| name | reviewdog |
| description | Automated code review and security linting integration for CI/CD pipelines using reviewdog. Aggregates findings from multiple security and quality tools (SAST, linters, formatters) into unified code review comments on pull requests. Use when: (1) Integrating security scanning into code review workflows, (2) Automating security feedback on pull requests, (3) Consolidating multiple tool outputs into actionable review comments, (4) Enforcing secure coding standards in CI/CD pipelines, (5) Providing inline security annotations during development.
|
| version | 0.1.0 |
| maintainer | asrour |
| category | secsdlc |
| tags | ["code-review","ci-cd","automation","security-feedback","pull-request","linting","sast-integration"] |
| frameworks | ["OWASP","CWE"] |
| dependencies | {"tools":["reviewdog","git"],"optional":["semgrep","bandit","hadolint","checkov","gitleaks","shellcheck","eslint"]} |
| references | ["https://github.com/reviewdog/reviewdog","https://reviewdog.github.io/"] |
Reviewdog - Automated Security Code Review
Overview
Reviewdog is an automated code review tool that integrates security scanning and linting results
into pull request review comments. It acts as a universal adapter between various security tools
(SAST scanners, linters, formatters) and code hosting platforms (GitHub, GitLab, Bitbucket),
enabling seamless security feedback during code review.
Key Capabilities:
- Aggregates findings from multiple security and quality tools
- Posts inline review comments on specific code lines
- Supports 40+ linters and security scanners out-of-the-box
- Integrates with GitHub Actions, GitLab CI, CircleCI, and other CI platforms
- Filters findings to show only new issues in diff (fail-on-diff mode)
- Supports custom rulesets and security policies
Quick Start
Basic reviewdog usage with a security scanner:
go install github.com/reviewdog/reviewdog/cmd/reviewdog@latest
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
semgrep --config=auto --json | reviewdog -f=semgrep -reporter=local
GitHub Actions integration:
- name: Run reviewdog
uses: reviewdog/action-setup@v1
- name: Security scan with reviewdog
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
Core Workflow
Step 1: Install reviewdog
Install reviewdog in your CI environment or locally:
go install github.com/reviewdog/reviewdog/cmd/reviewdog@latest
brew install reviewdog
docker pull reviewdog/reviewdog:latest
Step 2: Configure Security Tools
Set up the security scanners you want to integrate. Reviewdog supports multiple input formats:
Supported Security Tools:
- SAST: Semgrep, Bandit, ESLint Security, Brakeman
- Secret Detection: Gitleaks, TruffleHog, detect-secrets
- IaC Security: Checkov, tfsec, terrascan
- Container Security: Hadolint, Trivy, Dockle
- General Linters: ShellCheck, yamllint, markdownlint
Step 3: Integrate into CI/CD Pipeline
Add reviewdog to your CI pipeline to automatically post security findings as review comments:
GitHub Actions Example:
name: Security Review
on: [pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup reviewdog
uses: reviewdog/action-setup@v1
- name: Run Bandit SAST
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
pip install bandit
bandit -r . -f json | \
reviewdog -f=bandit \
-name="Bandit SAST" \
-reporter=github-pr-review \
-filter-mode=added \
-fail-on-error
GitLab CI Example:
security_review:
stage: test
script:
- pip install bandit reviewdog
- bandit -r . -f json |
reviewdog -f=bandit
-reporter=gitlab-mr-discussion
-filter-mode=diff_context
only:
- merge_requests
Step 4: Configure Review Behavior
Customize reviewdog's behavior using flags:
reviewdog -filter-mode=diff_context
reviewdog -filter-mode=added
reviewdog -fail-on-error
reviewdog -level=warning
Step 5: Review Security Findings
Reviewdog posts findings as inline comments on the pull request:
- Inline annotations: Security issues appear directly on affected code lines
- Severity indicators: Critical, High, Medium, Low severity levels
- Remediation guidance: Links to CWE/OWASP references when available
- Diff-aware filtering: Only shows new issues introduced in the PR
Security Considerations
Bundled Resources
Scripts (scripts/)
setup_reviewdog.py - Automated reviewdog installation and CI configuration generator
run_security_suite.sh - Runs multiple security scanners through reviewdog
References (references/)
supported_tools.md - Complete list of supported security tools with configuration examples
reporter_formats.md - Available output formats and reporter configurations
cwe_mapping.md - Mapping of common tool findings to CWE categories
Assets (assets/)
github_actions_template.yml - GitHub Actions workflow for multi-tool security scanning
gitlab_ci_template.yml - GitLab CI configuration for reviewdog integration
.reviewdog.yml - Sample reviewdog configuration file
pre_commit_config.yaml - Pre-commit hook integration
Common Patterns
Pattern 1: Multi-Tool Security Suite
Run multiple security tools and aggregate results in a single review:
#!/bin/bash
bandit -r . -f json | reviewdog -f=bandit -name="Python SAST" -reporter=github-pr-review &
gitleaks detect --report-format json | reviewdog -f=gitleaks -name="Secret Scan" -reporter=github-pr-review &
checkov -d . -o json | reviewdog -f=checkov -name="IaC Security" -reporter=github-pr-review &
wait
Pattern 2: Severity-Based Gating
Block PRs based on severity thresholds:
- name: Critical findings - Block PR
run: |
semgrep --config=p/security-audit --severity=ERROR --json | \
reviewdog -f=semgrep -level=error -fail-on-error -reporter=github-pr-review
- name: Medium findings - Comment only
run: |
semgrep --config=p/security-audit --severity=WARNING --json | \
reviewdog -f=semgrep -level=warning -reporter=github-pr-review
Pattern 3: Differential Security Scanning
Only flag new security issues introduced in the current PR:
reviewdog -filter-mode=added -fail-on-error
reviewdog -filter-mode=diff_context
Pattern 4: Custom Security Rules
Integrate custom security policies using grep or custom parsers:
grep -nH -R "eval(" . --include="*.py" | \
reviewdog -f=grep -name="Dangerous Functions" -reporter=github-pr-review
./custom_security_scanner.py --json | \
reviewdog -f=rdjson -name="Custom Policy" -reporter=github-pr-review
Integration Points
-
CI/CD Platforms:
- GitHub Actions (native action available)
- GitLab CI/CD
- CircleCI
- Jenkins
- Azure Pipelines
- Bitbucket Pipelines
-
Security Tools:
- SAST: Semgrep, Bandit, ESLint, Brakeman, CodeQL
- Secrets: Gitleaks, TruffleHog, detect-secrets
- IaC: Checkov, tfsec, terrascan, kics
- Containers: Hadolint, Trivy, Dockle
-
Code Hosting:
- GitHub (PR comments, check runs, annotations)
- GitLab (MR discussions)
- Bitbucket (inline comments)
- Gerrit (review comments)
-
SDLC Integration:
- Pre-commit hooks: Fast local feedback before push
- PR/MR review: Automated security review on code changes
- Trunk protection: Block merges with security findings
- Security dashboard: Aggregate findings for visibility
Troubleshooting
Issue: Reviewdog not posting comments
Solution:
- Verify GitHub token has correct permissions (
repo scope for private repos, public_repo for public)
- Check CI environment has
REVIEWDOG_GITHUB_API_TOKEN or GITHUB_TOKEN set
- Ensure repository settings allow PR comments from workflows
- Verify reviewdog is running in PR context (not on push to main)
Issue: Too many false positives
Solution:
- Use
filter-mode=added to only show new issues
- Configure tool-specific suppressions in
.reviewdog.yml
- Adjust severity thresholds with
-level flag
- Use baseline files to ignore existing issues
Issue: Performance issues with large repositories
Solution:
- Run reviewdog only on changed files using
filter-mode=diff_context
- Cache tool dependencies and databases in CI
- Run expensive scanners on scheduled jobs, lightweight ones on PR
- Use parallel execution for multiple tools
Issue: Integration with custom security tools
Solution:
- Convert tool output to supported format (checkstyle, sarif, rdjson, rdjsonl)
- Use
-f=rdjson for custom JSON output following reviewdog diagnostic format
- Create errorformat pattern for text-based outputs
- See
references/reporter_formats.md for format specifications
Advanced Configuration
Custom reviewdog configuration (.reviewdog.yml)
runner:
bandit:
cmd: bandit -r . -f json
format: bandit
name: Python Security
level: warning
semgrep:
cmd: semgrep --config=auto --json
format: semgrep
name: Multi-language SAST
level: error
gitleaks:
cmd: gitleaks detect --report-format json
format: gitleaks
name: Secret Detection
level: error
Integration with Security Frameworks
Map findings to OWASP Top 10 and CWE:
semgrep --config "p/owasp-top-ten" --json | \
reviewdog -f=semgrep -name="OWASP Top 10" -reporter=github-pr-review
reviewdog -f=semgrep -name="CWE Analysis" -reporter=github-pr-review
References