---
title: codewatcher
emoji: 🐳
colorFrom: green
colorTo: yellow
sdk: static
pinned: false
tags:
  - deepsite
---

# CodeWatcher 🔍🛡️

[![GitHub Actions](https://github.com/your-org/CodeWatcher/workflows/CodeWatcher/badge.svg)](https://github.com/your-org/CodeWatcher/actions)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)

CodeWatcher is a GitHub Actions bot that performs security-focused code reviews on pull requests using static analysis tools with a mentor/red-team approach.

## Features

- **Automated Security Reviews**: Runs pylint, bandit, and semgrep on every PR
- **In-line Comments**: Provides contextual feedback directly on code changes
- **Mentor Mode**: Offers constructive suggestions for code quality improvements
- **Red Team Mode**: Highlights security vulnerabilities with attack scenarios
- **SARIF Integration**: Uploads findings to GitHub's code scanning interface

## How It Works

CodeWatcher automatically:
1. Triggers on pull request events
2. Analyzes changed Python files using multiple static analysis tools
3. Posts in-line comments with security insights and improvement suggestions
4. Provides a summary of findings in the PR conversation
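
One way steps 2 to 4 can be wired together, as an added example that is not CodeWatcher's own code: it reads the PR's unified diff to learn which new-side line numbers each hunk added, then splits a `bandit -f json` report into GitHub review comments on those lines (the review API only anchors a comment to a line that appears in the diff) and plain summary items for findings in untouched code. The sample diff, the trimmed bandit output and the comment fields (`path`, `line`, `side`) are assumptions made for this example.

```python
import re
from collections import defaultdict
# Constructed sample PR diff (not from the project): two hunks in one file.
SAMPLE_DIFF = """\
+++ b/app/run.py
@@ -1,2 +1,4 @@
+import subprocess
+import yaml
 def load(path):
-    return open(path).read()
+    return yaml.load(open(path))
@@ -20 +22,2 @@ def main():
     run(args)
+    subprocess.call(args.cmd, shell=True)
"""
# Constructed `bandit -f json` output, trimmed to the keys used below.
SAMPLE_BANDIT = {"results": [
    {"filename": "app/run.py", "line_number": 4, "test_id": "B506", "issue_severity": "MEDIUM",
     "issue_confidence": "HIGH", "issue_text": "Use of unsafe yaml load."},
    {"filename": "app/run.py", "line_number": 23, "test_id": "B602", "issue_severity": "HIGH",
     "issue_confidence": "HIGH", "issue_text": "subprocess call with shell=True identified."},
    {"filename": "app/run.py", "line_number": 40, "test_id": "B101", "issue_severity": "LOW",
     "issue_confidence": "HIGH", "issue_text": "Use of assert detected."},
]}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def changed_lines(diff_text):
    """Path -> new-side line numbers the PR added (where findings on new code belong)."""
    touched, path, new_ln = defaultdict(set), None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):          # file header; must be tested before '+'
            path = raw[4:].removeprefix("b/")
        elif m := HUNK_RE.match(raw):       # hunk header resets the new-side counter
            new_ln = int(m.group(1))
        elif not raw.startswith("-"):       # added or context line; removed ('---' too) skipped
            if raw.startswith("+"):
                touched[path].add(new_ln)
            new_ln += 1
    return touched

def route_findings(report, diff_text):
    """In-line comment for findings on added lines; the rest go to the PR summary."""
    touched, inline, summary = changed_lines(diff_text), [], []
    for r in report["results"]:
        body = f"**{r['issue_severity']}/{r['issue_confidence']}** `{r['test_id']}`: {r['issue_text']}"
        if r["line_number"] in touched.get(r["filename"], ()):
            inline.append({"path": r["filename"], "line": r["line_number"], "side": "RIGHT", "body": body})
        else:
            summary.append(f"{r['filename']}:{r['line_number']} {body}")
    return inline, summary
```

The `inline` list is what a bot would post as review comments, and `summary` is what it would fold into the PR conversation so pre-existing findings are visible without being pinned to lines the PR never touched.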

## Installation

1. Add the workflow file to your repository:
   ```bash
   mkdir -p .github/workflows
   curl -o .github/workflows/codewatcher.yml https://raw.githubusercontent.com/your-org/CodeWatcher/main/.github/workflows/codewatcher.yml
   ```

2. Create the scripts directory:
   ```bash
   mkdir -p .github/scripts
   curl -o .github/scripts/codewatcher.py https://raw.githubusercontent.com/your-org/CodeWatcher/main/.github/scripts/codewatcher.py
   ```

3. Commit and push these changes to your repository:
   ```bash
   git add .github
   git commit -m "Add CodeWatcher security review workflow"
   git push
   ```

## Configuration

Customize CodeWatcher by adding these files to your repository root:

- `.pylintrc` - Pylint configuration
- `.bandit` - Bandit configuration
- `.semgrep.yml` - Custom Semgrep rules

## Example Output

![CodeWatcher in action](https://github.com/your-org/CodeWatcher/raw/main/images/example-comment.png)