zhongwei/gh-agentsecops-secopsagentkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

385
skills/secsdlc/reviewdog/SKILL.md Normal file
View File

@@ -0,0 +1,385 @@
---
name: reviewdog
description: >
Automated code review and security linting integration for CI/CD pipelines using reviewdog.
Aggregates findings from multiple security and quality tools (SAST, linters, formatters) into
unified code review comments on pull requests. Use when: (1) Integrating security scanning
into code review workflows, (2) Automating security feedback on pull requests,
(3) Consolidating multiple tool outputs into actionable review comments, (4) Enforcing
secure coding standards in CI/CD pipelines, (5) Providing inline security annotations
during development.
version: 0.1.0
maintainer: asrour
category: secsdlc
tags: [code-review, ci-cd, automation, security-feedback, pull-request, linting, sast-integration]
frameworks: [OWASP, CWE]
dependencies:
tools: [reviewdog, git]
optional: [semgrep, bandit, hadolint, checkov, gitleaks, shellcheck, eslint]
references:
- https://github.com/reviewdog/reviewdog
- https://reviewdog.github.io/
---
# Reviewdog - Automated Security Code Review
## Overview
Reviewdog is an automated code review tool that integrates security scanning and linting results
into pull request review comments. It acts as a universal adapter between various security tools
(SAST scanners, linters, formatters) and code hosting platforms (GitHub, GitLab, Bitbucket),
enabling seamless security feedback during code review.
**Key Capabilities:**
- Aggregates findings from multiple security and quality tools
- Posts inline review comments on specific code lines
- Supports 40+ linters and security scanners out-of-the-box
- Integrates with GitHub Actions, GitLab CI, CircleCI, and other CI platforms
- Filters findings to show only new issues in diff (fail-on-diff mode)
- Supports custom rulesets and security policies
## Quick Start
### Basic reviewdog usage with a security scanner:
```bash
# Install reviewdog
go install github.com/reviewdog/reviewdog/cmd/reviewdog@latest
# Run a security scanner and pipe to reviewdog
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
# Or use with Semgrep
semgrep --config=auto --json | reviewdog -f=semgrep -reporter=local
```
### GitHub Actions integration:
```yaml
- name: Run reviewdog
uses: reviewdog/action-setup@v1
- name: Security scan with reviewdog
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
```
## Core Workflow
### Step 1: Install reviewdog
Install reviewdog in your CI environment or locally:
```bash
# Via Go
go install github.com/reviewdog/reviewdog/cmd/reviewdog@latest
# Via Homebrew (macOS/Linux)
brew install reviewdog
# Via Docker
docker pull reviewdog/reviewdog:latest
```
### Step 2: Configure Security Tools
Set up the security scanners you want to integrate. Reviewdog supports multiple input formats:
**Supported Security Tools:**
- **SAST**: Semgrep, Bandit, ESLint Security, Brakeman
- **Secret Detection**: Gitleaks, TruffleHog, detect-secrets
- **IaC Security**: Checkov, tfsec, terrascan
- **Container Security**: Hadolint, Trivy, Dockle
- **General Linters**: ShellCheck, yamllint, markdownlint
### Step 3: Integrate into CI/CD Pipeline
Add reviewdog to your CI pipeline to automatically post security findings as review comments:
**GitHub Actions Example:**
```yaml
name: Security Review
on: [pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup reviewdog
uses: reviewdog/action-setup@v1
- name: Run Bandit SAST
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
pip install bandit
bandit -r . -f json | \
reviewdog -f=bandit \
-name="Bandit SAST" \
-reporter=github-pr-review \
-filter-mode=added \
-fail-on-error
```
**GitLab CI Example:**
```yaml
security_review:
stage: test
script:
- pip install bandit reviewdog
- bandit -r . -f json |
reviewdog -f=bandit
-reporter=gitlab-mr-discussion
-filter-mode=diff_context
only:
- merge_requests
```
### Step 4: Configure Review Behavior
Customize reviewdog's behavior using flags:
```bash
# Filter to show only issues in changed lines
reviewdog -filter-mode=diff_context
# Filter to show only issues in added lines
reviewdog -filter-mode=added
# Fail the build if findings are present
reviewdog -fail-on-error
# Set severity threshold
reviewdog -level=warning
```
### Step 5: Review Security Findings
Reviewdog posts findings as inline comments on the pull request:
- **Inline annotations**: Security issues appear directly on affected code lines
- **Severity indicators**: Critical, High, Medium, Low severity levels
- **Remediation guidance**: Links to CWE/OWASP references when available
- **Diff-aware filtering**: Only shows new issues introduced in the PR
## Security Considerations
- **API Token Security**: Store GitHub/GitLab tokens in secrets management (GitHub Secrets, GitLab CI/CD variables)
- Never commit tokens to version control
- Use minimum required permissions (read/write on pull requests)
- Rotate tokens regularly
- **Access Control**:
- Configure reviewdog to run only on trusted branches
- Use CODEOWNERS to require security team approval for reviewdog config changes
- Restrict who can modify `.reviewdog.yml` configuration
- **Audit Logging**:
- Log all security findings to SIEM or security monitoring platform
- Track when findings are introduced and resolved
- Monitor for bypassed security checks
- **Compliance**:
- Maintains audit trail of security reviews (SOC2, ISO27001)
- Enforces security policy compliance in code review
- Supports compliance reporting through CI/CD artifacts
- **Safe Defaults**:
- Use `fail-on-error` to block PRs with security findings
- Enable `filter-mode=added` to catch new vulnerabilities
- Configure severity thresholds appropriate to your risk tolerance
## Bundled Resources
### Scripts (`scripts/`)
- `setup_reviewdog.py` - Automated reviewdog installation and CI configuration generator
- `run_security_suite.sh` - Runs multiple security scanners through reviewdog
### References (`references/`)
- `supported_tools.md` - Complete list of supported security tools with configuration examples
- `reporter_formats.md` - Available output formats and reporter configurations
- `cwe_mapping.md` - Mapping of common tool findings to CWE categories
### Assets (`assets/`)
- `github_actions_template.yml` - GitHub Actions workflow for multi-tool security scanning
- `gitlab_ci_template.yml` - GitLab CI configuration for reviewdog integration
- `.reviewdog.yml` - Sample reviewdog configuration file
- `pre_commit_config.yaml` - Pre-commit hook integration
## Common Patterns
### Pattern 1: Multi-Tool Security Suite
Run multiple security tools and aggregate results in a single review:
```bash
#!/bin/bash
# Run comprehensive security scan
# Python security
bandit -r . -f json | reviewdog -f=bandit -name="Python SAST" -reporter=github-pr-review &
# Secrets detection
gitleaks detect --report-format json | reviewdog -f=gitleaks -name="Secret Scan" -reporter=github-pr-review &
# IaC security
checkov -d . -o json | reviewdog -f=checkov -name="IaC Security" -reporter=github-pr-review &
wait
```
### Pattern 2: Severity-Based Gating
Block PRs based on severity thresholds:
```yaml
- name: Critical findings - Block PR
run: |
semgrep --config=p/security-audit --severity=ERROR --json | \
reviewdog -f=semgrep -level=error -fail-on-error -reporter=github-pr-review
- name: Medium findings - Comment only
run: |
semgrep --config=p/security-audit --severity=WARNING --json | \
reviewdog -f=semgrep -level=warning -reporter=github-pr-review
```
### Pattern 3: Differential Security Scanning
Only flag new security issues introduced in the current PR:
```bash
# Only show findings in newly added code
reviewdog -filter-mode=added -fail-on-error
# Show findings in modified context (added + surrounding lines)
reviewdog -filter-mode=diff_context
```
### Pattern 4: Custom Security Rules
Integrate custom security policies using grep or custom parsers:
```bash
# Check for prohibited patterns
grep -nH -R "eval(" . --include="*.py" | \
reviewdog -f=grep -name="Dangerous Functions" -reporter=github-pr-review
# Custom JSON parser
./custom_security_scanner.py --json | \
reviewdog -f=rdjson -name="Custom Policy" -reporter=github-pr-review
```
## Integration Points
- **CI/CD Platforms**:
- GitHub Actions (native action available)
- GitLab CI/CD
- CircleCI
- Jenkins
- Azure Pipelines
- Bitbucket Pipelines
- **Security Tools**:
- **SAST**: Semgrep, Bandit, ESLint, Brakeman, CodeQL
- **Secrets**: Gitleaks, TruffleHog, detect-secrets
- **IaC**: Checkov, tfsec, terrascan, kics
- **Containers**: Hadolint, Trivy, Dockle
- **Code Hosting**:
- GitHub (PR comments, check runs, annotations)
- GitLab (MR discussions)
- Bitbucket (inline comments)
- Gerrit (review comments)
- **SDLC Integration**:
- **Pre-commit hooks**: Fast local feedback before push
- **PR/MR review**: Automated security review on code changes
- **Trunk protection**: Block merges with security findings
- **Security dashboard**: Aggregate findings for visibility
## Troubleshooting
### Issue: Reviewdog not posting comments
**Solution**:
- Verify GitHub token has correct permissions (`repo` scope for private repos, `public_repo` for public)
- Check CI environment has `REVIEWDOG_GITHUB_API_TOKEN` or `GITHUB_TOKEN` set
- Ensure repository settings allow PR comments from workflows
- Verify reviewdog is running in PR context (not on push to main)
### Issue: Too many false positives
**Solution**:
- Use `filter-mode=added` to only show new issues
- Configure tool-specific suppressions in `.reviewdog.yml`
- Adjust severity thresholds with `-level` flag
- Use baseline files to ignore existing issues
### Issue: Performance issues with large repositories
**Solution**:
- Run reviewdog only on changed files using `filter-mode=diff_context`
- Cache tool dependencies and databases in CI
- Run expensive scanners on scheduled jobs, lightweight ones on PR
- Use parallel execution for multiple tools
### Issue: Integration with custom security tools
**Solution**:
- Convert tool output to supported format (checkstyle, sarif, rdjson, rdjsonl)
- Use `-f=rdjson` for custom JSON output following reviewdog diagnostic format
- Create errorformat pattern for text-based outputs
- See `references/reporter_formats.md` for format specifications
## Advanced Configuration
### Custom reviewdog configuration (`.reviewdog.yml`)
```yaml
runner:
bandit:
cmd: bandit -r . -f json
format: bandit
name: Python Security
level: warning
semgrep:
cmd: semgrep --config=auto --json
format: semgrep
name: Multi-language SAST
level: error
gitleaks:
cmd: gitleaks detect --report-format json
format: gitleaks
name: Secret Detection
level: error
```
### Integration with Security Frameworks
Map findings to OWASP Top 10 and CWE:
```bash
# Semgrep with OWASP ruleset
semgrep --config "p/owasp-top-ten" --json | \
reviewdog -f=semgrep -name="OWASP Top 10" -reporter=github-pr-review
# Include CWE references in comments
reviewdog -f=semgrep -name="CWE Analysis" -reporter=github-pr-review
```
## References
- [Reviewdog Documentation](https://github.com/reviewdog/reviewdog)
- [Supported Tools and Formats](https://reviewdog.github.io/supported-tools)
- [GitHub Actions Integration](https://github.com/reviewdog/action-setup)
- [OWASP Secure Coding Practices](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/)
- [CWE Top 25](https://cwe.mitre.org/top25/)

