zhongwei/gh-agentsecops-secopsagentkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ff1f4bd119e294e82b366862d68e24bd48aac597
gh-agentsecops-secopsagentkit/skills/secsdlc/reviewdog/SKILL.md
Zhongwei Li ff1f4bd119 Initial commit
2025-11-29 17:51:02 +08:00

12 KiB
Raw Blame History

name, description, version, maintainer, category, tags, frameworks, dependencies, references
name description version maintainer category tags frameworks dependencies references
reviewdog Automated code review and security linting integration for CI/CD pipelines using reviewdog. Aggregates findings from multiple security and quality tools (SAST, linters, formatters) into unified code review comments on pull requests. Use when: (1) Integrating security scanning into code review workflows, (2) Automating security feedback on pull requests, (3) Consolidating multiple tool outputs into actionable review comments, (4) Enforcing secure coding standards in CI/CD pipelines, (5) Providing inline security annotations during development. 0.1.0 asrour secsdlc
code-review
ci-cd
automation
security-feedback
pull-request
linting
sast-integration
OWASP
CWE
tools optional
reviewdog
git
semgrep
bandit
hadolint
checkov
gitleaks
shellcheck
eslint
https://github.com/reviewdog/reviewdog
https://reviewdog.github.io/

Reviewdog - Automated Security Code Review

Overview

Reviewdog is an automated code review tool that integrates security scanning and linting results into pull request review comments. It acts as a universal adapter between various security tools (SAST scanners, linters, formatters) and code hosting platforms (GitHub, GitLab, Bitbucket), enabling seamless security feedback during code review.

Key Capabilities:

  • Aggregates findings from multiple security and quality tools
  • Posts inline review comments on specific code lines
  • Supports 40+ linters and security scanners out-of-the-box
  • Integrates with GitHub Actions, GitLab CI, CircleCI, and other CI platforms
  • Filters findings to show only new issues in diff (fail-on-diff mode)
  • Supports custom rulesets and security policies

Quick Start

Basic reviewdog usage with a security scanner:

# Install reviewdog
go install github.com/reviewdog/reviewdog/cmd/reviewdog@latest

# Run a security scanner and pipe to reviewdog
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review

# Or use with Semgrep
semgrep --config=auto --json | reviewdog -f=semgrep -reporter=local

GitHub Actions integration:

- name: Run reviewdog
  uses: reviewdog/action-setup@v1
- name: Security scan with reviewdog
  env:
    REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review

Core Workflow

Step 1: Install reviewdog

Install reviewdog in your CI environment or locally:

# Via Go
go install github.com/reviewdog/reviewdog/cmd/reviewdog@latest

# Via Homebrew (macOS/Linux)
brew install reviewdog

# Via Docker
docker pull reviewdog/reviewdog:latest

Step 2: Configure Security Tools

Set up the security scanners you want to integrate. Reviewdog supports multiple input formats:

Supported Security Tools:

  • SAST: Semgrep, Bandit, ESLint Security, Brakeman
  • Secret Detection: Gitleaks, TruffleHog, detect-secrets
  • IaC Security: Checkov, tfsec, terrascan
  • Container Security: Hadolint, Trivy, Dockle
  • General Linters: ShellCheck, yamllint, markdownlint

Step 3: Integrate into CI/CD Pipeline

Add reviewdog to your CI pipeline to automatically post security findings as review comments:

GitHub Actions Example:

name: Security Review
on: [pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Setup reviewdog
        uses: reviewdog/action-setup@v1

      - name: Run Bandit SAST
        env:
          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          pip install bandit
          bandit -r . -f json | \
            reviewdog -f=bandit \
                     -name="Bandit SAST" \
                     -reporter=github-pr-review \
                     -filter-mode=added \
                     -fail-on-error

GitLab CI Example:

security_review:
  stage: test
  script:
    - pip install bandit reviewdog
    - bandit -r . -f json |
        reviewdog -f=bandit
                 -reporter=gitlab-mr-discussion
                 -filter-mode=diff_context
  only:
    - merge_requests

Step 4: Configure Review Behavior

Customize reviewdog's behavior using flags:

# Filter to show only issues in changed lines
reviewdog -filter-mode=diff_context

# Filter to show only issues in added lines
reviewdog -filter-mode=added

# Fail the build if findings are present
reviewdog -fail-on-error

# Set severity threshold
reviewdog -level=warning

Step 5: Review Security Findings

Reviewdog posts findings as inline comments on the pull request:

  • Inline annotations: Security issues appear directly on affected code lines
  • Severity indicators: Critical, High, Medium, Low severity levels
  • Remediation guidance: Links to CWE/OWASP references when available
  • Diff-aware filtering: Only shows new issues introduced in the PR

Security Considerations

  • API Token Security: Store GitHub/GitLab tokens in secrets management (GitHub Secrets, GitLab CI/CD variables)

    • Never commit tokens to version control
    • Use minimum required permissions (read/write on pull requests)
    • Rotate tokens regularly

  • Access Control:

    • Configure reviewdog to run only on trusted branches
    • Use CODEOWNERS to require security team approval for reviewdog config changes
    • Restrict who can modify .reviewdog.yml configuration

  • Audit Logging:

    • Log all security findings to SIEM or security monitoring platform
    • Track when findings are introduced and resolved
    • Monitor for bypassed security checks

  • Compliance:

    • Maintains audit trail of security reviews (SOC2, ISO27001)
    • Enforces security policy compliance in code review
    • Supports compliance reporting through CI/CD artifacts

  • Safe Defaults:

