Initial commit

skills/secsdlc/reviewdog/assets/.gitkeep

@@ -0,0 +1,9 @@
+# Assets Directory
+
+Place files that will be used in the output Claude produces:
+- Templates
+- Configuration files
+- Images/logos
+- Boilerplate code
+
+These files are NOT loaded into context but copied/modified in output.

skills/secsdlc/reviewdog/assets/.reviewdog.yml

@@ -0,0 +1,108 @@
+# Reviewdog configuration file
+# Place this file in the root of your repository
+# Run with: reviewdog -conf=.reviewdog.yml -reporter=github-pr-review
+
+runner:
+  # Python SAST with Bandit
+  bandit:
+    cmd: bandit -r . -f json 2>/dev/null
+    format: bandit
+    name: Bandit Python Security
+    level: error
+    fail-on-error: true
+
+  # Multi-language SAST with Semgrep - Critical
+  semgrep-critical:
+    cmd: semgrep --config=auto --severity=ERROR --json --quiet 2>/dev/null
+    format: semgrep
+    name: Semgrep Critical Findings
+    level: error
+    fail-on-error: true
+
+  # Multi-language SAST with Semgrep - Warnings
+  semgrep-warnings:
+    cmd: semgrep --config=auto --severity=WARNING --json --quiet 2>/dev/null
+    format: semgrep
+    name: Semgrep Security Warnings
+    level: warning
+    fail-on-error: false
+
+  # OWASP Top 10 specific checks
+  semgrep-owasp:
+    cmd: semgrep --config "p/owasp-top-ten" --json --quiet 2>/dev/null
+    format: semgrep
+    name: OWASP Top 10 Vulnerabilities
+    level: error
+    fail-on-error: true
+
+  # Secret detection with Gitleaks
+  gitleaks:
+    cmd: |
+      gitleaks detect --report-format json --report-path /tmp/gitleaks.json --no-git 2>/dev/null || true
+      cat /tmp/gitleaks.json 2>/dev/null || echo '{"findings":[]}'
+    format: gitleaks
+    name: Secret Detection
+    level: error
+    fail-on-error: true
+
+  # Dockerfile linting with Hadolint
+  hadolint:
+    cmd: |
+      find . -type f -name "Dockerfile*" -exec hadolint --format json {} \; 2>/dev/null
+    format: hadolint
+    name: Dockerfile Security
+    level: warning
+    fail-on-error: false
+
+  # IaC security with Checkov
+  checkov:
+    cmd: checkov -d . --quiet --compact -o json 2>/dev/null
+    format: checkov
+    name: Infrastructure as Code Security
+    level: warning
+    fail-on-error: false
+
+  # Shell script analysis with ShellCheck
+  shellcheck:
+    cmd: |
+      find . -type f -name "*.sh" -exec shellcheck -f json {} \; 2>/dev/null
+    format: shellcheck
+    name: Shell Script Security
+    level: info
+    fail-on-error: false
+
+  # Custom security patterns with grep
+  dangerous-functions:
+    cmd: |
+      grep -nH -R -E "(eval|exec|system|shell_exec|passthru|popen|proc_open)\s*\(" \
+        --include="*.py" --include="*.php" --include="*.js" . 2>/dev/null || true
+    errorformat:
+      - "%f:%l:%m"
+    name: Dangerous Function Usage
+    level: warning
+
+  # Hardcoded IP addresses
+  hardcoded-ips:
+    cmd: |
+      grep -nH -R -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" \
+        --include="*.py" --include="*.js" --include="*.java" \
+        --exclude-dir=node_modules --exclude-dir=.git . 2>/dev/null || true
+    errorformat:
+      - "%f:%l:%m"
+    name: Hardcoded IP Addresses
+    level: info
+
+# Global configuration
+# Uncomment and modify as needed
+
+# Filter mode for all runners (can be overridden per runner)
+# filter-mode: added  # added, diff_context, file, nofilter
+
+# Default reporter
+# reporter: local  # local, github-pr-review, gitlab-mr-discussion, etc.
+
+# Fail level (any findings at this level or higher will cause failure)
+# fail-level: error  # error, warning, info
+
+# Diff options
+# diff: "git diff FETCH_HEAD"

