Automating code review with reviewdog

Using reviewdog to assist with golang code review on Gitlab

gitlab ci-cd
2021-07-31
Thomas Kooi

Time spent on code review should be used as well as possible, and automation can help with that: security bugs in Go code, for example, can be detected with tools such as gosec. This post looks at configuring reviewdog to assist in Gitlab Merge Request reviews using tools such as gosec.

This is a blog post from 2021 and may be outdated.


Reviewdog is a tool that lets you integrate any code analysis tool into your CI pipeline and have its findings posted as comments on your merge request. Reviewdog works on both Github and Gitlab.

Configure environment variables

First, configure the environment variable REVIEWDOG_GITLAB_API_TOKEN. This can be done through your CI/CD settings, either at the Gitlab group level or at the project level.

The value must be an access token for a user account with at least reporter permissions. Make sure that, when generating the access token, you select the api scope. Because a token with the api scope can read and write through the whole API on behalf of that account, store it as a masked (and, where possible, protected) CI/CD variable, and prefer a dedicated bot account with the minimum role reviewdog needs over a personal token.

Add reviewdog configuration file

Next, add a file called .reviewdog.yml to your project. Below is an example that runs go vet, gosec and staticcheck:

runner:
  govet:
    cmd: go vet $(go list ./pkg/...)
    format: govet
    level: warning
  gosec:
    cmd: gosec -quiet -no-fail -fmt golint ./pkg/...
    format: golint
    level: warning
  staticcheck:
    cmd: staticcheck -fail none $(go list ./pkg/...)
    errorformat:
      - "%f:%l:%c: %m"
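The errorformat line above tells reviewdog how to pull a file, line, column and message out of each line of tool output; anything that does not fit that shape is ignored, which is why a wrong errorformat silently produces zero comments. The following added Go example (not from the post and not reviewdog's own errorformat engine, which is Vim-style) approximates the same "%f:%l:%c: %m" shape with a regular expression and runs it over constructed staticcheck- and gosec-like output, separating the lines that map to a finding from the lines that do not:

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one diagnostic that reviewdog would turn into a merge request comment.
type Finding struct {
	File    string
	Line    int
	Column  int
	Message string
}

// lineColMsg approximates the errorformat "%f:%l:%c: %m" from .reviewdog.yml:
// a file path, a line number, a column number, then the message. It is an
// illustrative regexp written for this example, not reviewdog's implementation.
var lineColMsg = regexp.MustCompile(`^([^:\s][^:]*):(\d+):(\d+): (.+)$`)

// ParseFinding maps one line of tool output to a Finding. Lines that do not fit
// the format (download noise, summary lines) are reported as unmatched so they
// are dropped rather than mis-attributed to a file and line.
func ParseFinding(line string) (Finding, bool) {
	m := lineColMsg.FindStringSubmatch(strings.TrimRight(line, "\r\n"))
	if m == nil {
		return Finding{}, false
	}
	l, err1 := strconv.Atoi(m[2])
	c, err2 := strconv.Atoi(m[3])
	if err1 != nil || err2 != nil {
		return Finding{}, false
	}
	return Finding{File: m[1], Line: l, Column: c, Message: m[4]}, true
}

// ParseOutput parses a whole tool run. Unmatched lines are returned separately so
// a misconfigured errorformat is visible instead of silently yielding no findings.
func ParseOutput(out string) (findings []Finding, unmatched []string) {
	for _, line := range strings.Split(out, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		if f, ok := ParseFinding(line); ok {
			findings = append(findings, f)
		} else {
			unmatched = append(unmatched, line)
		}
	}
	return findings, unmatched
}

// sampleOutput is constructed for this example to resemble a mix of module
// download noise, staticcheck output and gosec -fmt golint output; it was not
// captured from a real run and the message texts are illustrative.
const sampleOutput = `go: downloading honnef.co/go/tools v0.4.6
pkg/auth/token.go:27:2: G404: Use of weak random number generator (math/rand instead of crypto/rand)
pkg/auth/token.go:41:1: func unusedHelper is unused (U1000)
pkg/store/db.go:88:10: G104: Errors unhandled.
Summary:
  Issues : 2
`

func main() {
	findings, unmatched := ParseOutput(sampleOutput)
	for _, f := range findings {
		fmt.Printf("%s:%d:%d -> %s\n", f.File, f.Line, f.Column, f.Message)
	}
	fmt.Printf("%d findings, %d unmatched lines\n", len(findings), len(unmatched))
}
```

When a runner in .reviewdog.yml produces no comments, print the tool's raw output in the job log (the -tee flag used later in the CI job does this) and compare it against the errorformat: a tool that omits the column, prefixes a severity, or prints Windows-style paths will not match the pattern above and needs its own errorformat entry.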

Configure Gitlab CI job

Next we need to configure the Gitlab CI job. For this part I ran into some issues myself, related to the default git configuration in the CI pipeline. I had to configure GIT_STRATEGY to use clone, otherwise reviewdog would not work properly; by default, Gitlab uses fetch. I also had to configure GIT_DEPTH: '0' because of the default pipeline configuration.

go:code_review:
  stage: review
  image: circleci/golang
  variables:
    GIT_STRATEGY: clone
    GIT_CHECKOUT: 'true'
    GIT_DEPTH: '0'
  before_script:
    - curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b ./bin
    - curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
    - go install honnef.co/go/tools/cmd/staticcheck@latest
  script:
    - if [ -f .reviewdog.yml ]; then ./bin/reviewdog -reporter=gitlab-mr-discussion -tee; fi
  needs: []

The job above installs Reviewdog, Gosec and Staticcheck, and then runs the tools defined in .reviewdog.yml against your code changes. If there is an open merge request for your commit, Reviewdog will automatically comment on the merge request with any issues it detects. Note that the before_script fetches install scripts straight from the master branch of each project and installs staticcheck at @latest, so the job runs whatever those upstreams currently publish; since this job holds an api-scoped token and writes to your merge requests, pin each tool to a specific release (for example, replace @latest with a version tag) and review tool upgrades like any other dependency.

An example comment

Reviewdog will post a comment on each line of code where it finds an issue, such as in the example below:

Reviewdog example comment
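To make concrete what such a comment points at, here is an added Go example (constructed for this post, not the code shown in the screenshot and not part of gosec) of a line gosec reports under its weak-random-number rule, G404, next to the version that passes the check. The seeded variant exists only to show why the finding matters: the same seed yields the same "random" token.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	insecurerand "math/rand"
	"time"
)

// WeakSessionToken is the kind of code gosec flags with G404: math/rand is a
// deterministic generator, so anyone who can guess the seed (here, a timestamp
// the caller passes in) can reproduce every token it ever produced.
// Kept only to illustrate the finding; do not use for secrets.
func WeakSessionToken(seed int64, n int) string {
	r := insecurerand.New(insecurerand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return hex.EncodeToString(b)
}

// SessionToken is the fixed version that passes the gosec check: crypto/rand
// reads from the operating system's CSPRNG, and the read error is returned
// rather than discarded (dropping it would trip G104, errors unhandled).
func SessionToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("reading random bytes: %w", err)
	}
	return hex.EncodeToString(b), nil
}

// TokenLooksValid checks the output shape: the token must decode back to
// exactly n bytes of hex-encoded data.
func TokenLooksValid(tok string, n int) bool {
	b, err := hex.DecodeString(tok)
	return err == nil && len(b) == n
}

func main() {
	// Seeding from the clock is the usual pattern in flagged code; two calls
	// with the same seed show that the output is fully predictable.
	seed := time.Now().UnixNano()
	fmt.Println("weak   :", WeakSessionToken(seed, 16))
	fmt.Println("weak   :", WeakSessionToken(seed, 16), "(same seed, same token)")

	tok, err := SessionToken(16)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("strong :", tok)
}
```

With the .reviewdog.yml above, gosec runs with -no-fail, so a finding like this does not break the pipeline; it shows up as a discussion on the offending line of the merge request and it is up to the reviewer to decide whether the fix (here, crypto/rand) is required before merging.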

Conclusion

Reviewdog is a practical tool for software and DevOps engineers who want to keep code quality high without adding manual steps to their development workflow.

By automating part of the code review and integrating with your CI/CD pipeline, Reviewdog surfaces errors and security findings early, helps enforce coding standards, and gives reviewers a concrete list of issues to discuss. This improves the overall quality of your codebase and reduces the time spent on manual code review, so engineers can focus on the parts of a change that need human judgement.
