Agent skill
reviewdog
Automated code review and security linting integration for CI/CD pipelines using reviewdog. Aggregates findings from multiple security and quality tools (SAST, linters, formatters) into unified code review comments on pull requests. Use when: (1) Integrating security scanning into code review workflows, (2) Automating security feedback on pull requests, (3) Consolidating multiple tool outputs into actionable review comments, (4) Enforcing secure coding standards in CI/CD pipelines, (5) Providing inline security annotations during development.
Install this agent skill to your Project
npx add-skill https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/secsdlc/reviewdog
SKILL.md
Reviewdog - Automated Security Code Review
Overview
Reviewdog is an automated code review tool that integrates security scanning and linting results into pull request review comments. It acts as a universal adapter between various security tools (SAST scanners, linters, formatters) and code hosting platforms (GitHub, GitLab, Bitbucket), enabling seamless security feedback during code review.
Key Capabilities:
- Aggregates findings from multiple security and quality tools
- Posts inline review comments on specific code lines
- Supports 40+ linters and security scanners out-of-the-box
- Integrates with GitHub Actions, GitLab CI, CircleCI, and other CI platforms
- Filters findings to show only new issues in diff (fail-on-diff mode)
- Supports custom rulesets and security policies
Quick Start
Basic reviewdog usage with a security scanner:
```bash
# Install reviewdog
go install github.com/reviewdog/reviewdog/cmd/reviewdog@latest

# Run a security scanner and pipe to reviewdog
bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review

# Or use with Semgrep
semgrep --config=auto --json | reviewdog -f=semgrep -reporter=local
```
GitHub Actions integration:
```yaml
- name: Run reviewdog
  uses: reviewdog/action-setup@v1

- name: Security scan with reviewdog
  env:
    REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    bandit -r . -f json | reviewdog -f=bandit -reporter=github-pr-review
```
Core Workflow
Step 1: Install reviewdog
Install reviewdog in your CI environment or locally:
```bash
# Via Go
go install github.com/reviewdog/reviewdog/cmd/reviewdog@latest

# Via Homebrew (macOS/Linux)
brew install reviewdog

# Via Docker
docker pull reviewdog/reviewdog:latest
```
Step 2: Configure Security Tools
Set up the security scanners you want to integrate. Reviewdog supports multiple input formats:
Supported Security Tools:
- SAST: Semgrep, Bandit, ESLint Security, Brakeman
- Secret Detection: Gitleaks, TruffleHog, detect-secrets
- IaC Security: Checkov, tfsec, terrascan
- Container Security: Hadolint, Trivy, Dockle
- General Linters: ShellCheck, yamllint, markdownlint
Step 3: Integrate into CI/CD Pipeline
Add reviewdog to your CI pipeline to automatically post security findings as review comments:
GitHub Actions Example:
```yaml
name: Security Review
on: [pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Setup reviewdog
        uses: reviewdog/action-setup@v1

      - name: Run Bandit SAST
        env:
          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          pip install bandit
          bandit -r . -f json | \
            reviewdog -f=bandit \
              -name="Bandit SAST" \
              -reporter=github-pr-review \
              -filter-mode=added \
              -fail-on-error
```
GitLab CI Example:
```yaml
security_review:
  stage: test
  script:
    - pip install bandit reviewdog
    - bandit -r . -f json |
      reviewdog -f=bandit
      -reporter=gitlab-mr-discussion
      -filter-mode=diff_context
  only:
    - merge_requests
```
Step 4: Configure Review Behavior
Customize reviewdog's behavior using flags:
```bash
# Filter to show only issues in changed lines
reviewdog -filter-mode=diff_context

# Filter to show only issues in added lines
reviewdog -filter-mode=added

# Fail the build if findings are present
reviewdog -fail-on-error

# Set severity threshold
reviewdog -level=warning
```
Step 5: Review Security Findings
Reviewdog posts findings as inline comments on the pull request:
- Inline annotations: Security issues appear directly on affected code lines
- Severity indicators: Critical, High, Medium, Low severity levels
- Remediation guidance: Links to CWE/OWASP references when available
- Diff-aware filtering: Only shows new issues introduced in the PR
Security Considerations
- API Token Security: Store GitHub/GitLab tokens in secrets management (GitHub Secrets, GitLab CI/CD variables)
  - Never commit tokens to version control
  - Use minimum required permissions (read/write on pull requests)
  - Rotate tokens regularly
- Access Control:
  - Configure reviewdog to run only on trusted branches
  - Use CODEOWNERS to require security team approval for reviewdog config changes
  - Restrict who can modify `.reviewdog.yml` configuration
- Audit Logging:
  - Log all security findings to SIEM or security monitoring platform
  - Track when findings are introduced and resolved
  - Monitor for bypassed security checks
- Compliance:
  - Maintains audit trail of security reviews (SOC2, ISO27001)
  - Enforces security policy compliance in code review
  - Supports compliance reporting through CI/CD artifacts
- Safe Defaults:
  - Use `fail-on-error` to block PRs with security findings
  - Enable `filter-mode=added` to catch new vulnerabilities
  - Configure severity thresholds appropriate to your risk tolerance
Bundled Resources
Scripts (scripts/)
- `setup_reviewdog.py` - Automated reviewdog installation and CI configuration generator
- `run_security_suite.sh` - Runs multiple security scanners through reviewdog
References (references/)
- `supported_tools.md` - Complete list of supported security tools with configuration examples
- `reporter_formats.md` - Available output formats and reporter configurations
- `cwe_mapping.md` - Mapping of common tool findings to CWE categories
Assets (assets/)
- `github_actions_template.yml` - GitHub Actions workflow for multi-tool security scanning
- `gitlab_ci_template.yml` - GitLab CI configuration for reviewdog integration
- `.reviewdog.yml` - Sample reviewdog configuration file
- `pre_commit_config.yaml` - Pre-commit hook integration
Common Patterns
Pattern 1: Multi-Tool Security Suite
Run multiple security tools and aggregate results in a single review:
```bash
#!/bin/bash
# Run comprehensive security scan

# Python security
bandit -r . -f json | reviewdog -f=bandit -name="Python SAST" -reporter=github-pr-review &

# Secrets detection
gitleaks detect --report-format json | reviewdog -f=gitleaks -name="Secret Scan" -reporter=github-pr-review &

# IaC security
checkov -d . -o json | reviewdog -f=checkov -name="IaC Security" -reporter=github-pr-review &

wait
```
Pattern 2: Severity-Based Gating
Block PRs based on severity thresholds:
```yaml
- name: Critical findings - Block PR
  run: |
    semgrep --config=p/security-audit --severity=ERROR --json | \
      reviewdog -f=semgrep -level=error -fail-on-error -reporter=github-pr-review

- name: Medium findings - Comment only
  run: |
    semgrep --config=p/security-audit --severity=WARNING --json | \
      reviewdog -f=semgrep -level=warning -reporter=github-pr-review
```
Pattern 3: Differential Security Scanning
Only flag new security issues introduced in the current PR:
```bash
# Only show findings in newly added code
reviewdog -filter-mode=added -fail-on-error

# Show findings in modified context (added + surrounding lines)
reviewdog -filter-mode=diff_context
```
Pattern 4: Custom Security Rules
Integrate custom security policies using grep or custom parsers:
```bash
# Check for prohibited patterns
grep -nH -R "eval(" . --include="*.py" | \
  reviewdog -f=grep -name="Dangerous Functions" -reporter=github-pr-review

# Custom JSON parser
./custom_security_scanner.py --json | \
  reviewdog -f=rdjson -name="Custom Policy" -reporter=github-pr-review
```
Integration Points
- CI/CD Platforms:
  - GitHub Actions (native action available)
  - GitLab CI/CD
  - CircleCI
  - Jenkins
  - Azure Pipelines
  - Bitbucket Pipelines
- Security Tools:
  - SAST: Semgrep, Bandit, ESLint, Brakeman, CodeQL
  - Secrets: Gitleaks, TruffleHog, detect-secrets
  - IaC: Checkov, tfsec, terrascan, kics
  - Containers: Hadolint, Trivy, Dockle
- Code Hosting:
  - GitHub (PR comments, check runs, annotations)
  - GitLab (MR discussions)
  - Bitbucket (inline comments)
  - Gerrit (review comments)
- SDLC Integration:
  - Pre-commit hooks: Fast local feedback before push
  - PR/MR review: Automated security review on code changes
  - Trunk protection: Block merges with security findings
  - Security dashboard: Aggregate findings for visibility
Troubleshooting
Issue: Reviewdog not posting comments
Solution:
- Verify GitHub token has correct permissions (`repo` scope for private repos, `public_repo` for public)
- Check CI environment has `REVIEWDOG_GITHUB_API_TOKEN` or `GITHUB_TOKEN` set
- Ensure repository settings allow PR comments from workflows
- Verify reviewdog is running in PR context (not on push to main)
Issue: Too many false positives
Solution:
- Use `filter-mode=added` to only show new issues
- Configure tool-specific suppressions in `.reviewdog.yml`
- Adjust severity thresholds with `-level` flag
- Use baseline files to ignore existing issues
Issue: Performance issues with large repositories
Solution:
- Run reviewdog only on changed files using `filter-mode=diff_context`
- Cache tool dependencies and databases in CI
- Run expensive scanners on scheduled jobs, lightweight ones on PR
- Use parallel execution for multiple tools
Issue: Integration with custom security tools
Solution:
- Convert tool output to supported format (checkstyle, sarif, rdjson, rdjsonl)
- Use `-f=rdjson` for custom JSON output following reviewdog diagnostic format
- Create errorformat pattern for text-based outputs
- See `references/reporter_formats.md` for format specifications
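As an added example (not part of this skill's bundled scripts), here is one way a custom scanner like the one in Pattern 4 can emit the reviewdog diagnostic format for `-f=rdjson`. It matches `eval()`/`exec()` calls on the Python AST rather than with grep, so comments, string literals and `ast.literal_eval()` are not reported. The rule ids (`CUSTOM000` to `CUSTOM002`), the source name `custom-policy` and the severity mapping are assumptions made for this example.

```python
"""Hypothetical custom_security_scanner.py: flags eval()/exec() calls as rdjson."""
import ast
import json
import sys
from pathlib import Path

# Assumed policy for this example: builtin name -> (rule id, rdjson severity).
PROHIBITED = {"eval": ("CUSTOM001", "ERROR"), "exec": ("CUSTOM002", "ERROR")}


def diagnostic(path, line, column, rule, severity, message):
    """Build one entry of the rdjson "diagnostics" array."""
    start = {"line": line, "column": column}
    return {"message": message, "severity": severity, "code": {"value": rule},
            "location": {"path": path, "range": {"start": start}}}


def scan_source(source, path):
    """Return diagnostics for direct calls to prohibited builtins in one file."""
    try:
        tree = ast.parse(source, filename=path)
    except (SyntaxError, ValueError) as exc:
        # Surface unparseable files instead of silently skipping them.
        line = getattr(exc, "lineno", None) or 1
        return [diagnostic(path, line, 1, "CUSTOM000", "WARNING",
                           f"file could not be parsed: {exc}")]
    found = []
    for node in ast.walk(tree):
        # Matching Call nodes ignores comments, strings and ast.literal_eval().
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in PROHIBITED):
            rule, severity = PROHIBITED[node.func.id]
            found.append(diagnostic(
                path, node.lineno, node.col_offset + 1, rule, severity,
                f"call to {node.func.id}() is prohibited by policy"))
    return sorted(found, key=lambda d: d["location"]["range"]["start"]["line"])


def build_report(root):
    """Scan every *.py file under root into a single rdjson document."""
    diagnostics = []
    for file in sorted(Path(root).rglob("*.py")):
        text = file.read_text(encoding="utf-8", errors="replace")
        diagnostics.extend(scan_source(text, file.as_posix()))
    return {"source": {"name": "custom-policy"}, "diagnostics": diagnostics}


if __name__ == "__main__":
    json.dump(build_report(sys.argv[1] if len(sys.argv) > 1 else "."), sys.stdout)
```

Run it from the repository root so the reported paths are relative to the checkout and line up with the files in the pull request diff.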
Advanced Configuration
Custom reviewdog configuration (.reviewdog.yml)
```yaml
runner:
  bandit:
    cmd: bandit -r . -f json
    format: bandit
    name: Python Security
    level: warning

  semgrep:
    cmd: semgrep --config=auto --json
    format: semgrep
    name: Multi-language SAST
    level: error

  gitleaks:
    cmd: gitleaks detect --report-format json
    format: gitleaks
    name: Secret Detection
    level: error
```
Integration with Security Frameworks
Map findings to OWASP Top 10 and CWE:
```bash
# Semgrep with OWASP ruleset
semgrep --config "p/owasp-top-ten" --json | \
  reviewdog -f=semgrep -name="OWASP Top 10" -reporter=github-pr-review

# Include CWE references in comments
reviewdog -f=semgrep -name="CWE Analysis" -reporter=github-pr-review
```