skills/secsdlc/reviewdog/assets/github_actions_template.yml

@@ -0,0 +1,161 @@
+name: Security Review with Reviewdog
+
+on:
+  pull_request:
+    branches: [main, develop, master]
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+  checks: write
+
+jobs:
+  security-scan:
+    name: Multi-Tool Security Scanning
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Full history for better diff analysis
+
+      - name: Setup reviewdog
+        uses: reviewdog/action-setup@v1
+        with:
+          reviewdog_version: latest
+
+      # Python setup for Bandit and Semgrep
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+
+      - name: Install security tools
+        run: |
+          pip install bandit semgrep
+
+      # Critical: Python SAST with Bandit
+      - name: Run Bandit SAST (Python)
+        if: hashFiles('**/*.py') != ''
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          bandit -r . -f json 2>/dev/null | \
+            reviewdog -f=bandit \
+                     -name="Bandit Security Scan" \
+                     -reporter=github-pr-review \
+                     -filter-mode=added \
+                     -fail-on-error=true \
+                     -level=error
+
+      # Critical: Multi-language SAST with Semgrep
+      - name: Run Semgrep SAST
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          semgrep --config=auto --severity=ERROR --json --quiet 2>/dev/null | \
+            reviewdog -f=semgrep \
+                     -name="Semgrep Critical" \
+                     -reporter=github-pr-review \
+                     -filter-mode=added \
+                     -fail-on-error=true \
+                     -level=error
+
+      # High: Semgrep warnings
+      - name: Run Semgrep Warnings
+        if: always()
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          semgrep --config=auto --severity=WARNING --json --quiet 2>/dev/null | \
+            reviewdog -f=semgrep \
+                     -name="Semgrep Warnings" \
+                     -reporter=github-pr-check \
+                     -filter-mode=diff_context \
+                     -level=warning
+
+      # Critical: Secret detection with Gitleaks
+      - name: Run Gitleaks Secret Scan
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          docker run --rm -v ${{ github.workspace }}:/repo \
+            zricethezav/gitleaks:latest detect \
+            --source=/repo \
+            --report-format=json \
+            --report-path=/repo/gitleaks.json \
+            --no-git || true
+
+          if [ -f gitleaks.json ]; then
+            cat gitleaks.json | \
+              reviewdog -f=gitleaks \
+                       -name="Secret Detection" \
+                       -reporter=github-pr-review \
+                       -filter-mode=added \
+                       -fail-on-error=true \
+                       -level=error
+          fi
+
+      # Container: Dockerfile linting with Hadolint
+      - name: Run Hadolint (Dockerfile)
+        if: hashFiles('**/Dockerfile*') != ''
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Find all Dockerfiles
+          find . -type f \( -name "Dockerfile*" -o -name "*.dockerfile" \) | while read dockerfile; do
+            docker run --rm -i hadolint/hadolint < "$dockerfile" | \
+              reviewdog -f=checkstyle \
+                       -name="Hadolint: $dockerfile" \
+                       -reporter=github-pr-review \
+                       -filter-mode=diff_context \
+                       -level=warning || true
+          done
+
+      # IaC: Terraform/CloudFormation security with Checkov
+      - name: Run Checkov (IaC Security)
+        if: hashFiles('**/*.tf', '**/*.yml', '**/*.yaml') != ''
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          docker run --rm -v ${{ github.workspace }}:/workspace \
+            bridgecrew/checkov:latest \
+            -d /workspace \
+            --quiet \
+            --compact \
+            -o json 2>/dev/null | \
+              reviewdog -f=checkov \
+                       -name="Checkov IaC Security" \
+                       -reporter=github-pr-review \
+                       -filter-mode=diff_context \
+                       -level=warning || true
+
+      # Shell scripts: ShellCheck
+      - name: Run ShellCheck
+        if: hashFiles('**/*.sh') != ''
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          find . -type f -name "*.sh" | while read script; do
+            shellcheck -f json "$script" 2>/dev/null | \
+              reviewdog -f=shellcheck \
+                       -name="ShellCheck" \
+                       -reporter=github-pr-check \
+                       -filter-mode=diff_context || true
+          done
+
+  security-summary:
+    name: Security Scan Summary
+    runs-on: ubuntu-latest
+    needs: security-scan
+    if: always()
+
+    steps:
+      - name: Post summary
+        run: |
+          echo "## Security Scan Completed" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "All security scans have been executed." >> $GITHUB_STEP_SUMMARY
+          echo "Review the checks above for any findings." >> $GITHUB_STEP_SUMMARY

