Reviewdog - Automated Security Code Review
Overview
Reviewdog is an automated code review tool that integrates security scanning and linting results into pull request review comments. It acts as a universal adapter between various security tools (SAST scanners, linters, formatters) and code hosting platforms (GitHub, GitLab, Bitbucket), enabling seamless security feedback during code review.
Key Capabilities:
- Aggregates findings from multiple security and quality tools
- Posts inline review comments on specific code lines
- Supports 40+ linters and security scanners out-of-the-box
- Integrates with GitHub Actions, GitLab CI, CircleCI, and other CI platforms
- Filters findings to show only new issues in diff (fail-on-diff mode)
- Supports custom rulesets and security policies
Quick Start
Basic reviewdog usage with a security scanner:
# Install reviewdog
go install github.com/reviewdog/reviewdog/cmd/reviewdog@latest
# Run a security scanner and pipe to reviewdog
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
# Or use with Semgrep
semgrep --config=auto --json | reviewdog -f=semgrep -reporter=local
GitHub Actions integration:
- name: Run reviewdog
uses: reviewdog/action-setup@v1
- name: Security scan with reviewdog
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
Core Workflow
Step 1: Install reviewdog
Install reviewdog in your CI environment or locally:
# Via Go
go install github.com/reviewdog/reviewdog/cmd/reviewdog@latest
# Via Homebrew (macOS/Linux)
brew install reviewdog
# Via Docker
docker pull reviewdog/reviewdog:latest
Step 2: Configure Security Tools
Set up the security scanners you want to integrate. Reviewdog supports multiple input formats:
Supported Security Tools:
- SAST: Semgrep, Bandit, ESLint Security, Brakeman
- Secret Detection: Gitleaks, TruffleHog, detect-secrets
- IaC Security: Checkov, tfsec, terrascan
- Container Security: Hadolint, Trivy, Dockle
- General Linters: ShellCheck, yamllint, markdownlint
Step 3: Integrate into CI/CD Pipeline
Add reviewdog to your CI pipeline to automatically post security findings as review comments:
GitHub Actions Example:
name: Security Review
on: [pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup reviewdog
uses: reviewdog/action-setup@v1
- name: Run Bandit SAST
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
pip install bandit
bandit -r . -f json | \
reviewdog -f=bandit \
-name="Bandit SAST" \
-reporter=github-pr-review \
-filter-mode=added \
-fail-on-error
GitLab CI Example:
security_review:
stage: test
script:
- pip install bandit reviewdog
- bandit -r . -f json |
reviewdog -f=bandit
-reporter=gitlab-mr-discussion
-filter-mode=diff_context
only:
- merge_requests
Step 4: Configure Review Behavior
Customize reviewdog's behavior using flags:
# Filter to show only issues in changed lines
reviewdog -filter-mode=diff_context
# Filter to show only issues in added lines
reviewdog -filter-mode=added
# Fail the build if findings are present
reviewdog -fail-on-error
# Set severity threshold
reviewdog -level=warning
Step 5: Review Security Findings
Reviewdog posts findings as inline comments on the pull request:
- Inline annotations: Security issues appear directly on affected code lines
- Severity indicators: Critical, High, Medium, Low severity levels
- Remediation guidance: Links to CWE/OWASP references when available
- Diff-aware filtering: Only shows new issues introduced in the PR
Security Considerations
-
API Token Security: Store GitHub/GitLab tokens in secrets management (GitHub Secrets, GitLab CI/CD variables)
- Never commit tokens to version control
- Use minimum required permissions (read/write on pull requests)
- Rotate tokens regularly
-
Access Control:
- Configure reviewdog to run only on trusted branches
- Use CODEOWNERS to require security team approval for reviewdog config changes
- Restrict who can modify
.reviewdog.ymlconfiguration
-
Audit Logging:
- Log all security findings to SIEM or security monitoring platform
- Track when findings are introduced and resolved
- Monitor for bypassed security checks
-
Compliance:
- Maintains audit trail of security reviews (SOC2, ISO27001)
- Enforces security policy compliance in code review
- Supports compliance reporting through CI/CD artifacts
-
Safe Defaults:
- Use
fail-on-errorto block PRs with security findings - Enable
filter-mode=addedto catch new vulnerabilities - Configure severity thresholds appropriate to your risk tolerance
- Use
Bundled Resources
Scripts (scripts/)
setup_reviewdog.py- Automated reviewdog installation and CI configuration generatorrun_security_suite.sh- Runs multiple security scanners through reviewdog
References (references/)