9
skills/secsdlc/reviewdog/assets/.gitkeep Normal file
View File

@@ -0,0 +1,9 @@
# Assets Directory
Place files that will be used in the output Claude produces:
- Templates
- Configuration files
- Images/logos
- Boilerplate code
These files are NOT loaded into context but copied/modified in output.

108
skills/secsdlc/reviewdog/assets/.reviewdog.yml Normal file
View File

@@ -0,0 +1,108 @@
# Reviewdog configuration file
# Place this file in the root of your repository
# Run with: reviewdog -conf=.reviewdog.yml -reporter=github-pr-review
runner:
# Python SAST with Bandit
bandit:
cmd: bandit -r . -f json 2>/dev/null
format: bandit
name: Bandit Python Security
level: error
fail-on-error: true
# Multi-language SAST with Semgrep - Critical
semgrep-critical:
cmd: semgrep --config=auto --severity=ERROR --json --quiet 2>/dev/null
format: semgrep
name: Semgrep Critical Findings
level: error
fail-on-error: true
# Multi-language SAST with Semgrep - Warnings
semgrep-warnings:
cmd: semgrep --config=auto --severity=WARNING --json --quiet 2>/dev/null
format: semgrep
name: Semgrep Security Warnings
level: warning
fail-on-error: false
# OWASP Top 10 specific checks
semgrep-owasp:
cmd: semgrep --config "p/owasp-top-ten" --json --quiet 2>/dev/null
format: semgrep
name: OWASP Top 10 Vulnerabilities
level: error
fail-on-error: true
# Secret detection with Gitleaks
gitleaks:
cmd: |
gitleaks detect --report-format json --report-path /tmp/gitleaks.json --no-git 2>/dev/null || true
cat /tmp/gitleaks.json 2>/dev/null || echo '{"findings":[]}'
format: gitleaks
name: Secret Detection
level: error
fail-on-error: true
# Dockerfile linting with Hadolint
hadolint:
cmd: |
find . -type f -name "Dockerfile*" -exec hadolint --format json {} \; 2>/dev/null
format: hadolint
name: Dockerfile Security
level: warning
fail-on-error: false
# IaC security with Checkov
checkov:
cmd: checkov -d . --quiet --compact -o json 2>/dev/null
format: checkov
name: Infrastructure as Code Security
level: warning
fail-on-error: false
# Shell script analysis with ShellCheck
shellcheck:
cmd: |
find . -type f -name "*.sh" -exec shellcheck -f json {} \; 2>/dev/null
format: shellcheck
name: Shell Script Security
level: info
fail-on-error: false
# Custom security patterns with grep
dangerous-functions:
cmd: |
grep -nH -R -E "(eval|exec|system|shell_exec|passthru|popen|proc_open)\s*\(" \
--include="*.py" --include="*.php" --include="*.js" . 2>/dev/null || true
errorformat:
- "%f:%l:%m"
name: Dangerous Function Usage
level: warning
# Hardcoded IP addresses
hardcoded-ips:
cmd: |
grep -nH -R -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" \
--include="*.py" --include="*.js" --include="*.java" \
--exclude-dir=node_modules --exclude-dir=.git . 2>/dev/null || true
errorformat:
- "%f:%l:%m"
name: Hardcoded IP Addresses
level: info
# Global configuration
# Uncomment and modify as needed
# Filter mode for all runners (can be overridden per runner)
# filter-mode: added # added, diff_context, file, nofilter
# Default reporter
# reporter: local # local, github-pr-review, gitlab-mr-discussion, etc.
# Fail level (any findings at this level or higher will cause failure)
# fail-level: error # error, warning, info
# Diff options
# diff: "git diff FETCH_HEAD"

161
skills/secsdlc/reviewdog/assets/github_actions_template.yml Normal file
View File

