Automating code review with reviewdog

Posted July 31, 2021 by Thomas Kooi ‐ 2 min read

Your time spend on code review should be optimized as much as possible. Automation is something that can help you with this, and detecting security bugs within go code can be done using tools such as gosec. This post looks into configuring reviewdog to assist in gitlab merge request reviews using tools such as gosec.

Reviewdog is a tool that lets you integrate any code analyises tool into your CI pipelines, and have it comment on your merge request. Reviewdog works on both Github and Gitlab.

Configure environment variables

First, you need to configure the environment variable REVIEWDOG_GITLAB_API_TOKEN. This can be done through your CI/CD settings, either at the Gitlab group level or are the project level.

The value must be an access token from an user account with at least reporter permissions. Make sure, that when generating the access token, you use the scope api.

Add reviewdog configuration file

Next, in your project configure a file called .reviewdog.yml. Below is an example that uses govet, gosec and staticcheck:

    cmd: go vet $(go list ./pkg/...)
    format: govet
    level: warning
    cmd: gosec -quiet -no-fail -fmt golint ./pkg/...
    format: golint
    level: warning
    cmd: staticcheck -fail none $(go list ./pkg/...)
      - "%f:%l:%c: %m"

Configure Gitlab CI job

Next we need to configure the gitlab CI job. For this part, I ran into some issues myself, related due to some default git configuration in the CI pipeline. I had to configure the GIT_STRATEGY to use clone, otherwise the reviewdog would not work properly. By default, Gitlab uses fetch. I also had to configure GIT_DEPTH: '0' due to default pipeline configuration.

  stage: review
  image: circleci/golang
    GIT_STRATEGY: clone
    GIT_CHECKOUT: 'true'
    GIT_DEPTH: '0'
    - curl -sfL | sh -s -- -b ./bin
    - curl -sfL | sh -s -- -b $(go env GOPATH)/bin
    - go install
    - if [ -f .reviewdog.yml ]; then ./bin/reviewdog -reporter=gitlab-mr-discussion -tee; fi
  needs: []

The above job installs reviewdog, gosec and staticcheck, before running the checks against your code changes. If you have a merge request open for your commit, reviewdog will leave a comment for anything it finds on the merge request.