zhongwei/gh-agentsecops-secopsagentkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

348
skills/secsdlc/reviewdog/references/cwe_mapping.md Normal file
View File

@@ -0,0 +1,348 @@
# CWE Mapping for Security Tools
This reference maps common security tool findings to CWE (Common Weakness Enumeration) categories.
## Table of Contents
- [OWASP Top 10 to CWE Mapping](#owasp-top-10-to-cwe-mapping)
- [Tool-Specific CWE Coverage](#tool-specific-cwe-coverage)
- [CWE Categories](#cwe-categories)
- [Severity Mapping](#severity-mapping)
## OWASP Top 10 to CWE Mapping
Map OWASP Top 10 2021 vulnerabilities to their primary CWEs:
| OWASP Category | CWE IDs | Reviewdog Detection |
|----------------|---------|---------------------|
| **A01: Broken Access Control** | CWE-22, CWE-23, CWE-35, CWE-59, CWE-200, CWE-201, CWE-219, CWE-264, CWE-275, CWE-284, CWE-285, CWE-352, CWE-359, CWE-377, CWE-402, CWE-425, CWE-441, CWE-497, CWE-538, CWE-540, CWE-548, CWE-552, CWE-566, CWE-601, CWE-639, CWE-651, CWE-668, CWE-706, CWE-862, CWE-863, CWE-913, CWE-922, CWE-1275 | Semgrep, Bandit, Checkov |
| **A02: Cryptographic Failures** | CWE-259, CWE-327, CWE-328, CWE-329, CWE-330, CWE-331, CWE-335, CWE-336, CWE-337, CWE-338, CWE-340, CWE-347, CWE-523, CWE-720, CWE-757, CWE-759, CWE-760, CWE-780, CWE-818, CWE-916 | Bandit, Semgrep, Gitleaks |
| **A03: Injection** | CWE-20, CWE-74, CWE-75, CWE-77, CWE-78, CWE-79, CWE-80, CWE-83, CWE-87, CWE-88, CWE-89, CWE-90, CWE-91, CWE-93, CWE-94, CWE-95, CWE-96, CWE-97, CWE-98, CWE-99, CWE-100, CWE-113, CWE-116, CWE-138, CWE-184, CWE-470, CWE-471, CWE-564, CWE-610, CWE-643, CWE-644, CWE-652, CWE-917 | Semgrep, Bandit, ESLint |
| **A04: Insecure Design** | CWE-73, CWE-183, CWE-209, CWE-213, CWE-235, CWE-256, CWE-257, CWE-266, CWE-269, CWE-280, CWE-311, CWE-312, CWE-313, CWE-316, CWE-419, CWE-430, CWE-434, CWE-444, CWE-451, CWE-472, CWE-501, CWE-522, CWE-525, CWE-539, CWE-579, CWE-598, CWE-602, CWE-642, CWE-646, CWE-650, CWE-653, CWE-656, CWE-657, CWE-799, CWE-807, CWE-840, CWE-841, CWE-927, CWE-1021, CWE-1173 | Architecture review |
| **A05: Security Misconfiguration** | CWE-2, CWE-11, CWE-13, CWE-15, CWE-16, CWE-260, CWE-315, CWE-520, CWE-526, CWE-537, CWE-541, CWE-547, CWE-611, CWE-614, CWE-756, CWE-776, CWE-942, CWE-1004, CWE-1032, CWE-1174 | Checkov, Hadolint, Trivy |
| **A06: Vulnerable Components** | CWE-1104, CWE-1035 | Trivy, Dependabot, Snyk |
| **A07: Authentication Failures** | CWE-255, CWE-259, CWE-287, CWE-288, CWE-290, CWE-294, CWE-295, CWE-297, CWE-300, CWE-302, CWE-304, CWE-306, CWE-307, CWE-346, CWE-384, CWE-521, CWE-613, CWE-620, CWE-640, CWE-798, CWE-940, CWE-1216 | Semgrep, Bandit, Gitleaks |
| **A08: Software/Data Integrity** | CWE-345, CWE-353, CWE-426, CWE-494, CWE-502, CWE-565, CWE-784, CWE-829, CWE-830, CWE-915 | Bandit, Semgrep |
| **A09: Security Logging Failures** | CWE-117, CWE-223, CWE-532, CWE-778 | Semgrep |
| **A10: SSRF** | CWE-918 | Semgrep, Bandit |
## Tool-Specific CWE Coverage
### Semgrep
**Primary CWE Coverage**:
- CWE-20: Improper Input Validation
- CWE-22: Path Traversal
- CWE-78: OS Command Injection
- CWE-79: Cross-site Scripting (XSS)
- CWE-89: SQL Injection
- CWE-94: Code Injection
- CWE-327: Use of Broken Cryptography
- CWE-502: Deserialization of Untrusted Data
- CWE-601: Open Redirect
- CWE-611: XXE
- CWE-798: Hardcoded Credentials
- CWE-918: SSRF
**Example Detections**:
```bash