skills/secsdlc/reviewdog/assets/gitlab_ci_template.yml

@@ -0,0 +1,175 @@
+stages:
+  - security
+
+variables:
+  REVIEWDOG_REPORTER: "gitlab-mr-discussion"
+  REVIEWDOG_FILTER_MODE: "added"
+
+# Reusable reviewdog setup
+.reviewdog_setup:
+  before_script:
+    - apk add --no-cache git curl
+    - |
+      # Install reviewdog
+      curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b /usr/local/bin
+
+# Python SAST with Bandit
+bandit_scan:
+  extends: .reviewdog_setup
+  stage: security
+  image: python:3.11-alpine
+  before_script:
+    - !reference [.reviewdog_setup, before_script]
+    - pip install bandit
+  script:
+    - |
+      bandit -r . -f json 2>/dev/null | \
+        reviewdog -f=bandit \
+                 -name="Bandit Security" \
+                 -reporter=$REVIEWDOG_REPORTER \
+                 -filter-mode=$REVIEWDOG_FILTER_MODE \
+                 -fail-on-error=true \
+                 -level=error
+  only:
+    - merge_requests
+  allow_failure: false
+
+# Multi-language SAST with Semgrep
+semgrep_scan:
+  extends: .reviewdog_setup
+  stage: security
+  image: python:3.11-alpine
+  before_script:
+    - !reference [.reviewdog_setup, before_script]
+    - pip install semgrep
+  script:
+    # Critical findings - block MR
+    - |
+      semgrep --config=auto --severity=ERROR --json --quiet 2>/dev/null | \
+        reviewdog -f=semgrep \
+                 -name="Semgrep Critical" \
+                 -reporter=$REVIEWDOG_REPORTER \
+                 -filter-mode=$REVIEWDOG_FILTER_MODE \
+                 -fail-on-error=true \
+                 -level=error
+    # Warnings - don't block
+    - |
+      semgrep --config=auto --severity=WARNING --json --quiet 2>/dev/null | \
+        reviewdog -f=semgrep \
+                 -name="Semgrep Warnings" \
+                 -reporter=$REVIEWDOG_REPORTER \
+                 -filter-mode=diff_context \
+                 -level=warning || true
+  only:
+    - merge_requests
+  allow_failure: false
+
+# Secret detection with Gitleaks
+gitleaks_scan:
+  extends: .reviewdog_setup
+  stage: security
+  image: zricethezav/gitleaks:latest
+  script:
+    - gitleaks detect --report-format json --report-path gitleaks.json --no-git || true
+    - |
+      if [ -f gitleaks.json ]; then
+        cat gitleaks.json | \
+          reviewdog -f=gitleaks \
+                   -name="Secret Detection" \
+                   -reporter=$REVIEWDOG_REPORTER \
+                   -filter-mode=$REVIEWDOG_FILTER_MODE \
+                   -fail-on-error=true \
+                   -level=error
+      fi
+  only:
+    - merge_requests
+  allow_failure: false
+
+# Dockerfile security with Hadolint
+hadolint_scan:
+  extends: .reviewdog_setup
+  stage: security
+  image: hadolint/hadolint:latest-alpine
+  script:
+    - |
+      find . -type f \( -name "Dockerfile*" -o -name "*.dockerfile" \) | while read dockerfile; do
+        hadolint "$dockerfile" --format json 2>/dev/null | \
+          reviewdog -f=hadolint \
+                   -name="Hadolint: $dockerfile" \
+                   -reporter=$REVIEWDOG_REPORTER \
+                   -filter-mode=diff_context \
+                   -level=warning || true
+      done
+  only:
+    - merge_requests
+    changes:
+      - "**/Dockerfile*"
+      - "**/*.dockerfile"
+  allow_failure: true
+
+# IaC security with Checkov
+checkov_scan:
+  extends: .reviewdog_setup
+  stage: security
+  image: bridgecrew/checkov:latest
+  script:
+    - |
+      checkov -d . --quiet --compact -o json 2>/dev/null | \
+        reviewdog -f=checkov \
+                 -name="Checkov IaC Security" \
+                 -reporter=$REVIEWDOG_REPORTER \
+                 -filter-mode=diff_context \
+                 -level=warning || true
+  only:
+    - merge_requests
+    changes:
+      - "**/*.tf"
+      - "**/*.yml"
+      - "**/*.yaml"
+  allow_failure: true
+
+# ShellCheck for shell scripts
+shellcheck_scan:
+  extends: .reviewdog_setup
+  stage: security
+  image: koalaman/shellcheck-alpine:latest
+  script:
+    - |
+      find . -type f -name "*.sh" | while read script; do
+        shellcheck -f json "$script" 2>/dev/null | \
+          reviewdog -f=shellcheck \
+                   -name="ShellCheck" \
+                   -reporter=$REVIEWDOG_REPORTER \
+                   -filter-mode=diff_context || true
+      done
+  only:
+    - merge_requests
+    changes:
+      - "**/*.sh"
+  allow_failure: true
+
+# Combined security suite (alternative approach)
+security_suite:
+  extends: .reviewdog_setup
+  stage: security
+  image: python:3.11-alpine
+  before_script:
+    - !reference [.reviewdog_setup, before_script]
+    - pip install bandit semgrep
+  script:
+    # Run all tools in parallel
+    - |
+      (bandit -r . -f json 2>/dev/null | \
+        reviewdog -f=bandit -name="Bandit" -reporter=$REVIEWDOG_REPORTER \
+                 -filter-mode=$REVIEWDOG_FILTER_MODE -fail-on-error=true) &
+
+      (semgrep --config=auto --json --quiet 2>/dev/null | \
+        reviewdog -f=semgrep -name="Semgrep" -reporter=$REVIEWDOG_REPORTER \
+                 -filter-mode=$REVIEWDOG_FILTER_MODE) &
+
+      wait
+  only:
+    - merge_requests
+  allow_failure: false
+  # Comment this job out if using individual jobs above
+  when: manual

