Your time spend on code review should be optimized as much as possible. Automation is something that can help you with this, and detecting security bugs within go code can be done using tools such as gosec. This post looks into configuring reviewdog to assist in gitlab merge request reviews using tools such as gosec.

Reviewdog is a tool that lets you integrate any code analyises tool into your CI pipelines, and have it comment on your merge request. Reviewdog works on both Github and Gitlab.

Configure environment variables

First, you need to configure the environment variable REVIEWDOG_GITLAB_API_TOKEN. This can be done through your CI/CD settings, either at the Gitlab group level or are the project level.

The value must be an access token from an user account with at least reporter permissions. Make sure, that when generating the access token, you use the scope api.

Add reviewdog configuration file

Next, in your project configure a file called .reviewdog.yml. Below is an example that uses govet, gosec and staticcheck:

runner:
  govet:
    cmd: go vet $(go list ./pkg/...)
    format: govet
    level: warning
  gosec:
    cmd: gosec -quiet -no-fail -fmt golint ./pkg/...
    format: golint
    level: warning
  staticcheck:
    cmd: staticcheck -fail none $(go list ./pkg/...)
    errorformat:
      - "%f:%l:%c: %m"

Configure Gitlab CI job

Next we need to configure the gitlab CI job. For this part, I ran into some issues myself, related due to some default git configuration in the CI pipeline. I had to configure the GIT_STRATEGY to use clone, otherwise the reviewdog would not work properly. By default, Gitlab uses fetch. I also had to configure GIT_DEPTH: '0' due to default pipeline configuration.

go:code_review:
  stage: review
  image: circleci/golang
  variables:
    GIT_STRATEGY: clone
    GIT_CHECKOUT: "true"
    GIT_DEPTH: "0"
  before_script:
    - curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b ./bin
    - curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
    - go install honnef.co/go/tools/cmd/staticcheck@latest
  script:
    - if [ -f .reviewdog.yml ]; then ./bin/reviewdog -reporter=gitlab-mr-discussion -tee; fi
  needs: []

The above job installs reviewdog, gosec and staticcheck, before running the checks against your code changes. If you have a merge request open for your commit, reviewdog will leave a comment for anything it finds on the merge request.