# SQL Injection (CWE-89)
semgrep --config "p/sql-injection" --json | reviewdog -f=semgrep
# XSS (CWE-79)
semgrep --config "p/xss" --json | reviewdog -f=semgrep
# Command Injection (CWE-78)
semgrep --config "p/command-injection" --json | reviewdog -f=semgrep
```
---
### Bandit (Python)
**Primary CWE Coverage**:
- CWE-78: OS Command Injection (shell=True)
- CWE-89: SQL Injection
- CWE-259: Hard-coded Password
- CWE-295: Improper Certificate Validation
- CWE-327: Broken Crypto (MD5, SHA1)
- CWE-338: Weak PRNG
- CWE-502: Pickle Deserialization
- CWE-798: Hardcoded Credentials
**Bandit Test ID to CWE**:
| Bandit Test | CWE | Description |
|-------------|-----|-------------|
| B201 | CWE-209 | Flask debug mode |
| B301 | CWE-502 | Pickle usage |
| B302 | CWE-327 | MD5 usage |
| B303 | CWE-327 | SHA1 usage |
| B304 | CWE-327 | Insecure ciphers |
| B305 | CWE-327 | Insecure cipher modes |
| B306 | CWE-378 | Insecure temp file |
| B307 | CWE-78 | eval() usage |
| B308 | CWE-94 | mark_safe usage |
| B310 | CWE-601 | URL open |
| B311 | CWE-338 | Weak random |
| B324 | CWE-327 | hashlib.new insecure |
| B501 | CWE-295 | Cert validation disabled |
| B601 | CWE-78 | Paramiko exec |
| B602 | CWE-78 | Shell injection |
| B603 | CWE-78 | Subprocess w/o shell |
| B604 | CWE-78 | Shell=True |
| B605 | CWE-78 | Shell command strings |
| B607 | CWE-78 | Partial path process |
**Example**:
```bash
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
```
---
### Gitleaks
**Primary CWE Coverage**:
- CWE-798: Use of Hard-coded Credentials
**Detected Secret Types**:
- API keys and tokens
- AWS credentials
- Database passwords
- Private keys (SSH, PGP, certificates)
- OAuth tokens
- JWT secrets
**Example**:
```bash
gitleaks detect --report-format json | reviewdog -f=gitleaks -reporter=github-pr-review
```
---
### Checkov (IaC)
**Primary CWE Coverage**:
- CWE-250: Execution with Unnecessary Privileges
- CWE-284: Improper Access Control
- CWE-326: Inadequate Encryption Strength
- CWE-521: Weak Password Requirements
- CWE-601: Open Redirect
- CWE-668: Exposure of Resource
**Common Findings**:
```bash
# S3 bucket public access (CWE-284, CWE-668)
# Unencrypted storage (CWE-326)
# Overly permissive IAM (CWE-250, CWE-284)
# Missing encryption in transit (CWE-319)
checkov -d . --framework terraform -o json | reviewdog -f=checkov
```
---
### Hadolint (Dockerfile)
**Primary CWE Coverage**:
- CWE-250: Execution with Unnecessary Privileges (USER root)
- CWE-798: Hardcoded Credentials in ENV
**Common Issues**:
- DL3000-DL3999: Dockerfile best practices
- DL4000-DL4999: Security issues
**Example**:
```bash
hadolint Dockerfile --format json | reviewdog -f=hadolint
```
---
### ShellCheck
**Primary CWE Coverage**:
- CWE-78: OS Command Injection
- CWE-377: Insecure Temporary File
**Example**:
```bash
shellcheck -f json script.sh | reviewdog -f=shellcheck
```
---
## CWE Categories
### CWE Top 25 (2023)
The most dangerous software weaknesses:
| Rank | CWE-ID | Name | Reviewdog Tools |
|------|--------|------|-----------------|
| 1 | CWE-787 | Out-of-bounds Write | - |
| 2 | CWE-79 | Cross-site Scripting | Semgrep, ESLint |
| 3 | CWE-89 | SQL Injection | Semgrep, Bandit |
| 4 | CWE-20 | Improper Input Validation | Semgrep, Bandit |
| 5 | CWE-125 | Out-of-bounds Read | - |
| 6 | CWE-78 | OS Command Injection | Semgrep, Bandit, ShellCheck |
| 7 | CWE-416 | Use After Free | - |
| 8 | CWE-22 | Path Traversal | Semgrep, Bandit |
