Automating code review with reviewdog

Using reviewdog to assist with golang code review on Gitlab

gitlab ci-cd
Thomas Kooi

Your time spend on code review should be optimized as much as possible. Automation is something that can help you with this, and detecting security bugs within go code can be done using tools such as gosec. This post looks into configuring reviewdog to assist in Gitlab Merge Request reviews using tools such as gosec.

This is a blog post from 2021 and may be out-dated.

Review Dog Logo

Reviewdog is a tool that lets you integrate any code analyises tool into your CI pipelines, and have it comment on your merge request. Reviewdog works on both Github and Gitlab.

Configure environment variables

First, you need to configure the environment variable REVIEWDOG_GITLAB_API_TOKEN. This can be done through your CI/CD settings, either at the Gitlab group level or are the project level.

The value must be an access token from an user account with at least reporter permissions. Make sure, that when generating the access token, you use the scope api.

Add reviewdog configuration file

Next, in your project configure a file called .reviewdog.yml. Below is an example that uses govet, gosec and staticcheck:

    cmd: go vet $(go list ./pkg/...)
    format: govet
    level: warning
    cmd: gosec -quiet -no-fail -fmt golint ./pkg/...
    format: golint
    level: warning
    cmd: staticcheck -fail none $(go list ./pkg/...)
      - "%f:%l:%c: %m"

Configure Gitlab CI job

Next we need to configure the gitlab CI job. For this part, I ran into some issues myself, related due to some default git configuration in the CI pipeline. I had to configure the GIT_STRATEGY to use clone, otherwise the reviewdog would not work properly. By default, Gitlab uses fetch. I also had to configure GIT_DEPTH: '0' due to default pipeline configuration.

  stage: review
  image: circleci/golang
    GIT_STRATEGY: clone
    GIT_CHECKOUT: 'true'
    GIT_DEPTH: '0'
    - curl -sfL | sh -s -- -b ./bin
    - curl -sfL | sh -s -- -b $(go env GOPATH)/bin
    - go install
    - if [ -f .reviewdog.yml ]; then ./bin/reviewdog -reporter=gitlab-mr-discussion -tee; fi
  needs: []

The job above sets up and installs Reviewdog, Gosec, and Staticcheck, and then runs these tools to check your code changes. If there is an open merge request for your commit, Reviewdog will automatically comment on the merge request with any issues it detects.

An example comment

Reviewdog will post comments on any line of code it finds an issue, such as the below example:

Reviewdog example comment


Reviewdog is an invaluable tool for software and DevOps engineers dedicated to maintaining high code quality and streamlining their development workflows.

By automating code review and integrating seamlessly with CI/CD pipelines, Reviewdog helps catch errors early, enforce coding standards, and facilitate effective collaboration among team members. This not only improves the overall quality of your codebase but also accelerates the development process, reducing the time spent on manual code reviews and allowing engineers to focus on building innovative features.

Related Tags:
#gitlab #ci-cd
3 min read
Share this post: