secsdlc
reviewdog: Automated code review and security linting integration for CI/CD pipelines using reviewdog. Aggregates findings from multiple security and quality tools (SAST, linters, formatters) into unified code review comments on pull requests. Use when: (1) Integrating security scanning into code review workflows, (2) Automating security feedback on pull requests, (3) Consolidating multiple tool outputs into actionable review comments, (4) Enforcing secure coding standards in CI/CD pipelines, (5) Providing inline security annotations during development.
Installation
Details
Usage
After installing, this skill will be available to your AI coding assistant.
Verify installation:
npx agent-skills-cli listSkill Instructions
name: reviewdog description: > Automated code review and security linting integration for CI/CD pipelines using reviewdog. Aggregates findings from multiple security and quality tools (SAST, linters, formatters) into unified code review comments on pull requests. Use when: (1) Integrating security scanning into code review workflows, (2) Automating security feedback on pull requests, (3) Consolidating multiple tool outputs into actionable review comments, (4) Enforcing secure coding standards in CI/CD pipelines, (5) Providing inline security annotations during development. version: 0.1.0 maintainer: asrour category: secsdlc tags: [code-review, ci-cd, automation, security-feedback, pull-request, linting, sast-integration] frameworks: [OWASP, CWE] dependencies: tools: [reviewdog, git] optional: [semgrep, bandit, hadolint, checkov, gitleaks, shellcheck, eslint] references:
Reviewdog - Automated Security Code Review
Overview
Reviewdog is an automated code review tool that integrates security scanning and linting results into pull request review comments. It acts as a universal adapter between various security tools (SAST scanners, linters, formatters) and code hosting platforms (GitHub, GitLab, Bitbucket), enabling seamless security feedback during code review.
Key Capabilities:
- Aggregates findings from multiple security and quality tools
- Posts inline review comments on specific code lines
- Supports 40+ linters and security scanners out-of-the-box
- Integrates with GitHub Actions, GitLab CI, CircleCI, and other CI platforms
- Filters findings to show only new issues in diff (fail-on-diff mode)
- Supports custom rulesets and security policies
Quick Start
Basic reviewdog usage with a security scanner:
# Install reviewdog
go install github.com/reviewdog/reviewdog/cmd/reviewdog@latest
# Run a security scanner and pipe to reviewdog
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
# Or use with Semgrep
semgrep --config=auto --json | reviewdog -f=semgrep -reporter=local
GitHub Actions integration:
- name: Run reviewdog
uses: reviewdog/action-setup@v1
- name: Security scan with reviewdog
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
Core Workflow
Step 1: Install reviewdog
Install reviewdog in your CI environment or locally:
# Via Go
go install github.com/reviewdog/reviewdog/cmd/reviewdog@latest
# Via Homebrew (macOS/Linux)
brew install reviewdog
# Via Docker
docker pull reviewdog/reviewdog:latest
Step 2: Configure Security Tools
Set up the security scanners you want to integrate. Reviewdog supports multiple input formats:
Supported Security Tools:
- SAST: Semgrep, Bandit, ESLint Security, Brakeman
- Secret Detection: Gitleaks, TruffleHog, detect-secrets
- IaC Security: Checkov, tfsec, terrascan
- Container Security: Hadolint, Trivy, Dockle
- General Linters: ShellCheck, yamllint, markdownlint
Step 3: Integrate into CI/CD Pipeline
Add reviewdog to your CI pipeline to automatically post security findings as review comments:
GitHub Actions Example:
name: Security Review
on: [pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup reviewdog
uses: reviewdog/action-setup@v1
- name: Run Bandit SAST
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
pip install bandit
bandit -r . -f json | \
reviewdog -f=bandit \
-name="Bandit SAST" \
-reporter=github-pr-review \
-filter-mode=added \
-fail-on-error
GitLab CI Example:
security_review:
stage: test
script:
- pip install bandit reviewdog
- bandit -r . -f json |
reviewdog -f=bandit
-reporter=gitlab-mr-discussion
-filter-mode=diff_context
only:
- merge_requests
Step 4: Configure Review Behavior
Customize reviewdog's behavior using flags:
# Filter to show only issues in changed lines
reviewdog -filter-mode=diff_context
# Filter to show only issues in added lines
reviewdog -filter-mode=added
# Fail the build if findings are present
reviewdog -fail-on-error