    • Use fail-on-error to block PRs with security findings
    • Enable filter-mode=added to catch new vulnerabilities
    • Configure severity thresholds appropriate to your risk tolerance

Bundled Resources

Scripts (scripts/)

  • setup_reviewdog.py - Automated reviewdog installation and CI configuration generator
  • run_security_suite.sh - Runs multiple security scanners through reviewdog

References (references/)

  • supported_tools.md - Complete list of supported security tools with configuration examples
  • reporter_formats.md - Available output formats and reporter configurations
  • cwe_mapping.md - Mapping of common tool findings to CWE categories

Assets (assets/)

  • github_actions_template.yml - GitHub Actions workflow for multi-tool security scanning
  • gitlab_ci_template.yml - GitLab CI configuration for reviewdog integration
  • .reviewdog.yml - Sample reviewdog configuration file
  • pre_commit_config.yaml - Pre-commit hook integration

Common Patterns

Pattern 1: Multi-Tool Security Suite

Run multiple security tools and aggregate results in a single review:

#!/bin/bash
# Run comprehensive security scan

# Python security
bandit -r . -f json | reviewdog -f=bandit -name="Python SAST" -reporter=github-pr-review &

# Secrets detection
gitleaks detect --report-format json | reviewdog -f=gitleaks -name="Secret Scan" -reporter=github-pr-review &

# IaC security
checkov -d . -o json | reviewdog -f=checkov -name="IaC Security" -reporter=github-pr-review &

wait

Pattern 2: Severity-Based Gating

Block PRs based on severity thresholds:

- name: Critical findings - Block PR
  run: |
    semgrep --config=p/security-audit --severity=ERROR --json | \
      reviewdog -f=semgrep -level=error -fail-on-error -reporter=github-pr-review

- name: Medium findings - Comment only
  run: |
    semgrep --config=p/security-audit --severity=WARNING --json | \
      reviewdog -f=semgrep -level=warning -reporter=github-pr-review

Pattern 3: Differential Security Scanning

Only flag new security issues introduced in the current PR:

# Only show findings in newly added code
reviewdog -filter-mode=added -fail-on-error

# Show findings in modified context (added + surrounding lines)
reviewdog -filter-mode=diff_context

Pattern 4: Custom Security Rules

Integrate custom security policies using grep or custom parsers:

# Check for prohibited patterns
grep -nH -R "eval(" . --include="*.py" | \
  reviewdog -f=grep -name="Dangerous Functions" -reporter=github-pr-review

# Custom JSON parser
./custom_security_scanner.py --json | \
  reviewdog -f=rdjson -name="Custom Policy" -reporter=github-pr-review

Integration Points

  • CI/CD Platforms:

    • GitHub Actions (native action available)
    • GitLab CI/CD
    • CircleCI
    • Jenkins
    • Azure Pipelines
    • Bitbucket Pipelines

  • Security Tools:

    • SAST: Semgrep, Bandit, ESLint, Brakeman, CodeQL
    • Secrets: Gitleaks, TruffleHog, detect-secrets
    • IaC: Checkov, tfsec, terrascan, kics
    • Containers: Hadolint, Trivy, Dockle

  • Code Hosting:

    • GitHub (PR comments, check runs, annotations)
    • GitLab (MR discussions)
    • Bitbucket (inline comments)
    • Gerrit (review comments)

  • SDLC Integration:

    • Pre-commit hooks: Fast local feedback before push
    • PR/MR review: Automated security review on code changes
    • Trunk protection: Block merges with security findings
    • Security dashboard: Aggregate findings for visibility

Troubleshooting

Issue: Reviewdog not posting comments

Solution:

  • Verify GitHub token has correct permissions (repo scope for private repos, public_repo for public)
  • Check CI environment has REVIEWDOG_GITHUB_API_TOKEN or GITHUB_TOKEN set
  • Ensure repository settings allow PR comments from workflows
  • Verify reviewdog is running in PR context (not on push to main)

Issue: Too many false positives

Solution:

  • Use filter-mode=added to only show new issues
  • Configure tool-specific suppressions in .reviewdog.yml
  • Adjust severity thresholds with -level flag
  • Use baseline files to ignore existing issues

Issue: Performance issues with large repositories

Solution:

  • Run reviewdog only on changed files using filter-mode=diff_context
  • Cache tool dependencies and databases in CI
  • Run expensive scanners on scheduled jobs, lightweight ones on PR
  • Use parallel execution for multiple tools

Issue: Integration with custom security tools

Solution:

  • Convert tool output to supported format (checkstyle, sarif, rdjson, rdjsonl)
  • Use -f=rdjson for custom JSON output following reviewdog diagnostic format
  • Create errorformat pattern for text-based outputs
  • See references/reporter_formats.md for format specifications

Advanced Configuration

Custom reviewdog configuration (.reviewdog.yml)

runner:
  bandit:
    cmd: bandit -r . -f json
    format: bandit
    name: Python Security
    level: warning

  semgrep:
    cmd: semgrep --config=auto --json
    format: semgrep
    name: Multi-language SAST
    level: error

  gitleaks:
    cmd: gitleaks detect --report-format json
    format: gitleaks
    name: Secret Detection
    level: error

Integration with Security Frameworks

Map findings to OWASP Top 10 and CWE:

# Semgrep with OWASP ruleset
semgrep --config "p/owasp-top-ten" --json | \
  reviewdog -f=semgrep -name="OWASP Top 10" -reporter=github-pr-review

# Include CWE references in comments
reviewdog -f=semgrep -name="CWE Analysis" -reporter=github-pr-review

References

Reference in New Issue View Git Blame Copy Permalink