@@ -0,0 +1,161 @@
name: Security Review with Reviewdog
on:
pull_request:
branches: [main, develop, master]
types: [opened, synchronize, reopened]
permissions:
contents: read
pull-requests: write
checks: write
jobs:
security-scan:
name: Multi-Tool Security Scanning
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0 # Full history for better diff analysis
- name: Setup reviewdog
uses: reviewdog/action-setup@v1
with:
reviewdog_version: latest
# Python setup for Bandit and Semgrep
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install security tools
run: |
pip install bandit semgrep
# Critical: Python SAST with Bandit
- name: Run Bandit SAST (Python)
if: hashFiles('**/*.py') != ''
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
bandit -r . -f json 2>/dev/null | \
reviewdog -f=bandit \
-name="Bandit Security Scan" \
-reporter=github-pr-review \
-filter-mode=added \
-fail-on-error=true \
-level=error
# Critical: Multi-language SAST with Semgrep
- name: Run Semgrep SAST
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
semgrep --config=auto --severity=ERROR --json --quiet 2>/dev/null | \
reviewdog -f=semgrep \
-name="Semgrep Critical" \
-reporter=github-pr-review \
-filter-mode=added \
-fail-on-error=true \
-level=error
# High: Semgrep warnings
- name: Run Semgrep Warnings
if: always()
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
semgrep --config=auto --severity=WARNING --json --quiet 2>/dev/null | \
reviewdog -f=semgrep \
-name="Semgrep Warnings" \
-reporter=github-pr-check \
-filter-mode=diff_context \
-level=warning
# Critical: Secret detection with Gitleaks
- name: Run Gitleaks Secret Scan
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
docker run --rm -v ${{ github.workspace }}:/repo \
zricethezav/gitleaks:latest detect \
--source=/repo \
--report-format=json \
--report-path=/repo/gitleaks.json \
--no-git || true
if [ -f gitleaks.json ]; then
cat gitleaks.json | \
reviewdog -f=gitleaks \
-name="Secret Detection" \
-reporter=github-pr-review \
-filter-mode=added \
-fail-on-error=true \
-level=error
fi
# Container: Dockerfile linting with Hadolint
- name: Run Hadolint (Dockerfile)
if: hashFiles('**/Dockerfile*') != ''
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Find all Dockerfiles
find . -type f \( -name "Dockerfile*" -o -name "*.dockerfile" \) | while read dockerfile; do
docker run --rm -i hadolint/hadolint < "$dockerfile" | \
reviewdog -f=checkstyle \
-name="Hadolint: $dockerfile" \
-reporter=github-pr-review \
-filter-mode=diff_context \
-level=warning || true
done
# IaC: Terraform/CloudFormation security with Checkov
- name: Run Checkov (IaC Security)
if: hashFiles('**/*.tf', '**/*.yml', '**/*.yaml') != ''
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
docker run --rm -v ${{ github.workspace }}:/workspace \
bridgecrew/checkov:latest \
-d /workspace \
--quiet \
--compact \
-o json 2>/dev/null | \
reviewdog -f=checkov \
-name="Checkov IaC Security" \
-reporter=github-pr-review \
-filter-mode=diff_context \
-level=warning || true
# Shell scripts: ShellCheck
- name: Run ShellCheck
if: hashFiles('**/*.sh') != ''
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
find . -type f -name "*.sh" | while read script; do
shellcheck -f json "$script" 2>/dev/null | \
reviewdog -f=shellcheck \
-name="ShellCheck" \
-reporter=github-pr-check \
-filter-mode=diff_context || true
done
security-summary:
name: Security Scan Summary
runs-on: ubuntu-latest
needs: security-scan
if: always()
steps:
- name: Post summary
run: |
echo "## Security Scan Completed" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "All security scans have been executed." >> $GITHUB_STEP_SUMMARY
echo "Review the checks above for any findings." >> $GITHUB_STEP_SUMMARY

175
skills/secsdlc/reviewdog/assets/gitlab_ci_template.yml Normal file
View File

@@ -0,0 +1,175 @@
stages:
- security
variables:
REVIEWDOG_REPORTER: "gitlab-mr-discussion"
REVIEWDOG_FILTER_MODE: "added"
# Reusable reviewdog setup
.reviewdog_setup:
before_script:
- apk add --no-cache git curl
- |
# Install reviewdog
curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b /usr/local/bin
# Python SAST with Bandit
bandit_scan:
extends: .reviewdog_setup
stage: security
image: python:3.11-alpine
before_script:
- !reference [.reviewdog_setup, before_script]
- pip install bandit
script:
- |
bandit -r . -f json 2>/dev/null | \
reviewdog -f=bandit \
-name="Bandit Security" \
-reporter=$REVIEWDOG_REPORTER \
-filter-mode=$REVIEWDOG_FILTER_MODE \
-fail-on-error=true \
-level=error
only:
- merge_requests
allow_failure: false
# Multi-language SAST with Semgrep
semgrep_scan:
extends: .reviewdog_setup
stage: security
image: python:3.11-alpine
before_script:
- !reference [.reviewdog_setup, before_script]
- pip install semgrep
script:
# Critical findings - block MR
- |
semgrep --config=auto --severity=ERROR --json --quiet 2>/dev/null | \
reviewdog -f=semgrep \
-name="Semgrep Critical" \
-reporter=$REVIEWDOG_REPORTER \
-filter-mode=$REVIEWDOG_FILTER_MODE \
-fail-on-error=true \
-level=error
# Warnings - don't block
- |
semgrep --config=auto --severity=WARNING --json --quiet 2>/dev/null | \
reviewdog -f=semgrep \
-name="Semgrep Warnings" \
-reporter=$REVIEWDOG_REPORTER \
-filter-mode=diff_context \
-level=warning || true
only:
- merge_requests
allow_failure: false
# Secret detection with Gitleaks
gitleaks_scan:
extends: .reviewdog_setup
stage: security
image: zricethezav/gitleaks:latest
script:
- gitleaks detect --report-format json --report-path gitleaks.json --no-git || true
- |
if [ -f gitleaks.json ]; then
cat gitleaks.json | \
reviewdog -f=gitleaks \
-name="Secret Detection" \
-reporter=$REVIEWDOG_REPORTER \
-filter-mode=$REVIEWDOG_FILTER_MODE \
-fail-on-error=true \
-level=error
fi
only:
- merge_requests
allow_failure: false
# Dockerfile security with Hadolint
hadolint_scan:
extends: .reviewdog_setup
stage: security
image: hadolint/hadolint:latest-alpine
script:
- |
find . -type f \( -name "Dockerfile*" -o -name "*.dockerfile" \) | while read dockerfile; do
hadolint "$dockerfile" --format json 2>/dev/null | \
reviewdog -f=hadolint \
-name="Hadolint: $dockerfile" \
-reporter=$REVIEWDOG_REPORTER \
-filter-mode=diff_context \
-level=warning || true
done
only:
- merge_requests
changes:
- "**/Dockerfile*"
- "**/*.dockerfile"
allow_failure: true
# IaC security with Checkov
checkov_scan:
extends: .reviewdog_setup
stage: security
image: bridgecrew/checkov:latest
script:
- |
checkov -d . --quiet --compact -o json 2>/dev/null | \
reviewdog -f=checkov \
-name="Checkov IaC Security" \
-reporter=$REVIEWDOG_REPORTER \
-filter-mode=diff_context \
-level=warning || true
only:
- merge_requests
changes:
- "**/*.tf"
- "**/*.yml"
- "**/*.yaml"
allow_failure: true
# ShellCheck for shell scripts
shellcheck_scan:
extends: .reviewdog_setup
stage: security
image: koalaman/shellcheck-alpine:latest
script:
- |
find . -type f -name "*.sh" | while read script; do
shellcheck -f json "$script" 2>/dev/null | \
reviewdog -f=shellcheck \
-name="ShellCheck" \
-reporter=$REVIEWDOG_REPORTER \
-filter-mode=diff_context || true
done
only:
- merge_requests
changes:
- "**/*.sh"
allow_failure: true
# Combined security suite (alternative approach)
security_suite:
extends: .reviewdog_setup
stage: security
image: python:3.11-alpine
before_script:
- !reference [.reviewdog_setup, before_script]
- pip install bandit semgrep
script:
# Run all tools in parallel
- |
(bandit -r . -f json 2>/dev/null | \
reviewdog -f=bandit -name="Bandit" -reporter=$REVIEWDOG_REPORTER \
-filter-mode=$REVIEWDOG_FILTER_MODE -fail-on-error=true) &
(semgrep --config=auto --json --quiet 2>/dev/null | \
reviewdog -f=semgrep -name="Semgrep" -reporter=$REVIEWDOG_REPORTER \
-filter-mode=$REVIEWDOG_FILTER_MODE) &
wait
only:
- merge_requests
allow_failure: false
# Comment this job out if using individual jobs above
when: manual

