Your time spent on code review should be optimized as much as possible. Automation can help with this, and detecting security bugs in Go code can be done using tools such as gosec. This post looks into configuring reviewdog to assist in GitLab merge request reviews using tools such as gosec.
Reviewdog is a tool that lets you integrate any code analysis tool into your CI pipelines and have it comment on your merge request. Reviewdog works on both GitHub and GitLab.
The value must be an access token from a user account with at least reporter permissions. Make sure that, when generating the access token, you use the scope
Next, in your project configure a file called `.reviewdog.yml`. Below is an example that uses

```yaml
runner:
  govet:
    cmd: go vet $(go list ./pkg/...)
    format: govet
    level: warning
  gosec:
    cmd: gosec -quiet -no-fail -fmt golint ./pkg/...
    format: golint
    level: warning
  staticcheck:
    cmd: staticcheck -fail none $(go list ./pkg/...)
    errorformat:
      - "%f:%l:%c: %m"
```
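To make the `errorformat` entry concrete, here is an added Go example (not part of the original post, and not reviewdog's own code) that parses tool output in the `%f:%l:%c: %m` shape, which is what `gosec -fmt golint` and staticcheck emit for the config above. The sample output lines are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one diagnostic in the golint-style format consumed by the
// .reviewdog.yml above: "%f:%l:%c: %m" (file:line:column: message).
type Finding struct {
	File    string
	Line    int
	Column  int
	Message string
}

// lineRe mirrors the errorformat "%f:%l:%c: %m". The lazy %f stops at the
// first ":<digits>:<digits>: " so the message itself may contain colons.
var lineRe = regexp.MustCompile(`^(.+?):(\d+):(\d+): (.+)$`)

// ParseFindings parses raw tool output and keeps only the lines that match
// the format; summary or progress lines that do not match are dropped.
func ParseFindings(output string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		line, _ := strconv.Atoi(m[2]) // digits guaranteed by the regex
		col, _ := strconv.Atoi(m[3])
		out = append(out, Finding{File: m[1], Line: line, Column: col, Message: m[4]})
	}
	return out
}

// sample is constructed output in the shape gosec's golint formatter emits;
// the paths and findings are illustrative, not from a real project.
const sample = `pkg/server/handler.go:42:2: [G104] Errors unhandled. (Confidence: HIGH, Severity: LOW)
pkg/crypto/hash.go:10:2: [G501] Blocklisted import crypto/md5: weak cryptographic primitive (Confidence: HIGH, Severity: MEDIUM)
Summary: 2 issues found
`

func main() {
	for _, f := range ParseFindings(sample) {
		fmt.Printf("%s line %d col %d: %s\n", f.File, f.Line, f.Column, f.Message)
	}
}
```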
Next we need to configure the GitLab CI job. For this part, I ran into some issues myself, related to the default Git configuration in the CI pipeline.
I had to configure `GIT_STRATEGY` to use `clone`, otherwise reviewdog would not work properly. By default, GitLab uses `fetch`. I also had to configure `GIT_DEPTH: '0'` due to the default pipeline configuration.
```yaml
go:code_review:
  stage: review
  image: circleci/golang
  variables:
    GIT_STRATEGY: clone
    GIT_CHECKOUT: 'true'
    GIT_DEPTH: '0'
  before_script:
    - curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b ./bin
    - curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
    - go install honnef.co/go/tools/cmd/staticcheck@latest
  script:
    - if [ -f .reviewdog.yml ]; then ./bin/reviewdog -reporter=gitlab-mr-discussion -tee; fi
  needs:
```
The above job installs reviewdog, gosec and staticcheck before running the checks against your code changes. If you have a merge request open for your commit, reviewdog will leave a comment on the merge request for anything it finds.