# Set severity threshold
reviewdog -level=warning
Step 5: Review Security Findings
Reviewdog posts findings as inline comments on the pull request:
- Inline annotations: Security issues appear directly on affected code lines
- Severity indicators: Critical, High, Medium, Low severity levels
- Remediation guidance: Links to CWE/OWASP references when available
- Diff-aware filtering: Only shows new issues introduced in the PR
Security Considerations
-
API Token Security: Store GitHub/GitLab tokens in secrets management (GitHub Secrets, GitLab CI/CD variables)
- Never commit tokens to version control
- Use minimum required permissions (read/write on pull requests)
- Rotate tokens regularly
-
Access Control:
- Configure reviewdog to run only on trusted branches
- Use CODEOWNERS to require security team approval for reviewdog config changes
- Restrict who can modify
.reviewdog.ymlconfiguration
-
Audit Logging:
- Log all security findings to SIEM or security monitoring platform
- Track when findings are introduced and resolved
- Monitor for bypassed security checks
-
Compliance:
- Maintains audit trail of security reviews (SOC2, ISO27001)
- Enforces security policy compliance in code review
- Supports compliance reporting through CI/CD artifacts
-
Safe Defaults:
- Use
fail-on-errorto block PRs with security findings - Enable
filter-mode=addedto catch new vulnerabilities - Configure severity thresholds appropriate to your risk tolerance
- Use
Bundled Resources
Scripts (scripts/)
setup_reviewdog.py- Automated reviewdog installation and CI configuration generatorrun_security_suite.sh- Runs multiple security scanners through reviewdog
References (references/)
supported_tools.md- Complete list of supported security tools with configuration examplesreporter_formats.md- Available output formats and reporter configurationscwe_mapping.md- Mapping of common tool findings to CWE categories
Assets (assets/)
github_actions_template.yml- GitHub Actions workflow for multi-tool security scanninggitlab_ci_template.yml- GitLab CI configuration for reviewdog integration.reviewdog.yml- Sample reviewdog configuration filepre_commit_config.yaml- Pre-commit hook integration
Common Patterns
Pattern 1: Multi-Tool Security Suite
Run multiple security tools and aggregate results in a single review:
#!/bin/bash
# Run comprehensive security scan
# Python security
bandit -r . -f json | reviewdog -f=bandit -name="Python SAST" -reporter=github-pr-review &
# Secrets detection
gitleaks detect --report-format json | reviewdog -f=gitleaks -name="Secret Scan" -reporter=github-pr-review &
# IaC security
checkov -d . -o json | reviewdog -f=checkov -name="IaC Security" -reporter=github-pr-review &
wait
Pattern 2: Severity-Based Gating
Block PRs based on severity thresholds:
- name: Critical findings - Block PR
run: |
semgrep --config=p/security-audit --severity=ERROR --json | \
reviewdog -f=semgrep -level=error -fail-on-error -reporter=github-pr-review
- name: Medium findings - Comment only
run: |
semgrep --config=p/security-audit --severity=WARNING --json | \
reviewdog -f=semgrep -level=warning -reporter=github-pr-review
Pattern 3: Differential Security Scanning
Only flag new security issues introduced in the current PR:
# Only show findings in newly added code
reviewdog -filter-mode=added -fail-on-error
# Show findings in modified context (added + surrounding lines)
reviewdog -filter-mode=diff_context
Pattern 4: Custom Security Rules
Integrate custom security policies using grep or custom parsers:
# Check for prohibited patterns
grep -nH -R "eval(" . --include="*.py" | \
reviewdog -f=grep -name="Dangerous Functions" -reporter=github-pr-review
# Custom JSON parser
./custom_security_scanner.py --json | \
reviewdog -f=rdjson -name="Custom Policy" -reporter=github-pr-review
Integration Points
-
CI/CD Platforms:
- GitHub Actions (native action available)
- GitLab CI/CD
- CircleCI
- Jenkins
- Azure Pipelines
- Bitbucket Pipelines
-
Security Tools:
- SAST: Semgrep, Bandit, ESLint, Brakeman, CodeQL
- Secrets: Gitleaks, TruffleHog, detect-secrets
- IaC: Checkov, tfsec, terrascan, kics
- Containers: Hadolint, Trivy, Dockle
-
Code Hosting:
- GitHub (PR comments, check runs, annotations)
- GitLab (MR discussions)
- Bitbucket (inline comments)
- Gerrit (review comments)
-
SDLC Integration:
- Pre-commit hooks: Fast local feedback before push
- PR/MR review: Automated security review on code changes
- Trunk protection: Block merges with security findings
- Security dashboard: Aggregate findings for visibility
Troubleshooting
Issue: Reviewdog not posting comments