101
skills/secsdlc/reviewdog/assets/pre_commit_config.yaml Normal file
View File

@@ -0,0 +1,101 @@
# Pre-commit hooks configuration with reviewdog
# Install: pip install pre-commit
# Setup: pre-commit install
# Run manually: pre-commit run --all-files
repos:
# Reviewdog with Bandit (Python security)
- repo: local
hooks:
- id: reviewdog-bandit
name: Reviewdog - Bandit Security Scan
entry: bash -c 'bandit -r . -f json 2>/dev/null | reviewdog -f=bandit -reporter=local -fail-on-error=true -level=error'
language: system
types: [python]
pass_filenames: false
require_serial: true
# Reviewdog with Semgrep (multi-language)
- repo: local
hooks:
- id: reviewdog-semgrep-critical
name: Reviewdog - Semgrep Critical
entry: bash -c 'semgrep --config=auto --severity=ERROR --json --quiet 2>/dev/null | reviewdog -f=semgrep -reporter=local -fail-on-error=true -level=error'
language: system
types: [python, javascript, typescript, java, go, ruby, php]
pass_filenames: false
require_serial: true
- id: reviewdog-semgrep-warnings
name: Reviewdog - Semgrep Warnings
entry: bash -c 'semgrep --config=auto --severity=WARNING --json --quiet 2>/dev/null | reviewdog -f=semgrep -reporter=local -level=warning || true'
language: system
types: [python, javascript, typescript, java, go, ruby, php]
pass_filenames: false
require_serial: true
# Reviewdog with Gitleaks (secrets)
- repo: local
hooks:
- id: reviewdog-gitleaks
name: Reviewdog - Secret Detection
entry: bash -c 'gitleaks detect --report-format json --report-path /tmp/gitleaks.json --no-git 2>/dev/null || true; if [ -f /tmp/gitleaks.json ]; then cat /tmp/gitleaks.json | reviewdog -f=gitleaks -reporter=local -fail-on-error=true -level=error; fi'
language: system
pass_filenames: false
require_serial: true
# Reviewdog with Hadolint (Dockerfile)
- repo: local
hooks:
- id: reviewdog-hadolint
name: Reviewdog - Hadolint Dockerfile
entry: bash -c 'find . -type f -name "Dockerfile*" -exec hadolint --format json {} \; 2>/dev/null | reviewdog -f=hadolint -reporter=local -level=warning || true'
language: system
types: [dockerfile]
pass_filenames: false
require_serial: true
# Reviewdog with ShellCheck
- repo: local
hooks:
- id: reviewdog-shellcheck
name: Reviewdog - ShellCheck
entry: bash -c 'shellcheck -f json "$@" 2>/dev/null | reviewdog -f=shellcheck -reporter=local || true'
language: system
types: [shell]
require_serial: true
# Standard pre-commit hooks (optional, complement reviewdog)
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
- id: check-yaml
- id: check-json
- id: check-added-large-files
args: ['--maxkb=500']
- id: detect-private-key
- id: trailing-whitespace
- id: end-of-file-fixer
# Python code formatting (optional)
- repo: https://github.com/psf/black
rev: 23.12.1
hooks:
- id: black
language_version: python3
# Python import sorting (optional)
- repo: https://github.com/pycqa/isort
rev: 5.13.2
hooks:
- id: isort
# Configuration
default_language_version:
python: python3.11
# Fail fast on first error
fail_fast: false
# Minimum pre-commit version
minimum_pre_commit_version: '2.20.0'

