gh-agentsecops-secopsagentkit/skills/secsdlc/reviewdog/references/supported_tools.md
2025-11-29 17:51:02 +08:00

Supported Security Tools for Reviewdog

This reference documents security tools that integrate with reviewdog, their configuration, and usage patterns.

SAST Tools

Semgrep

Description: Multi-language static analysis for finding bugs and enforcing secure coding standards.

Installation:

pip install semgrep

Reviewdog Integration:

semgrep --config=auto --sarif | reviewdog -f=sarif -reporter=github-pr-review

Custom Rules:

# OWASP Top 10
semgrep --config "p/owasp-top-ten" --sarif | reviewdog -f=sarif

# Security audit
semgrep --config "p/security-audit" --sarif | reviewdog -f=sarif

# Custom rules
semgrep --config ./custom-rules.yml --sarif | reviewdog -f=sarif

CWE Coverage: CWE-20, CWE-22, CWE-78, CWE-79, CWE-89, CWE-94, CWE-611, CWE-798


Bandit

Description: Python security linter for finding common security issues.

Installation:

pip install bandit

Reviewdog Integration:

bandit -r . -f custom --msg-template "{relpath}:{line}: {test_id} {msg}" | reviewdog -efm="%f:%l: %m" -reporter=github-pr-review

Configuration (.bandit):

exclude_dirs:
  - /test
  - /tests
  - /.venv

tests:
  - B201  # Flask debug mode
  - B301  # Pickle usage
  - B601  # Shell injection
  - B602  # Subprocess with shell=True

CWE Coverage: CWE-78, CWE-79, CWE-89, CWE-259, CWE-327, CWE-338, CWE-502


ESLint (with security plugins)

Description: JavaScript/TypeScript linter with security-focused plugins.

Installation:

npm install -D eslint eslint-plugin-security eslint-plugin-no-secrets

Reviewdog Integration:

eslint . --format=checkstyle | reviewdog -f=checkstyle -reporter=github-pr-review

Configuration (.eslintrc.json):

{
  "plugins": ["security", "no-secrets"],
  "extends": ["plugin:security/recommended"],
  "rules": {
    "no-eval": "error",
    "no-secrets/no-secrets": "error",
    "security/detect-object-injection": "warn",
    "security/detect-non-literal-regexp": "warn"
  }
}

CWE Coverage: CWE-79, CWE-94, CWE-798, CWE-1004


Secret Detection

Gitleaks

Description: SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens.

Installation:

# Via Homebrew
brew install gitleaks

# Via Docker
docker pull zricethezav/gitleaks:latest

Reviewdog Integration:

gitleaks detect --report-format sarif --report-path /dev/stdout --no-banner | reviewdog -f=sarif -reporter=github-pr-review

Configuration (.gitleaks.toml):

[extend]
useDefault = true

[[rules]]
id = "custom-api-key"
description = "Custom API Key Pattern"
regex = '''(?i)api[_-]?key[_-]?=.{20,}'''

CWE Coverage: CWE-798 (Use of Hard-coded Credentials)


TruffleHog

Description: Find credentials accidentally committed to git repositories.

Installation:

pip install truffleHog

Reviewdog Integration:

trufflehog --json . | reviewdog -f=trufflehog -reporter=github-pr-review

CWE Coverage: CWE-798


Infrastructure as Code

Checkov

Description: Static code analysis for IaC (Terraform, CloudFormation, Kubernetes, etc.).

Installation:

pip install checkov

Reviewdog Integration:

checkov -d . -o sarif | reviewdog -f=sarif -reporter=github-pr-review

Filter by Severity:

# Only critical/high
checkov -d . --severity CRITICAL,HIGH -o sarif | reviewdog -f=sarif

CWE Coverage: CWE-250, CWE-284, CWE-326, CWE-601, CWE-668


tfsec

Description: Security scanner for Terraform code.

Installation:

brew install tfsec

Reviewdog Integration:

tfsec . --format sarif | reviewdog -f=sarif -reporter=github-pr-review

CWE Coverage: CWE-250, CWE-326, CWE-521


Terrascan

Description: Detect compliance and security violations across IaC.

Installation:

brew install terrascan

Reviewdog Integration:

terrascan scan -o sarif | reviewdog -f=sarif -reporter=github-pr-review

CWE Coverage: CWE-250, CWE-284, CWE-693


Container Security

Hadolint

Description: Dockerfile linter for best practices and security issues.

Installation:

brew install hadolint

Reviewdog Integration:

hadolint Dockerfile --format sarif | reviewdog -f=sarif -reporter=github-pr-review

Common Issues Detected:

  • Running as root (CWE-250)
  • Exposed secrets in ENV (CWE-798)
  • Outdated base images
  • Missing health checks

CWE Coverage: CWE-250, CWE-798


Trivy

Description: Comprehensive container and IaC security scanner.

Installation:

brew install trivy

Reviewdog Integration:

trivy fs --format sarif . | reviewdog -f=sarif -reporter=github-pr-review

Scan Types:

# Container images
trivy image --format sarif myimage:tag | reviewdog -f=sarif

# Filesystem (vulnerabilities and secrets)
trivy fs --scanners vuln,secret --format sarif . | reviewdog -f=sarif

# Kubernetes manifests and other IaC files on disk
trivy config --format sarif . | reviewdog -f=sarif

CWE Coverage: Varies by vulnerability database


Linters and Formatters

ShellCheck

Description: Static analysis tool for shell scripts.

Installation:

brew install shellcheck

Reviewdog Integration:

shellcheck -f checkstyle script.sh | reviewdog -f=checkstyle -reporter=github-pr-review

Security Checks:

  • Command injection (CWE-78)
  • Unsafe variable expansion
  • Insecure temporary files (CWE-377)

CWE Coverage: CWE-78, CWE-377


yamllint

Description: YAML linter for syntax and best practices.

Installation:

pip install yamllint

Reviewdog Integration:

yamllint -f parsable . | reviewdog -f=yamllint -reporter=github-pr-review

markdownlint

Description: Markdown linter for documentation quality.

Installation:

npm install -g markdownlint-cli

Reviewdog Integration:

markdownlint -j . | reviewdog -f=markdownlint -reporter=github-pr-review

Multi-Tool Configurations

Comprehensive Security Scan

Run all security tools in a single reviewdog session:

# .reviewdog.yml
runner:
  semgrep:
    cmd: semgrep --config=auto --sarif
    format: sarif
    name: Semgrep SAST
    level: error

  bandit:
    cmd: bandit -r . -f custom --msg-template "{relpath}:{line}: {test_id} {msg}"
    errorformat:
      - "%f:%l: %m"
    name: Python Security
    level: warning

  gitleaks:
    cmd: gitleaks detect --report-format sarif --report-path /dev/stdout --no-banner
    format: sarif
    name: Secret Detection
    level: error

  hadolint:
    cmd: hadolint Dockerfile --format sarif
    format: sarif
    name: Dockerfile Security
    level: warning

  checkov:
    cmd: checkov -d . -o sarif --quiet
    format: sarif
    name: IaC Security
    level: error

Run with:

reviewdog -conf=.reviewdog.yml -reporter=github-pr-review

Tool Selection Guide

Choose tools based on your tech stack:

Python Projects:

  • Bandit (SAST)
  • Semgrep (Multi-language SAST)
  • Gitleaks (Secrets)

JavaScript/TypeScript:

  • ESLint + security plugins
  • Semgrep
  • Gitleaks

Infrastructure/Cloud:

  • Checkov (Terraform, K8s, CloudFormation)
  • tfsec (Terraform-specific)
  • Hadolint (Dockerfiles)
  • Trivy (Containers + IaC)

Multi-language/Polyglot:

  • Semgrep (20+ languages)
  • Gitleaks (Universal secrets)
  • ShellCheck (Shell scripts)

Custom Tool Integration

To integrate a custom security tool:

  1. Convert the tool's output to a supported format (checkstyle, sarif, rdjson)
  2. Use rdjson for custom tools:

{
  "source": {
    "name": "custom-scanner",
    "url": "https://example.com"
  },
  "diagnostics": [
    {
      "message": "SQL Injection vulnerability detected",
      "location": {
        "path": "app/models.py",
        "range": {
          "start": {"line": 42, "column": 10}
        }
      },
      "severity": "ERROR",
      "code": {
        "value": "CWE-89",
        "url": "https://cwe.mitre.org/data/definitions/89.html"
      }
    }
  ]
}

  3. Pipe to reviewdog:

./custom_scanner --json | reviewdog -f=rdjson -name="Custom Scanner"
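As an added example (not part of this reference, nor reviewdog's or Bandit's own code), the converter below turns a Bandit JSON report into the rdjson document shape shown above. It assumes Bandit's documented JSON result fields (filename, line_number, col_offset, issue_severity, issue_text, test_id, issue_cwe) and uses a constructed sample report so it runs offline.

```python
"""Convert a Bandit JSON report into reviewdog's rdjson format.

Added example, not code from the page, reviewdog or Bandit. It assumes Bandit's
JSON result fields (filename, line_number, col_offset, issue_severity,
issue_text, test_id, issue_cwe) and the rdjson fields shown on the page.
"""
import json
import sys

# Bandit severities mapped onto rdjson's severity enum.
SEVERITY_MAP = {"HIGH": "ERROR", "MEDIUM": "WARNING", "LOW": "INFO"}

def bandit_result_to_diagnostic(result: dict) -> dict:
    """Build one rdjson diagnostic from one Bandit result entry."""
    start = {"line": int(result["line_number"])}
    if "col_offset" in result:  # Bandit columns are 0-based, rdjson columns 1-based
        start["column"] = int(result["col_offset"]) + 1
    diag = {
        "message": f"{result['test_id']}: {result['issue_text']}",
        "location": {"path": result["filename"], "range": {"start": start}},
        "severity": SEVERITY_MAP.get(result.get("issue_severity", ""), "UNKNOWN_SEVERITY"),
        "code": {"value": result["test_id"]},
    }
    cwe = result.get("issue_cwe") or {}
    if cwe.get("id"):  # carry the CWE reference through to the PR comment
        diag["code"] = {"value": f"{result['test_id']} (CWE-{cwe['id']})", "url": cwe.get("link", "")}
    return diag

def bandit_to_rdjson(report: dict) -> dict:
    """Wrap every result in an rdjson document with a 'bandit' source."""
    return {
        "source": {"name": "bandit", "url": "https://bandit.readthedocs.io"},
        "diagnostics": [bandit_result_to_diagnostic(r) for r in report.get("results", [])],
    }

# Constructed sample in Bandit's JSON shape (not the output of a real scan).
SAMPLE_REPORT = {"results": [
    {"filename": "app/models.py", "line_number": 42, "col_offset": 9, "test_id": "B608",
     "issue_severity": "MEDIUM", "issue_text": "Possible SQL injection vector through string-based query construction.",
     "issue_cwe": {"id": 89, "link": "https://cwe.mitre.org/data/definitions/89.html"}},
    {"filename": "scripts/deploy.py", "line_number": 7, "col_offset": 0, "test_id": "B602",
     "issue_severity": "HIGH", "issue_text": "subprocess call with shell=True identified, security issue.",
     "issue_cwe": {"id": 78, "link": "https://cwe.mitre.org/data/definitions/78.html"}},
]}

if __name__ == "__main__":
    # Usage: bandit -r . -f json | python bandit_to_rdjson.py | reviewdog -f=rdjson -name="Bandit"
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    json.dump(bandit_to_rdjson(report), sys.stdout)
```

Piped as in the usage comment, reviewdog posts each Bandit finding as an inline PR comment with the CWE link attached.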

References