---
title: codewatcher
emoji: 🐳
colorFrom: green
colorTo: yellow
sdk: static
pinned: false
tags:
- deepsite
---
# CodeWatcher 🐍🛡️
CodeWatcher is a GitHub Actions bot that performs security-focused code reviews on pull requests using static analysis tools with a mentor/red-team approach.
## Features
- Automated Security Reviews: Runs pylint, bandit, and semgrep on every PR
- In-line Comments: Provides contextual feedback directly on code changes
- Mentor Mode: Offers constructive suggestions for code quality improvements
- Red Team Mode: Highlights security vulnerabilities with attack scenarios
- SARIF Integration: Uploads findings to GitHub's code scanning interface
## How It Works
CodeWatcher automatically:
- Triggers on pull request events
- Analyzes changed Python files using multiple static analysis tools
- Posts in-line comments with security insights and improvement suggestions
- Provides a summary of findings in the PR conversation
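The core of that pipeline, shown here as an added example rather than CodeWatcher's own `.github/scripts/codewatcher.py`: parse the PR's unified diff to learn which lines changed, keep only the findings that land on those lines (GitHub will only anchor a review comment on a line that is in the diff), shape them as in-line review comments in the red-team voice, and wrap every finding in a minimal SARIF 2.1.0 log for code scanning. The example assumes Bandit's `-f json` layout (`results[].filename`, `line_number`, `test_id`, `issue_severity`, `issue_confidence`, `issue_text`, `more_info`) and `git diff` output; the sample diff and findings are constructed for the demonstration.

```python
"""Filter static-analysis findings to a PR's changed lines, build in-line
review comments, and emit SARIF. Added example, not the project's script."""
import json
import re

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
SARIF_LEVEL = {"HIGH": "error", "MEDIUM": "warning", "LOW": "note"}

# Constructed sample PR diff: the change switches subprocess.run to shell=True.
SAMPLE_DIFF = """\
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -10,2 +10,3 @@ def run(cmd):
     import subprocess
-    return subprocess.run(cmd.split(), capture_output=True)
+    # accept a full shell string
+    return subprocess.run(cmd, shell=True, capture_output=True)
"""

# Constructed sample of `bandit -f json` results: one finding on a changed
# line (B602 at line 12), two on lines this PR did not touch.
SAMPLE_BANDIT_JSON = json.dumps({"results": [
    {"filename": "app/views.py", "line_number": 12, "test_id": "B602",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue.",
     "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html"},
    {"filename": "app/views.py", "line_number": 3, "test_id": "B404",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Consider possible security implications associated with the subprocess module.",
     "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess"},
    {"filename": "app/legacy.py", "line_number": 40, "test_id": "B105",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password: 'hunter2'",
     "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html"},
]})


def changed_lines(diff_text):
    """Map each file in a unified diff to the new-side line numbers it adds
    or modifies; only those lines can carry a GitHub review comment."""
    changed, path, new_line = {}, None, 0
    for line in diff_text.splitlines():
        if line.startswith(("diff ", "index ")):
            continue
        if line.startswith("+++ "):              # new-side file header
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            changed.setdefault(path, set())
        elif line.startswith("@@"):              # hunk header: reset counter
            new_line = int(HUNK_RE.match(line).group(1))
        elif path is None or line.startswith(("-", "\\")):
            continue                             # removed line / "\ No newline"
        elif line.startswith("+"):
            changed[path].add(new_line)
            new_line += 1
        else:                                    # unchanged context line
            new_line += 1
    return changed


def review_comments(bandit_json, diff_text):
    """Keep findings on changed lines and shape them as pull-request review
    comments (path/line/side/body) in the red-team voice."""
    touched = changed_lines(diff_text)
    comments = []
    for r in json.loads(bandit_json)["results"]:
        if r["line_number"] not in touched.get(r["filename"], ()):
            continue  # pre-existing finding: belongs in code scanning, not the PR thread
        body = (f"**{r['test_id']} ({r['issue_severity']} severity, "
                f"{r['issue_confidence']} confidence)**: {r['issue_text']}\n\n"
                "Red-team note: assume the value reaching this line is "
                "attacker-controlled and trace it back to where it enters the program.\n\n"
                f"Reference: {r['more_info']}")
        comments.append({"path": r["filename"], "line": r["line_number"],
                         "side": "RIGHT", "body": body})
    return comments


def to_sarif(bandit_json, tool_name="bandit"):
    """Wrap every finding (changed or not) in a minimal SARIF 2.1.0 log
    suitable for github/codeql-action/upload-sarif."""
    results = [{
        "ruleId": r["test_id"],
        "level": SARIF_LEVEL.get(r["issue_severity"], "warning"),
        "message": {"text": r["issue_text"]},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": r["filename"]},
            "region": {"startLine": r["line_number"]}}}],
    } for r in json.loads(bandit_json)["results"]]
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name}}, "results": results}]}


if __name__ == "__main__":
    for c in review_comments(SAMPLE_BANDIT_JSON, SAMPLE_DIFF):
        print(f"{c['path']}:{c['line']}\n{c['body']}\n")
    print(json.dumps(to_sarif(SAMPLE_BANDIT_JSON), indent=2))
```

On the sample input only the B602 finding survives the diff filter, because the B404 import and the hard-coded password sit on lines the PR did not touch; the SARIF log still carries all three so they appear under the repository's code scanning alerts. The comment dictionaries match the `comments[]` shape of GitHub's pull request review API, and the workflow that posts them needs `pull-requests: write` (review comments) and `security-events: write` (SARIF upload) and nothing broader.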
## Installation
Add the workflow file to your repository:
```bash
mkdir -p .github/workflows
curl -o .github/workflows/codewatcher.yml https://raw.githubusercontent.com/your-org/CodeWatcher/main/.github/workflows/codewatcher.yml
```
Create the scripts directory:
```bash
mkdir -p .github/scripts
curl -o .github/scripts/codewatcher.py https://raw.githubusercontent.com/your-org/CodeWatcher/main/.github/scripts/codewatcher.py
```
Commit and push these changes to your repository:
```bash
git add .github
git commit -m "Add CodeWatcher security review workflow"
git push
```
## Configuration
Customize CodeWatcher by adding these files to your repository root:
- `.pylintrc`: Pylint configuration
- `.bandit`: Bandit configuration
- `.semgrep.yml`: custom Semgrep rules