| 9 | CWE-352 | CSRF | Semgrep |
| 10 | CWE-434 | Unrestricted Upload | Semgrep |
| 11 | CWE-862 | Missing Authorization | Semgrep |
| 12 | CWE-476 | NULL Pointer Dereference | - |
| 13 | CWE-287 | Improper Authentication | Semgrep, Bandit |
| 14 | CWE-190 | Integer Overflow | - |
| 15 | CWE-502 | Deserialization | Bandit, Semgrep |
| 16 | CWE-77 | Command Injection | Semgrep, Bandit |
| 17 | CWE-119 | Memory Buffer Errors | - |
| 18 | CWE-798 | Hardcoded Credentials | Gitleaks, Bandit, Semgrep |
| 19 | CWE-918 | SSRF | Semgrep |
| 20 | CWE-306 | Missing Authentication | Semgrep |
| 21 | CWE-362 | Race Condition | - |
| 22 | CWE-269 | Improper Privilege Mgmt | Checkov, Semgrep |
| 23 | CWE-94 | Code Injection | Semgrep, Bandit |
| 24 | CWE-863 | Incorrect Authorization | Semgrep |
| 25 | CWE-276 | Incorrect Permissions | Checkov, Semgrep |
---
## Severity Mapping
Map CWE to severity levels for reviewdog filtering:
### Critical (fail-on-error)
- CWE-78: OS Command Injection
- CWE-79: Cross-site Scripting
- CWE-89: SQL Injection
- CWE-94: Code Injection
- CWE-502: Deserialization of Untrusted Data
- CWE-798: Hardcoded Credentials
- CWE-918: SSRF
**Reviewdog Configuration**:
```bash
semgrep --severity=ERROR --json | \
reviewdog -f=semgrep -level=error -fail-on-error=true
```
---
### High (block PR merge)
- CWE-22: Path Traversal
- CWE-77: Command Injection
- CWE-287: Improper Authentication
- CWE-306: Missing Authentication
- CWE-327: Broken Cryptography
- CWE-601: Open Redirect
- CWE-611: XXE
- CWE-862: Missing Authorization
- CWE-863: Incorrect Authorization
**Reviewdog Configuration**:
```bash
semgrep --severity=WARNING --json | \
reviewdog -f=semgrep -level=error -fail-on-error=true
```
---
### Medium (comment, don't block)
- CWE-200: Information Exposure
- CWE-209: Error Message Information Leak
- CWE-284: Improper Access Control
- CWE-295: Improper Certificate Validation
- CWE-338: Weak PRNG
- CWE-352: CSRF
- CWE-434: Unrestricted File Upload
- CWE-532: Information Exposure Through Log Files
**Reviewdog Configuration**:
```bash
semgrep --severity=WARNING --json | \
reviewdog -f=semgrep -level=warning
```
---
### Low/Info (informational)
- CWE-1104: Use of Unmaintained Third Party Components
- CWE-710: Improper Coding Practices
- Configuration best practices
- Code quality issues
**Reviewdog Configuration**:
```bash
semgrep --severity=INFO --json | \
reviewdog -f=semgrep -level=info
```
---
## Example: Comprehensive CWE-Based Scanning
```yaml
name: CWE-Based Security Scan
on: [pull_request]
jobs:
critical-cwe:
name: Critical CWE (78, 79, 89, 94, 502, 798, 918)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: reviewdog/action-setup@v1
- name: Scan for Critical CWE
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# CWE-78, 89, 94 - Injection
semgrep --config "p/security-audit" \
--severity=ERROR \
--json | \
reviewdog -f=semgrep \
-name="Critical: Injection (CWE-78,89,94)" \
-reporter=github-pr-review \
-fail-on-error=true
# CWE-798 - Hardcoded credentials
gitleaks detect --report-format json | \
reviewdog -f=gitleaks \
-name="Critical: Hardcoded Secrets (CWE-798)" \
-reporter=github-pr-review \
-fail-on-error=true
high-cwe:
name: High CWE (22, 287, 327, 601, 862)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: reviewdog/action-setup@v1
- name: Scan for High CWE
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
semgrep --config "p/owasp-top-ten" \
--json | \