supported_tools.md- Complete list of supported security tools with configuration examplesreporter_formats.md- Available output formats and reporter configurationscwe_mapping.md- Mapping of common tool findings to CWE categories
Assets (assets/)
github_actions_template.yml- GitHub Actions workflow for multi-tool security scanninggitlab_ci_template.yml- GitLab CI configuration for reviewdog integration.reviewdog.yml- Sample reviewdog configuration filepre_commit_config.yaml- Pre-commit hook integration
Common Patterns
Pattern 1: Multi-Tool Security Suite
Run multiple security tools and aggregate results in a single review:
#!/bin/bash
# Run comprehensive security scan
# Python security
bandit -r . -f json | reviewdog -f=bandit -name="Python SAST" -reporter=github-pr-review &
# Secrets detection
gitleaks detect --report-format json | reviewdog -f=gitleaks -name="Secret Scan" -reporter=github-pr-review &
# IaC security
checkov -d . -o json | reviewdog -f=checkov -name="IaC Security" -reporter=github-pr-review &
wait
Pattern 2: Severity-Based Gating
Block PRs based on severity thresholds:
- name: Critical findings - Block PR
run: |
semgrep --config=p/security-audit --severity=ERROR --json | \
reviewdog -f=semgrep -level=error -fail-on-error -reporter=github-pr-review
- name: Medium findings - Comment only
run: |
semgrep --config=p/security-audit --severity=WARNING --json | \
reviewdog -f=semgrep -level=warning -reporter=github-pr-review
Pattern 3: Differential Security Scanning
Only flag new security issues introduced in the current PR:
# Only show findings in newly added code
reviewdog -filter-mode=added -fail-on-error
# Show findings in modified context (added + surrounding lines)
reviewdog -filter-mode=diff_context
Pattern 4: Custom Security Rules
Integrate custom security policies using grep or custom parsers:
# Check for prohibited patterns
grep -nH -R "eval(" . --include="*.py" | \
reviewdog -f=grep -name="Dangerous Functions" -reporter=github-pr-review
# Custom JSON parser
./custom_security_scanner.py --json | \
reviewdog -f=rdjson -name="Custom Policy" -reporter=github-pr-review
Integration Points
-
CI/CD Platforms:
- GitHub Actions (native action available)
- GitLab CI/CD
- CircleCI
- Jenkins
- Azure Pipelines
- Bitbucket Pipelines
-
Security Tools:
- SAST: Semgrep, Bandit, ESLint, Brakeman, CodeQL
- Secrets: Gitleaks, TruffleHog, detect-secrets
- IaC: Checkov, tfsec, terrascan, kics
- Containers: Hadolint, Trivy, Dockle
-
Code Hosting:
- GitHub (PR comments, check runs, annotations)
- GitLab (MR discussions)
- Bitbucket (inline comments)
- Gerrit (review comments)
-
SDLC Integration:
- Pre-commit hooks: Fast local feedback before push
- PR/MR review: Automated security review on code changes
- Trunk protection: Block merges with security findings
- Security dashboard: Aggregate findings for visibility
Troubleshooting
Issue: Reviewdog not posting comments
Solution:
- Verify GitHub token has correct permissions (
reposcope for private repos,public_repofor public) - Check CI environment has
REVIEWDOG_GITHUB_API_TOKENorGITHUB_TOKENset - Ensure repository settings allow PR comments from workflows
- Verify reviewdog is running in PR context (not on push to main)
Issue: Too many false positives
Solution:
- Use
filter-mode=addedto only show new issues - Configure tool-specific suppressions in
.reviewdog.yml - Adjust severity thresholds with
-levelflag - Use baseline files to ignore existing issues
Issue: Performance issues with large repositories
Solution:
- Run reviewdog only on changed files using
filter-mode=diff_context - Cache tool dependencies and databases in CI
- Run expensive scanners on scheduled jobs, lightweight ones on PR
- Use parallel execution for multiple tools
Issue: Integration with custom security tools
Solution:
- Convert tool output to supported format (checkstyle, sarif, rdjson, rdjsonl)
- Use
-f=rdjsonfor custom JSON output following reviewdog diagnostic format - Create errorformat pattern for text-based outputs
- See
references/reporter_formats.mdfor format specifications
Advanced Configuration
Custom reviewdog configuration (.reviewdog.yml)
runner:
bandit:
cmd: bandit -r . -f json
format: bandit
name: Python Security
level: warning
semgrep:
cmd: semgrep --config=auto --json
format: semgrep
name: Multi-language SAST
level: error
gitleaks:
cmd: gitleaks detect --report-format json
format: gitleaks
name: Secret Detection
level: error
Integration with Security Frameworks
Map findings to OWASP Top 10 and CWE:
# Semgrep with OWASP ruleset
semgrep --config "p/owasp-top-ten" --json | \
reviewdog -f=semgrep -name="OWASP Top 10" -reporter=github-pr-review
# Include CWE references in comments
reviewdog -f=semgrep -name="CWE Analysis" -reporter=github-pr-review