348
skills/secsdlc/reviewdog/references/cwe_mapping.md Normal file
View File

@@ -0,0 +1,348 @@
# CWE Mapping for Security Tools
This reference maps common security tool findings to CWE (Common Weakness Enumeration) categories.
## Table of Contents
- [OWASP Top 10 to CWE Mapping](#owasp-top-10-to-cwe-mapping)
- [Tool-Specific CWE Coverage](#tool-specific-cwe-coverage)
- [CWE Categories](#cwe-categories)
- [Severity Mapping](#severity-mapping)
## OWASP Top 10 to CWE Mapping
Map OWASP Top 10 2021 vulnerabilities to their primary CWEs:
| OWASP Category | CWE IDs | Reviewdog Detection |
|----------------|---------|---------------------|
| **A01: Broken Access Control** | CWE-22, CWE-23, CWE-35, CWE-59, CWE-200, CWE-201, CWE-219, CWE-264, CWE-275, CWE-284, CWE-285, CWE-352, CWE-359, CWE-377, CWE-402, CWE-425, CWE-441, CWE-497, CWE-538, CWE-540, CWE-548, CWE-552, CWE-566, CWE-601, CWE-639, CWE-651, CWE-668, CWE-706, CWE-862, CWE-863, CWE-913, CWE-922, CWE-1275 | Semgrep, Bandit, Checkov |
| **A02: Cryptographic Failures** | CWE-259, CWE-327, CWE-328, CWE-329, CWE-330, CWE-331, CWE-335, CWE-336, CWE-337, CWE-338, CWE-340, CWE-347, CWE-523, CWE-720, CWE-757, CWE-759, CWE-760, CWE-780, CWE-818, CWE-916 | Bandit, Semgrep, Gitleaks |
| **A03: Injection** | CWE-20, CWE-74, CWE-75, CWE-77, CWE-78, CWE-79, CWE-80, CWE-83, CWE-87, CWE-88, CWE-89, CWE-90, CWE-91, CWE-93, CWE-94, CWE-95, CWE-96, CWE-97, CWE-98, CWE-99, CWE-100, CWE-113, CWE-116, CWE-138, CWE-184, CWE-470, CWE-471, CWE-564, CWE-610, CWE-643, CWE-644, CWE-652, CWE-917 | Semgrep, Bandit, ESLint |
| **A04: Insecure Design** | CWE-73, CWE-183, CWE-209, CWE-213, CWE-235, CWE-256, CWE-257, CWE-266, CWE-269, CWE-280, CWE-311, CWE-312, CWE-313, CWE-316, CWE-419, CWE-430, CWE-434, CWE-444, CWE-451, CWE-472, CWE-501, CWE-522, CWE-525, CWE-539, CWE-579, CWE-598, CWE-602, CWE-642, CWE-646, CWE-650, CWE-653, CWE-656, CWE-657, CWE-799, CWE-807, CWE-840, CWE-841, CWE-927, CWE-1021, CWE-1173 | Architecture review |
| **A05: Security Misconfiguration** | CWE-2, CWE-11, CWE-13, CWE-15, CWE-16, CWE-260, CWE-315, CWE-520, CWE-526, CWE-537, CWE-541, CWE-547, CWE-611, CWE-614, CWE-756, CWE-776, CWE-942, CWE-1004, CWE-1032, CWE-1174 | Checkov, Hadolint, Trivy |
| **A06: Vulnerable Components** | CWE-1104, CWE-1035 | Trivy, Dependabot, Snyk |
| **A07: Authentication Failures** | CWE-255, CWE-259, CWE-287, CWE-288, CWE-290, CWE-294, CWE-295, CWE-297, CWE-300, CWE-302, CWE-304, CWE-306, CWE-307, CWE-346, CWE-384, CWE-521, CWE-613, CWE-620, CWE-640, CWE-798, CWE-940, CWE-1216 | Semgrep, Bandit, Gitleaks |
| **A08: Software/Data Integrity** | CWE-345, CWE-353, CWE-426, CWE-494, CWE-502, CWE-565, CWE-784, CWE-829, CWE-830, CWE-915 | Bandit, Semgrep |
| **A09: Security Logging Failures** | CWE-117, CWE-223, CWE-532, CWE-778 | Semgrep |
| **A10: SSRF** | CWE-918 | Semgrep, Bandit |
## Tool-Specific CWE Coverage
### Semgrep
**Primary CWE Coverage**:
- CWE-20: Improper Input Validation
- CWE-22: Path Traversal
- CWE-78: OS Command Injection
- CWE-79: Cross-site Scripting (XSS)
- CWE-89: SQL Injection
- CWE-94: Code Injection
- CWE-327: Use of Broken Cryptography
- CWE-502: Deserialization of Untrusted Data
- CWE-601: Open Redirect
- CWE-611: XXE
- CWE-798: Hardcoded Credentials
- CWE-918: SSRF
**Example Detections**:
```bash
# SQL Injection (CWE-89)
semgrep --config "p/sql-injection" --json | reviewdog -f=semgrep
# XSS (CWE-79)
semgrep --config "p/xss" --json | reviewdog -f=semgrep
# Command Injection (CWE-78)
semgrep --config "p/command-injection" --json | reviewdog -f=semgrep
```
---
### Bandit (Python)
**Primary CWE Coverage**:
- CWE-78: OS Command Injection (shell=True)
- CWE-89: SQL Injection
- CWE-259: Hard-coded Password
- CWE-295: Improper Certificate Validation
- CWE-327: Broken Crypto (MD5, SHA1)
- CWE-338: Weak PRNG
- CWE-502: Pickle Deserialization
- CWE-798: Hardcoded Credentials
**Bandit Test ID to CWE**:
| Bandit Test | CWE | Description |
|-------------|-----|-------------|
| B201 | CWE-209 | Flask debug mode |
| B301 | CWE-502 | Pickle usage |
| B302 | CWE-327 | MD5 usage |
| B303 | CWE-327 | SHA1 usage |
| B304 | CWE-327 | Insecure ciphers |
| B305 | CWE-327 | Insecure cipher modes |
| B306 | CWE-378 | Insecure temp file |
| B307 | CWE-78 | eval() usage |
| B308 | CWE-94 | mark_safe usage |
| B310 | CWE-601 | URL open |
| B311 | CWE-338 | Weak random |
| B324 | CWE-327 | hashlib.new insecure |
| B501 | CWE-295 | Cert validation disabled |
| B601 | CWE-78 | Paramiko exec |
| B602 | CWE-78 | Shell injection |
| B603 | CWE-78 | Subprocess w/o shell |
| B604 | CWE-78 | Shell=True |
| B605 | CWE-78 | Shell command strings |
| B607 | CWE-78 | Partial path process |
**Example**:
```bash
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
```
---
### Gitleaks
**Primary CWE Coverage**:
- CWE-798: Use of Hard-coded Credentials
**Detected Secret Types**:
- API keys and tokens
- AWS credentials
- Database passwords
- Private keys (SSH, PGP, certificates)
- OAuth tokens
- JWT secrets
**Example**:
```bash
gitleaks detect --report-format json | reviewdog -f=gitleaks -reporter=github-pr-review
```
---
### Checkov (IaC)
**Primary CWE Coverage**:
- CWE-250: Execution with Unnecessary Privileges
- CWE-284: Improper Access Control
- CWE-326: Inadequate Encryption Strength
- CWE-521: Weak Password Requirements
- CWE-601: Open Redirect
- CWE-668: Exposure of Resource
**Common Findings**:
```bash
# S3 bucket public access (CWE-284, CWE-668)
# Unencrypted storage (CWE-326)
# Overly permissive IAM (CWE-250, CWE-284)
# Missing encryption in transit (CWE-319)
checkov -d . --framework terraform -o json | reviewdog -f=checkov
```
---
### Hadolint (Dockerfile)
**Primary CWE Coverage**:
- CWE-250: Execution with Unnecessary Privileges (USER root)
- CWE-798: Hardcoded Credentials in ENV
**Common Issues**:
- DL3000-DL3999: Dockerfile best practices
- DL4000-DL4999: Security issues
**Example**:
```bash
hadolint Dockerfile --format json | reviewdog -f=hadolint
```
---
### ShellCheck
**Primary CWE Coverage**:
- CWE-78: OS Command Injection
- CWE-377: Insecure Temporary File
**Example**:
```bash
shellcheck -f json script.sh | reviewdog -f=shellcheck
```
---
## CWE Categories
### CWE Top 25 (2023)
The most dangerous software weaknesses:
| Rank | CWE-ID | Name | Reviewdog Tools |
|------|--------|------|-----------------|
| 1 | CWE-787 | Out-of-bounds Write | - |
| 2 | CWE-79 | Cross-site Scripting | Semgrep, ESLint |
| 3 | CWE-89 | SQL Injection | Semgrep, Bandit |
| 4 | CWE-20 | Improper Input Validation | Semgrep, Bandit |
| 5 | CWE-125 | Out-of-bounds Read | - |
| 6 | CWE-78 | OS Command Injection | Semgrep, Bandit, ShellCheck |
| 7 | CWE-416 | Use After Free | - |
| 8 | CWE-22 | Path Traversal | Semgrep, Bandit |
| 9 | CWE-352 | CSRF | Semgrep |
| 10 | CWE-434 | Unrestricted Upload | Semgrep |
| 11 | CWE-862 | Missing Authorization | Semgrep |
| 12 | CWE-476 | NULL Pointer Dereference | - |
| 13 | CWE-287 | Improper Authentication | Semgrep, Bandit |
| 14 | CWE-190 | Integer Overflow | - |
| 15 | CWE-502 | Deserialization | Bandit, Semgrep |
| 16 | CWE-77 | Command Injection | Semgrep, Bandit |
| 17 | CWE-119 | Memory Buffer Errors | - |
| 18 | CWE-798 | Hardcoded Credentials | Gitleaks, Bandit, Semgrep |
| 19 | CWE-918 | SSRF | Semgrep |
| 20 | CWE-306 | Missing Authentication | Semgrep |
| 21 | CWE-362 | Race Condition | - |
| 22 | CWE-269 | Improper Privilege Mgmt | Checkov, Semgrep |
| 23 | CWE-94 | Code Injection | Semgrep, Bandit |
| 24 | CWE-863 | Incorrect Authorization | Semgrep |
| 25 | CWE-276 | Incorrect Permissions | Checkov, Semgrep |
---
## Severity Mapping
Map CWE to severity levels for reviewdog filtering:
### Critical (fail-on-error)
- CWE-78: OS Command Injection
- CWE-79: Cross-site Scripting
- CWE-89: SQL Injection
- CWE-94: Code Injection
- CWE-502: Deserialization of Untrusted Data
- CWE-798: Hardcoded Credentials
- CWE-918: SSRF
**Reviewdog Configuration**:
```bash
semgrep --severity=ERROR --json | \
reviewdog -f=semgrep -level=error -fail-on-error=true
```
---
### High (block PR merge)
- CWE-22: Path Traversal
- CWE-77: Command Injection
- CWE-287: Improper Authentication
- CWE-306: Missing Authentication
- CWE-327: Broken Cryptography
- CWE-601: Open Redirect
- CWE-611: XXE
- CWE-862: Missing Authorization
- CWE-863: Incorrect Authorization
**Reviewdog Configuration**:
```bash
semgrep --severity=WARNING --json | \
reviewdog -f=semgrep -level=error -fail-on-error=true
```
---
### Medium (comment, don't block)
- CWE-200: Information Exposure
- CWE-209: Error Message Information Leak
- CWE-284: Improper Access Control
- CWE-295: Improper Certificate Validation
- CWE-338: Weak PRNG
- CWE-352: CSRF
- CWE-434: Unrestricted File Upload
- CWE-532: Information Exposure Through Log Files
**Reviewdog Configuration**:
```bash
semgrep --severity=WARNING --json | \
reviewdog -f=semgrep -level=warning
```
---
### Low/Info (informational)
- CWE-1104: Use of Unmaintained Third Party Components
- CWE-710: Improper Coding Practices
- Configuration best practices
- Code quality issues
**Reviewdog Configuration**:
```bash
semgrep --severity=INFO --json | \
reviewdog -f=semgrep -level=info
```
---
## Example: Comprehensive CWE-Based Scanning
```yaml
name: CWE-Based Security Scan
on: [pull_request]
jobs:
critical-cwe:
name: Critical CWE (78, 79, 89, 94, 502, 798, 918)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: reviewdog/action-setup@v1
- name: Scan for Critical CWE
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# CWE-78, 89, 94 - Injection
semgrep --config "p/security-audit" \
--severity=ERROR \
--json | \
reviewdog -f=semgrep \
-name="Critical: Injection (CWE-78,89,94)" \
-reporter=github-pr-review \
-fail-on-error=true
# CWE-798 - Hardcoded credentials
gitleaks detect --report-format json | \
reviewdog -f=gitleaks \
-name="Critical: Hardcoded Secrets (CWE-798)" \
-reporter=github-pr-review \
-fail-on-error=true
high-cwe:
name: High CWE (22, 287, 327, 601, 862)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: reviewdog/action-setup@v1
- name: Scan for High CWE
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
semgrep --config "p/owasp-top-ten" \
--json | \
reviewdog -f=semgrep \
-name="High: OWASP/CWE" \
-reporter=github-pr-review \
-level=error
```
---
## References
- [CWE Top 25](https://cwe.mitre.org/top25/)
- [CWE OWASP Top 10 Mapping](https://owasp.org/Top10/)
- [CWE List](https://cwe.mitre.org/data/index.html)
- [CAPEC](https://capec.mitre.org/) - Attack patterns for CWEs