reviewdog -f=semgrep \
-name="High: OWASP/CWE" \
-reporter=github-pr-review \
-level=error
```
---
## References
- [CWE Top 25](https://cwe.mitre.org/top25/)
- [CWE OWASP Top 10 Mapping](https://owasp.org/Top10/)
- [CWE List](https://cwe.mitre.org/data/index.html)
- [CAPEC](https://capec.mitre.org/) - Attack patterns for CWEs

457
skills/secsdlc/reviewdog/references/reporter_formats.md Normal file
View File

@@ -0,0 +1,457 @@
# Reviewdog Reporter Formats
This reference documents the available reporter formats and output modes for reviewdog.
## Table of Contents
- [Reporter Types](#reporter-types)
- [GitHub Reporters](#github-reporters)
- [GitLab Reporters](#gitlab-reporters)
- [Generic Reporters](#generic-reporters)
- [Input Formats](#input-formats)
- [Configuration Examples](#configuration-examples)
## Reporter Types
Reviewdog supports multiple reporter formats for different CI/CD platforms and use cases.
### Quick Reference
| Reporter | Platform | Use Case | Requires Token |
|----------|----------|----------|----------------|
| `local` | Any | Local development, terminal output | No |
| `github-check` | GitHub | Check Runs API | Yes |
| `github-pr-check` | GitHub | Check Runs on PR | Yes |
| `github-pr-review` | GitHub | PR review comments | Yes |
| `gitlab-mr-discussion` | GitLab | MR discussion threads | Yes |
| `gitlab-mr-commit` | GitLab | MR commit comments | Yes |
| `bitbucket-code-report` | Bitbucket | Code Insights | Yes |
| `gerrit-change-review` | Gerrit | Change review comments | Yes |
## GitHub Reporters
### github-check
Posts findings as GitHub Check Runs (visible in PR checks tab).
**Usage**:
```bash
reviewdog -reporter=github-check
```
**Environment Variables**:
```bash
export REVIEWDOG_GITHUB_API_TOKEN="ghp_xxxxxxxxxxxx"
# or use GitHub Actions built-in token
export REVIEWDOG_GITHUB_API_TOKEN="${GITHUB_TOKEN}"
```
**Permissions Required**:
- `checks: write`
- `contents: read`
**Output**:
- Appears in "Checks" tab of PR
- Shows annotation count
- Can block PR merge if configured
**Example**:
```yaml
- name: Run security scan
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
bandit -r . -f json | reviewdog -f=bandit -reporter=github-check
```
---
### github-pr-check
Similar to `github-check` but specifically for pull requests.
**Usage**:
```bash
reviewdog -reporter=github-pr-check
```
**Differences from github-check**:
- Only runs on PRs (not on push to branches)
- Better integration with PR workflow
- Recommended for most PR-based workflows
---
### github-pr-review
Posts findings as inline PR review comments.
**Usage**:
```bash
reviewdog -reporter=github-pr-review
```
**Permissions Required**:
- `pull-requests: write`
- `contents: read`
**Features**:
- Inline comments on specific lines
- Grouped by file
- Shows in "Files changed" tab
- Can suggest changes
**Filter Modes**:
```bash
# Only comment on added lines
reviewdog -reporter=github-pr-review -filter-mode=added
# Comment on modified context (added + surrounding)
reviewdog -reporter=github-pr-review -filter-mode=diff_context
# Comment on all findings in changed files
reviewdog -reporter=github-pr-review -filter-mode=file
```
**Example with Suggested Changes**:
```bash
# Some tools can suggest fixes
semgrep --config=auto --json | \
reviewdog -f=semgrep -reporter=github-pr-review
```
---
## GitLab Reporters
### gitlab-mr-discussion
Posts findings as GitLab merge request discussion threads.