Solution:
- Verify GitHub token has correct permissions (
reposcope for private repos,public_repofor public) - Check CI environment has
REVIEWDOG_GITHUB_API_TOKENorGITHUB_TOKENset - Ensure repository settings allow PR comments from workflows
- Verify reviewdog is running in PR context (not on push to main)
Issue: Too many false positives
Solution:
- Use
filter-mode=addedto only show new issues - Configure tool-specific suppressions in
.reviewdog.yml - Adjust severity thresholds with
-levelflag - Use baseline files to ignore existing issues
Issue: Performance issues with large repositories
Solution:
- Run reviewdog only on changed files using
filter-mode=diff_context - Cache tool dependencies and databases in CI
- Run expensive scanners on scheduled jobs, lightweight ones on PR
- Use parallel execution for multiple tools
Issue: Integration with custom security tools
Solution:
- Convert tool output to supported format (checkstyle, sarif, rdjson, rdjsonl)
- Use
-f=rdjsonfor custom JSON output following reviewdog diagnostic format - Create errorformat pattern for text-based outputs
- See
references/reporter_formats.mdfor format specifications
Advanced Configuration
Custom reviewdog configuration (.reviewdog.yml)
runner:
bandit:
cmd: bandit -r . -f json
format: bandit
name: Python Security
level: warning
semgrep:
cmd: semgrep --config=auto --json
format: semgrep
name: Multi-language SAST
level: error
gitleaks:
cmd: gitleaks detect --report-format json
format: gitleaks
name: Secret Detection
level: error
Integration with Security Frameworks
Map findings to OWASP Top 10 and CWE:
# Semgrep with OWASP ruleset
semgrep --config "p/owasp-top-ten" --json | \
reviewdog -f=semgrep -name="OWASP Top 10" -reporter=github-pr-review
# Include CWE references in comments
reviewdog -f=semgrep -name="CWE Analysis" -reporter=github-pr-review
References
More by AgentSecOps
View allapi-spectral: API specification linting and security validation using Stoplight's Spectral with support for OpenAPI, AsyncAPI, and Arazzo specifications. Validates API definitions against security best practices, OWASP API Security Top 10, and custom organizational standards. Use when: (1) Validating OpenAPI/AsyncAPI specifications for security issues and design flaws, (2) Enforcing API design standards and governance policies across API portfolios, (3) Creating custom security rules for API specifications in CI/CD pipelines, (4) Detecting authentication, authorization, and data exposure issues in API definitions, (5) Ensuring API specifications comply with organizational security standards and regulatory requirements.
dast-ffuf: Fast web fuzzer for DAST testing with directory enumeration, parameter fuzzing, and virtual host discovery. Written in Go for high-performance HTTP fuzzing with extensive filtering capabilities. Supports multiple fuzzing modes (clusterbomb, pitchfork, sniper) and recursive scanning. Use when: (1) Discovering hidden directories, files, and endpoints on web applications, (2) Fuzzing GET and POST parameters to identify injection vulnerabilities, (3) Enumerating virtual hosts and subdomains, (4) Testing authentication endpoints with credential fuzzing, (5) Finding backup files and sensitive data exposures, (6) Performing comprehensive web application reconnaissance.
dast-nuclei: Fast, template-based vulnerability scanning using ProjectDiscovery's Nuclei with extensive community templates covering CVEs, OWASP Top 10, misconfigurations, and security issues across web applications, APIs, and infrastructure. Use when: (1) Performing rapid vulnerability scanning with automated CVE detection, (2) Testing for known vulnerabilities and security misconfigurations in web apps and APIs, (3) Running template-based security checks in CI/CD pipelines with customizable severity thresholds, (4) Creating custom security templates for organization-specific vulnerability patterns, (5) Scanning multiple targets efficiently with concurrent execution and rate limiting controls.
skill-name: [REQUIRED] Comprehensive description of what this skill does and when to use it. Include: (1) Primary functionality, (2) Specific use cases, (3) Security operations context. Must include specific "Use when:" clause for skill discovery. Example: "SAST vulnerability analysis and remediation guidance using Semgrep and industry security standards. Use when: (1) Analyzing static code for security vulnerabilities, (2) Prioritizing security findings by severity, (3) Providing secure coding remediation, (4) Integrating security checks into CI/CD pipelines." Maximum 1024 characters.