RUN uv pip install --system --no-cache pip==${PIP_PIP_VERSION} virtualenv==${PIP
     && uv venv --seed --no-project --no-managed-python --no-cache "/venvs/yamllint" && VIRTUAL_ENV="/venvs/yamllint" uv pip install --no-cache yamllint==${PIP_YAMLLINT_VERSION}  \
     && find /venvs \( -type f \( -iname \*.pyc -o -iname \*.pyo \) -o -type d -iname __pycache__ \) -delete \
     && rm -rf /root/.cache
-ENV PATH="${PATH}":/venvs/ansible-lint/bin:/venvs/cpplint/bin:/venvs/stylelint/bin:/venvs/djlint/bin:/venvs/checkov/bin:/venvs/semgrep/bin:/venvs/snakemake/bin:/venvs/snakefmt/bin:/venvs/proselint/bin:/venvs/sqlfluff/bin:/venvs/yamllint/bin
+ENV PATH="${PATH}":/venvs/ansible-lint/bin:/venvs/cpplint/bin:/venvs/stylelint/bin:/venvs/djlint/bin:/venvs/semgrep/bin:/venvs/snakemake/bin:/venvs/snakefmt/bin:/venvs/proselint/bin:/venvs/sqlfluff/bin:/venvs/yamllint/bin
 #PIPVENV__END
 
 ############################
@@ -445,8 +442,6 @@ RUN curl --retry 5 --retry-delay 5 -sSLO https://github.com/pinterest/ktlint/rel
 # protolint installation
 # Managed with COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/
 #
-# checkov installation
-#
 # gitleaks installation
 # Managed with COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
 #

flavors/c_cpp/flavor.json

@@ -38,7 +38,6 @@
         "MARKDOWN_MARKDOWNLINT",
         "MARKDOWN_MARKDOWN_TABLE_FORMATTER",
         "PROTOBUF_PROTOLINT",
-        "REPOSITORY_CHECKOV",
         "REPOSITORY_GIT_DIFF",
         "REPOSITORY_GITLEAKS",
         "REPOSITORY_GRYPE",

flavors/ci_light/Dockerfile

@@ -39,7 +39,7 @@ FROM trufflesecurity/trufflehog:${REPOSITORY_TRUFFLEHOG_VERSION} AS trufflehog
 # Build wheel for megalinter python package
 ##################
 FROM ghcr.io/astral-sh/uv:0.8.17 AS uv
-FROM python:3.13-alpine3.21 AS build-ml-core
+FROM python:3.13-alpine3.22 AS build-ml-core
 WORKDIR /
 COPY --from=uv /uv /uvx /bin/
 # Install dependencies
@@ -56,7 +56,7 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 ##################
 # Get base image #
 ##################
-FROM python:3.13-alpine3.21
+FROM python:3.13-alpine3.22
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##