**Usage**:
```bash
reviewdog -reporter=gitlab-mr-discussion
```
**Environment Variables**:
```bash
export REVIEWDOG_GITLAB_API_TOKEN="glpat-xxxxxxxxxxxx"
export CI_API_V4_URL="https://gitlab.com/api/v4"
export CI_MERGE_REQUEST_IID="123"
export CI_PROJECT_ID="456"
```
**Permissions Required**:
- API access with `api` scope
- Write access to merge requests
**Features**:
- Creates discussion threads on specific lines
- Supports threaded conversations
- Can mark as resolved
**Example (.gitlab-ci.yml)**:
```yaml
security_review:
script:
- bandit -r . -f json | reviewdog -f=bandit -reporter=gitlab-mr-discussion
variables:
REVIEWDOG_GITLAB_API_TOKEN: $GITLAB_TOKEN
only:
- merge_requests
```
---
### gitlab-mr-commit
Posts findings as commit comments on merge request.
**Usage**:
```bash
reviewdog -reporter=gitlab-mr-commit
```
**Differences from gitlab-mr-discussion**:
- Comments attached to specific commits
- Less conversational
- Good for historical tracking
---
## Generic Reporters
### local
Outputs findings to terminal/console (default for local development).
**Usage**:
```bash
reviewdog -reporter=local
```
**Output Format**:
```
app/models.py:42:10: [error] SQL Injection vulnerability (CWE-89) [bandit]
app/views.py:15:5: [warning] Use of hardcoded password (CWE-798) [semgrep]
```
**Features**:
- No API token required
- Color-coded severity levels
- File path and line numbers
- Works in any CI environment
**Example**:
```bash
# Quick local scan
semgrep --config=auto --json | reviewdog -f=semgrep -reporter=local
```
---
### bitbucket-code-report
Posts findings to Bitbucket Code Insights.
**Usage**:
```bash
reviewdog -reporter=bitbucket-code-report
```
**Environment Variables**:
```bash
export BITBUCKET_USER="username"
export BITBUCKET_PASSWORD="app_password"
```
---
### gerrit-change-review
Posts findings as Gerrit change review comments.
**Usage**:
```bash
reviewdog -reporter=gerrit-change-review
```
**Environment Variables**:
```bash
export GERRIT_USERNAME="user"
export GERRIT_PASSWORD="password"
export GERRIT_CHANGE_ID="I1234567890abcdef"
export GERRIT_REVISION_ID="1"
export GERRIT_ADDRESS="https://gerrit.example.com"
```
---
## Input Formats
Reviewdog supports multiple input formats from security tools:
### Supported Formats
| Format | Tools | Description |
|--------|-------|-------------|
| `checkstyle` | Generic XML | Checkstyle XML format |
| `sarif` | Many SAST tools | Static Analysis Results Interchange Format |
| `rdjson` | Custom tools | Reviewdog Diagnostic Format (JSON) |
| `rdjsonl` | Custom tools | Reviewdog Diagnostic Format (JSON Lines) |
| `diff` | diff, git-diff | Unified diff format |
| `bandit` | Bandit | Bandit JSON output |
| `semgrep` | Semgrep | Semgrep JSON output |
| `gitleaks` | Gitleaks | Gitleaks JSON output |
| `hadolint` | Hadolint | Hadolint JSON output |
| `checkov` | Checkov | Checkov JSON output |
| `shellcheck` | ShellCheck | ShellCheck JSON output |
| `eslint` | ESLint | ESLint JSON output |
### rdjson Format (Custom Tools)
Use this format to integrate custom security scanners:
```json
{
"source": {
"name": "my-security-scanner",
"url": "https://github.com/example/scanner"
},
"severity": "ERROR",
"diagnostics": [
{
"message": "Vulnerability description",
"location": {
"path": "src/app.py",
"range": {
"start": {"line": 42, "column": 10},
"end": {"line": 42, "column": 30}
}
},
"severity": "ERROR",
"code": {
"value": "CWE-89",
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
"suggestions": [
