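---
# Reviewdog configuration file
# Place this file in the root of your repository
# Run with: reviewdog -conf=.reviewdog.yml -reporter=github-pr-review
#
# Each runner's `cmd` is run through the shell (the runners below already rely
# on redirections, `||` and `\` continuations), and its output is parsed with
# the named `format` preset (see `reviewdog -list`) or the `errorformat`
# patterns given inline. Lines the parser cannot match are dropped, so a
# mismatch between a tool's output mode and its `format` shows up as "zero
# findings", not as an error — verify each pairing actually produces findings
# before treating a quiet runner as a clean one.
#
# NOTE(review): every `cmd` redirects stderr to /dev/null and several end in
# `|| true`. That keeps PR reviews tidy, but it makes "scanner not installed"
# or "scanner crashed" indistinguishable from "no findings" (fail-open). For
# runners that gate merges, prefer leaving stderr visible and letting a failed
# command fail the run.
#
# NOTE(review): `fail-on-error` mirrors reviewdog's `-fail-on-error` command-line
# flag (newer releases, I believe, superseded it by `-fail-level`); confirm the
# reviewdog version in use reads it as a per-runner key here, otherwise it is
# silently ignored.

runner:
  # Python SAST with Bandit
  bandit:
    cmd: bandit -r . -f json 2>/dev/null
    format: bandit
    name: Bandit Python Security
    level: error
    fail-on-error: true

  # Multi-language SAST with Semgrep - Critical
  # `--config=auto` pulls rules from the Semgrep registry, so CI needs network
  # access; presumably registry-backed runs also report metrics unless
  # `--metrics=off` is passed — confirm against the Semgrep version in use.
  # The three Semgrep runners each perform a full scan; a single run feeding
  # one report would be cheaper if CI time becomes a concern.
  semgrep-critical:
    cmd: semgrep --config=auto --severity=ERROR --json --quiet 2>/dev/null
    format: semgrep
    name: Semgrep Critical Findings
    level: error
    fail-on-error: true

  # Multi-language SAST with Semgrep - Warnings
  semgrep-warnings:
    cmd: semgrep --config=auto --severity=WARNING --json --quiet 2>/dev/null
    format: semgrep
    name: Semgrep Security Warnings
    level: warning
    fail-on-error: false

  # OWASP Top 10 specific checks (Semgrep registry ruleset)
  semgrep-owasp:
    cmd: semgrep --config "p/owasp-top-ten" --json --quiet 2>/dev/null
    format: semgrep
    name: OWASP Top 10 Vulnerabilities
    level: error
    fail-on-error: true

  # Secret detection with Gitleaks
  # The report goes to a private temp file rather than a fixed name under /tmp:
  # a fixed path is shared between runs (and between users on a shared runner),
  # so a stale or foreign report could be replayed whenever the scan itself
  # fails to write one. `--no-git` scans the checked-out tree only, not commit
  # history. `|| true` absorbs gitleaks' non-zero exit when leaks are found so
  # the report is still printed; the placeholder emitted when no report exists
  # is unchanged from the original — check its shape against what the
  # `gitleaks` format expects.
  gitleaks:
    cmd: |
      report="$(mktemp)" || exit 1
      gitleaks detect --report-format json --report-path "$report" --no-git 2>/dev/null || true
      if [ -s "$report" ]; then cat "$report"; else echo '{"findings":[]}'; fi
      rm -f "$report"
    format: gitleaks
    name: Secret Detection
    level: error
    fail-on-error: true

  # Dockerfile linting with Hadolint
  # One hadolint invocation per Dockerfile; each emits its own JSON document.
  hadolint:
    cmd: |
      find . -type f -name "Dockerfile*" -exec hadolint --format json {} \; 2>/dev/null
    format: hadolint
    name: Dockerfile Security
    level: warning
    fail-on-error: false

  # IaC security with Checkov
  checkov:
    cmd: checkov -d . --quiet --compact -o json 2>/dev/null
    format: checkov
    name: Infrastructure as Code Security
    level: warning
    fail-on-error: false

  # Shell script analysis with ShellCheck
  # One shellcheck invocation per *.sh file; each emits its own JSON document.
  shellcheck:
    cmd: |
      find . -type f -name "*.sh" -exec shellcheck -f json {} \; 2>/dev/null
    format: shellcheck
    name: Shell Script Security
    level: info
    fail-on-error: false

  # Custom security patterns with grep
  # Flags calls to code-execution primitives for manual review. This is a
  # textual match, not a taint analysis, so expect false positives (e.g. JS
  # `exec` on a RegExp). node_modules and .git are excluded, matching the
  # hardcoded-ips runner, so vendored code does not drown the results.
  # `-nH` keeps the `file:line:text` shape the errorformat expects; `|| true`
  # absorbs grep's exit status 1 for "no matches".
  dangerous-functions:
    cmd: |
      grep -nH -R -E "(eval|exec|system|shell_exec|passthru|popen|proc_open)\s*\(" \
        --include="*.py" --include="*.php" --include="*.js" \
        --exclude-dir=node_modules --exclude-dir=.git . 2>/dev/null || true
    errorformat:
      - "%f:%l:%m"
    name: Dangerous Function Usage
    level: warning

  # Hardcoded IP addresses
  # Matches any dotted quad, so version strings such as 1.2.3.4 also hit;
  # kept at `info` for that reason.
  hardcoded-ips:
    cmd: |
      grep -nH -R -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" \
        --include="*.py" --include="*.js" --include="*.java" \
        --exclude-dir=node_modules --exclude-dir=.git . 2>/dev/null || true
    errorformat:
      - "%f:%l:%m"
    name: Hardcoded IP Addresses
    level: info

# Global configuration
# Uncomment and modify as needed
#
# NOTE(review): the keys below mirror reviewdog's command-line flags
# (-filter-mode, -reporter, -fail-level, -diff). Check that the reviewdog
# version you run reads them from this file; if it does not, pass them on the
# command line, as the "Run with" line at the top already does for -reporter.

# Filter mode for all runners (can be overridden per runner)
# filter-mode: added # added, diff_context, file, nofilter

# Default reporter
# reporter: local # local, github-pr-review, gitlab-mr-discussion, etc.

# Fail level (any findings at this level or higher will cause failure)
# fail-level: error # error, warning, info

# Diff options
# diff: "git diff FETCH_HEAD"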