skills/secsdlc/reviewdog/assets/pre_commit_config.yaml

@@ -0,0 +1,101 @@
+# Pre-commit hooks configuration with reviewdog
+# Install: pip install pre-commit
+# Setup: pre-commit install
+# Run manually: pre-commit run --all-files
+
+repos:
+  # Reviewdog with Bandit (Python security)
+  - repo: local
+    hooks:
+      - id: reviewdog-bandit
+        name: Reviewdog - Bandit Security Scan
+        entry: bash -c 'bandit -r . -f json 2>/dev/null | reviewdog -f=bandit -reporter=local -fail-on-error=true -level=error'
+        language: system
+        types: [python]
+        pass_filenames: false
+        require_serial: true
+
+  # Reviewdog with Semgrep (multi-language)
+  - repo: local
+    hooks:
+      - id: reviewdog-semgrep-critical
+        name: Reviewdog - Semgrep Critical
+        entry: bash -c 'semgrep --config=auto --severity=ERROR --json --quiet 2>/dev/null | reviewdog -f=semgrep -reporter=local -fail-on-error=true -level=error'
+        language: system
+        types: [python, javascript, typescript, java, go, ruby, php]
+        pass_filenames: false
+        require_serial: true
+
+      - id: reviewdog-semgrep-warnings
+        name: Reviewdog - Semgrep Warnings
+        entry: bash -c 'semgrep --config=auto --severity=WARNING --json --quiet 2>/dev/null | reviewdog -f=semgrep -reporter=local -level=warning || true'
+        language: system
+        types: [python, javascript, typescript, java, go, ruby, php]
+        pass_filenames: false
+        require_serial: true
+
+  # Reviewdog with Gitleaks (secrets)
+  - repo: local
+    hooks:
+      - id: reviewdog-gitleaks
+        name: Reviewdog - Secret Detection
+        entry: bash -c 'gitleaks detect --report-format json --report-path /tmp/gitleaks.json --no-git 2>/dev/null || true; if [ -f /tmp/gitleaks.json ]; then cat /tmp/gitleaks.json | reviewdog -f=gitleaks -reporter=local -fail-on-error=true -level=error; fi'
+        language: system
+        pass_filenames: false
+        require_serial: true
+
+  # Reviewdog with Hadolint (Dockerfile)
+  - repo: local
+    hooks:
+      - id: reviewdog-hadolint
+        name: Reviewdog - Hadolint Dockerfile
+        entry: bash -c 'find . -type f -name "Dockerfile*" -exec hadolint --format json {} \; 2>/dev/null | reviewdog -f=hadolint -reporter=local -level=warning || true'
+        language: system
+        types: [dockerfile]
+        pass_filenames: false
+        require_serial: true
+
+  # Reviewdog with ShellCheck
+  - repo: local
+    hooks:
+      - id: reviewdog-shellcheck
+        name: Reviewdog - ShellCheck
+        entry: bash -c 'shellcheck -f json "$@" 2>/dev/null | reviewdog -f=shellcheck -reporter=local || true'
+        language: system
+        types: [shell]
+        require_serial: true
+
+  # Standard pre-commit hooks (optional, complement reviewdog)
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: check-yaml
+      - id: check-json
+      - id: check-added-large-files
+        args: ['--maxkb=500']
+      - id: detect-private-key
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+
+  # Python code formatting (optional)
+  - repo: https://github.com/psf/black
+    rev: 23.12.1
+    hooks:
+      - id: black
+        language_version: python3
+
+  # Python import sorting (optional)
+  - repo: https://github.com/pycqa/isort
+    rev: 5.13.2
+    hooks:
+      - id: isort
+
+# Configuration
+default_language_version:
+  python: python3.11
+
+# Fail fast on first error
+fail_fast: false
+
+# Minimum pre-commit version
+minimum_pre_commit_version: '2.20.0'