{
"text": "Use parameterized queries",
"range": {
"start": {"line": 42, "column": 10},
"end": {"line": 42, "column": 30}
},
"replacement": "cursor.execute('SELECT * FROM users WHERE id = ?', (user_id,))"
}
]
}
]
}
```
**Severity Levels**:
- `ERROR` - High severity, should block PR
- `WARNING` - Medium severity, should review
- `INFO` - Low severity, informational
**Usage**:
```bash
./my-scanner --output json | reviewdog -f=rdjson -reporter=github-pr-review
```
---
## Configuration Examples
### Multi-Reporter Setup
Run the same scan with different reporters based on environment:
```bash
#!/bin/bash
if [ -n "$GITHUB_ACTIONS" ]; then
REPORTER="github-pr-review"
elif [ -n "$GITLAB_CI" ]; then
REPORTER="gitlab-mr-discussion"
else
REPORTER="local"
fi
semgrep --config=auto --json | \
reviewdog -f=semgrep -reporter="$REPORTER"
```
---
### .reviewdog.yml Configuration
Define multiple runners with different reporters:
```yaml
runner:
critical-findings:
cmd: semgrep --severity=ERROR --json
format: semgrep
name: Critical Security Issues
level: error
reporter: github-pr-review
warnings:
cmd: semgrep --severity=WARNING --json
format: semgrep
name: Security Warnings
level: warning
reporter: github-pr-check
info:
cmd: semgrep --severity=INFO --json
format: semgrep
name: Security Info
level: info
reporter: local
```
---
### Advanced GitHub Actions Example
```yaml
name: Security Review
on:
pull_request:
types: [opened, synchronize, reopened]
permissions:
contents: read
pull-requests: write
checks: write
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup reviewdog
uses: reviewdog/action-setup@v1
# Critical findings - Block PR
- name: Critical Security Scan
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
semgrep --severity=ERROR --json | \
reviewdog -f=semgrep \
-name="Critical" \
-reporter=github-pr-review \
-filter-mode=added \
-fail-on-error=true \
-level=error
# Warnings - Comment but don't block
- name: Security Warnings
if: always()
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
semgrep --severity=WARNING --json | \
reviewdog -f=semgrep \
-name="Warnings" \
-reporter=github-pr-check \
-filter-mode=diff_context \
-level=warning
```
---
## Troubleshooting
### Issue: Comments not appearing
**Check**:
1. Token has correct permissions
2. Reporter matches CI platform
3. Running in PR/MR context (not on main branch)
4. Filter mode is not too restrictive
### Issue: Duplicate comments
**Solution**:
- Use `filter-mode=added` to only comment on new code
- Configure reviewdog to run only once per PR
### Issue: Rate limiting
**Solution**:
- Batch findings with `github-pr-check` instead of individual comments
- Use GitHub App token instead of PAT for higher rate limits
---
## References
- [Reviewdog Reporter Documentation](https://github.com/reviewdog/reviewdog#reporters)
- [rdjson Format Specification](https://github.com/reviewdog/reviewdog/tree/master/proto/rdf)
- [SARIF Specification](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html)

453
skills/secsdlc/reviewdog/references/supported_tools.md Normal file
View File

@@ -0,0 +1,453 @@
# Supported Security Tools for Reviewdog
This reference documents security tools that integrate with reviewdog, their configuration, and usage patterns.
## Table of Contents
- [SAST Tools](#sast-tools)
- [Secret Detection](#secret-detection)
- [Infrastructure as Code](#infrastructure-as-code)
- [Container Security](#container-security)
- [Linters and Formatters](#linters-and-formatters)