457
skills/secsdlc/reviewdog/references/reporter_formats.md Normal file
View File

@@ -0,0 +1,457 @@
# Reviewdog Reporter Formats
This reference documents the available reporter formats and output modes for reviewdog.
## Table of Contents
- [Reporter Types](#reporter-types)
- [GitHub Reporters](#github-reporters)
- [GitLab Reporters](#gitlab-reporters)
- [Generic Reporters](#generic-reporters)
- [Input Formats](#input-formats)
- [Configuration Examples](#configuration-examples)
## Reporter Types
Reviewdog supports multiple reporter formats for different CI/CD platforms and use cases.
### Quick Reference
| Reporter | Platform | Use Case | Requires Token |
|----------|----------|----------|----------------|
| `local` | Any | Local development, terminal output | No |
| `github-check` | GitHub | Check Runs API | Yes |
| `github-pr-check` | GitHub | Check Runs on PR | Yes |
| `github-pr-review` | GitHub | PR review comments | Yes |
| `gitlab-mr-discussion` | GitLab | MR discussion threads | Yes |
| `gitlab-mr-commit` | GitLab | MR commit comments | Yes |
| `bitbucket-code-report` | Bitbucket | Code Insights | Yes |
| `gerrit-change-review` | Gerrit | Change review comments | Yes |
## GitHub Reporters
### github-check
Posts findings as GitHub Check Runs (visible in PR checks tab).
**Usage**:
```bash
reviewdog -reporter=github-check
```
**Environment Variables**:
```bash
export REVIEWDOG_GITHUB_API_TOKEN="ghp_xxxxxxxxxxxx"
# or use GitHub Actions built-in token
export REVIEWDOG_GITHUB_API_TOKEN="${GITHUB_TOKEN}"
```
**Permissions Required**:
- `checks: write`
- `contents: read`
**Output**:
- Appears in "Checks" tab of PR
- Shows annotation count
- Can block PR merge if configured
**Example**:
```yaml
- name: Run security scan
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
bandit -r . -f json | reviewdog -f=bandit -reporter=github-check
```
---
### github-pr-check
Similar to `github-check` but specifically for pull requests.
**Usage**:
```bash
reviewdog -reporter=github-pr-check
```
**Differences from github-check**:
- Only runs on PRs (not on push to branches)
- Better integration with PR workflow
- Recommended for most PR-based workflows
---
### github-pr-review
Posts findings as inline PR review comments.
**Usage**:
```bash
reviewdog -reporter=github-pr-review
```
**Permissions Required**:
- `pull-requests: write`
- `contents: read`
**Features**:
- Inline comments on specific lines
- Grouped by file
- Shows in "Files changed" tab
- Can suggest changes
**Filter Modes**:
```bash
# Only comment on added lines
reviewdog -reporter=github-pr-review -filter-mode=added
# Comment on modified context (added + surrounding)
reviewdog -reporter=github-pr-review -filter-mode=diff_context
# Comment on all findings in changed files
reviewdog -reporter=github-pr-review -filter-mode=file
```
**Example with Suggested Changes**:
```bash
# Some tools can suggest fixes
semgrep --config=auto --json | \
reviewdog -f=semgrep -reporter=github-pr-review
```
---
## GitLab Reporters
### gitlab-mr-discussion
Posts findings as GitLab merge request discussion threads.
**Usage**:
```bash
reviewdog -reporter=gitlab-mr-discussion
```
**Environment Variables**:
```bash
export REVIEWDOG_GITLAB_API_TOKEN="glpat-xxxxxxxxxxxx"
export CI_API_V4_URL="https://gitlab.com/api/v4"
export CI_MERGE_REQUEST_IID="123"
export CI_PROJECT_ID="456"
```
**Permissions Required**:
- API access with `api` scope
- Write access to merge requests
**Features**:
- Creates discussion threads on specific lines
- Supports threaded conversations
- Can mark as resolved
**Example (.gitlab-ci.yml)**:
```yaml
security_review:
script:
- bandit -r . -f json | reviewdog -f=bandit -reporter=gitlab-mr-discussion
variables:
REVIEWDOG_GITLAB_API_TOKEN: $GITLAB_TOKEN
only:
- merge_requests
```
---
### gitlab-mr-commit
Posts findings as commit comments on merge request.
**Usage**:
```bash
reviewdog -reporter=gitlab-mr-commit
```
**Differences from gitlab-mr-discussion**:
- Comments attached to specific commits
- Less conversational
- Good for historical tracking
---
## Generic Reporters
### local
Outputs findings to terminal/console (default for local development).
**Usage**:
```bash
reviewdog -reporter=local
```
**Output Format**:
```
app/models.py:42:10: [error] SQL Injection vulnerability (CWE-89) [bandit]
app/views.py:15:5: [warning] Use of hardcoded password (CWE-798) [semgrep]
```
**Features**:
- No API token required
- Color-coded severity levels
- File path and line numbers
- Works in any CI environment
**Example**:
```bash
# Quick local scan
semgrep --config=auto --json | reviewdog -f=semgrep -reporter=local
```
---
### bitbucket-code-report
Posts findings to Bitbucket Code Insights.
**Usage**:
```bash
reviewdog -reporter=bitbucket-code-report
```
**Environment Variables**:
```bash
export BITBUCKET_USER="username"
export BITBUCKET_PASSWORD="app_password"
```
---
### gerrit-change-review
Posts findings as Gerrit change review comments.
**Usage**:
```bash
reviewdog -reporter=gerrit-change-review
```
**Environment Variables**:
```bash
export GERRIT_USERNAME="user"
export GERRIT_PASSWORD="password"
export GERRIT_CHANGE_ID="I1234567890abcdef"
export GERRIT_REVISION_ID="1"
export GERRIT_ADDRESS="https://gerrit.example.com"
```
---
## Input Formats
Reviewdog supports multiple input formats from security tools:
### Supported Formats
| Format | Tools | Description |
|--------|-------|-------------|
| `checkstyle` | Generic XML | Checkstyle XML format |
| `sarif` | Many SAST tools | Static Analysis Results Interchange Format |
| `rdjson` | Custom tools | Reviewdog Diagnostic Format (JSON) |
| `rdjsonl` | Custom tools | Reviewdog Diagnostic Format (JSON Lines) |
| `diff` | diff, git-diff | Unified diff format |
| `bandit` | Bandit | Bandit JSON output |
| `semgrep` | Semgrep | Semgrep JSON output |
| `gitleaks` | Gitleaks | Gitleaks JSON output |
| `hadolint` | Hadolint | Hadolint JSON output |
| `checkov` | Checkov | Checkov JSON output |
| `shellcheck` | ShellCheck | ShellCheck JSON output |
| `eslint` | ESLint | ESLint JSON output |
### rdjson Format (Custom Tools)
Use this format to integrate custom security scanners:
```json
{
"source": {
"name": "my-security-scanner",
"url": "https://github.com/example/scanner"
},
"severity": "ERROR",
"diagnostics": [
{
"message": "Vulnerability description",
"location": {
"path": "src/app.py",
"range": {
"start": {"line": 42, "column": 10},
"end": {"line": 42, "column": 30}
}
},
"severity": "ERROR",
"code": {
"value": "CWE-89",
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
"suggestions": [
{
"text": "Use parameterized queries",
"range": {
"start": {"line": 42, "column": 10},
"end": {"line": 42, "column": 30}
},
"replacement": "cursor.execute('SELECT * FROM users WHERE id = ?', (user_id,))"
}
]
}
]
}
```
**Severity Levels**:
- `ERROR` - High severity, should block PR
- `WARNING` - Medium severity, should review
- `INFO` - Low severity, informational
**Usage**:
```bash
./my-scanner --output json | reviewdog -f=rdjson -reporter=github-pr-review
```
---
## Configuration Examples
### Multi-Reporter Setup
Run the same scan with different reporters based on environment:
```bash
#!/bin/bash
if [ -n "$GITHUB_ACTIONS" ]; then
REPORTER="github-pr-review"
elif [ -n "$GITLAB_CI" ]; then
REPORTER="gitlab-mr-discussion"
else
REPORTER="local"
fi
semgrep --config=auto --json | \
reviewdog -f=semgrep -reporter="$REPORTER"
```
---
### .reviewdog.yml Configuration
Define multiple runners with different reporters:
```yaml
runner:
critical-findings:
cmd: semgrep --severity=ERROR --json
format: semgrep
name: Critical Security Issues
level: error
reporter: github-pr-review
warnings:
cmd: semgrep --severity=WARNING --json
format: semgrep
name: Security Warnings
level: warning
reporter: github-pr-check
info:
cmd: semgrep --severity=INFO --json
format: semgrep
name: Security Info
level: info
reporter: local
```
---
### Advanced GitHub Actions Example
```yaml
name: Security Review
on:
pull_request:
types: [opened, synchronize, reopened]
permissions:
contents: read
pull-requests: write
checks: write
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup reviewdog
uses: reviewdog/action-setup@v1
# Critical findings - Block PR
- name: Critical Security Scan
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
semgrep --severity=ERROR --json | \
reviewdog -f=semgrep \
-name="Critical" \
-reporter=github-pr-review \
-filter-mode=added \
-fail-on-error=true \
-level=error
# Warnings - Comment but don't block
- name: Security Warnings
if: always()
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
semgrep --severity=WARNING --json | \
reviewdog -f=semgrep \
-name="Warnings" \
-reporter=github-pr-check \
-filter-mode=diff_context \
-level=warning
```
---
## Troubleshooting
### Issue: Comments not appearing
**Check**:
1. Token has correct permissions
2. Reporter matches CI platform
3. Running in PR/MR context (not on main branch)
4. Filter mode is not too restrictive
### Issue: Duplicate comments
**Solution**:
- Use `filter-mode=added` to only comment on new code
- Configure reviewdog to run only once per PR
### Issue: Rate limiting
**Solution**:
- Batch findings with `github-pr-check` instead of individual comments
- Use GitHub App token instead of PAT for higher rate limits
---
## References
- [Reviewdog Reporter Documentation](https://github.com/reviewdog/reviewdog#reporters)
- [rdjson Format Specification](https://github.com/reviewdog/reviewdog/tree/master/proto/rdf)
- [SARIF Specification](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html)