## SAST Tools
### Semgrep
**Description**: Multi-language static analysis for finding bugs and enforcing secure coding standards.
**Installation**:
```bash
pip install semgrep
```
**Reviewdog Integration**:
```bash
semgrep --config=auto --json | reviewdog -f=semgrep -reporter=github-pr-review
```
**Custom Rules**:
```bash
# OWASP Top 10
semgrep --config "p/owasp-top-ten" --json | reviewdog -f=semgrep
# Security audit
semgrep --config "p/security-audit" --json | reviewdog -f=semgrep
# Custom rules
semgrep --config ./custom-rules.yml --json | reviewdog -f=semgrep
```
**CWE Coverage**: CWE-20, CWE-22, CWE-78, CWE-79, CWE-89, CWE-94, CWE-611, CWE-798
---
### Bandit
**Description**: Python security linter for finding common security issues.
**Installation**:
```bash
pip install bandit
```
**Reviewdog Integration**:
```bash
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
```
**Configuration (.bandit)**:
```yaml
exclude_dirs:
- /test
- /tests
- /.venv
tests:
- B201 # Flask debug mode
- B301 # Pickle usage
- B601 # Shell injection
- B602 # Subprocess with shell=True
```
**CWE Coverage**: CWE-78, CWE-79, CWE-89, CWE-259, CWE-327, CWE-338, CWE-502
---
### ESLint (with security plugins)
**Description**: JavaScript/TypeScript linter with security-focused plugins.
**Installation**:
```bash
npm install -D eslint eslint-plugin-security eslint-plugin-no-secrets
```
**Reviewdog Integration**:
```bash
eslint . --format=checkstyle | reviewdog -f=checkstyle -reporter=github-pr-review
```
**Configuration (.eslintrc.json)**:
```json
{
"plugins": ["security", "no-secrets"],
"extends": ["plugin:security/recommended"],
"rules": {
"no-eval": "error",
"security/detect-object-injection": "warn",
"security/detect-non-literal-regexp": "warn"
}
}
```
**CWE Coverage**: CWE-79, CWE-94, CWE-798, CWE-1004
---
## Secret Detection
### Gitleaks
**Description**: SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens.
**Installation**:
```bash
# Via Homebrew
brew install gitleaks
# Via Docker
docker pull zricethezav/gitleaks:latest
```
**Reviewdog Integration**:
```bash
gitleaks detect --report-format json | reviewdog -f=gitleaks -reporter=github-pr-review
```
**Configuration (.gitleaks.toml)**:
```toml
[extend]
useDefault = true
[[rules]]
id = "custom-api-key"
description = "Custom API Key Pattern"
regex = '''(?i)api[_-]?key[_-]?=.{20,}'''
```
**CWE Coverage**: CWE-798 (Use of Hard-coded Credentials)
---
### TruffleHog
**Description**: Find credentials accidentally committed to git repositories.
**Installation**:
```bash
pip install truffleHog
```
**Reviewdog Integration**:
```bash
trufflehog --json . | reviewdog -f=trufflehog -reporter=github-pr-review
```
**CWE Coverage**: CWE-798
---
## Infrastructure as Code
### Checkov
**Description**: Static code analysis for IaC (Terraform, CloudFormation, Kubernetes, etc.).
**Installation**:
```bash
pip install checkov
```
**Reviewdog Integration**:
```bash
checkov -d . -o json | reviewdog -f=checkov -reporter=github-pr-review
```
**Filter by Severity**:
```bash
# Only critical/high
checkov -d . --severity CRITICAL,HIGH -o json | reviewdog -f=checkov
```
**CWE Coverage**: CWE-250, CWE-284, CWE-326, CWE-601, CWE-668
---
### tfsec
**Description**: Security scanner for Terraform code.
**Installation**:
```bash
brew install tfsec
```
**Reviewdog Integration**:
```bash
tfsec . --format json | reviewdog -f=tfsec -reporter=github-pr-review
```
**CWE Coverage**: CWE-250, CWE-326, CWE-521
---
### Terrascan
**Description**: Detect compliance and security violations across IaC.
**Installation**:
```bash
brew install terrascan
```
**Reviewdog Integration**:
```bash
terrascan scan -o json | reviewdog -f=terrascan -reporter=github-pr-review
```
**CWE Coverage**: CWE-250, CWE-284, CWE-693
---
## Container Security
### Hadolint
**Description**: Dockerfile linter for best practices and security issues.
**Installation**:
```bash
brew install hadolint
```
**Reviewdog Integration**:
```bash
hadolint Dockerfile --format json | reviewdog -f=hadolint -reporter=github-pr-review
```
**Common Issues Detected**:
- Running as root (CWE-250)
- Exposed secrets in ENV (CWE-798)
- Outdated base images
- Missing health checks
**CWE Coverage**: CWE-250, CWE-798
---
### Trivy
**Description**: Comprehensive container and IaC security scanner.
**Installation**:
```bash
brew install trivy
```
**Reviewdog Integration**:
```bash
trivy fs --format json . | reviewdog -f=trivy -reporter=github-pr-review
```
**Scan Types**:
```bash
# Container images
trivy image --format json myimage:tag | reviewdog -f=trivy
# Filesystem
trivy fs --security-checks vuln,secret --format json . | reviewdog -f=trivy
# Kubernetes manifests
trivy k8s --report=summary --format json | reviewdog -f=trivy
```
**CWE Coverage**: Varies by vulnerability database
---
## Linters and Formatters
### ShellCheck
**Description**: Static analysis tool for shell scripts.
**Installation**:
```bash
brew install shellcheck
```
**Reviewdog Integration**:
```bash
shellcheck -f json script.sh | reviewdog -f=shellcheck -reporter=github-pr-review
```
**Security Checks**:
- Command injection (CWE-78)
- Unsafe variable expansion
- Insecure temporary files (CWE-377)
**CWE Coverage**: CWE-78, CWE-377
---
### yamllint
**Description**: YAML linter for syntax and best practices.
**Installation**:
```bash
pip install yamllint
```
**Reviewdog Integration**:
```bash
yamllint -f parsable . | reviewdog -f=yamllint -reporter=github-pr-review
```
---
### markdownlint
**Description**: Markdown linter for documentation quality.
**Installation**:
```bash
npm install -g markdownlint-cli
```
**Reviewdog Integration**:
```bash
markdownlint -j . | reviewdog -f=markdownlint -reporter=github-pr-review
```
---
## Multi-Tool Configurations
### Comprehensive Security Scan
Run all security tools in a single reviewdog session:
```yaml
# .reviewdog.yml
runner:
semgrep:
cmd: semgrep --config=auto --json
format: semgrep
name: Semgrep SAST
level: error
bandit:
cmd: bandit -r . -f json
format: bandit
name: Python Security
level: warning
gitleaks:
cmd: gitleaks detect --report-format json
format: gitleaks
name: Secret Detection
level: error
hadolint:
cmd: hadolint Dockerfile --format json
format: hadolint
name: Dockerfile Security
level: warning
checkov:
cmd: checkov -d . -o json --quiet
format: checkov
name: IaC Security
level: error
```
Run with:
```bash
reviewdog -conf=.reviewdog.yml -reporter=github-pr-review
```
---
## Tool Selection Guide
Choose tools based on your tech stack:
**Python Projects**:
- Bandit (SAST)
- Semgrep (Multi-language SAST)
- Gitleaks (Secrets)
**JavaScript/TypeScript**:
- ESLint + security plugins
- Semgrep
- Gitleaks
**Infrastructure/Cloud**:
- Checkov (Terraform, K8s, CloudFormation)
- tfsec (Terraform-specific)
- Hadolint (Dockerfiles)
- Trivy (Containers + IaC)
**Multi-language/Polyglot**:
- Semgrep (20+ languages)
- Gitleaks (Universal secrets)
- ShellCheck (Shell scripts)
---
## Custom Tool Integration
To integrate a custom security tool:
1. **Convert output to supported format** (checkstyle, sarif, rdjson)
2. **Use rdjson for custom tools**:
```json
{
"source": {
"name": "custom-scanner",
"url": "https://example.com"
},
"diagnostics": [
{
"message": "SQL Injection vulnerability detected",
"location": {
"path": "app/models.py",
"range": {
"start": {"line": 42, "column": 10}
}
},
"severity": "ERROR",
"code": {
"value": "CWE-89",
"url": "https://cwe.mitre.org/data/definitions/89.html"
}
}
]
}
```
3. **Pipe to reviewdog**:
```bash
./custom_scanner --json | reviewdog -f=rdjson -name="Custom Scanner"
```
---
## References
- [Reviewdog Supported Tools](https://reviewdog.github.io/supported-tools)
- [rdjson Format Specification](https://github.com/reviewdog/reviewdog/tree/master/proto/rdf)
- [SARIF Format](https://sarifweb.azurewebsites.net/)