453
skills/secsdlc/reviewdog/references/supported_tools.md Normal file
View File

@@ -0,0 +1,453 @@
# Supported Security Tools for Reviewdog
This reference documents security tools that integrate with reviewdog, their configuration, and usage patterns.
## Table of Contents
- [SAST Tools](#sast-tools)
- [Secret Detection](#secret-detection)
- [Infrastructure as Code](#infrastructure-as-code)
- [Container Security](#container-security)
- [Linters and Formatters](#linters-and-formatters)
## SAST Tools
### Semgrep
**Description**: Multi-language static analysis for finding bugs and enforcing secure coding standards.
**Installation**:
```bash
pip install semgrep
```
**Reviewdog Integration**:
```bash
semgrep --config=auto --json | reviewdog -f=semgrep -reporter=github-pr-review
```
**Custom Rules**:
```bash
# OWASP Top 10
semgrep --config "p/owasp-top-ten" --json | reviewdog -f=semgrep
# Security audit
semgrep --config "p/security-audit" --json | reviewdog -f=semgrep
# Custom rules
semgrep --config ./custom-rules.yml --json | reviewdog -f=semgrep
```
**CWE Coverage**: CWE-20, CWE-22, CWE-78, CWE-79, CWE-89, CWE-94, CWE-611, CWE-798
---
### Bandit
**Description**: Python security linter for finding common security issues.
**Installation**:
```bash
pip install bandit
```
**Reviewdog Integration**:
```bash
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
```
**Configuration (.bandit)**:
```yaml
exclude_dirs:
- /test
- /tests
- /.venv
tests:
- B201 # Flask debug mode
- B301 # Pickle usage
- B601 # Shell injection
- B602 # Subprocess with shell=True
```
**CWE Coverage**: CWE-78, CWE-79, CWE-89, CWE-259, CWE-327, CWE-338, CWE-502
---
### ESLint (with security plugins)
**Description**: JavaScript/TypeScript linter with security-focused plugins.
**Installation**:
```bash
npm install -D eslint eslint-plugin-security eslint-plugin-no-secrets
```
**Reviewdog Integration**:
```bash
eslint . --format=checkstyle | reviewdog -f=checkstyle -reporter=github-pr-review
```
**Configuration (.eslintrc.json)**:
```json
{
"plugins": ["security", "no-secrets"],
"extends": ["plugin:security/recommended"],
"rules": {
"no-eval": "error",
"security/detect-object-injection": "warn",
"security/detect-non-literal-regexp": "warn"
}
}
```
**CWE Coverage**: CWE-79, CWE-94, CWE-798, CWE-1004
---
## Secret Detection
### Gitleaks
**Description**: SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens.
**Installation**:
```bash
# Via Homebrew
brew install gitleaks
# Via Docker
docker pull zricethezav/gitleaks:latest
```
**Reviewdog Integration**:
```bash
gitleaks detect --report-format json | reviewdog -f=gitleaks -reporter=github-pr-review
```
**Configuration (.gitleaks.toml)**:
```toml
[extend]
useDefault = true
[[rules]]
id = "custom-api-key"
description = "Custom API Key Pattern"
regex = '''(?i)api[_-]?key[_-]?=.{20,}'''
```
**CWE Coverage**: CWE-798 (Use of Hard-coded Credentials)
---
### TruffleHog
**Description**: Find credentials accidentally committed to git repositories.
**Installation**:
```bash
pip install truffleHog
```
**Reviewdog Integration**:
```bash
trufflehog --json . | reviewdog -f=trufflehog -reporter=github-pr-review
```
**CWE Coverage**: CWE-798
---
## Infrastructure as Code
### Checkov
**Description**: Static code analysis for IaC (Terraform, CloudFormation, Kubernetes, etc.).
**Installation**:
```bash
pip install checkov
```
**Reviewdog Integration**:
```bash
checkov -d . -o json | reviewdog -f=checkov -reporter=github-pr-review
```
**Filter by Severity**:
```bash
# Only critical/high
checkov -d . --severity CRITICAL,HIGH -o json | reviewdog -f=checkov
```
**CWE Coverage**: CWE-250, CWE-284, CWE-326, CWE-601, CWE-668
---
### tfsec
**Description**: Security scanner for Terraform code.
**Installation**:
```bash
brew install tfsec
```
**Reviewdog Integration**:
```bash
tfsec . --format json | reviewdog -f=tfsec -reporter=github-pr-review
```
**CWE Coverage**: CWE-250, CWE-326, CWE-521
---
### Terrascan
**Description**: Detect compliance and security violations across IaC.
**Installation**:
```bash
brew install terrascan
```
**Reviewdog Integration**:
```bash
terrascan scan -o json | reviewdog -f=terrascan -reporter=github-pr-review
```
**CWE Coverage**: CWE-250, CWE-284, CWE-693
---
## Container Security
### Hadolint
**Description**: Dockerfile linter for best practices and security issues.
**Installation**:
```bash
brew install hadolint
```
**Reviewdog Integration**:
```bash
hadolint Dockerfile --format json | reviewdog -f=hadolint -reporter=github-pr-review
```
**Common Issues Detected**:
- Running as root (CWE-250)
- Exposed secrets in ENV (CWE-798)
- Outdated base images
- Missing health checks
**CWE Coverage**: CWE-250, CWE-798
---
### Trivy
**Description**: Comprehensive container and IaC security scanner.
**Installation**:
```bash
brew install trivy
```
**Reviewdog Integration**:
```bash
trivy fs --format json . | reviewdog -f=trivy -reporter=github-pr-review
```
**Scan Types**:
```bash
# Container images
trivy image --format json myimage:tag | reviewdog -f=trivy
# Filesystem
trivy fs --security-checks vuln,secret --format json . | reviewdog -f=trivy
# Kubernetes manifests
trivy k8s --report=summary --format json | reviewdog -f=trivy
```
**CWE Coverage**: Varies by vulnerability database
---
## Linters and Formatters
### ShellCheck
**Description**: Static analysis tool for shell scripts.
**Installation**:
```bash
brew install shellcheck
```
**Reviewdog Integration**:
```bash
shellcheck -f json script.sh | reviewdog -f=shellcheck -reporter=github-pr-review
```
**Security Checks**:
- Command injection (CWE-78)
- Unsafe variable expansion
- Insecure temporary files (CWE-377)
**CWE Coverage**: CWE-78, CWE-377
---
### yamllint
**Description**: YAML linter for syntax and best practices.
**Installation**:
```bash
pip install yamllint
```
**Reviewdog Integration**:
```bash
yamllint -f parsable . | reviewdog -f=yamllint -reporter=github-pr-review
```
---
### markdownlint
**Description**: Markdown linter for documentation quality.
**Installation**:
```bash
npm install -g markdownlint-cli
```
**Reviewdog Integration**:
```bash
markdownlint -j . | reviewdog -f=markdownlint -reporter=github-pr-review
```
---
## Multi-Tool Configurations
### Comprehensive Security Scan
Run all security tools in a single reviewdog session:
```yaml
# .reviewdog.yml
runner:
semgrep:
cmd: semgrep --config=auto --json
format: semgrep
name: Semgrep SAST
level: error
bandit:
cmd: bandit -r . -f json
format: bandit
name: Python Security
level: warning
gitleaks:
cmd: gitleaks detect --report-format json
format: gitleaks
name: Secret Detection
level: error
hadolint:
cmd: hadolint Dockerfile --format json
format: hadolint
name: Dockerfile Security
level: warning
checkov:
cmd: checkov -d . -o json --quiet
format: checkov
name: IaC Security
level: error
```
Run with:
```bash
reviewdog -conf=.reviewdog.yml -reporter=github-pr-review
```
---
## Tool Selection Guide
Choose tools based on your tech stack:
**Python Projects**:
- Bandit (SAST)
- Semgrep (Multi-language SAST)
- Gitleaks (Secrets)
**JavaScript/TypeScript**:
- ESLint + security plugins
- Semgrep
- Gitleaks
**Infrastructure/Cloud**:
- Checkov (Terraform, K8s, CloudFormation)
- tfsec (Terraform-specific)
- Hadolint (Dockerfiles)
- Trivy (Containers + IaC)
**Multi-language/Polyglot**:
- Semgrep (20+ languages)
- Gitleaks (Universal secrets)
- ShellCheck (Shell scripts)
---
## Custom Tool Integration
To integrate a custom security tool:
1. **Convert output to supported format** (checkstyle, sarif, rdjson)
2. **Use rdjson for custom tools**:
```json
{
"source": {
"name": "custom-scanner",
"url": "https://example.com"
},
"diagnostics": [
{
"message": "SQL Injection vulnerability detected",
"location": {
"path": "app/models.py",
"range": {
"start": {"line": 42, "column": 10}
}
},
"severity": "ERROR",
"code": {
"value": "CWE-89",
"url": "https://cwe.mitre.org/data/definitions/89.html"
}
}
]
}
```
3. **Pipe to reviewdog**:
```bash
./custom_scanner --json | reviewdog -f=rdjson -name="Custom Scanner"
```
---
## References
- [Reviewdog Supported Tools](https://reviewdog.github.io/supported-tools)
- [rdjson Format Specification](https://github.com/reviewdog/reviewdog/tree/master/proto/rdf)
- [SARIF Format](https://sarifweb.azurewebsites.net/)